A powerpoint presentation from San Diego Cisco User Group created and presented by Octavio.

1. Introduction to Syslog
Octavio Alvarez
alvarezp@alvarezp.ods.org
San Diego Cisco User Group
July 19th, 2012

2. Overview
● Problems to solve
● The Syslog protocol
● Technicalities
– Protocol content, RFCs, etc.
● Example of topologies
– A simple one and one a bit more complex.
● Simple demonstration
Feel free to interrupt me at any time!

3. Problems to solve
● Having to look in each device separately for
information collection.
● Having the clocks not exactly synchronized.
● Hard to search in devices without search support
(like "include" or "grep").
● Having to look for past events (more than N-bytes
ago).

4. Introducing Syslog
● A protocol.
● A de-facto standard...
● ... a documented de-facto standard (RFC 3164)
● ... and is being standardized (RFC 5424, obsoletes
RFC 3164).

5. The simplest possible logging
implementation with Syslog

6. Content (obsolete, RFC 3164)
● Priority = 8 * Facility + Severity
– Severity (0-7)
– Facility (0-23)
● Header
– Timestamp (RFC3339 with restrictions)
– Hostname (a.k.a. Cisco's "origin") (FQDN, IP,
hostname)
● Message

7. Content (new, RFC 5424)
● Version
● Application
● Process ID
● Message ID
● Structured data (Element, ID, Param)
– Elements: timeQuality, origin, meta

8. Severities
● 0: Emergency: system is unusable
● 1: Alert: action must be taken immediately
● 2: Critical: critical conditions
● 3: Error: error conditions
● 4: Warning: warning conditions
● 5: Notice: normal but significant condition
● 6: Informational: informational messages
● 7: Debug: debug-level messages

9. Facilities (part 1)
● 0: kernel messages
● 1: user-level messages
● 2: mail system
● 3: system daemons
● 4: security/authorization messages
● 5: messages generated internally by syslogd
● 6: line printer subsystem
● 7: network news subsystem (maybe: RSS, Google
group...)

10. Facilities (part 2)
● 8: UUCP subsystem (maybe: backup, rsync...)
● 9: clock daemon
● 10: security/authorization messages
● 11: FTP daemon
● 12: NTP subsystem
● 13: log audit
● 14: log alert
● 15: clock daemon
● 16-23: local use 0-7 (local0-7)

11. A slightly more complex Syslog usage

12. Syslog application-layer "components"
(as per the RFC)
● Originator (application-layer)
– Cisco router, Apache Server
● Collector (application-layer)
– rsyslog, dsyslog, syslog-ng
– Solarwinds Kiwi Syslog Server
● Relay (application-layer)

13. Syslog application-layer "components"
(as per the RFC)

14. An extra component: the front-end
● Depends on the storage method.
● Text processors: grep, gawk
● FOSS: php-syslog-ng, Adiscon's Log Analyzer
(PhpLogCon), Logzilla, logtool, petit...
● Gratis: Kiwi (basic), WhatsUp Gold's Syslog Server
● Commercial: Splunk, LogRhythm, LogClarity,
Logalot, Kiwi (full), XLog-Server,
SyslogAppliance, WinSyslog

15. Simple demo: configuring a Cisco
router as an originator
● Some IOS versions:
– logging host A.B.C.D <level>
– logging origin <origin-type>
– logging on
● Some other IOS versions:
– logging host A.B.C.D
– logging on
– logging trap <level>

16. Simple demo: configuring an Ubuntu
box as a text collector
● rsyslog already installed
● Edition of /etc/rsyslog.conf

17. Thanks! Any questions?
a blog.alvarezp.org
/categorias/por-idioma/english
@alvarezp2000
alvarezp@alvarezp.com
The only legal way
to burn a Windows disc superkb.sf.net