So you’ve got your GNS lab running and you managed to connect it to your LAN. As you do your studies, you will find yourself quite often checking logs and debug output on your routers. It happens that, when testing specific technologies, the amount of logs/debugs generated can be quite overwhelming. Furthermore, I found that switching tabs from one device to the other is not very practical either.

I think it is a lot better to have all logs sent to a syslog server for the following reasons:

  1. Log Backup: all logs are saved so we could refer back to those entries later
  2. Granularity: you could save the logs to different files based on device, facility name or log priority; you could even get those logs sent to another remote device – say a database
  3. Scripting: having all in one place, depending on your scripting skills, you could make use of some scripting (keep reading)
Just be careful to also implement log rotation; otherwise, you may find yourself out of disk space.


INDEX:

  1. Topology
  2. Setting Up the Server
  3. Setting Up the Clients
  4. Customizing output using a Bash script


TOPOLOGY

At home, my setup is slightly different, in that my syslog server is actually the same machine that is also running Dynamips. Below is just an example of a topology that would work as well; the idea is really to get your network devices to reach your syslog server, one way or another.

(Figure: syslog-lab topology diagram)


SETTING UP THE SERVER

As you finish installing Ubuntu Server, the syslog daemon (rsyslog) is installed by default; it doesn’t, however, accept inbound connections. Furthermore, I wanted to keep my GNS logs separate from everything else. I therefore had to change the default configuration by editing the file located at /etc/rsyslog.conf. Once all changes had been made, I restarted the rsyslog daemon.

1. Open the file

sudo nano /etc/rsyslog.conf

2. Edit the file

#################
#### MODULES ####
#################

$ModLoad imuxsock # provides support for local system logging
$ModLoad imklog # provides kernel logging support (previously done by rklogd)
#$ModLoad immark # provides --MARK-- message capability

# provides UDP syslog reception
#$ModLoad imudp   -> Remove the "#" so that the server starts listening on a specific UDP port
#$UDPServerRun 514   -> Remove the "#"; this specifies the UDP port number

# provides TCP syslog reception
#$ModLoad imtcp   -> Remove the "#" so that the server listens on a specific TCP port
#$InputTCPServerRun 514  -> Remove the "#"; this specifies the TCP port number

3. Inspect facility SYSLOG and redirect its log entries to a separate file

#############################
### RULES ###
#############################
#
#
syslog.* /var/log/labsyslog

NOTE: Above, syslog is the name of the logging facility, as configured on the clients (routers/switches). The asterisk (*) is a placeholder for “any priority” (the rsyslog documentation describes the available priority keywords). labsyslog is the file the log entries are written to.

4. Restart the service

sudo /etc/init.d/rsyslog restart
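Before restarting the daemon it is worth confirming that every line you meant to uncomment really is active; a leftover "#" on one of the four listener lines is the usual reason a router's messages never arrive. The script below is an added example and is not from the original post: it reads an rsyslog.conf, checks for the two UDP directives, the two TCP directives and the syslog.* rule from the steps above, and returns the number of missing items. The write_sample_conf helper and the "good"/"bad" configs it produces are constructed for the demonstration and are not a real /etc/rsyslog.conf. Keep in mind that imudp and imtcp on port 514 accept messages from any host that can reach the server, so on anything beyond a home lab you would also limit the senders, for instance with a host firewall or rsyslog's $AllowedSender directive (not covered on this page).

```shell
#!/bin/bash
# Added example, not from the original post: check an rsyslog.conf for the
# listener directives and the facility rule this walkthrough enables, so a
# still-commented line is caught before the daemon is restarted.
# Usage: check_rsyslog_conf /etc/rsyslog.conf

# Returns 0 if the exact line "$2" is active (not commented out) in file "$1".
# Leading whitespace is stripped and runs of spaces/tabs are collapsed before
# the comparison, so "syslog.*<tab>/var/log/labsyslog" still matches.
conf_has() {
    sed 's/^[[:space:]]*//; s/[[:space:]]\{1,\}/ /g; s/ $//' "$1" \
        | grep -Fxq -- "$2"
}

# Checks each required line, prints one status line per item and returns
# the number of items that are missing (0 means the config is ready).
check_rsyslog_conf() {
    local conf="$1" missing=0 line
    for line in '$ModLoad imudp' '$UDPServerRun 514' \
                '$ModLoad imtcp' '$InputTCPServerRun 514' \
                'syslog.* /var/log/labsyslog'; do
        if conf_has "$conf" "$line"; then
            echo "ok       $line"
        else
            echo "MISSING  $line   (still commented out, or not added?)"
            missing=$((missing + 1))
        fi
    done
    return "$missing"
}

# Writes a constructed sample config (not a real /etc/rsyslog.conf) to "$1":
# "good" has everything enabled, "bad" leaves the two UDP lines commented out.
write_sample_conf() {
    {
        echo '$ModLoad imuxsock'
        if [ "$2" = good ]; then
            echo '$ModLoad imudp'
            echo '$UDPServerRun 514'
        else
            echo '#$ModLoad imudp'
            echo '#$UDPServerRun 514'
        fi
        echo '$ModLoad imtcp'
        echo '$InputTCPServerRun 514'
        printf 'syslog.*\t/var/log/labsyslog\n'
    } > "$1"
}

# Run against a real file when a path is given, e.g.:
#   ./check_rsyslog_conf.sh /etc/rsyslog.conf
if [ -n "${1:-}" ]; then
    check_rsyslog_conf "$1"
fi
```

Once the check passes and rsyslog has been restarted, a message sent from the server itself with logger (for example `logger -p syslog.info "lab test"`) should appear in /var/log/labsyslog; a logrotate entry for that file under /etc/logrotate.d/ takes care of the disk-space caveat from the introduction.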


SETTING UP THE CLIENTS

I will show below a sample configuration from one of my routers:

logging trap debugging
logging origin-id hostname
logging facility syslog
logging source-interface Loopback0
logging 192.168.1.249


CUSTOMISING OUTPUT USING A BASH SCRIPT

To monitor the logs, use the tail command; we can also pipe the output through grep to filter it. Let’s look at two examples; here, I am bouncing an interface on router R1:

tail -f /var/log/labsyslog

Nov 10 16:38:15 172.16.0.1 64: R1: *Mar 1 04:19:35.970: %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to up
Nov 10 16:38:17 172.16.0.1 65: R1: *Mar 1 04:19:37.314: %PIM-5-DRCHG: DR change from neighbor 0.0.0.0 to 172.16.1.254 on interface FastEthernet0/0
Nov 10 16:40:10 172.16.0.1 66: R1: *Mar 1 04:21:30.390: %OSPF-5-ADJCHG: Process 1, Nbr 2.2.2.2 on FastEthernet0/1 from LOADING to FULL, Loading Done
Nov 10 16:41:03 172.16.0.2 46: R2: *Mar 1 04:22:22.730: %OSPF-5-ADJCHG: Process 1, Nbr 3.3.3.3 on FastEthernet0/1 from LOADING to FULL, Loading Done
Nov 10 16:41:48 172.16.0.2 47: R2: *Mar 1 04:23:07.434: %PARSER-5-CFGLOG_LOGGEDCMD: User:console logged command:do sh run
Nov 10 16:42:14 172.16.0.2 48: R2: *Mar 1 04:23:33.362: %PARSER-5-CFGLOG_LOGGEDCMD: User:console logged command:interface lo10
Nov 10 16:42:14 172.16.0.2 49: R2: *Mar 1 04:23:34.350: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback10, changed state to up
Nov 10 16:42:21 172.16.0.2 50: R2: *Mar 1 04:23:40.446: %PARSER-5-CFGLOG_LOGGEDCMD: User:console logged command:no interface Loopback10
Nov 10 16:42:23 172.16.0.2 51: R2: *Mar 1 04:23:42.434: %LINK-5-CHANGED: Interface Loopback10, changed state to administratively down
Nov 10 16:42:23 172.16.0.2 52: R2: *Mar 1 04:23:43.434: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback10, changed state to down

But we are also getting output for events which happened on R2. Next, I will filter the output so that we see R1 events only:

tail -f /var/log/labsyslog | grep " R1: *"

Nov 10 16:38:15 172.16.0.1 64: R1: *Mar 1 04:19:35.970: %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to up
Nov 10 16:38:17 172.16.0.1 65: R1: *Mar 1 04:19:37.314: %PIM-5-DRCHG: DR change from neighbor 0.0.0.0 to 172.16.1.254 on interface FastEthernet0/0
Nov 10 16:40:10 172.16.0.1 66: R1: *Mar 1 04:21:30.390: %OSPF-5-ADJCHG: Process 1, Nbr 2.2.2.2 on FastEthernet0/1 from LOADING to FULL, Loading Done

For convenience, I wanted to implement a sort of command line tool to make the job slightly easier and more intuitive. To do so, I created two new text files and added the following commands to each file respectively.

Once both files have been created and saved, you also need to make them executable using the command: sudo chmod +x <filename>

FILE: showlogs

#!/bin/bash
shopt -s extglob   # enables the *( ) pattern below, which strips leading spaces from the hostname argument
tail -f /var/log/labsyslog | grep ": ${1##*( )}: *"


FILE: showlogsall

#!/bin/bash
tail -f /var/log/labsyslog

Now, if I want to see the logs on a particular router (based on the hostname, as displayed in the logs) I can use the command:

./showlogs R2

Nov 10 16:41:03 172.16.0.2 46: R2: *Mar 1 04:22:22.730: %OSPF-5-ADJCHG: Process 1, Nbr 3.3.3.3 on FastEthernet0/1 from LOADING to FULL, Loading Done
Nov 10 16:41:48 172.16.0.2 47: R2: *Mar 1 04:23:07.434: %PARSER-5-CFGLOG_LOGGEDCMD: User:console logged command:do sh run
Nov 10 16:42:14 172.16.0.2 48: R2: *Mar 1 04:23:33.362: %PARSER-5-CFGLOG_LOGGEDCMD: User:console logged command:interface lo10
Nov 10 16:42:14 172.16.0.2 49: R2: *Mar 1 04:23:34.350: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback10, changed state to up
Nov 10 16:42:21 172.16.0.2 50: R2: *Mar 1 04:23:40.446: %PARSER-5-CFGLOG_LOGGEDCMD: User:console logged command:no interface Loopback10
Nov 10 16:42:23 172.16.0.2 51: R2: *Mar 1 04:23:42.434: %LINK-5-CHANGED: Interface Loopback10, changed state to administratively down
Nov 10 16:42:23 172.16.0.2 52: R2: *Mar 1 04:23:43.434: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback10, changed state to down

Or, to see all logs, I just run:

./showlogsall

Nov 10 16:38:15 172.16.0.1 64: R1: *Mar 1 04:19:35.970: %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to up
Nov 10 16:38:17 172.16.0.1 65: R1: *Mar 1 04:19:37.314: %PIM-5-DRCHG: DR change from neighbor 0.0.0.0 to 172.16.1.254 on interface FastEthernet0/0
Nov 10 16:40:10 172.16.0.1 66: R1: *Mar 1 04:21:30.390: %OSPF-5-ADJCHG: Process 1, Nbr 2.2.2.2 on FastEthernet0/1 from LOADING to FULL, Loading Done
Nov 10 16:41:03 172.16.0.2 46: R2: *Mar 1 04:22:22.730: %OSPF-5-ADJCHG: Process 1, Nbr 3.3.3.3 on FastEthernet0/1 from LOADING to FULL, Loading Done
Nov 10 16:41:48 172.16.0.2 47: R2: *Mar 1 04:23:07.434: %PARSER-5-CFGLOG_LOGGEDCMD: User:console logged command:do sh run
Nov 10 16:42:14 172.16.0.2 48: R2: *Mar 1 04:23:33.362: %PARSER-5-CFGLOG_LOGGEDCMD: User:console logged command:interface lo10
Nov 10 16:42:14 172.16.0.2 49: R2: *Mar 1 04:23:34.350: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback10, changed state to up
Nov 10 16:42:21 172.16.0.2 50: R2: *Mar 1 04:23:40.446: %PARSER-5-CFGLOG_LOGGEDCMD: User:console logged command:no interface Loopback10
Nov 10 16:42:23 172.16.0.2 51: R2: *Mar 1 04:23:42.434: %LINK-5-CHANGED: Interface Loopback10, changed state to administratively down
Nov 10 16:42:23 172.16.0.2 52: R2: *Mar 1 04:23:43.434: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback10, changed state to down
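The showlogs script filters on hostname only. Since the IOS messages already carry their severity in the %FACILITY-SEVERITY-MNEMONIC token (0 = emergencies up to 7 = debugging, matching the levels of "logging trap"), the same filter can also drop anything below a chosen severity, which is what the "Granularity" point in the introduction is about. The script below is an added example, not code from the original post: filter_logs reads log lines on standard input, keeps those for the given hostname (or "all") whose severity number is at most MAXSEV, and strips leading spaces from the hostname with sed rather than the extglob pattern so it also runs under a POSIX sh. The sample_logs and count_sample helpers are constructed for the demonstration; the four sample lines are copied from the output shown above.

```shell
#!/bin/bash
# Added example, not from the original post: a stdin filter that extends the
# showlogs idea with a minimum-severity cut-off. IOS messages carry their
# severity in the %FACILITY-SEVERITY-MNEMONIC token (0 = emergency, 7 = debug).
# Usage: tail -f /var/log/labsyslog | filter_logs HOST [MAXSEV]
#        HOST is the router hostname as shown in the log, or "all".

# Prints only the lines for HOST whose severity is <= MAXSEV (default 7).
filter_logs() {
    local host maxsev="${2:-7}"
    # Strip leading spaces from the hostname argument, as the post's script does.
    host=$(printf '%s' "$1" | sed 's/^[[:space:]]*//')
    awk -v host="$host" -v maxsev="$maxsev" '
        # Line layout: "<mon> <day> <time> <ip> <seq>: <host>: <ios-ts>: %FAC-SEV-MNEMONIC: ..."
        {
            if (host != "all" && $6 != (host ":")) next
            if (match($0, /%[A-Z0-9_]+-[0-7]-[A-Z0-9_]+:/)) {
                split(substr($0, RSTART, RLENGTH), parts, "-")
                if (parts[2] + 0 > maxsev + 0) next
            }
            print
        }'
}

# Constructed sample input: four lines copied from the output shown in the post.
sample_logs() {
    cat <<'EOF'
Nov 10 16:38:15 172.16.0.1 64: R1: *Mar 1 04:19:35.970: %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to up
Nov 10 16:38:17 172.16.0.1 65: R1: *Mar 1 04:19:37.314: %PIM-5-DRCHG: DR change from neighbor 0.0.0.0 to 172.16.1.254 on interface FastEthernet0/0
Nov 10 16:41:03 172.16.0.2 46: R2: *Mar 1 04:22:22.730: %OSPF-5-ADJCHG: Process 1, Nbr 3.3.3.3 on FastEthernet0/1 from LOADING to FULL, Loading Done
Nov 10 16:42:23 172.16.0.2 51: R2: *Mar 1 04:23:42.434: %LINK-5-CHANGED: Interface Loopback10, changed state to administratively down
EOF
}

# Counts the lines that pass the filter for HOST/MAXSEV over the sample input.
count_sample() {
    sample_logs | filter_logs "$@" | grep -c ''
}

# Live use against the lab log file when called with arguments, e.g.
#   ./filter_logs.sh R2 4      (R2 messages at warning level or worse)
if [ -n "${1:-}" ]; then
    tail -f /var/log/labsyslog | filter_logs "$@"
fi
```

Matching on the sixth whitespace-separated field rather than on a substring means "R1" cannot accidentally match a host named "R10", and the severity check falls through (the line is printed) for any message that does not carry a %FACILITY-SEVERITY-MNEMONIC token.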


Thank you,