Cisco Syslog messages not appearing in the console

Posted: Fri Sep 25, 2015 10:58 am
by rpaulmorris
We have configured a Cisco ASA firewall to send its syslog messages to a Nagios Log Server on port 5544.
When I do a tcpdump on the log server I can see the syslog messages hitting the log server's interface:

15:41:08.682838 IP 10.28.102.1.syslog > 10.28.102.74.5544: SYSLOG local4.debug, length: 116
15:41:08.683169 IP 10.28.102.1.syslog > 10.28.102.74.5544: SYSLOG local4.debug, length: 116
15:41:08.683366 IP 10.28.102.1.syslog > 10.28.102.74.5544: SYSLOG local4.debug, length: 116
15:41:08.683382 IP 10.28.102.1.syslog > 10.28.102.74.5544: SYSLOG local4.debug, length: 116
15:41:08.684438 IP 10.28.102.1.syslog > 10.28.102.74.5544: SYSLOG local4.info, length: 187

but a search for syslog messages on the log server console produces no results from the Cisco device.
Other devices (CentOS mail server) are sending logs to the server and they do appear in the console.
Is there some other configuration required to display these log entries?

Re: Cisco Syslog messages not appearing in the console

Posted: Fri Sep 25, 2015 12:16 pm
by jolson
It's possible that your Cisco ASA logs don't match the default 'syslog' input that's assigned to port 5544. Try sending the logs to our default 'raw' input at UDP port 2056 instead.

If sending the logs to the raw UDP input works properly, you may desire to set up a new input specifically geared toward your Cisco ASA. Let me know once you've reached that point. Thanks!

Re: Cisco Syslog messages not appearing in the console

Posted: Wed Sep 30, 2015 1:30 pm
by rpaulmorris
OK, the ASA was changed to send its syslog messages to UDP port 2056:

18:26:32.370183 IP 10.28.102.1.syslog > 10.28.102.74.omnisky: SYSLOG local4.debug, length: 116
18:26:32.418504 IP 10.28.102.1.syslog > 10.28.102.74.omnisky: SYSLOG local4.debug, length: 180
18:26:32.418533 IP 10.28.102.1.syslog > 10.28.102.74.omnisky: SYSLOG local4.info, length: 183
18:26:32.418826 IP 10.28.102.1.syslog > 10.28.102.74.omnisky: SYSLOG local4.info, length: 174
18:26:32.435806 IP 10.28.102.1.syslog > 10.28.102.74.omnisky: SYSLOG local4.debug, length: 116

but a search for source 10.28.102.1 results in 0 hits in the dashboard.

Re: Cisco Syslog messages not appearing in the console

Posted: Wed Sep 30, 2015 1:40 pm
by rpaulmorris
The Cisco was reconfigured to send its syslog messages to UDP port 2056:

18:34:53.309964 IP 10.28.102.1.syslog > 10.28.102.74.omnisky: SYSLOG local4.debug, length: 116
18:34:53.311889 IP 10.28.102.1.syslog > 10.28.102.74.omnisky: SYSLOG local4.debug, length: 116
18:34:53.318786 IP 10.28.102.1.syslog > 10.28.102.74.omnisky: SYSLOG local4.debug, length: 116

but there are still no entries in the dashboard when searching for the source IP 10.28.102.1

Re: Cisco Syslog messages not appearing in the console

Posted: Wed Sep 30, 2015 3:12 pm
by jdalrymple
When coming into the raw input it's not likely to have the host part filtered out. You can either create that filter and make sure it's assigned to events coming into the raw input, or you can simply look through the events for messages that are from the ASA. The latter method will require that you identify some distinct data manually. The former simply requires that you write a grok filter and match it to the events coming in on the filter.

Perhaps also worth using tcpdump to verify that the data is actually streaming to the server.
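
The contrast described above, worked through in Python as an added example (not code from Nagios Log Server or from anyone in this thread): a strict RFC 3164 grammar like the one a stock 'syslog' input uses accepts the mail server's line but rejects the ASA's, and a parser for the raw input has to take the host from the UDP sender address because the ASA payload carries none. It assumes the ASA's default message shape `<PRI>%ASA-severity-id: text`; the sample datagrams are constructed.

```python
import re

# Facility names 0..23 as numbered in RFC 3164 (12-15 vary by vendor);
# PRI = facility * 8 + severity, so the tcpdump's local4.info arrives as <166>.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              ] + [f"local{i}" for i in range(8)]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Shape a stock RFC 3164 "syslog" input expects: <PRI>Mmm dd hh:mm:ss host tag: msg
RFC3164_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<tag>[^:\s]+):\s*(?P<msg>.*)$")

# Assumed ASA default shape: <PRI>%ASA-<severity>-<6-digit id>: msg, with no
# timestamp or hostname unless enabled on the firewall; any prefix before the
# %ASA- tag is tolerated but ignored.
ASA_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>[^%]*%ASA-(?P<sev>\d)-(?P<msgid>\d{6}):\s*(?P<msg>.*)$")

def rfc3164_matches(line: str) -> bool:
    """True if the stock syslog grammar would accept this payload as-is."""
    return RFC3164_RE.match(line) is not None

def parse_event(line: str, src_ip: str) -> dict:
    """Normalise one datagram for the raw input; src_ip (the UDP sender) becomes
    'host' when the payload carries no hostname, so a search by address works."""
    m = ASA_RE.match(line) or RFC3164_RE.match(line)
    pri = int(m["pri"]) if m else 999
    if pri > 191:  # no match, or PRI outside the 24 x 8 facility/severity grid
        return {"parser": None, "host": src_ip, "message": line}
    is_asa = "msgid" in m.groupdict()
    return {
        "parser": "asa" if is_asa else "rfc3164",
        "facility": FACILITIES[pri >> 3],
        "severity": SEVERITIES[pri & 7],
        "host": m.groupdict().get("host") or src_ip,
        "tag": f"ASA-{m['sev']}-{m['msgid']}" if is_asa else m["tag"],
        "message": m["msg"],
    }

# Constructed sample datagrams (sender address, payload): the ASA sender address
# is the one from the thread; the mail server's address and text are made up.
SAMPLES = [
    ("10.28.102.20", "<22>Sep 25 15:41:08 mail01 postfix/smtpd[2231]: connect from unknown[192.0.2.10]"),
    ("10.28.102.1", "<166>%ASA-6-302013: Built outbound TCP connection 8841 for "
                    "outside:198.51.100.5/443 (198.51.100.5/443) to inside:10.28.102.50/51200 (10.28.102.50/51200)"),
]
```

Running `parse_event(raw, ip)` over `SAMPLES` yields `host: mail01` from the payload for the first line and `host: 10.28.102.1` from the sender for the second, which is the field a raw-input search needs populated.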

Re: Cisco Syslog messages not appearing in the console

Posted: Fri Oct 02, 2015 10:45 am
by rpaulmorris
tcpdump shows this:

15:36:49.697963 IP 10.28.102.1.syslog > 10.28.102.74.omnisky: SYSLOG local4.debug, length: 116
15:36:49.698836 IP 10.28.102.1.syslog > 10.28.102.74.omnisky: SYSLOG local4.debug, length: 116
15:36:49.699400 IP 10.28.102.1.syslog > 10.28.102.74.omnisky: SYSLOG local4.debug, length: 116
15:36:49.699418 IP 10.28.102.1.syslog > 10.28.102.74.omnisky: SYSLOG local4.debug, length: 116
15:36:49.699433 IP 10.28.102.1.syslog > 10.28.102.74.omnisky: SYSLOG local4.debug, length: 116
15:36:49.699940 IP 10.28.102.1.syslog > 10.28.102.74.omnisky: SYSLOG local4.debug, length: 116
15:36:49.699972 IP 10.28.102.1.syslog > 10.28.102.74.omnisky: SYSLOG local4.debug, length: 116
15:36:49.700528 IP 10.28.102.1.syslog > 10.28.102.74.omnisky: SYSLOG local4.debug, length: 116
15:36:49.710435 IP 10.28.102.1.syslog > 10.28.102.74.omnisky: SYSLOG local4.debug, length: 116
15:36:49.719185 IP 10.28.102.1.syslog > 10.28.102.74.omnisky: SYSLOG local4.debug, length: 116

Modified my input file:

    # raw input, listening on TCP and UDP 2056
    tcp {
        type => 'import_raw'
        tags => 'import_raw'
        port => 2056
    }
    udp {
        type => 'import_raw'
        tags => 'import_raw'
        port => 2056
    }

still no entries in the dashboard

Re: Cisco Syslog messages not appearing in the console

Posted: Fri Oct 02, 2015 11:22 am
by jolson
On Nagios Log Server, were you certain to open up both TCP _and_ UDP port 2056? You can check the current firewall status like so:

iptables -L -n