Cisco – Syslog does not record logs received over TCP to a file

ciscologgingrouterrsyslogsyslog

I am trying to setup a centralized rsyslog server on CentOS 6.5 for Cisco routers and switches. On the Cisco devices, I've set the correct date/time and enabled timestamps, logging to the server over TCP on port 514, set the facility to local4 for routers and local5 for switches, and am trapping debug for testing.

In /etc/rsyslog.conf, I've enabled TCP and set local4.* to log to /var/log/cisco/routers.log and local5.* to log to /var/log/cisco/switches.log.

I checked SELinux and it didn't report any violations. I've tested with the firewall on (port 514 allowed through) and iptables off. I can see the connections are established and tcpdump shows syslog packets are coming into the server, but syslog does not log anything to the files. It doesn't log anything received to /var/log/messages either.

When I tested with UDP, it works perfectly fine. And this was without modifying $AllowedSender. Any ideas what could be the problem?

Best Answer

Looks like you need to configure the $imtcp portion of the config.

module(load="imtcp" MaxSessions="500")
input(type="imtcp" port="514")

Add that to the beginning of the rsyslog.conf, then restart the service.

Related Solutions

RSyslog does not work with a log file located outside of /var/log

SELinux will prevent processes that are labeled syslogd_t to write to files that are (probably) labeled default_t. You need to label the file with something syslogd_t can write to. Files in /var/log are mostly labeled var_log_t, a type syslogd_t can surely write to.

You should not just relabel the files in /Testing to var_log_t, because that's bound to break at some point, when somebody executes an autorelabel at the next boot or runs restorecon -FvR /.

Instead, write a little policy that automatically and consistently labels your files in /Testing. Something to get your started. Your policy file could look similar to this:

/Testing(/.*)?    --    gen_context(system_u:object_r:var_log_t)

SELinux policy writing however, is a tad tricky. Which is why you should put stuff at the default location for that stuff.

However, I personally feel that logging should really go into /var/log. It's there for a reason. No matter how good you think your reason is for writing to /Testing, it's probably better to write to something like /var/log/testing.

Edit: no, no, no, no, no. That won't do. That was silly. You do not want to write a policy to allow syslogd_t to write to var_log_t, because that is already allowed by the default policy. You need to write filecontext rules (a .fc file), like my new snippet above, to label /Testing as var_log_t if you must...

Postgresql – syslog writing to general instead of specific file

It looks to me like you have a typo in your postgresql.conf file. Make sure that you're actually using

syslog_facility = 'local0'

Also, old syslogd required that hard tabs be used instead of spaces in your config file, so make sure that you aren't actually using spaces, or that your editor isn't converting tabs into spaces (such as the expandtab option in vim).

You also mention both old syslogd and rsyslog, so check to see which one you are actually using. Rsyslog's config file was designed to be backward compatible with syslogd, but does use a different file. So if you are using rsylog then add your logging line to /etc/rsyslog.conf instead.

In order to prevent those messages from also showing up in /var/log/messages you'll need to explicitly filter out that facility. In order to do that, modify your config for messages to this:

*.=info;*.=notice;*.=warn;\
    auth,authpriv.none;\
    cron,daemon.none;\
    mail,news.none;\
    local0.none          -/var/log/messages

That translates to, "Do not write any severity levels from the local0 facility to this file." Or, in effect, exclude anything local0.*.

Best Answer

Related Solutions

RSyslog does not work with a log file located outside of /var/log

Postgresql – syslog writing to general instead of specific file

Related Topic