How to confiure Syslog

K-Dubb

I have reviewed the help for NPM, and it seems that all you need to is start the SNMP Syslog service, and SolarWinds Syslog service.  However, i am still not seeing any messages.  Is there something I am supposed to configure on each server as well?

ecklerwr1

For windows to send event logs to syslog you can use this free util from Purdue:

http://code.google.com/p/eventlog-to-syslog/

It supports vista, windows 7, and server 2008 and can be compiled for 32 or 64 bit environs

you can also use SolarWinds log forwarder which they have improved in the latest version.

For cisco devices:

Syslog Configuration and Cisco Devices

Syslog reserves facilities "local0" through "local7" for log messages received from remote servers and network devices. Routers, switches, firewalls and load balancers each logging with a different facility can each have their own log files for easy troubleshooting. The following examples will show how to have a different log file for each class of device.

If you have a large data center, then you may also want to switch off all logging to /var/log/messages as suggested above for the home/SOHO environment. In all the network device configuration examples below we are logging to the remote Linux logging server 192.168.1.100 which we set up in the previous section.

 

Cisco Routers

By default Cisco routers send syslog messages to their logging server with a default facility of local7. We won't set the facility in this case, but we can tell the router to timestamp the messages and make the messages have the source IP address of the loopback interface.

 

service timestamps log datetime localtime
no logging console
no logging monitor
logging 192.168.1.100

 

Catalyst CAT Switches running CATOS

By default Cisco switches also send syslog messages to their logging server with a default facility of local7. We won't change this facility either, therefore making routers and switches log to the same file.

 

set logging server enable
set logging server 192.168.1.100
set logging level all 5
set logging server severity 6

 

Cisco Local Director

Local Directors use the "syslog output" command to set their logging facility and severity. The value provided must be in the format FF.SS (facility.severity) using the numbering scheme below:

 

Facility	FF Value		Severity	SS Value
local 0	16		System unusable	0
local 1	17		Immediate action required	1
local 2	18		Critical condition	2
local 3	19		Error conditions	3
local 4	20		Warning conditions	4
local 5	21		Normal but significant conditions	5
local 6	22		Informational messages	6
local 7	23		Debugging messages	7

 

Here we using facility LOCAL4 and logging debugging messages and above.

 

syslog output 20.7
no syslog console
syslog host 192.168.1.100

Cisco PIX Filewalls

PIX firewalls use the following numbering scheme to determine their logging facilities.

 

Facility	Logging Facility Command Value
local 0	16
local 1	17
local 2	18
local 3	19
local 4	20
local 5	21
local 6	22
local 7	23

 

This configuration example assumes that the logging server is connected on the side of the "inside" protected interface. We're sending log messages to facility LOCAL3 with a severity level of 5 (Notification) set by the "logging trap" command.

 

logging on

logging standby

logging timestamp

logging trap notifications

logging facility 19

logging host inside 192.168.1.100

 

Cisco CSS11000 (Arrowpoints)

This configuration for this is more straight forward. You specify the facility with an intuitive number using the "logging host" command and  set the severity with the "logging subsystem" command. This example shows the CSS11000 logging facility LOCAL 6 and severity level 6 (Informational)

 

logging host 192.168.1.100 facility 6
set logging subsystem all info-6
logging commands enable

Hopefully this will get you started :}