Configuration Change Notification and Logging

This topic is to discuss the following lesson:

Rene,

How do we send this to the syslog server? I saw a command, notify syslog; don’t we need an IP address?
Please clarify.
Thanks

Hamood

Hi Hamood,

“notify syslog” will ensure that configuration changes will send messages to syslog, but you will still need to configure syslog to send messages to an external syslog server. Here’s how it’s done:

https://networklessons.com/network-management/cisco-ios-syslog-messages/

Rene

Hi Rene,
Can you please give me the equivalent of these commands for IOS XR?
Hope to hear from you soonest.

Hi Adekunle,

IOS XR has a similar mechanism. You can view the commit list and its changes:

RP/0/0/CPU0:ios#show configuration commit list
Mon Mar  7 11:44:19.885 UTC
SNo. Label/ID              User      Line                Client      Time Stamp
~~~~ ~~~~~~~~              ~~~~      ~~~~                ~~~~~~      ~~~~~~~~~~
1    1000000002            cisco     con0_0_CPU0         CLI         Mon Mar  7 11:44:17 2016
2    1000000001            cisco     con0_0_CPU0         CLI         Mon Mar  7 11:43:48 2016

Above you can see two changes have been made through the CLI. Here’s what the first change looks like:

RP/0/0/CPU0:ios#show configuration commit changes 1000000001
Mon Mar  7 11:44:53.743 UTC
Building configuration...
!! IOS XR Configuration 6.0.0
interface GigabitEthernet0/0/0/0
 ipv4 address 192.168.1.1 255.255.255.0
!
end

In the first change, only an IPv4 address was configured on the Gigabit interface.

Hope this helps.

Rene

Hi Rene,

Coreswitch#show archive log config all provisioning
archive
 log config
  logging enable
hidekeys
interface lo0
shutdown
interface Loopback0
no shutdown
enable secret *****

Coreswitch#show loggi
Coreswitch#show logging
Syslog logging: enabled (0 messages dropped, 0 messages rate-limited, 7 flushes, 0 overruns, xml disabled, filtering disabled)

No Active Message Discriminator.

No Inactive Message Discriminator.

    Console logging: level debugging, 129 messages logged, xml disabled,
                     filtering disabled
    Monitor logging: level debugging, 85 messages logged, xml disabled,
                     filtering disabled
        Logging to: vty2(35)
    Buffer logging:  disabled, xml disabled,
                    filtering disabled
    Exception Logging: size (4096 bytes)
    Count and timestamp logging messages: disabled
    File logging: disabled
    Persistent logging: disabled

No active filter modules.

    Trap logging: disabled

I am not able to see any logged messages sent to my terminal (SSH), unlike yours:
%PARSER-5-CFGLOG_LOGGEDCMD: User:console logged command:enable secret *****

I still see those interface up/down messages, except the LOGGED message. Does it only send to the console?

Regards,
Alan

Hi Alan,

By default, syslog will only show up on the console, not on VTY (telnet or SSH). You can enable it by typing terminal monitor on the console.

Rene


I am tasked with monitoring specific interfaces on the Cisco 9200 and sending the logs to a Nagios log server. Already I see logging 10.120.20.22 (not real IP) in the configuration, showing logs are forwarded to the server. Are there Cisco IOS commands to forward the interface logs to the Nagios server?

I am trying to achieve the following.

All systems to be monitored are on cluster 3 or “C”, and the following are the interfaces along with the servers on those interfaces: gi1/0/20, gi2/0/19 (host sds2dc1 with informant server - 10.20.11.12); gi1/0/18, gi2/0/17 (host sds2dc2 with OISPRD-192.168.110.17 which is the Oracle hotel interface for VOD and other hotel check items reported to have intermittent issues, either related to software or network, VOD server is in azure cloud at IP 51.122.15.82); gi1/0/22, gi2/0/21 (host sds2dc3 with parallax server - 10.20.28.10); gi1/0/24, gi2/0/23 (host sds2dc4 with latitude -

Hello Temitope

It depends on what you want to monitor on the device. Monitoring can take many forms including features and protocols such as syslog, SNMP, Netflow and others.

If it is configuration change notification, then you can follow the details in this Configuration Change Notification Logging lesson. Note that you can’t send configuration change logging directly to a server; it will be kept on the device itself. However, you can send the notifications to the syslog of the device. From there, you can use the various syslog features in order to send these notifications anywhere you like, such as your NAGIOS server. Information about syslog configuration can be found in this lesson:


Now having said that, NAGIOS is capable of “monitoring” a system in many ways. It can receive syslog messages of all types (not only config change notifications), but it can also monitor using SNMP, and is also compatible with Cisco Netflow. So you have a lot of choices as to how to send your data to the server.

I’m not sure why your configuration is not successfully sending the data to the NAGIOS server, but I hope that the guidelines and concepts described in the above lessons will help you out in your troubleshooting procedures.

I hope this has been helpful!

Laz

Thanks a lot… my concern is I configured the following:

logging 10.20.5.23
logging trap 6
Logging source-interface GigabitEthernet 1/0/20
Logging source-interface GigabitEthernet 2/0/19
Logging source-interface GigabitEthernet 1/0/18
Logging source-interface GigabitEthernet 2/0/17
Logging source-interface GigabitEthernet 1/0/22
Logging source-interface GigabitEthernet 2/0/21
Logging source-interface GigabitEthernet 1/0/24
Logging source-interface GigabitEthernet 2/0/23

But when I used the show logging command to verify my config, it only shows gi2/0/23 as the only log source interface… what about the other interfaces?

 Logging to 10.20.5.23  (udp port 514, audit disabled,
              link up),
              1061 message lines logged, 
              0 message lines rate-limited, 
              0 message lines dropped-by-MD, 
              xml disabled, sequence number disabled
              filtering disabled
        Logging Source-Interface:       VRF Name:
        GigabitEthernet2/0/23

Hello Temitope

The logging source-interface command is used to configure which source IP address will be used in all messages sent to the syslog server. This configuration can only have a single value. This means that every time you issued the command above, you are changing the configuration of this value. The show logging command simply shows you the current source of the syslog messages sent to the server, which is the last logging source-interface command that you issued.

For more information on how to configure an external syslog server take a look at the following lesson:


Can you share with us a little more about what you are trying to accomplish so that we can help you further?

I hope this has been helpful!

Laz

Thank you for the clarity.
I am tasked with sending logs from specific interfaces on our Nexus switches to the Nagios syslog server.
TASK:
All systems to be monitored are on cluster 3 or “C”, and the following are the interfaces along with the servers on those interfaces: gi1/0/20, gi2/0/19 (host sds2dc1 with informant server - 10.10.11.12); gi1/0/18, gi2/0/17 (host sds2dc2 with OISPRD-192.168.153.66).

I was hoping to send logs from those specific interfaces to Nagios

Hello Temitope

Because Nagios is capable of monitoring both syslog as well as SNMP messages, you must first determine what you want to do. Because you initially were using the logging command, we are focusing on syslog messages. I will respond to both however, so you can make a more responsible decision as to how you want to approach the issue.

In general, it is not best practice to try to filter syslog messages at the device itself. When you direct logging to a specific syslog server, such as Nagios, all syslog messages are sent there. You can configure the severity of the syslog messages that will be sent, ranging from 0 to 7, but not on a per interface basis. For more info about syslog and severity configurations, take a look at the syslog lesson I posted in a previous post.

You may be able to filter these messages using a complex configuration including EEM scripting, but this is too much hassle for what you want to achieve. The syslog feature will send all syslog messages (of configured severity) from all interfaces on the device to the syslog server.

But remember, the syslog server has powerful tools that can sort, parse, and further analyze these syslog messages. That’s one of the primary purposes of the server. Within this configuration, you should be able to filter out all the unneeded and unnecessary information, so you just have what you want to see. You could even configure specific alarms for particular interfaces so that you can be informed if a threshold has been exceeded.

If on the other hand you are using SNMP, then you can easily specify which interface is of interest to you so that information about that interface can be sent to the SNMP server and further analyzed. For more information about SNMP, take a look at the following lesson:


I hope this has been helpful!

Laz
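Laz’s point above is that the switch sends every syslog message and the per-interface selection belongs on the collector. As an added example that is not part of this thread, here is a small Python filter a syslog server such as Nagios could run over the lines an IOS switch sends: link events plus the %PARSER-5-CFGLOG_LOGGEDCMD lines the change-notification feature produces, keeping only those that concern a watched set of interfaces. The sample lines, hostname and user names are constructed for the example; interface names may be given in short form (gi1/0/20) as Temitope wrote them.

```python
import re

# Constructed sample of what a syslog collector (e.g. Nagios Log Server) receives from an IOS
# switch with "archive / log config / notify syslog"; host, users and interfaces are assumptions.
SAMPLE_LOG = """\
<189>121: Coreswitch: Mar  7 11:44:17: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/20, changed state to down
<189>122: Coreswitch: Mar  7 11:45:02: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/5, changed state to down
<189>123: Coreswitch: Mar  7 11:46:40: %PARSER-5-CFGLOG_LOGGEDCMD: User:alan logged command:interface GigabitEthernet2/0/19
<189>124: Coreswitch: Mar  7 11:46:41: %PARSER-5-CFGLOG_LOGGEDCMD: User:alan logged command:shutdown
<189>125: Coreswitch: Mar  7 11:46:45: %PARSER-5-CFGLOG_LOGGEDCMD: User:alan logged command:exit
<189>126: Coreswitch: Mar  7 11:47:10: %PARSER-5-CFGLOG_LOGGEDCMD: User:console logged command:enable secret *****
"""

SYSLOG_RE = re.compile(r"%[A-Z0-9_]+-\d-(?P<mnemonic>[A-Z0-9_]+): (?P<text>.*)$")
IFACE_RE = re.compile(r"Interface (?P<iface>\S+),")
CFGLOG_RE = re.compile(r"User:(?P<user>\S+)\s+logged command:(?P<cmd>.*)$")

def normalize_interface(name):
    """Expand an abbreviated IOS interface name ('gi1/0/20') to the long form used in syslog text."""
    m = re.match(r"^([A-Za-z]+)([\d/.]+)$", name.strip())
    if m:
        for long in ("GigabitEthernet", "TenGigabitEthernet", "FastEthernet", "Loopback"):
            if long.lower().startswith(m.group(1).lower()):
                return long + m.group(2)
    return name

def select_events(log_text, watched):
    """Return (interface, kind, detail) for messages touching the watched interfaces; CFGLOG
    commands are tied to the interface the same user last entered with 'interface ...'."""
    watched_long = {normalize_interface(i) for i in watched}
    context, hits = {}, []  # user -> interface currently selected in configuration mode
    for line in log_text.splitlines():
        m = SYSLOG_RE.search(line)
        if not m: continue
        text = m.group("text")
        if m.group("mnemonic") == "CFGLOG_LOGGEDCMD":
            c = CFGLOG_RE.search(text)
            if not c: continue
            user, cmd = c.group("user"), c.group("cmd").strip()
            if cmd.lower().startswith("interface "):
                context[user] = normalize_interface(cmd.split(None, 1)[1])
            elif cmd.lower() in ("exit", "end"):
                context.pop(user, None)
            elif context.get(user) in watched_long:
                hits.append((context[user], "config-change", f"{user}: {cmd}"))
        else:
            im = IFACE_RE.search(text)
            if im and normalize_interface(im.group("iface")) in watched_long:
                hits.append((normalize_interface(im.group("iface")), m.group("mnemonic"), text))
    return hits
```

Running select_events(SAMPLE_LOG, {"gi1/0/20", "gi2/0/19", "gi1/0/18", "gi2/0/17"}) keeps the link-down on gi1/0/20 and the shutdown applied under gi2/0/19, and drops the gi1/0/5 event and the console command that was not issued under a watched interface.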

Hello, everyone!

I haven’t covered much of AAA yet, but I know that the last A stands for Accounting. Accounting is responsible for logging what the user has done, correct?

I know that we can use protocols like TACACS+ or RADIUS to implement AAA. So could we also achieve the same outcome as demonstrated in this lesson with those two protocols instead of using the Change notification feature?

Thank you.

David

Hello David

The Change Notification feature is a tool that performs a very specific function that helps network administrators monitor configuration changes in real time. It creates syslog entries when changes are made, and includes the details of the specific commands that were applied.

As far as AAA goes, you’re absolutely correct in your understanding. The Accounting aspect does indeed keep track of what a user does while they have access to the network. However, it keeps track in a different way from the Change Notification feature. For example, with RADIUS, when a session begins, the “Accounting” mechanisms kick in, and data is collected. What data is collected depends upon the configured attributes to be included in the accounting records. You can configure these attributes so that they capture all configuration changes. Such data is then sent to the RADIUS server along with all other accounting data that has been configured to be captured, and stored for future analysis. Once collected, it would have to be parsed to filter out the specific accounting info collected that pertains to configuration changes.

Strictly speaking, RADIUS could capture all of the same data as the Change Notification feature, however, the collected data is presented in very different ways, and depending on your needs, one way may be preferable to the other.

I hope this has been helpful!

Laz