LoriotPro, acting as a syslog server, can receive syslog messages sent by systems (Linux and Unix) and by network devices.
The LoriotPro syslog server provides a central point for collecting and processing system logs (syslog). These logs are useful later for troubleshooting and auditing.
Syslog messages can be filtered by LoriotPro on multiple conditions and can trigger actions that notify the administrator of a system or network fault or of a security breach.
The syslog system provides the transport and storage mechanisms for event notification messages, in the form of logs. Syslog is a de facto standard, documented in RFC 3164, for logging system events. It was initially used by Unix systems and later adopted by network devices (routers, switches) and firewalls. It is particularly useful in a Cisco environment for collecting the syslog output of PIX firewalls and of routers and switches running IOS.
Example of Syslog messages console of LoriotPro.
Remark: LUTEUS has also released a complete solution for syslog message management called SYSLOG COLLECTOR. The Syslog Collector is far more powerful than this embedded syslog server, whose feature set is limited. Consult the Syslog Collector documentation on our web site, www.loriotpro.com, for more details.
Syslog message filters can be set on:
When syslog message filters are matched, the following actions can be triggered.
The last two of these actions can also be triggered by a cumulative count of the same message.
A syslog message is an ASCII string that consists of:
Syslog messages come in 8 severity levels ranging from emergencies (most severe) to debugging (least severe).
Numerical Code | Severity | Meaning
---|---|---
0 | Emergency | system is unusable
1 | Alert | action must be taken immediately
2 | Critical | critical conditions
3 | Error | error conditions
4 | Warning | warning conditions
5 | Notice | normal but significant condition
6 | Informational | informational messages
7 | Debug | debug-level messages
Syslog messages are generally categorized on the basis of the source programs that generate them. These source programs can be the operating system itself, a process or an application.
These categories, called facilities, are represented by integers. On the wire, the facility and the severity are combined into the numeric PRI field that opens an RFC 3164 message (PRI = facility × 8 + severity, written as <PRI> in front of the text), which is how the collector recovers both values.
Numerical Code | Facility
---|---
0 | kernel messages
1 | user-level messages
2 | mail system
3 | system daemons
4 | security/authorization messages
5 | messages generated internally by syslog
6 | line printer subsystem
7 | network news subsystem
8 | UUCP subsystem
9 | clock daemon
10 | security/authorization messages
11 | FTP daemon
12 | NTP subsystem
13 | log audit
14 | log alert
15 | clock daemon
16 | local use 0 (local0)
17 | local use 1 (local1)
18 | local use 2 (local2)
19 | local use 3 (local3)
20 | local use 4 (local4)
21 | local use 5 (local5)
22 | local use 6 (local6)
23 | local use 7 (local7)
Syslog messages can be acknowledged individually or by group. Acknowledged syslog messages are shown in light grey on a white background.
Syslog messages displayed in the syslog window can be managed from the contextual menu.
The syslog contextual menu offers the following options:
- Acknowledge selected syslog messages
- Acknowledge all syslog messages
- Clear only the acknowledged syslog messages
- Clear all syslog messages
- Clear selected syslog messages
Filter rules are sets of filters gathered in a filter list. Each time a syslog message arrives, it is checked against each rule in the list, sequentially from top to bottom.
By default, a few rules are defined to display syslog messages and send a default event. The first default rule matches all syslog messages and stops the walk, so the rules below it are not processed (its Next Filter option is set to No); new, more specific rules must therefore be inserted above it.
A rule contains conditions and actions. If the conditions are satisfied, the actions are executed.
A single syslog message can match multiple filter rules and trigger multiple actions.
One of the possible actions stops the walk through the filter list and moves on to the processing of the next incoming message.
To create, move and delete rules, use the buttons of the filter window:
- Insert a new filter rule above the selected rule.
- Insert a new filter rule below the selected rule.
- Insert a new filter rule at the top of the list.
- Insert a new filter rule at the bottom of the list.
- Move the selected filter rule up.
- Move the selected filter rule down.
- Delete the selected filter rule.
Column | Explanation
---|---
IP Address | Condition field. The agent checks that the source IP address of the sender matches the IP address and network mask specified here. Double-click the field in the filter list to modify it. Classic syslog is carried over UDP without authentication, so the sender address can be spoofed; treat this condition as a way of routing messages to rules, not as proof of origin.
Facility | Filters messages by their facility code. The facility is set by the device that sends the syslog message.
Level | Filters messages by their severity level. The level is set by the device that sends the syslog message.
String 1 | A syslog message is a plain character string. "String 1" matches when this string occurs in the message content. An empty (null) string lets any message satisfy this condition.
Offset | If an offset is specified, String 1 must start at exactly this position in the message.
And/Or | A second condition on a second string can be added; the Boolean "and" or "or" operator combines the two string conditions.
String 2 | The second string that can be defined as a condition.
Offset | Offset applied to the second string, counted in characters from the beginning of the message.
Case | Whether string matching is case-sensitive. If sensitive, uppercase and lowercase characters are not the same.
Action | If all the previous conditions are satisfied, the basic action is executed.
LoriotPro | If all the conditions are satisfied and an IP address is defined in this field, the agent sends a LoriotPro event message (proprietary format) to that address. The next fields, Event and Level, are used to build the message; the event number must be different from 0.
Event | The event number used in the LoriotPro event format.
Level | The severity level used in the LoriotPro event format.
Syslog | If all the filtering conditions are satisfied and an IP address is defined in this field, the agent forwards a syslog message to that address.
Threshold | Triggers the LoriotPro or syslog forwarding only after a predefined count. Example: with the value set to 3, the LoriotPro and/or syslog message is sent only when three incoming syslog messages matching this rule have been seen.
Next Filter | Controls whether processing of the filter rule list continues. If NO is selected, the rules below this one are not processed.
Log File | If all the conditions are satisfied and the action is log or log+display, the message is appended to the file specified here. The final file name is built from this name and the current date. The file is in CSV format and readable as text. A new file is created automatically every 24 hours.
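The severity and facility tables above and the rule semantics of this table (conditions, top-to-bottom processing, threshold, Next Filter) can be exercised with the following added example. It is illustration code written for this page, not LoriotPro's own implementation: the rule field names, the exact-match reading of Level, the treatment of an empty String 2, and the sample rules, messages and addresses (10.0.0.0/24, 10.0.0.5, 192.0.2.9, the Cisco lines) are all assumptions. The facility and severity are recovered from the RFC 3164 <PRI> prefix, PRI = facility × 8 + severity.

```python
# Added illustration, not LoriotPro code: RFC 3164 <PRI> decoding plus a rule walker of the
# same shape as the filter table (conditions, basic action, forwarding threshold, Next Filter).
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

PRI_RE = re.compile(r"^<(\d{1,3})>")


def parse_pri(raw: str) -> tuple[int, int, str]:
    """Split '<PRI>rest' into (facility, severity, rest); PRI = facility * 8 + severity.
    A missing or out-of-range PRI is treated as user.notice (13), as RFC 3164 suggests."""
    m = PRI_RE.match(raw)
    if not m or int(m.group(1)) > 191:
        return 1, 5, raw
    pri = int(m.group(1))
    return pri // 8, pri % 8, raw[m.end():]


@dataclass
class Rule:
    # One row of the filter table. Where the text is silent the semantics are assumptions:
    # Level is an exact severity match, and an empty String 2 disables the And/Or test.
    name: str
    network: Optional[str] = None      # sender must be inside this CIDR; None = any sender
    facility: Optional[int] = None     # None = any facility
    level: Optional[int] = None        # None = any severity
    string1: str = ""                  # empty string matches every message
    offset1: Optional[int] = None      # None = anywhere; else String 1 must start exactly here
    op: str = "and"                    # "and" / "or" joining String 1 and String 2
    string2: str = ""
    offset2: Optional[int] = None
    case_sensitive: bool = True
    action: str = "display"            # basic action: display, log, log+display, drop
    forward_to: Optional[str] = None   # LoriotPro event / syslog destination address, if any
    threshold: int = 1                 # forward only on every N-th match
    next_filter: bool = True           # False = stop walking the list after this rule
    hits: int = 0

    def _text_match(self, text: str, needle: str, offset: Optional[int]) -> bool:
        if not needle:
            return True
        if not self.case_sensitive:
            text, needle = text.lower(), needle.lower()
        return needle in text if offset is None else text.startswith(needle, offset)

    def matches(self, sender: str, facility: int, severity: int, text: str) -> bool:
        if self.network is not None and ipaddress.ip_address(sender) not in \
                ipaddress.ip_network(self.network, strict=False):
            return False
        if self.facility is not None and facility != self.facility:
            return False
        if self.level is not None and severity != self.level:
            return False
        s1 = self._text_match(text, self.string1, self.offset1)
        if not self.string2:
            return s1
        s2 = self._text_match(text, self.string2, self.offset2)
        return (s1 and s2) if self.op == "and" else (s1 or s2)


def process(rules: list[Rule], sender: str, raw: str) -> list[tuple[str, str]]:
    """Evaluate rules top to bottom; return (rule name, action) for each rule that fires.
    The forwarding action is reported only when the rule's hit count reaches its threshold."""
    facility, severity, text = parse_pri(raw)
    fired = []
    for rule in rules:
        if not rule.matches(sender, facility, severity, text):
            continue
        rule.hits += 1
        fired.append((rule.name, rule.action))
        if rule.forward_to and rule.hits % rule.threshold == 0:
            fired.append((rule.name, f"forward:{rule.forward_to}"))
        if not rule.next_filter:
            break
    return fired


# Constructed rule list: specific rules first, a catch-all last (like the default list).
RULES = [
    Rule("ssh-bruteforce", network="10.0.0.0/24", facility=4, string1="Failed password",
         case_sensitive=False, action="log+display", forward_to="10.0.0.5", threshold=2),
    Rule("cisco-linkdown", facility=23, string1="%LINK-3-UPDOWN", offset1=0,
         string2="state to down", action="log", next_filter=False),
    Rule("catch-all", action="display", next_filter=False),
]

# Constructed sample messages (not real captures); IOS lines omit the sequence/timestamp prefix.
SAMPLES = [
    ("10.0.0.17", "<38>Mar  1 10:00:01 srv sshd[42]: Failed password for root from 192.0.2.9"),
    ("10.0.0.17", "<38>Mar  1 10:00:02 srv sshd[42]: failed PASSWORD for root from 192.0.2.9"),
    ("10.0.1.2", "<187>%LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to down"),
    ("10.0.1.2", "<189>%SYS-5-CONFIG_I: Configured from console by vty0"),
]


def run_samples() -> list[list[tuple[str, str]]]:
    rules = [Rule(**vars(r)) for r in RULES]   # fresh hit counters on every run
    return [process(rules, sender, raw) for sender, raw in SAMPLES]
```

Run over the constructed samples, the two SSH failures (PRI 38 = auth.info) match the first rule and fall through to the catch-all, the second of them reaching the threshold and triggering the forward; the IOS link-down line (PRI 187 = local7.error) matches the second rule, which stops the walk; the IOS configuration line only reaches the catch-all. Note that the string conditions work on the text after the PRI, so an offset counts from the start of the timestamp/hostname header when one is present, not from the start of the message tag.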
A few commands are required on the Cisco device to make it send syslog messages to the LoriotPro syslog server.
In configuration mode, enter:
logging ip_address
where ip_address is the IP address of the LoriotPro syslog server.
To change the level threshold (messages at this level and more severe are sent to syslog), use the logging trap configuration command:
logging trap level
To send debugging output to the LoriotPro syslog server as well, issue logging trap debugging at the configuration prompt.
Router-1603-Cisco(config)#logging trap ?
<0-7> Logging severity level
alerts Immediate action needed (severity=1)
critical Critical conditions (severity=2)
debugging Debugging messages (severity=7)
emergencies System is unusable (severity=0)
errors Error conditions (severity=3)
informational Informational messages (severity=6)
notifications Normal but significant conditions (severity=5)
warnings Warning conditions (severity=4)
<cr>
By default, Cisco IOS sends all messages of informational (severity 6) and more severe to the syslog server.
This means that everything except debugging output will be received by the LoriotPro syslog server.
If you need to store the debugging output for later analysis, you have to send debugging output too.
Warning: keep in mind the effect that syslog logging has on the network device. If the device sends too much logging information to the LoriotPro syslog server, its own performance suffers and the network can be overloaded. If the number of syslog debugging messages is going to be voluminous, use this command with great care and attention.
Configuring a PIX to send syslog messages requires only a few commands, but they depend on the PIX version.
Furthermore, the syslog messages generated by a Cisco PIX Firewall begin with a percent sign (%) and are slightly different from the IOS syslog messages.
Following is the format of syslog messages generated by a Cisco PIX Firewall:
%PIX-Level-Message_number: Message_text
In the syslog output X.Y command of PIX releases before 4.2, X is the logging facility (16 to 23, that is local0 to local7) and Y is the level. As an example, since 22 = 00010110 and the last four bits 0110 = decimal 6, X=22 is local6. (A shortcut is to take the X value and subtract 16. For example, 22-16=6, or local6.)
The Y number is the level. As an example, if Y=2, the messages sent include those at level 2 (critical), level 1 (alert) and level 0 (emergency). The PIX levels are 0-7; they should not be confused with the logging facilities (local0-local7).
Examples:
syslog output 20.7: 20 is the local4 logging facility; .7 is the level, and 7 means debug to the PIX (all messages are logged).
syslog output 23.2: 23 is the local7 logging facility; .2 is the level, and 2 means critical to the PIX (critical, alert and emergency messages are logged).
The syntax for syslog changed in PIX Software releases 4.2.x. Instead of the syslog host #.#.#.# command, use the new logging host #.#.#.# command. In 4.2.x, the logging facility and level definitions are the same, but instead of using the syslog output X.Y command, you need to have these two statements:
logging facility X
logging trap Y
The level is no longer expressed as a number. It is expressed as the name of the level. This is an example:
syslog output 20.7
logging facility 20 (local4)
logging trap debugging (debugging through emergency)
In 4.3.x and later, you can prevent particular syslog messages from being sent, and you can timestamp the messages that are sent.
In addition to the logging host, logging facility and logging trap commands above, you can issue a command that suppresses a given message number and a command that adds timestamps.
Applied to message 111005, this results in all messages except 111005 (that is, "End configuration") being sent with timestamps.
Remark: because the 111005 message is a Notification-level syslog message, it is not seen anyway if the level on the PIX is set to Emergency, Alert, Critical, Error or Warning.
This is an example of a time-stamped non-111005 message. (The first timestamp is from our UNIX server and the second is from the PIX.)
Apr 25 13:15:35 10.31.1.53 Apr 25 1999 13:23:00: %PIX-5-111007:
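The following added example (not Cisco or LoriotPro code) carries the X.Y arithmetic above through in code: it converts an old syslog output X.Y value into the 4.2+ logging facility / logging trap pair, parses %PIX-Level-Message_number lines whether or not they are preceded by the collector's and the PIX's own timestamps, and reports which messages a PIX at a given trap level would send. The message texts, the collector and PIX addresses, message number 106001 (a level-2 connection-denied message that this page does not show) and the name of the per-message suppression command, assumed here to be no logging message <id>, are assumptions.

```python
# Added illustration, not Cisco or LoriotPro code: the "syslog output X.Y" to
# "logging facility X" / "logging trap <name>" translation, a parser for
# %PIX-Level-Message_number lines, and the level/suppression check a PIX applies.
import re
from typing import Optional

# Names accepted by "logging trap", indexed by severity (0 = emergencies ... 7 = debugging).
TRAP_NAMES = ["emergencies", "alerts", "critical", "errors",
              "warnings", "notifications", "informational", "debugging"]
PIX_RE = re.compile(r"%PIX-(?P<level>[0-7])-(?P<msgid>\d{6}):\s*(?P<text>.*)")


def translate_syslog_output(xy: str) -> tuple[str, str, str]:
    """'20.7' -> ('local4', 'logging facility 20', 'logging trap debugging').
    X must be 16..23: localN = X - 16, which for that range equals the low bits X & 0b0111."""
    x, y = (int(part) for part in xy.split("."))
    if not (16 <= x <= 23 and 0 <= y <= 7):
        raise ValueError(f"invalid syslog output value {xy!r}")
    return f"local{x & 0b0111}", f"logging facility {x}", f"logging trap {TRAP_NAMES[y]}"


def parse_pix(line: str) -> Optional[tuple[int, str, str]]:
    """Return (level, message number, text) for a PIX line, or None when no %PIX tag is present.
    re.search rather than re.match, so collector and PIX timestamps before the tag are skipped."""
    m = PIX_RE.search(line)
    if m is None:
        return None
    return int(m.group("level")), m.group("msgid"), m.group("text")


def would_be_sent(line: str, trap_level: int, suppressed: frozenset = frozenset()) -> bool:
    """A PIX at 'logging trap Y' emits levels 0..Y only. Message numbers in `suppressed` model
    the per-message disabling described above (assumed: configured with 'no logging message <id>')."""
    parsed = parse_pix(line)
    if parsed is None:
        return False
    level, msgid, _ = parsed
    return level <= trap_level and msgid not in suppressed


# Constructed sample lines (texts are illustrative). The first carries the collector's timestamp
# and then the PIX's own one, as in the handbook example above; the last is not a PIX line.
LINES = [
    "Apr 25 13:15:35 10.31.1.53 Apr 25 1999 13:23:00: %PIX-5-111005: End configuration: "
    "console reading from terminal",
    "Apr 25 1999 13:22:58: %PIX-5-111007: Begin configuration: console reading from terminal",
    "%PIX-2-106001: Inbound TCP connection denied from 192.0.2.7/40123 to 10.31.1.10/23 "
    "flags SYN on interface outside",
    "Apr 25 13:16:02 10.31.1.53 something that is not a PIX message",
]


def sent_at(trap_level: int, suppressed: frozenset = frozenset()) -> list[str]:
    """Message numbers from LINES that a PIX at `trap_level` would actually send."""
    return [parse_pix(line)[1] for line in LINES if would_be_sent(line, trap_level, suppressed)]
```

With logging trap debugging all three PIX messages pass; at logging trap warnings only the level-2 denial does, which is the point of the remark above that a Notification-level message such as 111005 is never seen at a stricter trap level, whether or not it has been suppressed explicitly.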