
Building a Linux syslog server for Cisco logging

2010-01-14 17:47
Purpose:
Build a Linux server that receives and records log events from a Cisco switch.
Addresses used in this lab:
Cisco switch: 10.0.0.71
Linux syslog server: 192.168.80.63
The procedure has two parts.
1) The switch
First configure the switch so that it sends its log messages to the server:
(config)#logging on                  (enable logging)
(config)#logging facility local4     (facility code; IOS defaults to local7, and this value must match the selector used on the Linux side)
(config)#logging 192.168.80.63       (send syslog messages to this host)
(config)#logging trap                (enable sending to syslog hosts)
Note: logging trap <level> sets the maximum severity that is forwarded to the syslog host. With no level given, IOS uses informational (6), which is what this setup relies on; both severity-3 and severity-5 messages appear in the sample output at the end, so do not set the level below notifications (5) if you want to see them.

To change the facility use the logging facility command, then verify the result with show logging.

2) Linux
2.1 Edit /etc/syslog.conf (this file decides which file the messages arriving from the Cisco are written to):
[root@localhost log]# vi /etc/syslog.conf
# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.* /dev/console

# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none /var/log/messages

# The authpriv file has restricted access.
authpriv.* /var/log/secure

# Log all the mail messages in one place.
mail.* -/var/log/maillog

# Log cron stuff
cron.* /var/log/cron

# Everybody gets emergency messages
*.emerg *

# Save news errors of level crit and higher in a special file.
uucp,news.crit /var/log/spooler

# Save boot messages also to boot.log
local7.* /var/log/boot.log
local4.* /var/log/80.log
(The asterisk means all severities. local4 here matches the facility configured on the Cisco, so everything the switch sends is written to /var/log/80.log. Note that the *.info line above also matches local4 messages of severity informational or higher, so the same messages will additionally land in /var/log/messages; add local4.none to that selector if you want them only in 80.log.)
There are 8 severity levels, documented in man syslog; the kernel's own KERN_* macros use the same numbering:
#define KERN_EMERG "<0>" /* system is unusable */
#define KERN_ALERT "<1>" /* action must be taken immediately */
#define KERN_CRIT "<2>" /* critical conditions */
#define KERN_ERR "<3>" /* error conditions */
#define KERN_WARNING "<4>" /* warning conditions */
#define KERN_NOTICE "<5>" /* normal but significant condition */
#define KERN_INFO "<6>" /* informational */
#define KERN_DEBUG "<7>" /* debug-level messages */
The same levels as they are written in syslog.conf, from most to least severe:
emerg   - system is unusable
alert   - action must be taken immediately
crit    - critical conditions
err     - error conditions (error is accepted as a synonym)
warning - warning conditions (warn is accepted as a synonym)
notice  - normal but significant condition
info    - informational
debug   - debug-level messages
A selector such as local4.info matches that level and everything more severe (numerically lower). none is not a level: it is a selector keyword that excludes a facility entirely, as in mail.none above.
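The facility and severity numbers above are what tie the two halves of the setup together: the switch encodes local4 and the message severity into the PRI field of each datagram, and syslogd compares them against every selector in syslog.conf. The following Python script is an added example, not code from the original post. It encodes and decodes PRI values and evaluates the post's two selectors against a message, including the local4.none variant suggested above. The message values fed to it are constructed.

```python
"""Syslog PRI arithmetic and classic sysklogd selector matching.

Added example (not from the original post). Facility codes and the
PRI = facility * 8 + severity rule are from RFC 3164; selector semantics
follow sysklogd: 'fac.level' means that level or more severe, 'none'
excludes the facility, and later parts of a selector override earlier
ones for the same facility ('=' and '!' prefixes are not modelled).
"""

FACILITIES = {
    "kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
    "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
    "local0": 16, "local1": 17, "local2": 18, "local3": 19,
    "local4": 20, "local5": 21, "local6": 22, "local7": 23,
}
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


def encode_pri(facility, severity):
    """PRI value a sender puts in '<PRI>'; local4/notice -> 165."""
    return FACILITIES[facility] * 8 + SEVERITIES.index(severity)


def decode_pri(pri):
    """Inverse of encode_pri: (facility_name, severity_name)."""
    fac_code, sev_code = divmod(pri, 8)
    fac = next((n for n, c in FACILITIES.items() if c == fac_code), "unknown%d" % fac_code)
    return fac, SEVERITIES[sev_code]


def selector_matches(selector, facility, severity):
    """Evaluate one syslog.conf selector field, e.g. '*.info;mail.none'."""
    sev_code = SEVERITIES.index(severity)
    result = False
    for part in selector.split(";"):
        facs, _, level = part.partition(".")
        fac_list = FACILITIES.keys() if facs == "*" else facs.split(",")
        if facility not in fac_list:
            continue
        if level == "none":
            result = False
        elif level == "*":
            result = True
        else:
            # 'info' means info or more severe, i.e. numerically <= 6
            result = sev_code <= SEVERITIES.index(level)
    return result


def route(rules, facility, severity):
    """Files a message with this facility/severity is written to."""
    return [target for selector, target in rules if selector_matches(selector, facility, severity)]


# The two relevant lines of the post's /etc/syslog.conf ...
RULES_AS_POSTED = [
    ("*.info;mail.none;authpriv.none;cron.none", "/var/log/messages"),
    ("local4.*", "/var/log/80.log"),
]
# ... and the variant that keeps the Cisco messages out of /var/log/messages.
RULES_DEDUPED = [
    ("*.info;mail.none;authpriv.none;cron.none;local4.none", "/var/log/messages"),
    ("local4.*", "/var/log/80.log"),
]

if __name__ == "__main__":
    # Constructed PRI as the switch would send for %SYS-5-CONFIG_I on local4.
    fac, sev = decode_pri(165)
    print(fac, sev, "->", route(RULES_AS_POSTED, fac, sev))
    print(fac, sev, "->", route(RULES_DEDUPED, fac, sev))
```

Running it shows that a local4/notice message is written to both files with the configuration as posted and only to /var/log/80.log once local4.none is added, while a local4/debug message only ever reaches 80.log because it is less severe than the *.info threshold.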

2.2 Edit /etc/sysconfig/syslog
This is needed because syslogd by default only reads the local /dev/log socket; -r makes it also accept messages from the network. Be aware that -r opens UDP 514 on every interface with no authentication, so anyone who can reach the port can inject messages; restrict it with the firewall rule in 2.5.

# Options to syslogd
# -m 0 disables 'MARK' messages.
# -r enables logging from remote machines
# -x disables DNS lookups on messages received with -r (the sender is recorded by IP, which is why the sample output shows 10.0.0.71 instead of a hostname)
# See syslogd(8) for more details
SYSLOGD_OPTIONS="-m 0"   change to   SYSLOGD_OPTIONS="-r -x -m 0"
# Options to klogd
# -2 prints all kernel oops messages twice; once for klogd to decode, and
#    once for processing with 'ksymoops'
# -x disables all klogd processing of oops messages entirely
# See klogd(8) for more details
KLOGD_OPTIONS="-x"
#
SYSLOG_UMASK=077
# set this to a umask value to use for all log files as in umask(1).
# By default, all permissions are removed for "group" and "other".
2.3 After editing the syslog configuration, restart the service:
service syslog restart
2.4 Check the syslogd process:
ps -ef | grep syslogd | grep -v grep
root 30307 1 0 13:59 ? 00:00:00 syslogd -r -x -m 0     ### -r present means the new options took effect
2.5 Allow the Cisco's datagrams into the Linux host.
[root@localhost log]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT udp -- anywhere 192.168.80.63 udp dpt:syslog

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

The rule was added with: iptables -A INPUT -p udp -d 192.168.80.63 --dport 514 -j ACCEPT
As listed, it accepts UDP 514 from anywhere, and with the INPUT policy at ACCEPT it changes nothing until the default policy is DROP. Because syslog over UDP carries no authentication and source addresses are trivially spoofed, limit the rule to the switch (add -s 10.0.0.71) and make sure other traffic to the port is dropped.
2.6 Check that the server is listening on UDP port 514:
netstat -untl | grep 514
udp 0 0 0.0.0.0:514 0.0.0.0:*     ### 514 is up

Now check whether 80.log is receiving records:
[root@localhost log]# cat /var/log/80.log
Jan 14 21:36:06 10.0.0.71 949: 001021: *Mar 14 00:47:29: %SYS-5-CONFIG_I: Configured from console by abc on vty1 (192.168.2.1)
Jan 14 22:51:04 10.0.0.71 950: 001022: *Mar 14 02:01:32: %LINK-3-UPDOWN: Interface FastEthernet0/7, changed state to up
Jan 14 22:51:05 10.0.0.71 951: 001023: *Mar 14 02:01:33: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/7, changed state to up
Each line carries two timestamps: the first is syslogd's receive time, the second (after the IOS counters) is the switch's own clock. The leading asterisk on *Mar 14 is IOS's marker that its clock is not authoritative (no NTP), which is why it disagrees with the server's Jan 14; configure NTP on the switch before relying on these records for incident timelines.
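Once messages land in /var/log/80.log, the useful next step is to parse and triage them rather than read them by hand. The following Python script is an added example, not code from the original post. Its first three sample lines are the ones shown above; the fourth is constructed to show a synced clock and a severity-6 message. The check compares each message's severity against the switch's logging trap level, which the script takes as a parameter (the post uses the IOS default of informational, 6).

```python
"""Parse and triage Cisco IOS syslog lines as written by syslogd.

Added example (not from the original post). Line layout, from left to
right: syslogd receive time, sender (an IP because of -x), one or more
IOS counters ('949: 001021: '), the device timestamp with an optional
'*' or '.' meaning the clock is not authoritative, then
%FACILITY-SEVERITY-MNEMONIC and the message text.
"""
import re

LINE_RE = re.compile(
    r"^(?P<received>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?:\d+: )*"
    r"(?P<clock_flag>[*.]?)"
    r"(?P<device_time>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d(?:\.\d+)?(?: [A-Z]{3,4})?): "
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+): "
    r"(?P<text>.*)$"
)

# Text of %SYS-5-CONFIG_I: who changed the configuration and from where.
CONFIG_RE = re.compile(
    r"Configured from (?P<via>\S+) by (?P<user>\S+)(?: on (?P<line>\S+) \((?P<src>[^)]+)\))?"
)


def parse_line(line):
    """Fields of one IOS syslog line as a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["severity"] = int(d["severity"])
    return d


def triage(lines, trap_level=6):
    """Return (kind, detail) findings for a list of raw log lines.

    trap_level is the 'logging trap <level>' configured on the switch
    (6 = informational, the IOS default). A message less urgent than that
    should never arrive from this host; if one does, either the switch
    configuration changed or someone else is sending UDP to port 514.
    """
    findings = []
    for raw in lines:
        msg = parse_line(raw)
        if msg is None:
            findings.append(("UNPARSED", raw.strip()))
            continue
        if msg["clock_flag"]:
            findings.append(("CLOCK_NOT_SYNCED",
                             f"{msg['host']} reports {msg['clock_flag']}{msg['device_time']}; configure NTP"))
        if msg["severity"] > trap_level:
            findings.append(("UNEXPECTED_SEVERITY",
                             f"%{msg['facility']}-{msg['severity']}-{msg['mnemonic']} is above logging trap {trap_level}"))
        if msg["mnemonic"] == "CONFIG_I":
            c = CONFIG_RE.search(msg["text"])
            who = c.group("user") if c else "?"
            src = c.group("src") if c and c.group("src") else msg["host"]
            findings.append(("CONFIG_CHANGE", f"{who} configured {msg['host']} from {src}"))
    return findings


# First three lines are the post's own sample output; the fourth is constructed.
SAMPLE = [
    "Jan 14 21:36:06 10.0.0.71 949: 001021: *Mar 14 00:47:29: %SYS-5-CONFIG_I: Configured from console by abc on vty1 (192.168.2.1)",
    "Jan 14 22:51:04 10.0.0.71 950: 001022: *Mar 14 02:01:32: %LINK-3-UPDOWN: Interface FastEthernet0/7, changed state to up",
    "Jan 14 22:51:05 10.0.0.71 951: 001023: *Mar 14 02:01:33: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/7, changed state to up",
    "Jan 14 23:02:10 10.0.0.71 952: 001024: Jan 14 23:02:09: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 192.168.80.63 port 514 started - CLI initiated",
]

if __name__ == "__main__":
    for kind, detail in triage(SAMPLE):
        print(kind, "-", detail)
    # Same lines checked against a stricter trap level (notifications, 5):
    for kind, detail in triage(SAMPLE, trap_level=5):
        if kind == "UNEXPECTED_SEVERITY":
            print(kind, "-", detail)
```

With the default trap level the script flags the three unsynced timestamps and the configuration change by user abc from 192.168.2.1; rerun with trap_level=5 it additionally flags the constructed severity-6 line, which is the kind of discrepancy worth alerting on because it indicates either a changed switch configuration or a second sender using the switch's address.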

References:
http://blog.chinaunix.net/u3/94782/showart_1968806.html
http://www.51cto.com/art/200802/65788.htm