Guest

CiscoWorks LAN Management Solution 3.2 and earlier

Integrating Syslog-NG and CiscoWorks LMS 3.2

Hierarchical Navigation

Downloads

Contents

Introduction

What Is Syslog-ng?

How Does It Work?

Matrix of Syslog-ng and LMS 3.2

How to Install Syslog-ng

Syslog-ng Install

Sample Reference Configuration File

SyslogAnalyzer Process Must Be Restarted on LMS Server

Restarting from the GUI

Restarting from CLI

PACE Solution and Syslog-ng

Reference

For More Information


Introduction

What Is Syslog-ng?

According to the homepage for syslog-ng, http://www.balabit.com/network-security/syslog-ng/ the application embodies the next generation of logging systems and is the first truly flexible and scalable system logging application. Syslog-ng is an open source implementation of the syslog protocol for UNIX and UNIX-like systems. It extends the original syslogd model with content-based filtering, rich filtering capabilities, and flexible configuration options and adds important features to syslog, such as using TCP for transport.

How Does It Work?

The overview of how syslog-ng works is shown in Figure 1.

Figure 1. Syslog-ng Overview

Devices can send syslogs to the syslog-ng server. Syslog-ng can be configured to spoof the syslogs and filter or forward them as original syslogs to CiscoWorks LAN Management Solution (LMS) servers as needed. When we say spoof, we mean changing the IP address of the original sender (in this case, the device originating the syslogs).
Spoofing has some disadvantages:

• User Datagram Protocol (UDP) failure to deliver may be reported back to the device instead of to syslog-ng

• Spoofing won't work if there is a firewall rule between syslog-ng and the LMS server. It will work only if traffic from syslog-ng is allowed.

Matrix of Syslog-ng and LMS 3.2

Table 1 provides a matrix of how syslog-ng and CiscoWorks LMS work together. Table below makes it easier to decide whether to use LocalMode or RemoteMode. It also allows user to see at a glance what benefits are enabled based on the choice of your operating system.

Table 1. Syslog-ng and CiscoWorks LMS 3.2 Matrix

LocalMode

syslog-ng (Windows or Solaris 10)

Write to File

RemoteMode

Solaris 10 "syslogd"

Forwarded spoofed syslogs

RemoteMode

Solaris 10 "syslog-ng"

Forwarded spoofed syslogs

RemoteMode

Windows

Forwarded spoofed syslogs

How to Install Syslog-ng

Syslog-ng Install

Compiling Syslog-ng from Source

Install the entire syslog-ng prerequisites from http://www.balabit.com/network-security/syslog-ng/opensource-logging-system/compiling/.
Once that is done, you will need to compile syslog-ng as follows.

Configure Options

You must configure syslog-ng with --enable-spoof-source in order to enable the spoof source feature (which is disabled by default).
./configure --enable-spoof-source

Make and Install

Once you successfully configure syslog-ng, you can proceed to the installation as follows:
$ make
$ make install
If you run into any issues during the installation, you can refer to the syslog-ng forum at https://lists.balabit.hu/mailman/listinfo/syslog-ng or you can refer to the syslog-ng knowledge base at http://www.balabit.com/support/knowledge_base/kbsearch.bbq?kw=product_syslog-ng.

Note: Cisco Technical Assistance Center (TAC) will not able to provide installation or compile support for syslog- ng.

Sample Reference Configuration File

Below is a sample configuration file that could be used as is to get a quick jump start. Users will need to modify the IP address, ports, and other such local information according to their environment.
##########################################################
# First, set some global options.
options {
use_fqdn(no);
use_dns(no);
long_hostnames(off);
sync(0);
};
# Then, set some global sources.
source src {
udp(ip("0.0.0.0") port(514));
};
# Then, set some global destinations.
destination Remote_LMS_SyslogNG {
udp("192.168.141.43" port(514) spoof_source(yes));
udp("192.168.141.44" port(514) spoof_source(yes));
udp("192.168.141.45" port(514) spoof_source(yes));
udp("192.168.141.46" port(514) spoof_source(yes));
};
destination Local_LMS_SyslogNG {
file("/var/log/syslogs_info"
template("$DATE $HOST $MSG\n")
);
};
# Now log it
log {
source(src);
# if using Remote LMS, uncomment the following:
# destination(Remote_LMS_SyslogNG);
# if running SyslogNG Locally on LMS, uncomment the following:
# destination(Local_LMS_SyslogNG);
};
##########################################################

SyslogAnalyzer Process Must Be Restarted on LMS Server

Restarting from the GUI

Navigate to Common Services > Admin > Processes. Look for SyslogAnalyzer, check that row, and click Stop. Once that process is stopped, check the same row (if unchecked), and click Start.

Restarting from CLI

You can also restart SyslogAnalyzer using the command-line interface (CLI).
Windows:
Stop SyslogAnalyzer
C:\Program Files\CSCOpx\bin\pdterm SyslogCollector SyslogAnalyzer
Start SyslogAnalyzer
C:\Program Files\CSCOpx\bin\pdexec SyslogCollector SyslogAnalyzer
Verify SyslogAnalyzer
C:\Program Files\CSCOpx\bin\pdshow SyslogCollector SyslogAnalyzer
Solaris:
Stop SyslogAnalyzer
# /opt/CSCOpx/bin/pdterm SyslogCollector SyslogAnalyzer
Start SyslogAnalyzer
# /opt/CSCOpx/bin/pdexec SyslogCollector SyslogAnalyzer
Verify SyslogAnalyzer
# /opt/CSCOpx/bin/pdshow SyslogCollector SyslogAnalyzer

PACE Solution and Syslog-ng

In this situation, we need to point the syslogs from the syslog-ng server to a CiscoWorks Network Compliance Manager (NCM) machine in the Proactive Automation of Change Execution (PACE) solution if LMS/NCM are installed on different machines.

Reference

http://www.balabit.com/network-security/syslog-ng/opensource-logging-system/

http://www.balabit.com/network-security/syslog-ng/opensource-logging-system/compiling/

http://en.wikipedia.org/wiki/Syslog-ng

http://www.campin.net/syslog-ng/faq.html

https://lists.balabit.hu/mailman/listinfo/syslog-ng

http://www.balabit.com/support/knowledge_base/kbsearch.bbq?kw=product_syslog-ng

For More Information

For more information about the CiscoWorks LAN Management Solution, visit http://www.cisco.com/go/lms, contact your local Cisco account representative, or send an email to the product marketing group at lms-pm@cisco.com.