According to the homepage for syslog-ng, http://www.balabit.com/network-security/syslog-ng/ the application embodies the next generation of logging systems and is the first truly flexible and scalable system logging application. Syslog-ng is an open source implementation of the syslog protocol for UNIX and UNIX-like systems. It extends the original syslogd model with content-based filtering, rich filtering capabilities, and flexible configuration options and adds important features to syslog, such as using TCP for transport.
How Does It Work?
The overview of how syslog-ng works is shown in Figure 1.
Figure 1. Syslog-ng Overview
Devices can send syslogs to the syslog-ng server. Syslog-ng can be configured to spoof the syslogs and filter or forward them as original syslogs to CiscoWorks LAN Management Solution (LMS) servers as needed. When we say spoof, we mean changing the IP address of the original sender (in this case, the device originating the syslogs).
Spoofing has some disadvantages:
• User Datagram Protocol (UDP) failure to deliver may be reported back to the device instead of to syslog-ng
• Spoofing won't work if there is a firewall rule between syslog-ng and the LMS server. It will work only if traffic from syslog-ng is allowed.
Matrix of Syslog-ng and LMS 3.2
Table 1 provides a matrix of how syslog-ng and CiscoWorks LMS work together. Table below makes it easier to decide whether to use LocalMode or RemoteMode. It also allows user to see at a glance what benefits are enabled based on the choice of your operating system.
Note: Cisco Technical Assistance Center (TAC) will not able to provide installation or compile support for syslog- ng.
Sample Reference Configuration File
Below is a sample configuration file that could be used as is to get a quick jump start. Users will need to modify the IP address, ports, and other such local information according to their environment.
In this situation, we need to point the syslogs from the syslog-ng server to a CiscoWorks Network Compliance Manager (NCM) machine in the Proactive Automation of Change Execution (PACE) solution if LMS/NCM are installed on different machines.
For more information about the CiscoWorks LAN Management Solution, visit http://www.cisco.com/go/lms, contact your local Cisco account representative, or send an email to the product marketing group at firstname.lastname@example.org.