Have you ever wanted to get a Cisco device to send its logs to your local Gentoo host? This guide will show you how to configure syslog-ng to accept incoming logs from a Cisco device (or any external syslog-enabled device).

Configure your Cisco device

Before you can do anything to your Gentoo box, you will need to configure the Cisco device to send its logs somewhere else.

Code: Log in to your router/switch
#conf t
(config)# logging x.x.x.x
! replace x.x.x.x with your Gentoo box's IP address.

Configure Syslog-ng

Now you simply need to add a few lines to your syslog-ng.conf. Check out the man page for syslog-ng and syslog-ng.conf for more options. The following lines display all the information I care to see.

File: /etc/syslog-ng/syslog-ng.conf
source net { udp(ip(0.0.0.0) port(514)); }; # listens on all interfaces, so any host that can reach UDP port 514 can send its logs to your host.

destination d_cisco { file("/var/log/cisco.log"); };

filter f_cisco_info { level(info); };
filter f_cisco_notice { level(notice); };
filter f_cisco_warn { level(warn); };
filter f_cisco_crit { level(crit); };
filter f_cisco_err { level(err); };

log { source(net); filter(f_cisco_info); destination(d_cisco); };
log { source(net); filter(f_cisco_notice); destination(d_cisco); };
log { source(net); filter(f_cisco_warn); destination(d_cisco); };
log { source(net); filter(f_cisco_crit); destination(d_cisco); };
log { source(net); filter(f_cisco_err); destination(d_cisco); };

That's all there is to it. Restart syslog-ng and you should be seeing your Cisco logs.


If all goes well you should see the file /var/log/cisco.log created with the logging output from your Cisco device. If you have more than one Cisco device, you can set each device to use a different logging facility and simply create a new set of syslog-ng.conf rules to filter each device.
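The per-device facility idea above, and what the five level filters actually let through, shown as an added Python example (not part of the original guide and not syslog-ng code). The device names, the local5/local6 assignments, the per-device log paths and the sample datagrams are assumptions constructed for illustration.

```python
import re

# syslog severity names; list index = numeric severity carried in <PRI>
SEVERITIES = ["emerg", "alert", "crit", "err", "warn", "notice", "info", "debug"]
# Levels matched by the guide's five f_cisco_* filters
PAGE_LEVELS = {"info", "notice", "warn", "crit", "err"}
# Hypothetical plan: each device is set to its own facility ("logging facility localN")
DEVICE_BY_FACILITY = {"local5": "router1", "local6": "switch1"}

PRI_RE = re.compile(rb"^<(\d{1,3})>")

def decode_pri(datagram: bytes):
    """Return (facility, level) from the <PRI> header, or None if malformed."""
    m = PRI_RE.match(datagram)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:  # 23 * 8 + 7 is the largest valid PRI
        return None
    facility, severity = divmod(pri, 8)
    name = f"local{facility - 16}" if facility >= 16 else f"facility{facility}"
    return name, SEVERITIES[severity]

def route(datagram: bytes):
    """Log file the message would land in, or None if no filter matches it."""
    decoded = decode_pri(datagram)
    if decoded is None:
        return None
    facility, level = decoded
    if level not in PAGE_LEVELS:  # emerg, alert and debug match none of the filters
        return None
    device = DEVICE_BY_FACILITY.get(facility)
    # Unassigned facilities fall back to the guide's single log file
    return f"/var/log/cisco-{device}.log" if device else "/var/log/cisco.log"

# Constructed sample datagrams in Cisco IOS style (not captured traffic)
SAMPLES = [
    b"<173>42: *Mar  1 00:01:02: %SYS-5-CONFIG_I: Configured from console by vty0",
    b"<179>43: *Mar  1 00:02:10: %LINK-3-UPDOWN: Interface Gi0/1, changed state to down",
    b"<183>44: *Mar  1 00:03:00: %SYS-7-USERLOG_DEBUG: Message from tty0",
    b"<185>45: *Mar  1 00:04:00: %SYS-1-OVERTEMP: System detected OVERTEMP condition",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(decode_pri(sample), "->", route(sample))
```

The last two samples are dropped: debug and alert are not among the five levels the filters name, so messages at those severities (and emerg) never reach the log file.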

