1. Purpose:
Set up a Linux server that records Cisco log events.
2. Cisco switch address: 10.0.0.71
Linux address: 192.168.80.63
3. The procedure has two main parts
1) Switch
First configure the switch so that it sends its log messages out.
Enable:
(config)#logging on                  (turn logging on)
(config)#logging facility local4     (local4 is the facility code; it must match the one used on the Linux side)
(config)#logging 192.168.80.63       (the Linux syslog host)
(config)#logging trap
Note: logging trap <level> sets the severity level of the log messages that are sent;
logging facility changes the facility code. Verify with show logging.
2) Linux
2.1 Edit the /etc/syslog.conf configuration file (this file decides which file the messages sent by the Cisco device are written to)
[root@localhost log]# vi /etc/syslog.conf
# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.* /dev/console
# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none /var/log/messages
# The authpriv file has restricted access.
authpriv.* /var/log/secure
# Log all the mail messages in one place.
mail.* -/var/log/maillog
# Log cron stuff
cron.* /var/log/cron
# Everybody gets emergency messages
*.emerg *
# Save news errors of level crit and higher in a special file.
uucp,news.crit /var/log/spooler
# Save boot messages also to boot.log
local7.* /var/log/boot.log
local4.* /var/log/80.log
(* means all messages) (local4 here corresponds to the local4 configured on the Cisco switch, and the log messages it sends are written to /var/log/80.log)
See man syslog: there are 8 message levels in total.
#define KERN_EMERG "<0>" /* system is unusable */
#define KERN_ALERT "<1>" /* action must be taken immediately */
#define KERN_CRIT "<2>" /* critical conditions */
#define KERN_ERR "<3>" /* error conditions */
#define KERN_WARNING "<4>" /* warning conditions */
#define KERN_NOTICE "<5>" /* normal but significant condition */
#define KERN_INFO "<6>" /* informational */
#define KERN_DEBUG "<7>" /* debug-level messages */
emerg   - system is unusable
alert   - action must be taken immediately
crit    - critical condition
err     - error condition, same as error
warning - warning message, same as warn
notice  - normal but significant condition
info    - normal informational message
debug   - debugging messages
none    - general messages
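As an added example (not part of the original post), the following Python models how syslogd applies the selectors in the /etc/syslog.conf above: a priority selector matches that level and every more severe one, "*" matches everything, "none" excludes a facility, and within one selector list the last selector that decides for a facility wins. Running it shows that Cisco messages at notice or info also land in /var/log/messages through the "*.info" rule, not only in /var/log/80.log. The SYSLOG_CONF table is a constructed copy of the page's configuration; the function names are my own.

```python
"""Evaluate classic syslog.conf selectors (facility.priority) against a message.

Added example, not from the original post. Models sysklogd semantics:
a priority matches that level *and higher* (lower index), '*' matches all,
'none' excludes a facility, and selectors separated by ';' are applied
left to right with the last decision for a facility winning.
"""

PRIORITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
PRIORITY_ALIASES = {"error": "err", "warn": "warning", "panic": "emerg"}

# Constructed from the page's /etc/syslog.conf: (selector list, action).
SYSLOG_CONF = [
    ("*.info;mail.none;authpriv.none;cron.none", "/var/log/messages"),
    ("authpriv.*", "/var/log/secure"),
    ("mail.*", "-/var/log/maillog"),
    ("cron.*", "/var/log/cron"),
    ("*.emerg", "*"),
    ("uucp,news.crit", "/var/log/spooler"),
    ("local7.*", "/var/log/boot.log"),
    ("local4.*", "/var/log/80.log"),
]


def priority_index(name):
    """0 = emerg (most severe) ... 7 = debug, accepting the common aliases."""
    return PRIORITIES.index(PRIORITY_ALIASES.get(name, name))


def selector_matches(selector, facility, priority):
    """Return True/False when the selector decides on this message, None when
    it says nothing about the message's facility (tri-state so that a later
    'mail.none' can cancel an earlier '*.info')."""
    facilities, level = selector.rsplit(".", 1)
    fac_list = facilities.split(",")
    if "*" not in fac_list and facility not in fac_list:
        return None
    if level == "none":
        return False
    if level == "*":
        return True
    # 'info' selects info and everything more severe than info
    return priority_index(priority) <= priority_index(level)


def route(facility, priority, conf=SYSLOG_CONF):
    """Return the actions (log files) a message with this facility/priority
    would be written to, in configuration order."""
    actions = []
    for selectors, action in conf:
        decision = None
        for sel in selectors.split(";"):
            d = selector_matches(sel, facility, priority)
            if d is not None:
                decision = d  # last selector that speaks about the facility wins
        if decision:
            actions.append(action)
    return actions


if __name__ == "__main__":
    for fac, pri in [("local4", "notice"), ("local4", "debug"), ("mail", "err"), ("kern", "emerg")]:
        print(f"{fac}.{pri:<8} -> {route(fac, pri)}")
```

Because local4 messages at info or above match both rules, the switch's notifications are duplicated into /var/log/messages; add "local4.none" to the first selector list if 80.log should be their only destination.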
2.2 Edit the configuration file /etc/sysconfig/syslog
This is changed because syslogd on Linux must be told to accept messages arriving from the network.
# Options to syslogd
# -m 0 disables 'MARK' messages.
# -r enables logging from remote machines
# -x disables DNS lookups on messages received with -r   (do not resolve sender names through DNS)
# See syslogd(8) for more details
SYSLOGD_OPTIONS="-m 0"   change to   SYSLOGD_OPTIONS="-r -x -m 0"
# Options to klogd
# -2 prints all kernel oops messages twice; once for klogd to decode, and
# once for processing with 'ksymoops'
# -x disables all klogd processing of oops messages entirely
# See klogd(8) for more details
KLOGD_OPTIONS="-x"
#
# set this to a umask value to use for all log files as in umask(1).
# By default, all permissions are removed for "group" and "other".
SYSLOG_UMASK=077
2.3 After editing the syslog files
Restart the syslog service:
service syslog restart
2.4 Check the syslogd process
ps -ef | grep syslogd | grep -v "grep syslogd"
root 30307 1 0 13:59 ? 00:00:00 syslogd -r -x -m   ### -r being present means it worked
2.5 Allow the Cisco packets into the Linux host.
[root@localhost log]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source      destination
ACCEPT     udp  --  anywhere    192.168.80.63   udp dpt:syslog
Chain FORWARD (policy ACCEPT)
target     prot opt source      destination
Chain OUTPUT (policy ACCEPT)
target     prot opt source      destination
The command is: iptables -A INPUT -p udp -d 192.168.80.63 --dport 514 -j ACCEPT
(The INPUT policy shown is ACCEPT, so this rule only matters once the policy is tightened; the source is "anywhere", so any host can write into the log file. Restricting the rule to the switch with -s 10.0.0.71 limits that.)
2.6 Check that the log server is listening on UDP port 514
netstat -untl | grep 514
udp 0 0 0.0.0.0:514 0.0.0.0:*   ### port 514 is up
Now check whether 80.log has received anything:
[root@localhost log]# cat /var/log/80.log
Jan 14 21:36:06 10.0.0.71 949: 001021: *Mar 14 00:47:29: %SYS-5-CONFIG_I: Configured from console by abc on vty1 (192.168.2.1)
Jan 14 22:51:04 10.0.0.71 950: 001022: *Mar 14 02:01:32: %LINK-3-UPDOWN: Interface FastEthernet0/7, changed state to up
Jan 14 22:51:05 10.0.0.71 951: 001023: *Mar 14 02:01:33: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/7, changed state to up
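As an added example (not from the original post), this Python parses the lines that land in /var/log/80.log: the timestamp and sender address that syslogd prefixes, the two counter fields the switch prepends, the device clock (a leading "*" means the switch clock is not synchronised, so those times cannot be correlated with other logs), and the %FACILITY-SEVERITY-MNEMONIC header. It also computes the <PRI> value the switch puts on the wire for facility local4 (code 20) and summarises what an operator would review: configuration changes, error-or-worse events and senders with an unsynchronised clock. The sample lines are a constructed copy of the page's output; the function names are mine.

```python
"""Parse Cisco IOS syslog lines as written to /var/log/80.log by syslogd.

Added example, not part of the original post. Field names and helper
functions are my own; the sample lines are copied from the page's output.
"""
import re

# Constructed sample: the three lines shown in the page's cat /var/log/80.log.
SAMPLE_LOG = """\
Jan 14 21:36:06 10.0.0.71 949: 001021: *Mar 14 00:47:29: %SYS-5-CONFIG_I: Configured from console by abc on vty1 (192.168.2.1)
Jan 14 22:51:04 10.0.0.71 950: 001022: *Mar 14 02:01:32: %LINK-3-UPDOWN: Interface FastEthernet0/7, changed state to up
Jan 14 22:51:05 10.0.0.71 951: 001023: *Mar 14 02:01:33: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/7, changed state to up
"""

LINE_RE = re.compile(
    r"^(?P<received>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d) "       # time syslogd received it
    r"(?P<host>\S+) "                                           # sender address (no DNS: -x)
    r"(?P<counter1>\d+): (?P<counter2>\d+): "                   # two counters the switch prefixes
    r"(?P<unsynced>\*?)(?P<devtime>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d): "  # device clock; '*' = not synced
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+): "
    r"(?P<text>.*)$"
)

# Linux syslog priority names, indexed by the Cisco severity digit.
SEVERITY_NAMES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
LOCAL4 = 20  # numeric syslog facility code for local4, as configured on the switch


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not match."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    sev = int(rec["severity"])
    rec["severity"] = sev
    rec["severity_name"] = SEVERITY_NAMES[sev]
    rec["unsynced"] = rec["unsynced"] == "*"
    rec["pri"] = LOCAL4 * 8 + sev  # <PRI> = facility * 8 + severity in the UDP datagram
    return rec


def parse_log(text):
    """Parse every line of a log file's contents, skipping unparseable lines."""
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def review(records):
    """Summarise what an operator would check: who changed the configuration
    and from where, error-or-worse events, and senders whose clock is not
    synchronised (their timestamps cannot be matched against other sources)."""
    findings = {"config_changes": [], "errors": [], "unsynced_hosts": set()}
    for r in records:
        if r["mnemonic"] == "CONFIG_I":
            findings["config_changes"].append((r["host"], r["text"]))
        if r["severity"] <= 3:  # err, crit, alert, emerg
            findings["errors"].append((r["host"], r["facility"], r["mnemonic"]))
        if r["unsynced"]:
            findings["unsynced_hosts"].add(r["host"])
    return findings


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for r in recs:
        print(f'{r["host"]} pri=<{r["pri"]}> {r["severity_name"]:<7} %{r["facility"]}-{r["severity"]}-{r["mnemonic"]}')
    print(review(recs))
```

The "*" on every device timestamp in the sample means the switch clock was never set; configuring NTP on the switch is what makes the device time usable alongside the syslogd receive time.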