rsyslog won't receive udp from Cisco ASA


Postby john.imig » Fri Jun 19, 2009 5:18 pm

Platform: fedora 11 with rsyslog as default on x86 arch.

Config files:

/etc/rc.d/init.d/rsyslog
#!/bin/bash
#
# rsyslog        Starts rsyslogd/rklogd.
#
#
# chkconfig: 2345 12 88
# description: Syslog is the facility by which many daemons use to log \
# messages to various system log files.  It is a good idea to always \
# run rsyslog.
### BEGIN INIT INFO
# Provides: $syslog
# Required-Start: $local_fs
# Required-Stop: $local_fs
# Default-Start:  2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: Enhanced system logging and kernel message trapping daemons
# Description: Rsyslog is an enhanced multi-threaded syslogd supporting,
#              among others, MySQL, syslog/tcp, RFC 3195, permitted
#              sender lists, filtering on any message part, and fine
#              grain output format control.
### END INIT INFO

# Source function library.
. /etc/init.d/functions

RETVAL=0

start() {
        [ -x /sbin/rsyslogd ] || exit 5

        # Source config
        if [ -f /etc/sysconfig/rsyslog ] ; then
                . /etc/sysconfig/rsyslog
        fi
        umask 077

        echo -n $"Starting system logger: "
        daemon rsyslogd $SYSLOGD_OPTIONS
        RETVAL=$?
        echo
        [ $RETVAL -eq 0 ] && touch /var/lock/subsys/rsyslog
        return $RETVAL
}
stop() {
        echo -n $"Shutting down system logger: "
        killproc rsyslogd
        RETVAL=$?
        echo
        [ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/rsyslog
        return $RETVAL
}
reload()  {
    RETVAL=1
    syslog=`cat /var/run/syslogd.pid 2>/dev/null`
    echo -n "Reloading system logger..."
    if [ -n "${syslog}" ] && [ -e /proc/"${syslog}" ]; then
        kill -HUP "$syslog";
        RETVAL=$?
    fi
    if [ $RETVAL -ne 0 ]; then
        failure
    else
        success
    fi
    echo
    return $RETVAL
}
rhstatus() {
        status rsyslogd
}
restart() {
        stop
        start
}

case "$1" in
  start)
        start
        ;;
  stop)
        stop
        ;;
  restart)
        restart
        ;;
  reload|force-reload)
        reload
        ;;
  status)
        rhstatus
        ;;
  condrestart)
        [ -f /var/lock/subsys/rsyslog ] && restart || :
        ;;
  *)
        echo $"Usage: $0 {start|stop|restart|reload|force-reload|condrestart}"
        exit 2
esac

exit $?




/etc/sysconfig/rsyslog
# Options to syslogd
# syslogd options are deprecated in rsyslog v3
# if you want to use them, switch to compatibility mode 2 by "-c 2"
SYSLOGD_OPTIONS="-c 3"



and finally /etc/rsyslog.conf
#rsyslog v3 config file

# if you experience problems, check
# http://www.rsyslog.com/troubleshoot for assistance

#### MODULES ####

#$ModLoad ommysql
$ModLoad imuxsock.so    # provides support for local system logging (e.g. via logger command)
$ModLoad imklog.so      # provides kernel logging support (previously done by rklogd)
#$ModLoad immark.so     # provides --MARK-- message capability

# Provides UDP syslog reception
$ModLoad imudp
$UDPServerAddress *
$UDPServerRun 514

# Provides TCP syslog reception
$ModLoad imtcp.so
$InputTCPServerRun 514


#### GLOBAL DIRECTIVES ####

# Use default timestamp format
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

# File syncing capability is disabled by default. This feature is usually not required,
# not useful and an extreme performance hit
#$ActionFileEnableSync on


#### RULES ####

# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.*                                                 /dev/console

# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none                /var/log/messages

# The authpriv file has restricted access.
authpriv.*                                              /var/log/secure

# Log all the mail messages in one place.
mail.*                                                  -/var/log/maillog


# Log cron stuff
cron.*                                                  /var/log/cron

# Everybody gets emergency messages
*.emerg                                                 *

# Save news errors of level crit and higher in a special file.
uucp,news.crit                                          /var/log/spooler

# Save boot messages also to boot.log
local7.*                                                /var/log/boot.log

# *.*      :ommysql:127.0.0.1,Syslog,root,14all&all41

### begin forwarding rule ###
# The statement between the begin ... end define a SINGLE forwarding
# rule. They belong together, do NOT split them. If you create multiple
# forwarding rules, duplicate the whole block!
# Remote Logging (we use TCP for reliable delivery)
#
# An on-disk queue is created for this action. If the remote host is
# down, messages are spooled to disk and sent when it is up again.
#$WorkDirectory /var/spool/rsyslog # where to place spool files
#$ActionQueueFileName fwdRule1 # unique name prefix for spool files
#$ActionQueueMaxDiskSpace 1g   # 1gb space limit (use as much as possible)
#$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
#$ActionQueueType LinkedList   # run asynchronously
#$ActionResumeRetryCount -1    # infinite retries if host is down
# remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
#*.* @@remote-host:514
# ### end of the forwarding rule ###




In rsyslog.conf, the commented out mySQL stuff is from when I was trying phplogcon, but even then I never got the machine to actually receive the logs from the Cisco ASA.

I have confirmed the Cisco ASA is blasting logs at the rsyslog machine with tcpdump, and also confirmed that they are coming udp/514 (curiously, using tcp on the Cisco ASA disallows using any port below 1047).
03:01:07.843979 IP 10.10.30.1.syslog > 192.168.1.107.syslog: SYSLOG local4.debug, length: 121
03:01:07.950545 IP 10.10.30.1.syslog > 192.168.1.107.syslog: SYSLOG local4.info, length: 155
03:01:07.984103 IP 10.10.30.1.syslog > 192.168.1.107.syslog: SYSLOG local4.info, length: 155
03:01:08.115338 IP 10.10.30.1.syslog > 192.168.1.107.syslog: SYSLOG local4.info, length: 135
03:01:08.115387 IP 10.10.30.1.syslog > 192.168.1.107.syslog: SYSLOG local4.info, length: 178
03:01:08.156536 IP 10.10.30.1.syslog > 192.168.1.107.syslog: SYSLOG local4.notice, length: 153
03:01:08.189846 IP 10.10.30.1.syslog > 192.168.1.107.syslog: SYSLOG local4.info, length: 168
03:01:08.215514 IP 10.10.30.1.syslog > 192.168.1.107.syslog: SYSLOG local4.info, length: 173
03:01:08.218309 IP 10.10.30.1.syslog > 192.168.1.107.syslog: SYSLOG local4.notice, length: 107
03:01:08.265151 IP 10.10.30.1.syslog > 192.168.1.107.syslog: SYSLOG local4.info, length: 134
03:01:08.265164 IP 10.10.30.1.syslog > 192.168.1.107.syslog: SYSLOG local4.info, length: 183
03:01:08.319982 IP 10.10.30.1.syslog > 192.168.1.107.syslog: SYSLOG local4.info, length: 180
03:01:08.433689 IP 10.10.30.1.syslog > 192.168.1.107.syslog: SYSLOG local4.info, length: 169
03:01:08.450420 IP 10.10.30.1.syslog > 192.168.1.107.syslog: SYSLOG local4.info, length: 135
03:01:08.450435 IP 10.10.30.1.syslog > 192.168.1.107.syslog: SYSLOG local4.info, length: 178
03:01:08.491367 IP 10.10.30.1.syslog > 192.168.1.107.syslog: SYSLOG local4.notice, length: 153



SELinux is disabled (just in case it was a problem, as it so often is). I tried to put a line in the rsyslog.conf to route everything to a file, but all it did was a touch on the file and it never increased in size...and our firewall is logging A LOT.

So, please advise me on getting the rsyslog machine to receive the logs from the Cisco ASA, and piping to a file, say /var/log/cisco-asa.log


Please be gentle, my reading comprehension is good, but I am pretty green with *nix.

Re: rsyslog won't receive udp from Cisco ASA

Postby rgerhards » Fri Jun 19, 2009 5:50 pm

the config looks ok. Did you check that the firewall on the fedora box permits this incoming traffic? by default it does not...

Re: rsyslog won't receive udp from Cisco ASA

Postby john.imig » Fri Jun 19, 2009 6:20 pm

Yes, I used the GUI, but I made sure it is allowing traffic on port 514.

I think I may just be missing the part or the syntax in rsyslog.conf to get the logs from the Cisco ASA routed to a file...

Re: rsyslog won't receive udp from Cisco ASA

Postby john.imig » Fri Jun 19, 2009 6:38 pm

Wait!

Something I did is working (I think) - I found this in /var/log/messages:
Jun 19 03:51:57 Jun 19 2009 10:50:28: %ASA-5-304001: 192.168.1.182 Accessed URL 72.14.213.100:http://gg.google.com/csi
Jun 19 03:51:57 Jun 19 2009 10:50:28: %ASA-5-304001: 192.168.1.182 Accessed URL 72.14.213.100:http://gg.google.com/csi
Jun 19 03:51:57 Jun 19 2009 10:50:28: %ASA-5-304001: 192.168.1.214 Accessed URL 69.80.200.254:http://secure-us.imrworldwide.com/cgi-bin/m
Jun 19 03:51:57 Jun 19 2009 10:50:28: %ASA-5-304001: 192.168.1.116 Accessed URL 174.129.210.179:http://lt.andomedia.com/lt
Jun 19 03:51:57 Jun 19 2009 10:50:28: %ASA-6-302014: Teardown TCP connection 2896550 for Outside:69.80.200.254/80 to Inside:192.168.1.214/50260 duration 0:00:00 bytes 1013 TCP FINs
Jun 19 03:51:57 Jun 19 2009 10:50:28: %ASA-5-304001: 192.168.1.182 Accessed URL 72.14.213.100:http://gg.google.com/csi
Jun 19 03:51:57 Jun 19 2009 10:50:28: %ASA-5-304001: 192.168.1.182 Accessed URL 72.14.213.100:http://gg.google.com/csi
Jun 19 03:51:57 Jun 19 2009 10:50:28: %ASA-5-304001: 192.168.1.214 Accessed URL 66.212.231.78:http://banners.chipleader.com/banners/bnrimg.php
Jun 19 03:51:57 Jun 19 2009 10:50:28: %ASA-6-302014: Teardown TCP connection 2896544 for Outside:174.129.210.179/80 to Inside:192.168.1.116/2941 duration 0:00:00 bytes 883 TCP FINs
Jun 19 03:51:57 Jun 19 2009 10:50:28: %ASA-6-302014: Teardown TCP connection 2896520 for Outside:192.168.6.11/2592 to Inside:192.168.1.18/85 duration 0:00:01 bytes 1820 TCP FINs


So now, how do I get those logs and only those logs (not local events) into their own file please?

Wait again! If I disable the local module on the machine, then I should only be logging the incoming udp stuff, right?

I'm off to make changes, let me know if you think of anything important.

Re: rsyslog won't receive udp from Cisco ASA

Postby Hinze57 » Mon Jul 13, 2009 8:48 pm

In case you are still working on this,

add something like this to your /etc/rsyslog.conf
$template ASAFormat,"%timereported% %FROMHOST% %syslogtag%%msg:::drop-last-lf%\n"

local4.debug                                             /var/logs/cisco-asa.log;ASAFormat
& ~


Then, restart rsyslog.

There are other interesting ways of doing this I've found in the forums that look something like:

:fromhost,isequal,"<ip_address_of_asa>" /var/logs/cisco-asa.log
& ~

But I've not tested that yet.

Re: rsyslog won't receive udp from Cisco ASA

Postby Hinze57 » Thu Aug 06, 2009 3:17 pm

BTW, so the time-stamp is not duplicated, look at this post:

cisco-asa-formating-rsyslog-version-t9902.html

Hope this helps
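Added example (not rsyslog code and not posted by anyone in this thread): a small Python model of what rsyslog does with the datagrams in the OP's tcpdump, covering both of Hinze57's routing forms (a `local4.debug` selector followed by `& ~`, and a `:fromhost,isequal` filter) and the doubled-timestamp point from the follow-up post. It decodes the `<PRI>` header into facility.severity, evaluates classic selector lines like the ones in the posted rsyslog.conf, walks the rules in order to see which file a message lands in, and pulls the `%ASA-<sev>-<id>` fields out of the message text while separating the ASA's own timestamp. The datagrams are constructed to match the shapes shown on the page; the PRI values (local4 facility, taken from the tcpdump's `local4.*` decode) and the source address 10.10.30.1 (from the tcpdump) are assumptions about what the ASA sends, and the `fedora11`/`logger` local line is invented.

```python
import re
from typing import Callable, Dict, List, Optional, Tuple

# Facility and severity names in syslog code order; PRI = facility * 8 + severity.
FACILITIES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console", "solaris-cron",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

PRI_RE = re.compile(rb"^<(\d{1,3})>")
# Optional ASA-side timestamp ("Jun 19 2009 10:50:28: "), then %ASA-<sev>-<id>: <text>
ASA_RE = re.compile(
    r"^(?:(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{4} \d{2}:\d{2}:\d{2}): )?"
    r"%ASA-(?P<sev>\d)-(?P<msgid>\d{6}): (?P<text>.*)$"
)

# Constructed (datagram, source address) pairs in the shape the thread's tcpdump and
# /var/log/messages lines show. <165> = local4.notice, <166> = local4.info,
# <13> = user.notice from a local process. Addresses assumed from the tcpdump.
SAMPLE_DATAGRAMS: List[Tuple[bytes, str]] = [
    (b"<165>Jun 19 2009 10:50:28: %ASA-5-304001: 192.168.1.182 Accessed URL "
     b"72.14.213.100:http://gg.google.com/csi", "10.10.30.1"),
    (b"<166>Jun 19 2009 10:50:28: %ASA-6-302014: Teardown TCP connection 2896550 "
     b"for Outside:69.80.200.254/80 to Inside:192.168.1.214/50260 duration 0:00:00 "
     b"bytes 1013 TCP FINs", "10.10.30.1"),
    (b"<13>Jun 19 03:51:57 fedora11 logger: hello from the local box", "127.0.0.1"),
]


def parse_pri(datagram: bytes) -> Tuple[str, str, str]:
    """Strip the RFC 3164 PRI from a datagram; return (facility, severity, body).
    A datagram without a PRI is treated as PRI 13 (user.notice), as RFC 3164 advises."""
    m = PRI_RE.match(datagram)
    if m:
        pri, body = int(m.group(1)), datagram[m.end():]
    else:
        pri, body = 13, datagram
    if pri > 191:
        raise ValueError(f"PRI {pri} out of range")
    return FACILITIES[pri >> 3], SEVERITIES[pri & 7], body.decode("utf-8", "replace")


def rule_matches(selector: str, facility: str, severity: str) -> bool:
    """Evaluate a classic selector field such as 'local4.debug', 'uucp,news.crit' or
    '*.info;mail.none;authpriv.none'. A severity matches itself and everything more
    urgent; a later ';' part overrides earlier ones for the facilities it names."""
    matched = False
    for part in selector.split(";"):
        fac_part, sev_part = part.split(".", 1)
        if fac_part != "*" and facility not in fac_part.split(","):
            continue
        if sev_part == "none":
            matched = False
        elif sev_part == "*":
            matched = True
        else:
            matched = SEVERITIES.index(severity) <= SEVERITIES.index(sev_part)
    return matched


def build_rules(asa_ip: Optional[str] = None) -> List[Tuple[Callable[[str, str, str], bool], str]]:
    """Rules in the order of the thread's config: the ASA file, then a discard
    ('& ~'), then the stock Fedora rules. Without asa_ip the ASA rule keys on the
    local4 facility (Hinze57's first form); with it, on the sender address
    (the ':fromhost,isequal' form)."""
    def is_asa(fac: str, sev: str, host: str) -> bool:
        if asa_ip is None:
            return rule_matches("local4.debug", fac, sev)
        return host == asa_ip
    return [
        (is_asa, "/var/log/cisco-asa.log"),
        (is_asa, "~"),
        (lambda f, s, h: rule_matches("*.info;mail.none;authpriv.none;cron.none", f, s),
         "/var/log/messages"),
        (lambda f, s, h: rule_matches("authpriv.*", f, s), "/var/log/secure"),
    ]


def route(datagram: bytes, fromhost: str, asa_ip: Optional[str] = None) -> List[str]:
    """Return the files a datagram would be written to under build_rules()."""
    facility, severity, _ = parse_pri(datagram)
    targets: List[str] = []
    for predicate, target in build_rules(asa_ip):
        if not predicate(facility, severity, fromhost):
            continue
        if target == "~":  # discard: no later rule sees this message
            break
        targets.append(target)
    return targets


def parse_asa(body: str) -> Optional[Dict[str, object]]:
    """Extract the ASA severity digit, six-digit message ID and text, keeping the
    ASA's own timestamp separate (it is what doubles up next to rsyslog's)."""
    m = ASA_RE.match(body.strip())
    if not m:
        return None
    return {"asa_ts": m.group("ts"), "severity": int(m.group("sev")),
            "msgid": m.group("msgid"), "text": m.group("text")}


if __name__ == "__main__":
    for datagram, src in SAMPLE_DATAGRAMS:
        fac, sev, body = parse_pri(datagram)
        print(f"{src:>11} {fac}.{sev:<7} -> {route(datagram, src)} {parse_asa(body)}")
```

Two things the model makes visible that the config alone does not. The facility in the PRI is chosen by the sender, so a `local4.debug` rule sweeps any host that logs to local4 into the ASA file, while the `fromhost` form only takes the one address (the third assertion style in `route` shows a local4 message from another host going to /var/log/messages instead); with plain UDP neither the facility nor the source address is authenticated, so the file is a convenience split, not a trust boundary. And the page's own /var/log/messages lines carry the receiver's clock (03:51:57) next to the ASA's (10:50:28), several hours apart; before dropping the ASA timestamp with a template, it is worth checking that both clocks are synchronised, or correlation against other logs will be off.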
