How to configure Log4cplus Syslog Appender - syslog

I want to configure Log4cplus Syslog appender to log messages only under certain conditions, by configuring the Log4cplus config file.
The conditions I want to configure are the following:
1) use sync/Async sending of log messages to Syslog
2) log only messages that contain a certain string/text (for example to log only messages containing the text: "Fail to connect").
log4cplus.appender.syslog=log4cplus::SysLogAppende
log4cplus.appender.syslog.ident=syslog
log4cplus.appender.syslog.layout=log4cplus::PatternLayout log4cplus.appender.syslog.layout.ConversionPattern=[%T] %-5p %b %x - %m%n
log4cplus.appender.syslog.host=localhost
log4cplus.appender.syslog.udp=true
log4cplus.appender.syslog.port=514
log4cplus.appender.syslog.facility=user
Is there a way to configure these parameters?

log4cplus.appender.syslog=log4cplus::SysLogAppende
You are missing r.
log4cplus.appender.syslog.layout=log4cplus::PatternLayout log4cplus.appender.syslog.layout.ConversionPattern=[%T] %-5p %b %x - %m%n
This should be two lines, not one.
log4cplus.appender.syslog.host=localhost
log4cplus.appender.syslog.udp=true
log4cplus.appender.syslog.port=514
You do not need to use UDP to log into local syslog on *NIX OS. If you do still want to log into remote syslog using UDP, do not forget to configure the target syslogd or similar software to actually accept logging messages from UDP. The default is usually to have remote syslog disabled.

Related

Syslog receives logs from Cisco Switch but doesn't log them

So, I got the task of transmitting all logs made by one particular Cisco switch to our dedicated Syslog Server. Via Cisco IOS I did the following:
schu-ebd-sw-vt14-11#configure terminal
schu-ebd-sw-vt14-11(config)#logging 10.254.1.103
schu-ebd-sw-vt14-11(config)#logging on
schu-ebd-sw-vt14-11(config)#logging host 10.254.1.103 transport udp port 514
schu-ebd-sw-vt14-11(config)#logging trap debugging
schu-ebd-sw-vt14-11(config)#logging facility local5
10.254.1.103 is the IP of our Syslog server. It has the alias cldlog001. Now entering show log shows the following:
schu-ebd-sw-vt14-11#show log
Syslog logging: enabled (0 messages dropped, 1 messages rate-limited, 0 flushes, 0 overruns, xml disabled, filtering disabled)
No Active Message Discriminator.
No Inactive Message Discriminator.
Console logging: level debugging, 224 messages logged, xml disabled,
filtering disabled
Monitor logging: level debugging, 0 messages logged, xml disabled,
filtering disabled
Buffer logging: level debugging, 226 messages logged, xml disabled,
filtering disabled
Exception Logging: size (4096 bytes)
Count and timestamp logging messages: disabled
File logging: disabled
Persistent logging: disabled
No active filter modules.
Trap logging: level debugging, 112 message lines logged
Logging to 10.254.1.103 (udp port 514, audit disabled,
link up),
110 message lines logged,
0 message lines rate-limited,
0 message lines dropped-by-MD,
xml disabled, sequence number disabled
filtering disabled
Logging Source-Interface: VRF Name:
I can confirm via tcpdump that our Syslog server is receiving messages on port 514 from the Cisco device.
[root#cldlog001 remote]# tcpdump -vv -i any port 514 | grep schu-ebd-sw-vt14-11
dropped privs to tcpdump
tcpdump: listening on any, link-type LINUX_SLL (Linux cooked v1), capture size 262144 bytes
schu-ebd-sw-vt14-11.switch.schu.64118 > cldlog001.cld.schu.syslog: [udp sum ok] SYSLOG, length: 99
However, no logs are written by cldlog001. Here are the important bits of the config file (/etc/rsyslog.conf).
#### TEMPLATES ####
$template CiscoLog, "/var/log/remote/%HOSTNAME%/cisco.log"
# Log all the mail messages in one place.
#mail.* -/var/log/maillog
local5.* -?CiscoLog
I tried restarting rsyslog but it didn't work.
Any ideas?
You need to add log reception. The imudp module provides the ability to receive syslog messages via UDP.
module(load="imudp")
input(type="imudp" port="514")
Also, when creating a dynamic file, you probably want to use RainerScript, which is the most recent script language for rsyslog. This could look like the following:
# Rsyslog uses templates to generate dynamic files
template(name="DynaFile" type="string"
string="/var/log/remote/%hostname%/cisco.log")
# Custom template to generate the log folder dynamically based on the client's hostname.
action(type="omfile" template="someMessageTemplate" dynaFile="DynaFile")
Note: You'll also have to make sure that you (or rsyslog) have the needed permissions to create folders and files.

capturing raw syslog messages with tcpdump

I am currently collecting logs from a cloud platform which I would like to keep anonymous. While trying to create a custom parser for the syslogs that I am collecting, I am trying to capture the raw syslog by using tcpdump.exe for Windows. The syntax that I am using to capture the raw syslog messages is: tcpdump.exe -s 0 -A udp port 514
The issue that I am having is that each syslog message starts with:
..s....#._<133>
and ends with:
E..T..#.#..C#.?O
Does anyone know what that means and/or how I can capture the raw syslog messages with tcpdump without the beginning and ending garbage?

Logstash TCP input retrieves all past logs once it comes up

Application Logback configuration -
<appender name="stash"
class="net.logstash.logback.appender.LogstashAccessTcpSocketAppender">
<destination>localhost:5001</destination>
<!-- encoder is required -->
<encoder>
<pattern>%d{dd/MM/YY HH:mm:ss.SSS} - %-5level[%-5thread] - %logger{32} - %msg%n</pattern>
</encoder>
</appender>
Logstash input is TCP plugin and output is ElasticSearch.
Initially the Logstash server is down and the application is generating logs continuously. When viewed in Kibana, no new logs are getting added. After some time Logstash is started. Now when logs are viewed in Kibana, it seems all the logs which were generated when Logstash was down are flushed to ES and can be viewed.
I checked ss | grep 5001 when the Logstash server was down; port 5001 is in CLOSED-WAIT state and the queues are empty.
What can be the reason for this?
The appender net.logstash.logback.appender.LogstashAccessTcpSocketAppender extends [net.logstash.logback.appender.AbstractLogstashTcpSocketAppender](https://github.com/logstash/logstash-logback-encoder/blob/master/src/main/java/net/logstash/logback/appender/AbstractLogstashTcpSocketAppender.java) which has an internal ring buffer that buffers the log events. Buffering is required to achieve non-blocking behavior. Otherwise the appender would block your code when writing events to the TCP socket.
The ring buffer holds by default 8192 bytes. If the buffer gets full before the events can be sent to the socket, the appender starts dropping events. The buffer size and many other properties can be configured via the appender interface.

IETF syslog input to fluentd

Is there any way to support IETF / RFC 5424 syslog messages with fluentd? My application has no disk, so tailing a file is not an option. The system already outputs standard syslog messages, but it looks like fluentd's syslog plugin is not, by default, able to parse the RFC 5424 message format.
A Fluentd maintainer here.
You are correct: in the past, Fluentd only supported a "default" syslog message via in_syslog. Hopefully in the next version, we have in_tcp and in_udp which accept arbitrary input format, including RFC 5424 syslog format. Here is a pull request for it

Linux Syslog Server Format

I am creating a syslog formatted message according to RFC3164 and sending it to my Linux default syslog server which is listening on port 514.
The message I am sending is
<187>Nov 19 02:58:57 nms-server6 %cgmesh-2-outage: Outage detected on this device
I open a socket, make a datagram packet and send this packet on that socket.
Now in the var/log/syslog.log which I have configured to receive all the syslog messages as
*.* /var/log/syslog.log
I am getting this extra hostname inserted by the server automatically, as shown below
Nov 19 02:58:57 nms-server6 nms-server6 %cgmesh-2-outage: Outage detected on this device
As you see, nms-server6 is repeated twice while I am sending it just once... so somehow the server is inserting it by default.
Can someone share some knowledge on this?
Are you adding the hostname in your message? If so, I don't think that's necessary as the hostname will be taken from the packet - which would explain the duplication.
Also, as a side note - it's nice that you've added the %fac-sev-mnemonic: portion, but that is not a standard, it's used by Cisco devices.
Here's a link to a good whitepaper that covers Cisco Mnemonics (and syslog management):
Building Scalable Syslog Management Solutions:
http://www.cisco.com/en/US/technologies/collateral/tk869/tk769/white_paper_c11-557812.html
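An added example (not code from any of the posts above) that serves both the tcpdump question and this one: with tcpdump -A the bytes printed in front of <133> are the Ethernet, IPv4 and UDP headers rendered as dots (the 'E' is the 0x45 version/IHL byte that starts every IPv4 header), and once those are stripped the RFC 3164 payload splits into PRI, TIMESTAMP, HOSTNAME and MSG. The frame, its MAC and IP addresses and the ascii_dump rendering are constructed for illustration, not taken from a real capture.

```python
import struct

# Constructed sample frame (not a real capture): Ethernet II + IPv4 + UDP/514 carrying
# the RFC 3164 message quoted in the question above as its payload.
PAYLOAD = b"<187>Nov 19 02:58:57 nms-server6 %cgmesh-2-outage: Outage detected on this device"

def build_frame(payload: bytes) -> bytes:
    """Wrap a syslog payload in made-up link/IP/UDP headers the way a sniffer sees it."""
    eth = b"\x00\x1b\x0c\x05\x06\x07" + b"\x00\x1c\x0d\x08\x09\x0a" + b"\x08\x00"  # dst, src, IPv4
    udp_len = 8 + len(payload)
    # 0x45 = IPv4 with IHL 5: this is the 'E' seen where an IP header starts in a -A dump
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0x2323, 0, 64, 17, 0,
                     bytes([10, 0, 0, 5]), bytes([10, 254, 1, 103]))
    udp = struct.pack("!HHHH", 64118, 514, udp_len, 0)  # src port, dst port 514, length, checksum
    return eth + ip + udp + payload

def ascii_dump(data: bytes) -> str:
    """Render bytes roughly as tcpdump -A does: printable ASCII as-is, other bytes as '.'."""
    return "".join(chr(b) if 32 <= b < 127 else "." for b in data)

def udp_payload(frame: bytes) -> bytes:
    """Strip Ethernet (14 bytes), IPv4 (IHL*4 bytes) and UDP (8 bytes) headers."""
    if frame[12:14] != b"\x08\x00":
        raise ValueError("not an IPv4 frame")
    ihl = (frame[14] & 0x0F) * 4
    if frame[14 + 9] != 17:
        raise ValueError("not UDP")
    udp_start = 14 + ihl
    udp_len = struct.unpack("!H", frame[udp_start + 4:udp_start + 6])[0]
    return frame[udp_start + 8:udp_start + udp_len]

def parse_rfc3164(msg: bytes) -> dict:
    """Split <PRI>TIMESTAMP HOSTNAME MSG; TIMESTAMP is the fixed 15-char 'Mmm dd hh:mm:ss'."""
    text = msg.decode("ascii", errors="replace")
    end = text.find(">", 1, 5)  # PRI is at most three digits
    if not text.startswith("<") or end < 0 or not text[1:end].isdigit():
        raise ValueError("missing or malformed PRI")
    pri = int(text[1:end])
    rest = text[end + 1:]
    if len(rest) < 17 or rest[15] != " ":
        raise ValueError("malformed timestamp")
    hostname, _, message = rest[16:].partition(" ")
    return {"facility": pri >> 3, "severity": pri & 0x07, "timestamp": rest[:15],
            "hostname": hostname, "msg": message}

if __name__ == "__main__":
    frame = build_frame(PAYLOAD)
    print(ascii_dump(frame))  # the header bytes appear as the dots before '<187>'
    print(parse_rfc3164(udp_payload(frame)))
```

PRI 187 decodes to facility 23 (local7) and severity 3 (err); the <133> from the tcpdump question decodes to facility 16 (local0) and severity 5 (notice).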