- We install the syslog server on a CentOS machine. This is 208.x.x.x in ACME, which is a Virtuozzo VPS.
# yum install rsyslog
The configuration file is /etc/rsyslog.conf. Uncomment or add the following lines in it:
$ModLoad imudp
$UDPServerAddress 208.x.x.x # this MUST be before the $UDPServerRun directive!
$UDPServerRun 514
By default the logs go to /var/log/messages.
- Now we need to configure the switches.
For HP ProCurve:
# logging 208.x.x.x
For Brocade FCX (Core switches):
# logging host 208.x.x.x
( # logging buffered 200 ; this command is for the local switch log buffer )
# logging cli-command
For Dell switches:
# logging 208.x.x.x
# logging cli-command
- In order to separate logs from different sources we can add the following rules to /etc/rsyslog.conf. The rules must come before the default rules, otherwise the logs will also go to /var/log/messages, and the &~ line is necessary to stop further processing of the same log message.
if ($fromhost-ip=='208.x.x.x') then /var/log/Core1.log
&~
if ($fromhost-ip=='208.x.x.x') then /var/log/Core0.log
&~
if ($fromhost-ip=='208.x.x.x') then /var/log/Switch40.log
&~
After any change in rsyslog.conf, the rsyslog service has to be restarted in order for the changes to take effect.
# service rsyslog restart
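The ordering and quoting of these rules are easy to get wrong, and the failure is silent: a rule with a broken quote or without its &~ simply lets the switch logs fall through to /var/log/messages. The following Python lint is an added example (not part of these notes or of rsyslog itself) that checks an rsyslog.conf fragment for exactly the mistakes described above; the sample configuration and its 192.0.2.x addresses are constructed, and it only understands the directives used on this page.

```python
import re

# Constructed /etc/rsyslog.conf fragment used as sample input (not the page's
# own file). It mirrors the per-source rules above and seeds two defects: the
# first rule lacks its closing quote and the second has no "&~" after it.
SAMPLE_CONF = """\
$ModLoad imudp
$UDPServerAddress 192.0.2.10
$UDPServerRun 514
if ($fromhost-ip=='192.0.2.1) then /var/log/Core1.log
&~
if ($fromhost-ip=='192.0.2.2') then /var/log/Core0.log
if ($fromhost-ip=='192.0.2.3') then /var/log/Switch40.log
&~
*.info;mail.none;authpriv.none;cron.none  /var/log/messages
"""

RULE_RE = re.compile(
    r"^if\s*\(\s*\$fromhost-ip\s*==\s*'(?P<ip>[^']*)'\s*\)\s*then\s+(?P<file>\S+)\s*$")
DISCARD_RE = re.compile(r"^&\s*(~|stop)\s*$")        # "&~" (legacy) or "& stop"
DEFAULT_RE = re.compile(r"^\*\.\S+\s+\S*/var/log/messages")  # the catch-all rule

def lint_rsyslog(conf):
    """Return (line_number, problem) tuples for the mistakes described above."""
    problems = []
    lines = conf.splitlines()
    addr_line = run_line = default_line = None
    for n, raw in enumerate(lines, start=1):
        line = raw.strip()
        if line.startswith("$UDPServerAddress"):
            addr_line = n
        elif line.startswith("$UDPServerRun"):
            run_line = n
        elif DEFAULT_RE.match(line) and default_line is None:
            default_line = n                  # first catch-all rule seen
        elif "$fromhost-ip" in line:
            if not RULE_RE.match(line):       # e.g. a missing or curly quote
                problems.append((n, "malformed fromhost-ip rule: check the quotes"))
                continue
            if default_line is not None:      # rule placed after the default rule
                problems.append((n, "rule comes after the /var/log/messages rule"))
            nxt = lines[n].strip() if n < len(lines) else ""
            if not DISCARD_RE.match(nxt):     # no "&~" => message keeps flowing
                problems.append((n, "not followed by '&~': message also hits later rules"))
    # $UDPServerAddress only takes effect if it precedes $UDPServerRun.
    if addr_line is not None and run_line is not None and addr_line > run_line:
        problems.append((addr_line, "$UDPServerAddress must precede $UDPServerRun"))
    return problems
```

Run it over the real file before restarting the service; on rsyslog versions that support it, rsyslogd -N1 adds a syntax check, but it will not notice a forgotten &~.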
- We also limit access to UDP port 514 in the firewall to internal networks:
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT udp -- 208.x.x.x/22 anywhere multiport dports ntp,syslog
ACCEPT udp -- 208.x.x.x/22 anywhere multiport dports ntp,syslog
ACCEPT udp -- 199.x.x.x/21 anywhere multiport dports ntp,syslog
ACCEPT udp -- 10.x.x.x/16 anywhere udp dpt:ntp
DROP udp -- anywhere anywhere multiport dports ntp,syslog
- The following directives have been added to /etc/logrotate.conf in order to configure log rotation for the new log files.
/var/log/Switch*.log /var/log/Core*.log {
# monthly
missingok
notifempty
create 0600 root root
size 1M
# minsize 1M
dateext
rotate 4
postrotate
/bin/kill -HUP `cat /var/run/syslogd.pid 2> /dev/null` 2> /dev/null || true
endscript
}