Configuring syslog on network devices
All syslog messages are passed through the external event filters. See Managing external event filters. Events matching a filter (for example, configuration change events) are logged to the event log and processed by the Policy Manager.
The BMC Network Automation system can receive syslog events directly from the network devices on port 514 (default). You can change this default port by editing the settings for the BMC Network Automation remote device agent. See Managing device agents.
BMC Network Automation can also receive syslog events from one or more existing syslog relays (for example, Linux syslogd or syslog-ng). For configuring syslog to forward events, see Configuring existing syslog servers to forward events.
BMC Network Automation includes a factory-installed syslog template. You can use this template for configuring your devices to send syslog events to the BMC Network Automation system. As part of the Job Deploy to Active action, select the Commit option to save the change to the startup configuration.
The following sections contain product-specific notes pertaining to syslog configuration.
Cisco ASA/PIX/FWSM - managing high event volume
The Auto Archive policy triggers on end configuration syslog events from Cisco ASA/PIX/FWSM devices. ASA/PIX/FWSM devices by default classify the severity of this event as Notification (level 5). These devices can generate a very high volume of syslog events at the Notification level under normal operating conditions, which can overwhelm the system (both the main web server and the remote device agent), leading to slow performance accessing almost every web page. BMC recommends two solutions for this issue:
- If you currently suppress low severity ASA/PIX/FWSM events (for example, logging trap 4), change the default syslog level for the end configuration event to a higher severity (for example, Major at level 4). This results in the system receiving only the higher severity events, which will be a much lower volume.
logging host inside <BMC_Network_Automation_application_server_IP_address>
logging message 111005 level 4
- If you do not want to change the ASA/PIX/FWSM syslog configuration, you can set up a syslog relay to forward only the end configuration events of interest to the BMC Network Automation system by using the source, filter, and log commands in the following example. For information about how to relay syslog messages to the system using syslog-ng, see Configuring an existing syslog-ng server.
# Make sure host names are preserved from the source message.
options {
keep_hostname (yes);
};
##### Sources #####
# connect FIFO from syslogd source to the BMC Network Automation destination
source syslogdOutput { fifo("/usr/local/syslog-ng/syslogdOutput.fifo"); };
source syslogdPixOutput { fifo("/usr/local/syslog-ng/syslogdPixOutput.fifo"); };
##### Filters #####
filter f_pix { match(".*end configuration.*"); };
##### Destinations #####
destination BCAN{ udp("10.1.1.14" port(1514) template("$HOST $MSG\n")); };
##### Logs #####
log { source(syslogdOutput); destination(BCAN); };
log { source(syslogdPixOutput); filter(f_pix); destination(BCAN);
};
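The following added example (not part of the BMC documentation) runs both options over constructed ASA messages to show which events reach the BMC Network Automation system in each case. The host name asa-edge-1, the addresses, and the simplification that the relay filter is matched against the full message text are assumptions.

```python
import re

# Constructed sample: (hostname, default severity, ASA message id, text).
SAMPLE = [
    ("asa-edge-1", 6, "302013", "Built outbound TCP connection 101 for "
     "outside:198.51.100.7/443 to inside:10.1.1.50/51234"),
    ("asa-edge-1", 5, "111008", "User 'enable_15' executed the "
     "'configure terminal' command."),
    ("asa-edge-1", 5, "111005", "10.1.1.50 end configuration: OK"),
    ("asa-edge-1", 4, "106023", "Deny tcp src outside:203.0.113.9/4000 "
     "dst inside:10.1.1.60/22 by access-group outside_in"),
]

def device_side(events, trap_level, overrides):
    """Option 1: 'logging trap <n>' plus 'logging message <id> level <n>'.
    An event is sent only if its (possibly overridden) severity number is
    <= the trap level; lower numbers are more severe."""
    sent = []
    for host, sev, msg_id, text in events:
        sev = overrides.get(msg_id, sev)
        if sev <= trap_level:
            sent.append((host, f"%ASA-{sev}-{msg_id}: {text}"))
    return sent

# Same pattern as 'filter f_pix' in the relay configuration.
F_PIX = re.compile(r".*end configuration.*")

def relay_side(events):
    """Option 2: device configuration unchanged; the relay applies f_pix
    and formats each forwarded event with the $HOST $MSG template."""
    out = []
    for host, sev, msg_id, text in events:
        msg = f"%ASA-{sev}-{msg_id}: {text}"
        if F_PIX.search(msg):
            out.append(f"{host} {msg}\n")
    return out

if __name__ == "__main__":
    for host, msg in device_side(SAMPLE, 4, {"111005": "4" == "4" and 4}):
        print("device ->", host, msg)
    for line in relay_side(SAMPLE):
        print("relay  ->", line, end="")
```

Calling device_side with an empty overrides mapping shows why the logging message 111005 level 4 line matters: at logging trap 4 the end configuration event is otherwise dropped and the Auto Archive policy never sees it.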
If one of these approaches is not adequate for your operations, follow these instructions for configuring syslog.
- Log on by using telnet or ssh.
- Enter enable and the enable password.
- Enter configure terminal. You are now in the configuration mode.
- Enter logging on.
- Enter logging host <application_server_IP_address>.
- Enter logging trap 5.
- Enter logging facility 23.
- Enter logging timestamp.
- Enter exit.
Cisco VPN 3000 concentrator series (manual syslog configuration)
Use the following example when doing a manual syslog configuration for the Cisco VPN 3000 concentrator series.
1>Configuration
2>System Management
6>Event Configuration
1>General
5>Set Severity Parameters
3>Which Event Severities go to Syslog
Highest Severities to Syslog
Event> 5
H> to go home
Traverse Menu
1>Configuration
2>System Management
6>Event Configuration
5>Syslog Servers
1>Add a Syslog Server
Syslog Server> <application_server_IP_address>
Syslog Server port > 514
H> to return home
Motorola Symbol WS 2000 Wireless Switch
Use the following example when configuring the Motorola Symbol WS 2000 Wireless Switch for syslog.
log
set ipaddr <syslog_IP_address>
set level <syslog_level>
set mode <enable|disable>
set cf_logging_mode <mode>
set server <ftp_server>
set user <ftp_user>
set passwd <ftp_password>
SonicWALL firewalls (manual syslog configuration)
Connect and log on to the firewall by using your web browser.
- Select Log > Automation in the left panel menu. Click Add to add a syslog server IP address (that is, BMC Network Automation server IP address) and port (for example, 514).
- Select Log > Categories in the left panel menu, then select User Activity.
Related BMC Communities video
The following BMC Communities video (7:12) describes how to configure syslogging for network devices with BMC Network Automation.
https://www.youtube.com/watch?v=qyxP0fI39m8&list=PLr4ck07lc-F8iEOqfe2sYqkR5LBYo1WKI&index=3