How to setup and configure logging for network devices with log rotation

Most of the people does not know Ubuntu linux  comes with a pretty decent Syslog server which you can configure with log rotation(archiving).I always used windows kiwi version but Ubuntu syslog server is amazing and very easy to configure and easy to manage and administer

Steps:-

a)login to the ubuntu server as root or as a user with sudo privilege
b)install syslog server
                     #apt-get install syslogd

c)vi the file /etc/default/syslogd
modify the entry SYSLOGD=”” to      SYSLOGD=”-r”
(This change is for allowing remote logging from remote devices)

d)restart the syslogd service
                    # /etc/init.d/sysklogd stop
                    # /etc/init.d/sysklogd start

verify the syslogd service is running the command

                #netsstat -na | grep 514

A similar output is expected

root@netmon01:~# netstat -na | grep 514
udp   119448      0 0.0.0.0:514             0.0.0.0:*

e)Now vi the file /etc/syslog.conf

create entries like this

local5.debug                                               /var/log/local5
local6.debug                                                /var/log/local6
local7.debug                                                /var/log/local7

Here i am planning send all the Cisco device logs to local 6 and load balancer logs to local7.

logging levels varies from 0 through 7.I am configuring informational logs here which is level 6(You can change it according to your needs)

f)Configure the network device

      configuring a Cisco 3560 switch

 #logging history informational

# logging trap informational
# logging facility local6
#logging SERVERIP# loggin on




Steps to confgure a Cisco ASA



logging enable
logging timestamp
logging monitor informational
logging trap informational

logging facility 22

logging host INTERFACE SERVERIP

In ASA logging level of 6 corresponds to facility 22

Similarly you can configure loadbalancer’s or other devices to send the logs to another facility on Syslog server say local5

Restart the sysklog service

verify the logging by sh logging on cisco devices and from the server by tail -f local6

(If you want you can create a sym link to levels like

#ln -s /var/log/cisco.log /var/log/local6

#ln -s /var/log/lb.log /var/log/local5

How to log rotate the logs ?

Ubuntu comes with a log rotation facility where you can specify the the files needed to be auto archived.Its under /etc/logrotate.d

My tacacs aaa logs and tacacs system logs are configure under /var/log/tac-plus/tacacs.log and 

/var/log/tac_plus.log

To log rotate them please create similar entries under /etc/logrotate.d

 # cd /etc/logrotate.d

 # touch tacacs

 #touch tacplusyslog

Add the following content to log rotate tacacs

—————————————————————————————–

/var/log/tac-plus/*.log {
    monthly
    missingok
    compress
    notifempty
    postrotate
        /etc/init.d/tac_plus stop >/dev/null
        /etc/init.d/tac_plus start >/dev/null
    endscript


}

——————————————————————————————

Add the following content to log rotate tacplussyslog


——————————————————————————————-

/var/log/tac_plus.log {
    weekly
    missingok
    compress
    notifempty
    postrotate
        /etc/init.d/tac_plus stop >/dev/null
        /etc/init.d/tac_plus start >/dev/null
    endscript


}


——————————————————————————————-




Instead of monthly you can use daily,weekly,hourly etc.For log rotating other files just create a file and add appropriate script to the file




Please note that ubuntu has its own log archival for local6 which will be done by the OS itself.(syslogd-listfiles command will give you the information)But still you can make changes to the syslogd script to make changes to the archival frequency


Please reach me out @ bejoybkn@yahoo.com/bejoy.bnair@gmail.com

I can help you out with your doubts or questions