,----------------------------------------------.
| AfNOG 2009 - Cairo - SI-E - Syslog Exercise |
`----------------------------------------------'

My FreeBSD server's address is: ... 196.200.220. ..........  (H.H.H.H)
My cisco router's address is:   ... 196.200.220. ............ (R.R.R.R)

1. CONFIGURE THE ROUTER

   Add the following configuration to the router, and save it:

       logging facility local7
       logging H.H.H.H          <---- use the real address of your FreeBSD server!

   "logging facility local7" tags every message the router sends with the
   local7 facility; that is what the syslogd rule in step 3 matches on.
   The router sends each message as a plain UDP datagram to port 514 on
   the server.

2. WATCH FOR LOG MESSAGES

   As root on your FreeBSD server, use tcpdump to watch for messages:

       # tcpdump udp port 514

   Edit the configuration on your router -- even if you don't change
   anything, typing "configure terminal" and then exiting ought to make
   the router generate messages. Do you see packets arriving on your
   server?

   Press control-C to make tcpdump exit.

3. CONFIGURE SYSLOGD

   On your FreeBSD server, edit /etc/syslog.conf and add the following line:

       local7.*                                        /var/log/network.log

   DO NOT ADD THIS RIGHT AT THE BOTTOM OF THE FILE!

   FreeBSD's syslog.conf is a little unusual: a line starting with "!"
   (e.g. "!startslip") begins a section whose rules apply only to messages
   from that program, so a rule added after such a line would never match
   the router's messages. You need to add the local7 line *above* the
   first line in the file which starts with a "!" (i.e. just before
   "!startslip").

   Make sure that the log file exists, and has appropriate permissions,
   as root:

       touch /var/log/network.log
       chmod 644 /var/log/network.log

4. EDIT SYSLOG PARAMETERS

   By default FreeBSD's syslogd does not log messages from remote
   machines (the default syslogd_flags in /etc/defaults/rc.conf is "-s").
   We want to accept syslog messages from the router, and only from the
   router. Edit /etc/rc.conf and add the following line:

       syslogd_flags="-a R.R.R.R/32:*"   <---- use the real router address!

   "-a" names a peer that is allowed to send messages to this syslogd, and
   "/32" restricts it to that single address. The ":*" is required on
   FreeBSD because the source port used by cisco routers is not 514, but
   is instead a random port; without it syslogd only accepts datagrams
   whose source port is the syslog port. ":*" accepts the message no
   matter what source port was used.

   Note that syslog over UDP is neither authenticated nor encrypted: the
   "-a" check only looks at the source address of the datagram, which can
   be forged, so treat it as a convenience filter rather than a security
   boundary.

5. RESTART SYSLOGD

   Run the following script as root:

       /etc/rc.d/syslogd restart

6. CONFIGURE LOG ROTATION

   Whenever you start writing to a log, you want to make sure it can't
   fill up your disk. On FreeBSD, we do this with newsyslog.

   Add the following line to /etc/newsyslog.conf:

       /var/log/network.log   644  5   100  *   JC

   This means: keep 5 old copies of the log, don't let the log file grow
   larger than 100k, start a new file at any time ("*"), compress the old
   logs with bzip2 ("J") and create the log file if it's missing ("C").
   The 644 is the mode given to the newly created log file.

   No daemon needs to be restarted for this: newsyslog is run from cron
   (hourly, from /etc/crontab) and reads newsyslog.conf each time, so the
   change takes effect at its next run.

7. WATCH THE LOG

   Type the following to watch the log for new lines:

       tail -f /var/log/network.log

   Try changing the configuration on your router, and verify that log
   messages are shown by "tail".
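The FreeBSD side of steps 3, 4 and 6 above, as an added, re-runnable shell example (this is not part of the AfNOG handout). Each function takes the file to edit as an argument so the whole procedure can be rehearsed against copies under a scratch directory before touching /etc; the function names, the staging-prefix convention, and the router address in the usage comments are assumptions of this example. It also includes the check the "DO NOT ADD THIS AT THE BOTTOM" warning is about: whether the local7 rule really sits in the global part of syslog.conf.

```shell
#!/bin/sh
# Added example, not part of the AfNOG handout: applies steps 3, 4 and 6 of the
# exercise to FreeBSD's configuration files from a script instead of an editor.
# Every function takes the file to edit as an argument, so the whole thing can
# be rehearsed against copies under a scratch directory before touching /etc.
# Function names and the staging-prefix convention are this example's own.

# Step 3: put "local7.*  <logfile>" above the first line beginning with "!".
# A "!program" line starts a section whose rules only match that program's
# messages, so a rule appended at the bottom would never see the router's
# messages. If the file has no "!" line at all, the rule goes at the end.
# Does nothing when the rule is already there, so it is safe to re-run.
add_local7_rule() {
    conf=$1; logfile=$2
    grep -q "^local7\.\*[[:space:]].*$logfile\$" "$conf" && return 0
    awk -v rule="local7.*\t\t\t\t\t$logfile" '
        !done && /^!/ { print rule; done = 1 }
        { print }
        END { if (!done) print rule }
    ' "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
}

# Check for the warning in step 3: succeeds only when a local7 rule appears
# before the first "!" line, i.e. in the global part of syslog.conf.
local7_rule_is_global() {
    awk '
        /^!/ && !stopped { stopped = 1 }
        /^local7\.\*/ && !stopped { seen = 1 }
        END { exit(seen ? 0 : 1) }
    ' "$1"
}

# Step 3, second half: the log file must exist with mode 644.
ensure_logfile() {
    mkdir -p "$(dirname "$1")"
    [ -e "$1" ] || touch "$1"
    chmod 644 "$1"
}

# Step 4: accept UDP syslog from the router only. "/32" limits the peer to one
# address and ":*" allows any source port, because IOS does not send from 514.
# Setting syslogd_flags replaces FreeBSD's default "-s" (do not log messages
# from remote machines), which is exactly the behaviour we need to turn off.
# An existing syslogd_flags line is replaced rather than duplicated.
set_syslogd_flags() {
    rcconf=$1; router=$2
    flags="syslogd_flags=\"-a $router/32:*\""
    if grep -q '^syslogd_flags=' "$rcconf"; then
        awk -v flags="$flags" '/^syslogd_flags=/ { print flags; next } { print }' \
            "$rcconf" > "$rcconf.tmp"
    else
        { cat "$rcconf"; echo "$flags"; } > "$rcconf.tmp"
    fi
    mv "$rcconf.tmp" "$rcconf"
}

# Step 6: rotate when the log reaches 100 KB, keep 5 bzip2-compressed old
# copies (J), create the file if it is missing (C); skipped if already present.
add_newsyslog_entry() {
    conf=$1; logfile=$2
    grep -q "^$logfile[[:space:]]" "$conf" && return 0
    printf '%s\t\t\t644  5\t100\t*\tJC\n' "$logfile" >> "$conf"
}

# Apply everything under a prefix: "" for the live system, or a scratch
# directory such as /tmp/stage for a dry run (it needs an etc/ subdirectory
# holding copies of syslog.conf, rc.conf and newsyslog.conf).
# The router address below is a placeholder; use your own.
#   apply_all ""         196.200.220.2   # for real; then /etc/rc.d/syslogd restart
#   apply_all /tmp/stage 196.200.220.2   # rehearsal
apply_all() {
    prefix=$1; router=$2; logfile=/var/log/network.log
    add_local7_rule "$prefix/etc/syslog.conf" "$logfile"
    ensure_logfile "$prefix$logfile"
    set_syslogd_flags "$prefix/etc/rc.conf" "$router"
    add_newsyslog_entry "$prefix/etc/newsyslog.conf" "$logfile"
}
```

The awk insertion is the part worth copying: it prints the rule once, immediately before the first "!" line, and falls back to appending only when no program section exists. Files are rewritten through a temporary copy and moved into place rather than edited with sed -i, since that flag behaves differently on FreeBSD and GNU sed. After running it for real, step 5 (restarting syslogd) is still needed; newsyslog picks up its new line on its own.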