Configure Rsyslog Server for Cisco Devices

Configuration Link to heading

• Enable NTP in the Rsyslog server

[root@server ~]$ vi /etc/ntp.conf
server 127.127.1.0
fudge 127.127.1.0 stratum 10

• Configure the router to sync time with the Rsyslog server

R1(config)# ntp authentication-key 1 md5
R1(config)# ntp server 192.168.1.100 key 1
R1(config)# ntp trusted-key 1
R1(config)# ntp authenticate
*Dec  5 22:07:36.198: NTP Core(INFO): keys initilized.
*Dec  5 22:07:36.198: NTP Core(NOTICE): proto: precision =  usec
*Dec  5 22:07:36.198: %NTP : Drift Read : FFFFFFFF.FFFFF470
*Dec  5 22:07:36.198: NTP Core(DEBUG): drift value read: -0.000000000
*Dec  5 22:07:36.198: NTP Core(NOTICE): ntpd  PPM
*Dec  5 22:07:36.198: NTP: Initialized interface Embedded-Service-Engine0/0
*Dec  5 22:07:36.198: NTP: Initialized interface GigabitEthernet0/0
*Dec  5 22:07:36.198: NTP: Initialized interface GigabitEthernet0/1
*Dec  5 22:07:36.198: NTP: Initialized interface GigabitEthernet0/2
*Dec  5 22:07:36.198: NTP: Initialized interface Backplane-GigabitEthernet0/3
*Dec  5 22:07:36.198: NTP: Initialized interface Serial0/0/0
*Dec  5 22:07:36.198: NTP: Initialized interface Serial0/0/1
*Dec  5 22:07:36.198: NTP: Initialized interface RG-AR-IF-INPUT1
*Dec  5 22:07:36.198: NTP: Initialized interface VoIP-Null0
*Dec  5 22:07:36.198: NTP Core(INFO): more memory added for keys.
*Dec  5 22:07:36.198: NTP Core(INFO): key (1) added.
*Dec  5 22:07:36.246: NTP Core(INFO): key (1) marked as trusted.
*Dec  5 22:07:37.198: NTP message sent to 192.168.1.100, from interface 'NULL' (0.0.0.0).
*Dec  5 22:07:37.198: NTP message received from 192.168.1.100 on interface 'GigabitEthernet0/0' (192.168.1.1).
*Dec  5 22:07:37.198: NTP Core(DEBUG): ntp_receive: message received
*Dec  5 22:07:37.198: NTP Core(DEBUG): ntp_receive: peer is 0x22606EE0, next action is 1.
*Dec  5 22:07:37.198: NTP Core(DEBUG): Peer becomes reachable, poll set to 6.
*Dec  5 22:07:37.198: NTP Core(INFO): 192.168.1.100 E014 84 reachable
*Dec  5 22:07:37.198: NTP Core(INFO): 192.168.1.100 F02D 8D popcorn popcorn
*Dec  5 22:07:38.322: NTP Core(INFO): 0.0.0.0 C01C 0C clock_step
...
*Dec  6 02:21:14.444: NTP Core(NOTICE): Clock is synchronized.

R1# show ntp association
  address         ref clock       st   when   poll reach  delay  offset   disp
*~192.168.1.100   127.127.1.0     11     13     64     1  1.234  -0.544 3937.6
 * sys.peer, # selected, + candidate, - outlyer, x falseticker, ~ configured

R1# show ntp status
Clock is synchronized, stratum 12, reference is 192.168.1.100
nominal freq is 250.0000 Hz, actual freq is 250.0000 Hz, precision is 2**20
ntp uptime is 12800 (1/100 of seconds), resolution is 4000
reference time is DDD1D29A.722F8839 (02:21:14.446 UTC Wed Dec 6 2017)
clock offset is -0.5441 msec, root delay is 1.23 msec
root dispersion is 7887.42 msec, peer dispersion is 3937.65 msec
loopfilter state is 'CTRL' (Normal Controlled Loop), drift is 0.000000000 s/s
system poll interval is 64, last update was 17 sec ago.

• Create a log file which store all router’s logs in the Rsyslog server

[root@server ~]$ cd /var/log

[root@server ~]$ touch cisco

[root@server ~]$ vi /etc/syslog.conf
# Cisco routers use the local7 facility
local7.info /var/log/cisco

[root@server ~]$ /etc/init.d/syslog restart

• Configure the router to send log messages to the Rsyslog server

R1(config)# logging ip_address_of_server
R1(config)# logging trap
R1(config)# logging on
R1(config)# service timestamps log datetime

Verification Link to heading

[root@server ~]$ cat /var/log/cisco.log
Nov 22 11:30:25 172.16.100.254 86: Nov 22 16:30:09: %SYS-5-CONFIG_I: Configured from console by console
Nov 22 11:30:25 172.16.100.254 87: Nov 22 16:30:10: %SYS-3-LOGGINGHOST_FAIL: Logging to host 172.16.100.100 port 514 failed
Nov 22 11:30:25 172.16.100.254 88: Nov 22 16:30:15: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 172.16.100.100 port 514 started - reconnection
Nov 22 11:34:29 172.16.100.254 90: Nov 22 16:34:13: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down
Nov 22 11:34:29 172.16.100.254 91: Nov 22 16:34:14: %SYS-3-LOGGINGHOST_FAIL: Logging to host 172.16.100.100 port 514 failed
Nov 22 11:34:29 172.16.100.254 92: Nov 22 16:34:19: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 172.16.100.100 port 514 started - reconnection
Nov 22 11:35:21 172.16.100.254 93: Nov 22 16:35:20: %LINK-5-CHANGED: Interface GigabitEthernet0/1, changed state to administratively down
Nov 22 11:35:21 172.16.100.254 94: Nov 22 16:35:21: %SYS-5-CONFIG_I: Configured from console by console

Reference Link to heading

• Linux Syslog Server - Setup for Cisco Devices