These are the instructions for configuring CentOS 7.x with syslog-ng in preparation for the Splunk CISCO TA and Splunk CISCO app and using syslog-ng to manage the logs from your CISCO devices.
I have updated the original instructions for setting up syslog-ng on CentOS 6.x by Charles Gerow.
GREEN = Typed commands followed by pressing ENTER
BLUE = Screen Output or File Contents
Requirements:
- CentOS 7.x
- Internet Connectivity
- wget (yum install wget)
Installation:
- Install EPEL Repositories:
- Login to your server as root (or su -)
- Type: cd /root
- Type (Current link as of this post):
- Type: rpm -Uvh /root/epel-release-7-7.noarch.rpm
- To verify the software repository was installed type: yum repolist
You should see something like:

[root@myserver ~]# yum repolist
Loaded plugins: fastestmirror
epel/x86_64/metalink                                  |  14 kB  00:00:00
epel                                                  | 4.3 kB  00:00:00
(1/3): epel/x86_64/updateinfo                         | 575 kB  00:00:00
(2/3): epel/x86_64/group_gz                           | 170 kB  00:00:01
(3/3): epel/x86_64/primary_db                         | 4.2 MB  00:00:06
Loading mirror speeds from cached hostfile
 * base: dallas.tx.mirror.xygenhosting.com
 * epel: mirror.sfo12.us.leaseweb.net
 * extras: mirrors.unifiedlayer.com
 * updates: mirrors.sonic.net
repo id               repo name                                        status
base/7/x86_64         CentOS-7 - Base                                   9,007
*epel/x86_64          Extra Packages for Enterprise Linux 7 - x86_64   10,228
extras/7/x86_64       CentOS-7 - Extras                                   353
updates/7/x86_64      CentOS-7 - Updates                                1,994
repolist: 21,582
- Install Syslog-NG:
- Run an update check: yum check-update (to see if this will impact any other software on your system)
- Check the availability of Syslog-NG by typing: yum list *syslog-ng*
[root@myserver ~]# yum list *syslog-ng*
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * base: dallas.tx.mirror.xygenhosting.com
 * epel: mirror.sfo12.us.leaseweb.net
 * extras: mirrors.unifiedlayer.com
 * updates: mirrors.sonic.net
Available Packages
syslog-ng.x86_64             3.5.6-3.el7    epel
syslog-ng-devel.x86_64       3.5.6-3.el7    epel
syslog-ng-geoip.x86_64       3.5.6-3.el7    epel
syslog-ng-json.x86_64        3.5.6-3.el7    epel
syslog-ng-libdbi.x86_64      3.5.6-3.el7    epel
syslog-ng-mongodb.x86_64     3.5.6-3.el7    epel
syslog-ng-redis.x86_64       3.5.6-3.el7    epel
syslog-ng-smtp.x86_64        3.5.6-3.el7    epel
- Install both syslog-ng and syslog-ng-libdbi (to avoid an error message) by typing: yum install syslog-ng syslog-ng-libdbi
(Of course, you could install everything… if you want to…) The sample output below is from the CentOS 6 version of these instructions; on CentOS 7 you will see the el7 x86_64 packages listed above instead.

[root@myserver ~]# yum install syslog-ng syslog-ng-libdbi
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * base: mirror.cisp.com
 * epel: archive.linux.duke.edu
 * extras: mirror.symnds.com
 * updates: mirrors.easynews.com
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package syslog-ng.i686 0:3.2.5-3.el6 will be installed
--> Processing Dependency: libnet.so.1 for package: syslog-ng-3.2.5-3.el6.i686
--> Processing Dependency: libevtlog.so.0 for package: syslog-ng-3.2.5-3.el6.i686
---> Package syslog-ng-libdbi.i686 0:3.2.5-3.el6 will be installed
--> Processing Dependency: libdbi.so.0 for package: syslog-ng-libdbi-3.2.5-3.el6.i686
--> Running transaction check
---> Package eventlog.i686 0:0.2.12-1.el6 will be installed
---> Package libdbi.i686 0:0.8.3-4.el6 will be installed
---> Package libnet.i686 0:1.1.5-1.el6 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

====================================================================================================
 Package                  Arch        Version               Repository     Size
====================================================================================================
Installing:
 syslog-ng                i686        3.2.5-3.el6           epel          442 k
 syslog-ng-libdbi         i686        3.2.5-3.el6           epel           31 k
Installing for dependencies:
 eventlog                 i686        0.2.12-1.el6          epel           17 k
 libdbi                   i686        0.8.3-4.el6           base           39 k
 libnet                   i686        1.1.5-1.el6           epel           55 k

Transaction Summary
====================================================================================================
Install       5 Package(s)

Total download size: 583 k
Installed size: 1.7 M
Is this ok [y/N]: y
If prompted to import a GPG key… type: y

warning: rpmts_HdrFromFdno: Header V3 RSA/SHA256 Signature, key ID 0608b895: NOKEY
Retrieving key from file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-6
Importing GPG key 0x0608B895:
 Userid : EPEL (6)
 Package: epel-release-6-8.noarch (installed)
 From   : /etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-6
Is this ok [y/N]: y
- Run an update check: yum check-update
- Configure CentOS Services, Stop Rsyslog, and Start Syslog-NG:
- Disable rsyslog: chkconfig syslog off (actually this is systemctl status syslog.service)
- Confirm rsyslog is disabled:
[root@myserver ~]# chkconfig --list rsyslog
rsyslog         0:off   1:off   2:off   3:off   4:off   5:off   6:off
- Enable syslog-ng: chkconfig syslog-ng on
- Confirm syslog-ng is enabled:
[root@myserver ~]# chkconfig --list syslog-ng
syslog-ng       0:off   1:off   2:on    3:on    4:on    5:on    6:off
- Stop Rsyslog:
[root@myserver ~]# service rsyslog stop
Shutting down system logger:                               [  OK  ]
- Start Syslog-NG:
[root@myserver ~]# service syslog-ng start
Starting syslog-ng:                                        [  OK  ]
- Example Configuration for Syslog-NG:
- Add the following to the END of /etc/syslog-ng/syslog-ng.conf:
options { keep-timestamp(no); };

# My Switches
source s_cisco {
    udp(ip(0.0.0.0) port(514));
    tcp(ip(0.0.0.0) port(514));
};

destination d_cisco {
    file(
        "/var/log/cisco/$HOST-$YEAR$MONTH$DAY.log"
        perm(644)
        create_dirs(yes)
    );
};

log {
    source(s_cisco);
    destination(d_cisco);
};
This will basically take ALL syslog data arriving on udp/tcp 514 (bound to 0.0.0.0, i.e. every interface) and place it into /var/log/cisco. The file names are built from the sending host name and the date. For example, if you have a switch named MYSWITCH and the current date is December 10th, 2013… the full path and file name would be: /var/log/cisco/MYSWITCH-20131210.log
- *** DO NOT modify any other portion of the file unless you are certain you know what you are doing!
- Restart the syslog-ng service to implement changes:
[root@myserver syslog-ng]# service syslog-ng restart
Stopping syslog-ng:                                        [  OK  ]
Starting syslog-ng:                                        [  OK  ]
- Delete Old Syslog-NG Files:
- Login as root
- Type: crontab -e
- Add the following to your crontab file:
# Delete Old Syslog Files
# 3 AM, Every Sunday
0 3 * * 0 /usr/bin/find /var/log/cisco -maxdepth 1 -mtime +60 -name "*.log" -exec rm {} \;
Change the "60" to your desired number of "days".
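The cron entry above, exercised as an added dry run (example code, not from the original post): it recreates the /var/log/cisco layout in a temporary directory with constructed file names and ages, and lists what the find predicates would match before anything is removed. The only change from the cron line is an added -type f; the file names, dates and ages are made up for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the original post: a dry run of the retention
# cron job against a constructed directory laid out like /var/log/cisco, so
# the set of files it would delete can be reviewed before it is scheduled.
# Assumes GNU find and GNU touch (the CentOS 7 defaults); the cron entry
# itself uses /usr/bin/find because cron runs with a minimal PATH.

# Same predicates as the crontab entry, with -print instead of -exec rm:
# only entries directly in $1 (-maxdepth 1), named *.log, modified more
# than $2 full days ago. -type f is added here so a stray directory named
# like a log file can never be handed to rm.
list_expired_logs() {
    find "$1" -maxdepth 1 -type f -mtime "+$2" -name '*.log' -print | sort
}

# The destructive form; run only after reviewing list_expired_logs output.
purge_expired_logs() {
    find "$1" -maxdepth 1 -type f -mtime "+$2" -name '*.log' -exec rm {} \;
}

# Constructed sample: names follow the destination's
# $HOST-$YEAR$MONTH$DAY.log pattern, mtimes are set relative to today.
make_sample_dir() {
    dir=$(mktemp -d)
    touch -d '-90 days' "$dir/MYSWITCH-20131210.log"    # expired
    touch -d '-61 days' "$dir/CORE01-20140108.log"      # expired: just past +60
    touch -d '-59 days' "$dir/CORE01-20140110.log"      # kept: not yet +60
    touch -d '-90 days' "$dir/notes.txt"                # kept: not *.log
    mkdir "$dir/archive"
    touch -d '-90 days' "$dir/archive/OLD-20130101.log" # kept: beyond -maxdepth 1
    printf '%s\n' "$dir"
}

# Demo: show what a 60-day retention would remove from the sample directory.
sample=$(make_sample_dir)
echo "Files the cron job would delete (retention 60 days):"
list_expired_logs "$sample" 60
rm -rf "$sample"
```

Point list_expired_logs at the real /var/log/cisco with your chosen day count to preview the production job; -mtime +N matches files older than N full days, so a file exactly N days old is kept until the next day.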