Basically, we will be configuring an Ubuntu Server to receive all of the log data from a Cisco router or switch. As a bonus, we will also configure the log to be available on a web page.
First, we will get the log file set up.
sudo mkdir /var/log/cisco<CR> // creates a directory to hold log file(s)
sudo touch /var/log/cisco/cisco.log<CR> // creates a new empty log file
sudo chown -R syslog:adm /var/log/cisco<CR> // changes ownership and group so that rsyslog can access the file
Now, create the rsyslog configuration specific to the Cisco logging data.
sudo vi /etc/rsyslog.d/cisco.conf<CR> // use vi to create and edit the rsyslog configuration file for Cisco devices
Add the following to the /etc/rsyslog.d/cisco.conf file (press 'a', then type):
local7.* /var/log/cisco/cisco.log<ESC> // tells rsyslog to send log data from Cisco devices to a file at: /var/log/cisco/cisco.log
<ESC>:wq!<CR> // exits out of the append mode, and forcibly saves and writes the file
Next, change the overall rsyslog configuration to listen on UDP port 514.
sudo vi /etc/rsyslog.conf<CR> // uses vi to edit the base rsyslog configuration file
Un-comment the following two lines by placing the cursor over the '#' at the start of each line and pressing 'd' then 'l':
#module(load="imudp")
#input(type="imudp" port="514")
Then type:
:wq!<CR> // forcibly saves the file, and closes vi
sudo service rsyslog restart <CR> // restarts the rsyslog service to incorporate the changes we made
Now for the fun part: configuring the Cisco device to send log data to the server. Ensure the device (switch or router) has connectivity to the SYSLOG server, and that you know the IP for it.
router> enable<CR>
router# configure terminal<CR>
router(config)# logging <IP Address of syslog server><CR>
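To check the server side without waiting on the router, the sketch below builds a datagram the way a syslog sender does and shows why the local7.* selector catches it: IOS tags its messages with facility local7 unless "logging facility" is changed, and the facility is carried in the leading <PRI> number. This is an added example, not part of the original tutorial; the function names are hypothetical, the sample message is constructed, and 127.0.0.1 assumes the script is run on the syslog server itself.

```python
import socket

# Syslog facility and severity names by numeric code (RFC 3164 / RFC 5424).
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5",
              "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


def build_message(facility, severity, text):
    """Return a syslog datagram whose <PRI> is facility * 8 + severity."""
    pri = FACILITIES.index(facility) * 8 + SEVERITIES.index(severity)
    return f"<{pri}>{text}".encode("ascii")


def decode_pri(datagram):
    """Split the leading <PRI> into (facility, severity) names."""
    if not datagram.startswith(b"<") or b">" not in datagram[:5]:
        raise ValueError("datagram has no <PRI> header")
    pri = int(datagram[1:datagram.index(b">")])
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI {pri} out of range")
    return FACILITIES[pri // 8], SEVERITIES[pri % 8]


def matches_local7_any(datagram):
    """True when the selector 'local7.*' from cisco.conf would match."""
    return decode_pri(datagram)[0] == "local7"


def send_udp(datagram, host, port=514):
    """Send one datagram, as the router does; UDP gives no delivery receipt."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.sendto(datagram, (host, port))


if __name__ == "__main__":
    # Constructed sample in the style of an IOS configuration-change message.
    sample = build_message("local7", "notice",
                           "42: *Mar  1 00:05:12.123: %SYS-5-CONFIG_I: "
                           "Configured from console by console")
    print(sample[:5], decode_pri(sample), matches_local7_any(sample))
    send_udp(sample, "127.0.0.1")  # run on the syslog server, then check cisco.log
```

After running it, the constructed line should appear at the end of /var/log/cisco/cisco.log; if it does not, rsyslog is not listening on UDP 514 or the cisco.conf selector is not being read.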
BONUS EVENT! (make log file viewable via web browser)
On the Ubuntu server that you just configured to receive SYSLOG data on, complete the following:
sudo apt-get update<CR> // update repository data for Ubuntu
sudo apt-get install apache2<CR> // install Apache 2
cd /var/www/html<CR> // change directory to the location where Apache 2 is serving web pages from
sudo ln -s /var/log/cisco<CR> // create a symbolic link to the cisco log directory we created; all files within will be viewable by anyone who can reach the web server
Finally, go to a computer that has a web browser and connectivity to the Ubuntu SYSLOG server. Enter the below into the address bar:
http://<IP Address of Ubuntu Server>/cisco/cisco.log<CR>
You should be able to see at least a line showing that the Cisco router/switch that you configured has sent an entry stating that it is logging to the Ubuntu Server!
No CATS were harmed in the writing of this tutorial. Cat provided at the request of /u/the-packet-thrower.