EdgeRouter - Remote Syslog Server for System Logs

Overview


Readers will learn how to configure the EdgeRouter to send log messages to a server using syslog. 


NOTES & REQUIREMENTS:

Applicable to the latest EdgeOS firmware on all EdgeRouter models. Knowledge of the Command Line Interface (CLI) and basic networking knowledge is required. Please see the Related Articles below for more information and see the attachments for the configuration used in this article.

 

Equipment used in this article:

- EdgeRouter-4 (ER-4)

- Syslog server

Table of Contents


  1. Steps: Syslog Server
  2. Steps: Testing & Verification
  3. Related Articles

Syslog Server



You can use either the GUI or the CLI to configure the location of the syslog server and the severity level (0-7). The syslog server can be defined using an IP address or hostname. The severity levels are:

  • 0 - Emergency
  • 1 - Alert
  • 2 - Critical
  • 3 - Error
  • 4 - Warning
  • 5 - Notice
  • 6 - Informational
  • 7 - Debug
 

The configured severity level also includes every lower-numbered severity level. For example, if you set the severity level to 6 (Informational), the router will send syslog messages for levels 0-6.

 

By default, EdgeOS uses the 'BSD' syslog format, the rsyslogd service and UDP port 514 for syslog. It is possible to use an alternate port by adding the port to the syslog server address. For example, configuring 192.168.1.10:10514 will send syslog messages to UDP port 10514.
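The two rules above, the host:port target form and the "a level includes all lower-numbered levels" behaviour, are easy to get wrong when reading a capture. The script below is an added example, not code from the article or from EdgeOS: it parses a syslog target string, decodes the BSD <PRI> prefix (PRI = facility × 8 + severity) into the facility.severity tag that tcpdump prints, and filters a set of constructed messages the way a host configured with `level info` would. The facility and severity keywords follow rsyslog's naming; the sample messages are constructed, not captured from a router.

```python
"""Added example (not from the article or EdgeOS): decode the BSD syslog
<PRI> prefix and apply the 'level' rule from the text, where a configured
level forwards that severity and every lower number. All sample messages
below are constructed."""
import re
from typing import List, Tuple

# Facility codes 0-23 with rsyslog's keywords; 12-15 are rarely seen in practice.
FACILITIES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console", "solaris-cron",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
]
# Severity codes 0-7, same order as the table in the article.
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
DEFAULT_PORT = 514  # EdgeOS default when no port is given

PRI_RE = re.compile(r"^<(\d{1,3})>")


def parse_target(target: str) -> Tuple[str, int]:
    """Split 'host' or 'host:port' as accepted by 'set system syslog host'.
    Handles IPv4 addresses and hostnames only; bracketed IPv6 is not covered here."""
    host, sep, port = target.rpartition(":")
    if not sep:
        return target, DEFAULT_PORT
    if not port.isdigit() or not 0 < int(port) < 65536:
        raise ValueError(f"bad port in syslog target: {target!r}")
    return host, int(port)


def decode_pri(message: str) -> Tuple[str, str]:
    """Return (facility, severity) names from the <PRI> prefix."""
    m = PRI_RE.match(message)
    if not m:
        raise ValueError("message has no <PRI> prefix")
    pri = int(m.group(1))
    if pri > 191:  # 23*8 + 7 is the largest legal value
        raise ValueError(f"PRI out of range: {pri}")
    facility, severity = divmod(pri, 8)
    return FACILITIES[facility], SEVERITIES[severity]


def forwarded(message: str, level: str) -> bool:
    """True if a router configured with 'level <level>' would send this message:
    the message's severity number must be <= the configured level's number."""
    _, severity = decode_pri(message)
    return SEVERITIES.index(severity) <= SEVERITIES.index(level)


def select_for_level(messages: List[str], level: str) -> List[str]:
    """Return the 'facility.severity' tags (as tcpdump prints them) of forwarded messages."""
    return [".".join(decode_pri(m)) for m in messages if forwarded(m, level)]


# Constructed BSD-format samples; PRI values chosen to cover several facilities and levels.
SAMPLE_MESSAGES = [
    "<0>Jan  1 18:11:00 ubnt kernel: constructed kern.emerg sample",
    "<13>Jan  1 18:11:10 ubnt ubnt: constructed user.notice sample",
    "<30>Jan  1 18:11:20 ubnt dhcpd: constructed daemon.info sample",
    "<38>Jan  1 18:11:49 ubnt sshd[1000]: constructed auth.info sample",
    "<86>Jan  1 18:11:38 ubnt sshd[1000]: constructed authpriv.info sample",
    "<87>Jan  1 18:11:39 ubnt sshd[1000]: constructed authpriv.debug sample",
]

if __name__ == "__main__":
    print(parse_target("192.168.1.10:10514"))
    for lvl in ("info", "debug"):
        print(lvl, select_for_level(SAMPLE_MESSAGES, lvl))
```

With `level info` the authpriv.debug sample is the only one dropped; with `level debug` all six are forwarded. The `authpriv.info` and `auth.info` tags are the same ones that appear in the tcpdump capture in the verification section.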

 

GUI: Access the Graphical User Interface.

System > System Log

Log to remote server: 192.168.1.10
Log Level: Informational

 

CLI: Access the Command Line Interface. You can do this using the CLI button in the GUI or by using a program such as PuTTY.

configure
set system syslog host 192.168.1.10 facility all level info
commit ; save

Steps - Testing & Verification



You can use the built-in tcpdump functionality to verify that the syslog messages are actually sent to the server.

sudo tcpdump -i eth1 -n udp dst port 514
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 262144 bytes
18:11:38.337306 IP 192.168.1.1.34820 > 192.168.1.10.514: SYSLOG authpriv.info, length: 141
18:11:38.341110 IP 192.168.1.1.34820 > 192.168.1.10.514: SYSLOG authpriv.info, length: 94
18:11:38.787049 IP 192.168.1.1.34820 > 192.168.1.10.514: SYSLOG authpriv.info, length: 83
18:11:49.106441 IP 192.168.1.1.34820 > 192.168.1.10.514: SYSLOG auth.info, length: 96
18:11:49.110156 IP 192.168.1.1.34820 > 192.168.1.10.514: SYSLOG authpriv.info, length: 100
18:12:39.358084 IP 192.168.1.1.34820 > 192.168.1.10.514: SYSLOG authpriv.info, length: 141
18:12:39.361312 IP 192.168.1.1.34820 > 192.168.1.10.514: SYSLOG authpriv.info, length: 94
18:12:39.806304 IP 192.168.1.1.34820 > 192.168.1.10.514: SYSLOG authpriv.info, length: 83

If needed, restart the rsyslogd process with:

sudo service rsyslog restart
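tcpdump on the router only proves that datagrams left eth1; because syslog over UDP has no acknowledgement, the router cannot tell whether anything received them. The script below is an added example, not code from the article or from EdgeOS: it runs both sides of the exchange on the loopback interface, a receiver that decodes one datagram into the same facility.severity tag tcpdump prints, and a sender that emits a BSD-format message the way the router would. A second function sends to a port nobody listens on to show that the send still reports success. The message text is constructed; in real use bind the receiver to port 514 or to the alternate port (for example 10514) configured in the host:port target.

```python
"""Added example (not from the article or EdgeOS): a minimal UDP syslog
receiver on 127.0.0.1 plus a sender emitting one BSD-format datagram.
Shows what arrives on the collector side and that a UDP sender gets no
delivery confirmation. The message text is constructed."""
import socket
from typing import Dict, Tuple

# Only the facilities seen in the tcpdump capture above; others are shown numerically.
FACILITY_NAMES = {4: "auth", 10: "authpriv"}
SEVERITY_NAMES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


def start_receiver(host: str = "127.0.0.1", port: int = 0) -> socket.socket:
    """Bind a UDP socket; port 0 asks the OS for a free port (use 514 or 10514 for real)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((host, port))
    sock.settimeout(2.0)  # do not hang the example if nothing arrives
    return sock


def send_syslog(target: Tuple[str, int], facility: int, severity: int, text: str) -> int:
    """Send one BSD-format datagram '<PRI>text' and return its length.
    UDP carries no acknowledgement: sendto() succeeds even if no server listens."""
    datagram = f"<{facility * 8 + severity}>{text}".encode()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.sendto(datagram, target)
    return len(datagram)


def receive_one(sock: socket.socket) -> Dict[str, object]:
    """Read one datagram and describe it the way the tcpdump lines above do."""
    data, (src_ip, src_port) = sock.recvfrom(65535)
    msg = data.decode(errors="replace")
    close = msg.index(">")
    facility, severity = divmod(int(msg[1:close]), 8)  # PRI = facility*8 + severity
    tag = f"{FACILITY_NAMES.get(facility, facility)}.{SEVERITY_NAMES[severity]}"
    return {"src": src_ip, "src_port": src_port, "tag": tag,
            "length": len(data), "text": msg[close + 1:]}


def loopback_exchange() -> Tuple[int, Dict[str, object]]:
    """Run both sides on 127.0.0.1 and return (bytes sent, decoded datagram)."""
    sock = start_receiver()
    port = sock.getsockname()[1]
    try:
        sent = send_syslog(("127.0.0.1", port), 10, 6,
                           "Jan  1 18:11:38 ubnt sshd[1000]: constructed authpriv.info sample")
        received = receive_one(sock)
    finally:
        sock.close()
    return sent, received


def send_with_no_listener() -> bool:
    """Failure mode: sending to a port nobody listens on raises nothing, so a
    successful send on the router proves nothing about delivery at the server."""
    probe = start_receiver()
    free_port = probe.getsockname()[1]
    probe.close()  # nobody is listening on free_port now
    try:
        send_syslog(("127.0.0.1", free_port), 10, 6, "constructed message into the void")
        return True
    except OSError:
        return False


if __name__ == "__main__":
    sent, rec = loopback_exchange()
    print(f"sent {sent} bytes; received {rec['tag']} from {rec['src']}:{rec['src_port']}")
    print("send without a listener reported success:", send_with_no_listener())
```

The datagram arrives as cleartext with nothing but the source address to identify the router, so the check that matters for an audit trail is on the receiving side: a listener on the configured port must actually see the messages, and the collector's own logs or a capture there, not only tcpdump on the router, confirm delivery.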

Related Articles

