This article explains how to forward logs from a router, switch, firewall or any other telecom device to Apsolab-Server.

Requirements

To forward logs from telecom devices to Apsolab-Server, your device must be able to send logs in syslog format to an external host. In short, it must support the syslog protocol.

Scenario

  • If you don’t have any special needs, such as extracting fields from the syslog message or saving messages to an external file, just forward your device logs to Apsolab-Server. This is explained in scenario #1.
  • To save a copy of the logs in an external file, to extract fields (special parsing), or if your device does not support syslog over UDP, refer to scenario #2.


Scenario 1: direct forward to Apsolab-Server

Configure Apsolab-Server to parse syslog messages

  • With an administrator account (root), open Settings from the Administration menu and select the Services tab.

Router, Switch and Firewall Syslog Settings

  • In the [Syslog] section, enter the UDP port number. You can use multiple UDP ports if you want more control over logging thresholds, filtering and monitoring; list all ports separated by commas.
  • Click ‘Apply Service’ to save your changes.
  • Click ‘Close’ to close the window.
  • Now configure your device to forward logs to the UDP port you just entered in the Services window.
  • Don’t forget to open those ports in the local firewall and SELinux policy on the Apsolab server.


Scenario 2: use syslog-ng

In our example, we will configure one router and two switches to forward logs to server 10.1.1.128, which runs syslog-ng. The same server also runs Apsolab-Server and accepts connections from XLog-Agent on port 5470. In this scenario, each device connects to Apsolab-Server through its own logger, so you will see three loggers in Apsolab-Console, one per device. This lets you control each log source individually, and it is also easier to set filters and alarms with this setup.

Note: if your devices support TCP, we recommend using it, as it is more reliable. Since not all devices support TCP, the following examples configure syslog-ng with UDP.

Logs from firewall, switch and router to syslog

Step one: Configure your device to forward logs to syslog-ng on server 10.1.1.128.

Step two: Edit the file /etc/syslog-ng/syslog-ng.conf and add the following content. The netmask() filters match on the IP address each datagram was sent from (not on the hostname inside the message), so every device needs a fixed address (10.1.1.1, 10.1.1.2 and 10.1.1.3 in this example).

source s_port {
    udp(ip(0.0.0.0) port(514));
};

filter f_router { 
    level(debug..emerg) and
    netmask(10.1.1.1/32);
};

filter f_switch01 { 
    level(debug..emerg) and
    netmask(10.1.1.2/32);
};

filter f_switch02 { 
    level(debug..emerg) and
    netmask(10.1.1.3/32);
};

# Note: template must be on single line
template t_telecom {
    template ("<xlog><loggertype>syslog</loggertype><category>telecom</category><timestamp>$UNIXTIME</timestamp><facility>$FACILITY</facility><host>$HOST</host><sourceip>$SOURCEIP</sourceip><program>$PROGRAM</program><pid>$PID</pid><pri>$PRI</pri><msg>$MSGONLY</msg></xlog>\n");
    template_escape(no);
};

# Note: program must be on single line
destination d_router { program("cd /opt/apsolab/latest/bin; ./xlogagent -d warning -t /var/log/xlogagent-router.log -l router -x 127.0.0.1 -p 5470 >/dev/null" template(t_telecom)); };

# Note: program must be on single line
destination d_switch01 { program("cd /opt/apsolab/latest/bin; ./xlogagent -d warning -t /var/log/xlogagent-switch01.log -l switch01 -x 127.0.0.1 -p 5470 >/dev/null" template(t_telecom)); };

# Note: program must be on single line
destination d_switch02 { program("cd /opt/apsolab/latest/bin; ./xlogagent -d warning -t /var/log/xlogagent-switch02.log -l switch02 -x 127.0.0.1 -p 5470 >/dev/null" template(t_telecom)); };

log { 
    source(s_port);
    filter(f_router);
    destination(d_router);
};

log { 
    source(s_port);
    filter(f_switch01);
    destination(d_switch01);
};

log { 
    source(s_port);
    filter(f_switch02);
    destination(d_switch02);
};

Step three: Restart syslog-ng.
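As an added example (not Apsolab's or syslog-ng's own code), the following Python models what the configuration above does to each datagram: parse the BSD syslog header, apply the level() and netmask() filters, and render the t_telecom record that XLog-Agent receives, so the record format can be checked offline before touching the server. The device table uses the addresses from this page; the sample datagrams in the comments are constructed, and the level range is a parameter so a stricter level() filter can be tried as well.

```python
import ipaddress
import re

# Device table mirroring the page's f_router / f_switch01 / f_switch02 netmask() filters.
DEVICE_FILTERS = {
    "router": ipaddress.ip_network("10.1.1.1/32"),
    "switch01": ipaddress.ip_network("10.1.1.2/32"),
    "switch02": ipaddress.ip_network("10.1.1.3/32"),
}
# Severity and facility names as syslog-ng spells them, indexed by their RFC 3164 codes.
LEVELS = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news", "uucp", "cron",
              "authpriv", "ftp", "ntp", "security", "console", "solaris-cron"] + [f"local{i}" for i in range(8)]
# The page's t_telecom template, with the syslog-ng macros turned into str.format() fields.
T_TELECOM = ("<xlog><loggertype>syslog</loggertype><category>telecom</category>"
             "<timestamp>{UNIXTIME}</timestamp><facility>{FACILITY}</facility><host>{HOST}</host>"
             "<sourceip>{SOURCEIP}</sourceip><program>{PROGRAM}</program><pid>{PID}</pid>"
             "<pri>{PRI}</pri><msg>{MSGONLY}</msg></xlog>\n")
# BSD syslog (RFC 3164) datagram: <PRI>Mmm dd hh:mm:ss HOST PROGRAM[PID]: MSG
RFC3164 = re.compile(r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
                     r"(?P<host>\S+) (?P<program>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$")


def level_in_range(severity: int, low: str, high: str) -> bool:
    """Model syslog-ng's level(low..high): inclusive, from least severe (low) to most severe (high)."""
    return LEVELS.index(high) <= severity <= LEVELS.index(low)


def route(sourceip: str, raw: str, unixtime: int, level_range=("debug", "emerg")):
    """Return (logger name, rendered t_telecom record) for one datagram, or None if no log path matches.

    netmask() in syslog-ng matches the address the datagram came from, never the HOST field. $HOST is
    taken from the header here; in syslog-ng the keep_hostname() option decides header name vs. sender.
    """
    m = RFC3164.match(raw)
    if m is None:
        return None
    pri = int(m["pri"])
    facility, severity = divmod(pri, 8)
    if facility >= len(FACILITIES) or not level_in_range(severity, *level_range):
        return None
    sender = ipaddress.ip_address(sourceip)
    for logger, network in DEVICE_FILTERS.items():
        if sender in network:
            record = T_TELECOM.format(UNIXTIME=unixtime, FACILITY=FACILITIES[facility],
                                      HOST=m["host"], SOURCEIP=sourceip, PROGRAM=m["program"],
                                      PID=m["pid"] or "", PRI=pri, MSGONLY=m["msg"])
            return logger, record
    return None  # no filter matched: syslog-ng would drop the message from this sender
```

Constructed input such as `route("10.1.1.1", "<189>Mar  5 14:02:11 core-rtr01 %SYS-5-CONFIG_I: Configured from console by admin on vty0", 1700000000)` yields the router logger and a record with `<facility>local7</facility>` and `<pri>189</pri>`, while a datagram from an address outside the table yields None.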

Options

You can connect syslog-ng to Apsolab-Server without using XLog-Agent.
For that, you need one template per destination, and a unique logger name must be set within each template
(for example <loggername>router</loggername>).
Then simply replace the destination with something like:

destination d_router {
   tcp("localhost" port(5472) template(t_telecom));
};