Syslog-ng is my hero

When you have to administer (read painfully fix problems) in remote machines (mine are in Tokyo, for example) logfiles are a must-have feature. But what happens when you can’t access the remote host?

The problem is even worse in Cisco routers when you use logging buffered and this buffer is reset after a reboot. The usual question is “What made that machine reboot?“. Check the logs if you can.

One solution is, of course, to have a central log server to where they will be sent and stored. Following is a simple configuration file to use with syslog-ng.

At the Cisco Router (or switch)

service timestamps log datetime localtime

logging <ip syslog server>

logging trap notifications

This configuration will instruct the Cisco device to send the log files with a severity higher or equal to notifications (5) to the syslog servers. The less important notifications will be shown only through the console.

Now, at the syslog server side:


options {






source src{


udp(ip( port(514));


# Filter for IP address (more options)

filter f_ROUTER01{ host(“”); };

filter f_ROUTER02{ host(“”); };


# Destination files

destination ROUTER01{ file(“/var/log/ROUTER01.log”); };

destination ROUTER02{ file(“/var/log/ROUTER02.log”); };

# The actual logging command(s)
# Note how they filter the input and connect
# the result with the destination (predefined)



After saving the configuration, the only tasks left are to create the logfiles (with touch) and restart the service.

Happy logging!


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s