Easy cisco syslog monitoring using Webmin

At some point a network team will probably need something similar to this, so I thought it would make a good article to document what I used to achieve the following scenario:

There is a need to monitor multiple Cisco boxes, and these logs should be easily accessible internally to a team of network admins, some of whom may not have any Linux experience or direct SSH access to the monitoring server.

Quite a common scenario, I thought. The level of monitoring being asked for was easily achieved by simply enabling syslog on the Cisco units. It’s quite easy to set up a central Linux syslog server (don’t forget: with plenty of hard disk space!). The interesting part was that the network admins don’t have SSH access since they are not Linux-savvy, so I couldn’t just ask them to log in and check the logs manually via tail or other Linux tools.

This is where “webmin” came in really handy. Webmin is a GUI wrapper for most Linux configuration files, so it’s extremely convenient for quickly setting up a server or administering an existing one without having to manually dig through all the scripts. I tend not to use Webmin since I prefer getting my hands really dirty and understanding the guts of the system, but it does come in handy when you can take the time to study the scripts it generates.

In this case, I wanted to use Webmin to present the network admins with a web page they could use to filter the logs, refresh in real time and so on.

So here’s a quick rundown of what I did.

Linux configuration

First of course we need to set up the syslog server that will receive the information from the Cisco devices. I’ll be using a CentOS 5 box here. Syslog is installed by default on almost all distributions; however, by default it usually only listens for local syslog messages. To allow the syslog server to receive syslog from remote hosts, we need to edit /etc/sysconfig/syslog. I changed the SYSLOGD_OPTIONS line to this:

# Options to syslogd
# -m 0 disables 'MARK' messages.
# -r enables logging from remote machines
# -x disables DNS lookups on messages received with -r
# See syslogd(8) for more details
SYSLOGD_OPTIONS="-rxm 0"

As the comments explain, I added the “r” and “x” switches to receive messages from remote machines and to gain some performance by not doing DNS lookups.

Now, I wanted to log the Cisco messages to a separate log file on the server, so I added the following line to /etc/syslog.conf:

# save cisco logs
local5.*        /var/log/cisco.log

This line is not Cisco specific; it just tells the syslog server to store any syslog messages with the “local5” facility in a specific log file.

One last important note. Many admins forget the importance of setting the correct time on their logging servers. This is really important because you need to correlate messages coming from different hosts, and possibly different syslog servers, in the correct order. So do take the time to make sure NTP or something similar is set up.

Last, just restart the syslog service: /etc/init.d/syslog restart
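To make the selector semantics of that local5 line concrete, here is an added example (not code from the original article) that routes a message through a syslog.conf the way sysklogd does. The configuration excerpt is constructed in the style of a CentOS 5 default file with the article’s “local5.*” line appended; it shows the one thing worth checking on such a box: a catch-all “*.info” line for /var/log/messages also matches local5 messages at severity info or above, so every Cisco message lands in two files unless you add “local5.none” to that line. Only “*”, “none”, “level” and “=level” priorities are implemented; the “!level” form is not.

```python
"""Route a message through syslog.conf selectors the way sysklogd does.

Added example, not code from the original article. It implements the
facility.priority selector rules of sysklogd's syslog.conf for a constructed
configuration excerpt, to show which files a Cisco message sent as local5
ends up in.
"""

FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp"] + ["local%d" % i for i in range(8)]

# Severity names -> numeric level (0 = most severe). A "facility.level"
# selector means "that level and anything more severe", i.e. numerically <=.
PRIORITIES = {"emerg": 0, "panic": 0, "alert": 1, "crit": 2, "err": 3, "error": 3,
              "warning": 4, "warn": 4, "notice": 5, "info": 6, "debug": 7}

# Constructed excerpt in the style of a CentOS 5 /etc/syslog.conf, with the
# "local5.*" line from the article appended.
CONF = """\
# Log anything (except mail) of level info or higher.
*.info;mail.none;authpriv.none;cron.none        /var/log/messages
authpriv.*                                      /var/log/secure
mail.*                                          -/var/log/maillog
cron.*                                          /var/log/cron
*.emerg                                         *
# save cisco logs
local5.*                                        /var/log/cisco.log
"""

# Same configuration with local5 excluded from the catch-all line, so the
# Cisco messages are written to cisco.log only.
CONF_DEDUP = CONF.replace("cron.none", "cron.none;local5.none")


def compile_selectors(sel_part):
    """Return {facility: spec}; later selectors on a line override earlier
    ones, which is how 'mail.none' after '*.info' excludes mail."""
    table = {}
    for selector in sel_part.split(";"):
        facs, pri = selector.rsplit(".", 1)
        pri = pri.lower()
        if pri == "none":
            spec = None
        elif pri == "*":
            spec = ("atleast", 7)
        elif pri.startswith("="):
            spec = ("exact", PRIORITIES[pri[1:]])
        else:
            spec = ("atleast", PRIORITIES[pri])
        for fac in (FACILITIES if facs == "*" else facs.split(",")):
            table[fac] = spec
    return table


def parse_conf(text):
    """Parse syslog.conf text into a list of (selector table, action)."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        sel_part, action = line.split(None, 1)
        # A leading "-" only means "don't fsync after each write".
        rules.append((compile_selectors(sel_part), action.strip().lstrip("-")))
    return rules


def selector_matches(table, facility, severity):
    spec = table.get(facility)
    if spec is None:
        return False
    kind, level = spec
    return severity == level if kind == "exact" else severity <= level


def route(conf_text, facility, severity):
    """List the actions (files, or '*' for wall) that receive one message."""
    return [action for table, action in parse_conf(conf_text)
            if selector_matches(table, facility, severity)]


if __name__ == "__main__":
    for sev, name in ((5, "notice"), (7, "debug")):
        print("local5.%s -> %s" % (name, route(CONF, "local5", sev)))
    print("with local5.none -> %s" % route(CONF_DEDUP, "local5", 5))
```

Running it shows a local5 notice going to both /var/log/messages and /var/log/cisco.log under the first configuration, and to cisco.log alone once local5.none is added; a local5 debug message only ever reaches cisco.log because the catch-all stops at info. Keep that in mind when sizing the disk mentioned earlier.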

Cisco configuration

We next instruct the Ciscos to send their logging to the syslog server. Four commands in configuration mode should do it:

logging origin-id hostname
logging facility local5
logging 10.91.25.15
logging trap 6

The first command tells the Cisco node to prepend its hostname to the syslog message. Of course the box needs a hostname to begin with, and this is quite a handy way to distinguish between messages from multiple boxes all logging to the same server.

The second command tells the Cisco to “class” the syslog messages as “local5”, which, if you remember from my Linux configuration, I instructed should be logged to a specific log file.

The third command specifies the IP address of the syslog server, while the last command sets the verbosity (the maximum severity level) of the syslog messages sent to it.

Just like before, don’t forget to use NTP so that the timestamps are correct.
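Once the boxes are logging, each line in cisco.log carries the hostname from “logging origin-id hostname” and a Cisco message of the form %FACILITY-SEVERITY-MNEMONIC, where the severity number is what “logging trap 6” filters on: level 6 (informational) and anything more severe is sent, level 7 (debugging) is not. The following is an added example, not code from the original article, that parses such lines and filters them the way the admins will through the web page’s search box. It assumes the layout sysklogd writes for a remote message (“Mon DD HH:MM:SS source message”, with source being the sender’s IP because of -x) and an optional IOS sequence number before the hostname; the sample log lines, the router and switch addresses (10.91.25.21, 10.91.25.22) and the failed login are all constructed.

```python
"""Parse and filter Cisco IOS messages from /var/log/cisco.log.

Added example, not code from the original article. It assumes the line
layout that sysklogd writes for a remote message ("Mon DD HH:MM:SS <source>
<message>"), <source> being the sender's IP because syslogd runs with -x,
and a Cisco message sent with "logging origin-id hostname", which arrives as
"[sequence: ]hostname: timestamp: %FACILITY-SEVERITY-MNEMONIC: text".
"""
import re
from collections import Counter

# IOS severity levels as used by "logging trap <level>".
SEVERITY_NAMES = {0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
                  4: "warnings", 5: "notifications", 6: "informational",
                  7: "debugging"}

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) "   # syslogd timestamp
    r"(?P<source>\S+) "                                     # sender IP (-x) or name
    r"(?:\d+: )?"                                           # optional IOS sequence number
    r"(?P<host>[^\s:]+): "                                  # hostname from origin-id
    r".*?%(?P<facility>[A-Z0-9_]+)-(?P<severity>\d)-(?P<mnemonic>[A-Z0-9_]+): "
    r"(?P<text>.*)$")

# Constructed sample of cisco.log lines; the addresses and the login attempt
# are made up for this example. The last line is a local syslogd message that
# the parser must skip.
SAMPLE_LOG = """\
Jan 12 10:15:32 10.91.25.21 45: router1: *Jan 12 10:15:31.123: %SYS-5-CONFIG_I: Configured from console by vty0 (10.91.25.40)
Jan 12 10:15:40 10.91.25.22 switch2: *Jan 12 10:15:39.870: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down
Jan 12 10:15:41 10.91.25.22 switch2: *Jan 12 10:15:40.010: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to down
Jan 12 10:16:02 10.91.25.21 46: router1: *Jan 12 10:16:01.555: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 10.91.25.40] [localport: 22] [Reason: Login Authentication Failed]
Jan 12 10:16:05 logsrv syslogd 1.4.1: restart.
"""


def parse_line(line):
    """Return a dict for one Cisco line, or None for anything else."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    rec["severity"] = int(rec["severity"])
    return rec


def parse_log(lines):
    """Split lines into parsed Cisco records and lines that did not match."""
    records, other = [], []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            other.append(line)
        else:
            records.append(rec)
    return records, other


def would_be_sent(severity, trap_level):
    """'logging trap N' forwards messages at severity N or lower (more severe)."""
    return severity <= trap_level


def messages_per_host(records):
    """Count messages per origin-id hostname, to see which boxes report in."""
    return dict(Counter(rec["host"] for rec in records))


def select(records, max_severity=7, host=None, mnemonic=None):
    """Filter records by severity, hostname and/or mnemonic."""
    return [rec for rec in records
            if rec["severity"] <= max_severity
            and (host is None or rec["host"] == host)
            and (mnemonic is None or rec["mnemonic"] == mnemonic)]


if __name__ == "__main__":
    records, other = parse_log(SAMPLE_LOG.splitlines())
    print(messages_per_host(records))
    for rec in select(records, max_severity=4):  # warnings and worse only
        print(rec["ts"], rec["host"], rec["facility"],
              SEVERITY_NAMES[rec["severity"]], rec["mnemonic"], rec["text"])
    print("%d non-Cisco line(s) skipped" % len(other))
```

Filtering on max_severity=4 leaves the interface-down and failed-login records, which is the sort of view the admins want first; the per-host count is a cheap way to notice a box that has gone quiet, and the skipped local syslogd line shows why the parser has to tolerate non-Cisco content in the same file.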

Webmin configuration

Webmin was a breeze to install: just download the correct package and install it; I’ve had no issues here. Once installed, point a browser to http://server_ip:10000 and enter your root credentials.

If the Cisco boxes are already logging to the server, you should be able to see these logs via Webmin already. On the left hand side select “System > System Logs” and you should see the log file there:

[screenshot: logging]

There is a “View” link that leads to the page we ultimately want to give access to:

[screenshot: logging2]

You can see the hostnames of the Cisco nodes, and there’s also a search function which is quite handy.

The next challenge is to allow anonymous access to just this module of Webmin, so we don’t need to give out root access to our system via Webmin. This is done by:

1. Adding a user to Webmin

   - Webmin > Webmin Users > Create New Webmin User
   - I used “anon” as the username. As the password, select “No password accepted”.
   - Expand “Available Webmin Modules” and enable System Logs:

[screenshot: logging3]

   - Save and exit

2. Allow anonymous access to the syslog module

   - Webmin > Webmin Configuration > Anonymous Module Access
   - Insert the URL and the user created:

[screenshot: logging4]

Unfortunately Webmin doesn’t allow more granular control, so there is a risk that the users may try to change the log settings. I’m sure this is resolvable somehow (maybe via htaccess or something similar?) but I haven’t had the time to investigate.

3. Remove the “trusted referrers” check

By default, Webmin will only allow requests that contain a specific HTTP referrer (“Referer”) header. This is a light security control that allows only trusted servers to link to the site. In this case, I wanted to give the admins direct access to the URL, which means their requests would not contain a referrer header. So under:

Webmin > Webmin configuration > trusted referrers

I disabled this option. As a slightly more secure option, you could host another web server and embed the link in a web page on that server, then add that web server’s hostname as a trusted referrer.

That’s it, admins can now visit the Webmin site without a username / password and view the syslogs quite easily 🙂