Date: Mon, 22 Nov 2004 23:20:01 +0100
> is it still relevant to apply the patch if I am only UDP?
No, if you're using UDP.
- Please take a capture of the syslog traffic and send it to me.
- Also, use SL4NT perf counters to monitor how many messages are received
when you generate the three messages (1 or 3?).
- Also, please export your configuration to a file (using SL4NT Manager) and
send it to me.
Thanks,
Franz
"mcaissie" <mcaissie@nospam.sympatico.ca> wrote in message
news:R7jCQ4N0EHA.1296@is1.netal.com...
>
> "Franz Krainer" <franzk@netal.com> wrote in message
> news:wg9AYuN0EHA.1280@is1.netal.com...
> > Michel,
> >
> > are you using TCP as transport for sending/receiving syslog messages?
>
> UDP, and I don't see anywhere in the concentrator config to switch to TCP.
>
> >
> > If yes, please take a look at the thread "TCP Syslog from Netscreen ScreenOS
> > 5.x" (2004/06/21) in this newsgroup. My second reply contains a fixed
> > version of SL4NTSVC, solving a problem with receiving messages over TCP.
>
> is it still relevant to apply the patch if I am only UDP?
>
> Michel
>
> >
> > Franz
> >
> > "mcaissie" <mcaissie@nospam.sympatico.ca> wrote in message
> > news:fCGvWpN0EHA.1280@is1.netal.com...
> >>
> >> > can you tell me more about the properties of SEV3-5 messages?
> >> >
> >> > If possible, please use Network Monitor on the SL4NT computer to capture
> >> > the syslog messages (UDP/514) sent to the SL4NT computer, save the
> >> > captured packets to a file and then send the .CAP file to me for further
> >> > analysis.
> >>
> >>
> >> I'll check for Network Monitor, I may have to install it.
> >>
> >> In the meantime I made some other tests, replacing WhatsUp with tftp32
> >> syslog, so I can get the logs in a text file.
> >>
> >> The Cisco concentrator is configured to send the messages to both
> >> servers. It also proposes two formats, Original or Cisco IOS Compatible.
> >> I tried both.
> >> My test is to establish a VPN connection: first I enter a wrong password,
> >> then the good password, then I disconnect. This will generate 3 messages
> >> of Severity 3, 4 and 5.
> >>
> >> Here are the results,
> >>
> >> ****TEST1****
> >> 3010 Syslog format: Original
> >>
> >>
> >> Received by tftp32 syslog
> >>
> >> Mon Nov 22 15:53:48 2004: <188>51312 11/22/2004 15:54:56.860 SEV=3 AUTH/5
> >> RPT=234 x.x.56.101 Authentication rejected: Reason = Unspecified handle =
> >> 889, server = x.x.125.157, user = mcaissie, domain = <not specified>
> >>
> >> Mon Nov 22 15:58:51 2004: <189>51348 11/22/2004 15:59:59.430 SEV=5 IKE/25
> >> RPT=1431 x.x.56.101 Group [tier4user] User [mcaissie] Received remote Proxy
> >> Host data in ID Payload: Address x.x.128.128, Protocol 0, Port 0
> >>
> >> Mon Nov 22 15:58:56 2004: <189>51370 11/22/2004 16:00:04.840 SEV=4 AUTH/28
> >> RPT=1242 x.x.56.101 User [mcaissie] Group [tier4user] disconnected:
> >> Session Type: IPSec/NAT-T Duration: 0:00:05 Bytes xmt: 0 Bytes rcv: 624
> >> Reason: User Requested
> >>
> >> Received by SL4NT
> >>
> >> 11/22/2004,3:53:48 PM,x.x.56.136,???,LOCAL7,WARNING,51312 11/22/2004
> >> 15:54:56.860 SEV=3 AUTH/5 RPT=234 x.x.56.101 Authentication rejected:
> >> Reason = Unspecified handle = 889, server = x.x.125.157, user = mcaissie,
> >> domain = <not specified>
> >>
> >> ****TEST2*****
> >> 3010 Syslog format: Cisco IOS Compatible
> >>
> >> Received by tftp32 syslog
> >> Mon Nov 22 16:10:42 2004: <188>51417: 2004 Nov 22 16:11:50.660 EST -5:00
> >> %AUTH-4-5: RPT=235: x.x.56.101: Authentication rejected: Reason =
> >> Unspecified handle = 895, server = x.x.125.157, user = mcaissie, domain =
> >> <not specified>
> >>
> >> Mon Nov 22 16:10:47 2004: <189>51425: 2004 Nov 22 16:11:56.030 EST -5:00
> >> %IKE-6-25: RPT=1433: x.x.56.101: Group [tier4user] User [mcaissie] Received
> >> remote Proxy Host data in ID Payload: Address x.x.128.128, Protocol 0, Port 0
> >>
> >> Mon Nov 22 16:10:54 2004: <189>51447: 2004 Nov 22 16:12:02.680 EST -5:00
> >> %AUTH-5-28: RPT=1244: x.x.56.101: User [mcaissie] Group [tier4user]
> >> disconnected: Session Type: IPSec/NAT-T Duration: 0:00:06 Bytes xmt: 0
> >> Bytes rcv: 416 Reason: User Requested
> >>
> >> Received by SL4NT
> >>
> >> 11/22/2004,4:10:42 PM,x.x.56.136,???,LOCAL7,WARNING,51417: 2004 Nov 22
> >> 16:11:50.660 EST -5:00 %AUTH-4-5: RPT=235: x.x.56.101: Authentication
> >> rejected: Reason = Unspecified handle = 895, server = x.x.125.157, user =
> >> mcaissie, domain = <not specified>
> >>
> >>
> >>
> >> PS: I replaced some IPs with x.x
> >>
> >> thanks
> >> Michel Caissie
> >> >
> >> > Thanks,
> >> > Franz
> >> >
> >> > "mcaissie" <mcaissie@nospam.sympatico.ca> wrote in message
> >> > news:tqyKt4bzEHA.4892@is1.netal.com...
> >> >> It appears that SL4NT does not log SEV 4 and SEV 5 messages but logs
> >> >> SEV 3 messages.
> >> >>
> >> >> mcaissie
> >> >>
> >> >> "mcaissie" <mcaissie@nospam.sympatico.ca> wrote in message
> >> >> news:s7nF6zbzEHA.4892@is1.netal.com...
> >> >> > Hi,
> >> >> >
> >> >> > is there any known problem for SL4NT 3.1 to receive syslog messages
> >> >> > from a Cisco 3010 concentrator?
> >> >> >
> >> >> > I first tested the concentrator with my PC running WhatsUp syslog, and
> >> >> > once I got the setup working I transferred the syslog to a SL4NT server
> >> >> > already running and functional. I have a general rule "Log to file"
> >> >> > triggering an action "Log to File" which is a Log to File type, and as
> >> >> > you can guess logs each message to a file, whatever the Source -
> >> >> > Severity - time etc.
> >> >> >
> >> >> > For some reason it doesn't receive all messages, but curiously
> >> >> > receives some of them.
> >> >> >
> >> >> > Just to be sure, I configured the concentrator to send the messages to
> >> >> > both the WhatsUp and SL4NT syslog server, and effectively some messages
> >> >> > are received by both and others only by WhatsUp.
> >> >> >
> >> >> > If you need I can send you a Print Screen from WhatsUp (cannot
> >> >> > copy-paste the report page), along with the SL4NT log file.
> >> >> >
> >> >> > thanks
> >> >> >
> >> >> > Michel Caissie
> >> >> >
> >> >> >
> >> >> >
> >> >>
> >> >>
> >> >
> >> >
> >>
> >>
> >
> >
>
>
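Added example, not part of the thread and not SL4NT or Cisco code. The <188> and <189> values at the front of the tftp32 records above are RFC 3164 PRI fields (facility * 8 + severity). Decoding them shows that the one record SL4NT did write carries syslog severity 4 (WARNING, which is what the LOCAL7,WARNING columns in the SL4NT output say), while the two records it did not write both carry severity 5 (NOTICE). It also shows that the concentrator's own severity digit is not the syslog one and differs between its two output formats: SEV=3 in "Original" becomes %AUTH-4-5 in "Cisco IOS Compatible", SEV=5 becomes %IKE-6-25, SEV=4 becomes %AUTH-5-28. The six input records are copied from the posted captures (IPs already masked as x.x); the facility and severity name tables are the standard RFC 3164 ones. The code only makes the severities visible side by side, it does not say why SL4NT dropped the NOTICE records.

```python
import re

# Added example, not part of the thread. Input records are copied from the
# tftp32 captures posted above (IPs were already masked as x.x there).
ORIGINAL_FORMAT = [
    "Mon Nov 22 15:53:48 2004: <188>51312 11/22/2004 15:54:56.860 SEV=3 AUTH/5 "
    "RPT=234 x.x.56.101 Authentication rejected: Reason = Unspecified handle = "
    "889, server = x.x.125.157, user = mcaissie, domain = <not specified>",
    "Mon Nov 22 15:58:51 2004: <189>51348 11/22/2004 15:59:59.430 SEV=5 IKE/25 "
    "RPT=1431 x.x.56.101 Group [tier4user] User [mcaissie] Received remote Proxy "
    "Host data in ID Payload: Address x.x.128.128, Protocol 0, Port 0",
    "Mon Nov 22 15:58:56 2004: <189>51370 11/22/2004 16:00:04.840 SEV=4 AUTH/28 "
    "RPT=1242 x.x.56.101 User [mcaissie] Group [tier4user] disconnected: "
    "Session Type: IPSec/NAT-T Duration: 0:00:05 Bytes xmt: 0 Bytes rcv: 624 "
    "Reason: User Requested",
]
IOS_FORMAT = [
    "Mon Nov 22 16:10:42 2004: <188>51417: 2004 Nov 22 16:11:50.660 EST -5:00 "
    "%AUTH-4-5: RPT=235: x.x.56.101: Authentication rejected: Reason = "
    "Unspecified handle = 895, server = x.x.125.157, user = mcaissie, domain = "
    "<not specified>",
    "Mon Nov 22 16:10:47 2004: <189>51425: 2004 Nov 22 16:11:56.030 EST -5:00 "
    "%IKE-6-25: RPT=1433: x.x.56.101: Group [tier4user] User [mcaissie] Received "
    "remote Proxy Host data in ID Payload: Address x.x.128.128, Protocol 0, Port 0",
    "Mon Nov 22 16:10:54 2004: <189>51447: 2004 Nov 22 16:12:02.680 EST -5:00 "
    "%AUTH-5-28: RPT=1244: x.x.56.101: User [mcaissie] Group [tier4user] "
    "disconnected: Session Type: IPSec/NAT-T Duration: 0:00:06 Bytes xmt: 0 "
    "Bytes rcv: 416 Reason: User Requested",
]

# RFC 3164 facility and severity names, indexed by code.
FACILITY_NAMES = (
    "kern user mail daemon auth syslog lpr news uucp cron authpriv ftp "
    "ntp audit alert clock local0 local1 local2 local3 local4 local5 local6 local7"
).split()
SEVERITY_NAMES = "emerg alert crit err warning notice info debug".split()

# tftp32 prefixes its own receive timestamp, so the PRI is not at offset 0;
# search for the first <digits> instead of anchoring at the start.
PRI_RE = re.compile(r"<(\d{1,3})>")
# Concentrator severity: "SEV=n" in Original format, "%FAC-n-id:" in IOS format.
ORIGINAL_SEV_RE = re.compile(r"\bSEV=(\d)\b")
IOS_SEV_RE = re.compile(r"%[A-Z]+-(\d)-\d+:")


def decode_pri(pri):
    """Split a PRI value into (facility, severity) names.

    PRI = facility * 8 + severity, so the facility is pri >> 3 and the
    severity the low three bits. Anything above 191 is not a valid PRI.
    """
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI out of range: {pri}")
    return FACILITY_NAMES[pri >> 3], SEVERITY_NAMES[pri & 0x7]


def parse_record(line):
    """Decode one tftp32 record into PRI facility/severity plus the
    concentrator's own severity digit (None if neither format matches)."""
    m = PRI_RE.search(line)
    if m is None:
        raise ValueError("no <PRI> field in record")
    pri = int(m.group(1))
    facility, severity = decode_pri(pri)
    cisco = ORIGINAL_SEV_RE.search(line) or IOS_SEV_RE.search(line)
    return {
        "pri": pri,
        "facility": facility,
        "severity": severity,
        "cisco_sev": int(cisco.group(1)) if cisco else None,
    }


def severity_table(lines):
    """(concentrator SEV, syslog severity name) for each record, in order."""
    return [(r["cisco_sev"], r["severity"]) for r in map(parse_record, lines)]


if __name__ == "__main__":
    for label, lines in (("Original", ORIGINAL_FORMAT), ("IOS Compatible", IOS_FORMAT)):
        print(f"--- {label} format")
        for r in map(parse_record, lines):
            print(f"<{r['pri']}> = {r['facility']}.{r['severity']:<8} "
                  f"concentrator SEV={r['cisco_sev']}")
```

Running it prints both capture sets decoded; the only record present in both the tftp32 and SL4NT outputs is the local7.warning one in each set, and the two absent from SL4NT are local7.notice in both formats. When comparing a receiver against a second syslog server like this, decode the PRI of the captured packets rather than trusting the sender's own severity label, since the two numbering schemes do not line up.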