
Guest
  • Guest
  • Guest Topic Starter
2004-11-18T11:21:39Z
Date parsed: 11/18/2004 11:21:39 AM
Date: Thu, 18 Nov 2004 17:21:39 -0500

Hi,

Is there any known problem with SL4NT 3.1 receiving syslog messages from
a Cisco 3010 concentrator?

I first tested the concentrator with my PC running WhatsUp syslog, and
once I got the setup working
I transferred the syslog to an SL4NT server already running and functional.
I have a general rule "Log to file" triggering an action "Log to File", which
is a Log to File type and, as you can guess, logs each message to a file,
whatever the source, severity, time, etc.

For some reason it doesn't receive all messages, but curiously it receives
some of them.

Just to be sure, I configured the concentrator to send the messages to both
the WhatsUp and SL4NT
syslog servers, and effectively some messages are received by both and
others only by WhatsUp.

If you need, I can send you a print screen from WhatsUp (cannot copy and paste the
report page), along with
the SL4NT log file.

thanks

Michel Caissie



Guest
  • Guest
  • Guest Topic Starter
2004-11-18T11:30:13Z
Date parsed: 11/18/2004 11:30:13 AM
Date: Thu, 18 Nov 2004 17:30:13 -0500

It appears that SL4NT does not log SEV 4 and SEV 5 messages but logs
SEV 3 messages.

mcaissie


Guest
  • Guest
  • Guest Topic Starter
2004-11-19T17:31:06Z
Date parsed: 11/19/2004 5:31:06 PM
Date: Fri, 19 Nov 2004 17:31:06 +0100

Hi,

can you tell me more about the properties of SEV3-5 messages?

If possible, please use Network Monitor on the SL4NT computer to capture the
syslog messages (UDP/514) sent to the SL4NT computer, save the captured
packets to a file and then send the .CAP file to me for further analysis.

Thanks,
Franz


Guest
  • Guest
  • Guest Topic Starter
2004-11-22T10:29:23Z
Date parsed: 11/22/2004 10:29:23 AM
Date: Mon, 22 Nov 2004 16:29:23 -0500


> can you tell me more about the properties of SEV3-5 messages?
>
> If possible, please use Network Monitor on the SL4NT computer to capture
> the
> syslog messages (UDP/514) sent to the SL4NT computer, save the captured
> packets to a file and then send the .CAP file to me for further analysis.


I'll check for Network Monitor; I may have to install it.

In the meantime I made some other tests, replacing WhatsUp with tftp32
syslog, so I can get
the logs in a text file.

The Cisco concentrator is configured to send the messages to both servers.
It also proposes
two formats, Original or Cisco IOS Compatible. I tried both.
My test is to establish a VPN connection: first I enter a wrong password,
then the good password,
then I disconnect. This will generate 3 messages of severities 3, 4 and 5.

Here are the results,

****TEST1****
3010 Syslog format: Original


Received by tftp32 syslog

Mon Nov 22 15:53:48 2004: <188>51312 11/22/2004 15:54:56.860 SEV=3 AUTH/5
RPT=234 x.x.56.101 Authentication rejected: Reason = Unspecified handle =
889, server = x.x.125.157, user = mcaissie, domain = <not specified>

Mon Nov 22 15:58:51 2004: <189>51348 11/22/2004 15:59:59.430 SEV=5 IKE/25
RPT=1431 x.x.56.101 Group [tier4user] User [mcaissie] Received remote Proxy
Host data in ID Payload: Address x.x.128.128, Protocol 0, Port 0

Mon Nov 22 15:58:56 2004: <189>51370 11/22/2004 16:00:04.840 SEV=4 AUTH/28
RPT=1242 x.x.56.101 User [mcaissie] Group [tier4user] disconnected:
Session Type: IPSec/NAT-T Duration: 0:00:05 Bytes xmt: 0 Bytes rcv: 624
Reason: User Requested

Received by SL4NT

11/22/2004,3:53:48 PM,x.x.56.136,???,LOCAL7,WARNING,51312 11/22/2004
15:54:56.860 SEV=3 AUTH/5 RPT=234 x.x.56.101 Authentication rejected:
Reason = Unspecified handle = 889, server = x.x.125.157, user = mcaissie,
domain = <not specified>

****TEST2*****
3010 Syslog format: Cisco IOS Compatible

Received by tftp32 syslog
Mon Nov 22 16:10:42 2004: <188>51417: 2004 Nov 22 16:11:50.660 EST -5:00
%AUTH-4-5: RPT=235: x.x.56.101: Authentication rejected: Reason =
Unspecified handle = 895, server = x.x.125.157, user = mcaissie, domain =
<not specified>

Mon Nov 22 16:10:47 2004: <189>51425: 2004 Nov 22 16:11:56.030 EST -5:00
%IKE-6-25: RPT=1433: x.x.56.101: Group [tier4user] User [mcaissie] Received
remote Proxy Host data in ID Payload: Address x.x.128.128, Protocol 0, Port
0

Mon Nov 22 16:10:54 2004: <189>51447: 2004 Nov 22 16:12:02.680 EST -5:00
%AUTH-5-28: RPT=1244: x.x.56.101: User [mcaissie] Group [tier4user]
disconnected: Session Type: IPSec/NAT-T Duration: 0:00:06 Bytes xmt: 0
Bytes rcv: 416 Reason: User Requested

Received by SL4NT

11/22/2004,4:10:42 PM,x.x.56.136,???,LOCAL7,WARNING,51417: 2004 Nov 22
16:11:50.660 EST -5:00 %AUTH-4-5: RPT=235: x.x.56.101: Authentication
rejected: Reason = Unspecified handle = 895, server = x.x.125.157, user =
mcaissie, domain = <not specified>



PS: I replaced some IPs with x.x

thanks
Michel Caissie
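
Added example, not part of the original post and not SL4NT or Cisco code: it decodes the RFC 3164 <PRI> value of each line captured by tftp32 in the post above (PRI = facility * 8 + severity) and groups the sequence numbers by whether SL4NT logged them. The function names are hypothetical and the sample lines are the post's own, with the message text trimmed.

```python
import re
from collections import defaultdict

# RFC 3164 names: PRI = facility * 8 + severity
FACILITIES = ["KERN", "USER", "MAIL", "DAEMON", "AUTH", "SYSLOG", "LPR", "NEWS",
              "UUCP", "CRON", "AUTHPRIV", "FTP", "NTP", "AUDIT", "ALERT", "CLOCK"
              ] + [f"LOCAL{i}" for i in range(8)]
SEVERITIES = ["EMERG", "ALERT", "CRIT", "ERROR", "WARNING", "NOTICE", "INFO", "DEBUG"]

# tftp32 side, both concentrator formats (lines from the post, text trimmed).
SENT = [
    "Mon Nov 22 15:53:48 2004: <188>51312 11/22/2004 15:54:56.860 SEV=3 AUTH/5 RPT=234 x.x.56.101 Authentication rejected: domain = <not specified>",
    "Mon Nov 22 15:58:51 2004: <189>51348 11/22/2004 15:59:59.430 SEV=5 IKE/25 RPT=1431 x.x.56.101 Group [tier4user] User [mcaissie]",
    "Mon Nov 22 15:58:56 2004: <189>51370 11/22/2004 16:00:04.840 SEV=4 AUTH/28 RPT=1242 x.x.56.101 User [mcaissie] disconnected",
    "Mon Nov 22 16:10:42 2004: <188>51417: 2004 Nov 22 16:11:50.660 EST -5:00 %AUTH-4-5: RPT=235: x.x.56.101: Authentication rejected",
    "Mon Nov 22 16:10:47 2004: <189>51425: 2004 Nov 22 16:11:56.030 EST -5:00 %IKE-6-25: RPT=1433: x.x.56.101: Group [tier4user]",
    "Mon Nov 22 16:10:54 2004: <189>51447: 2004 Nov 22 16:12:02.680 EST -5:00 %AUTH-5-28: RPT=1244: x.x.56.101: User [mcaissie] disconnected",
]
# SL4NT log file side (lines from the post, text trimmed).
LOGGED = [
    "11/22/2004,3:53:48 PM,x.x.56.136,???,LOCAL7,WARNING,51312 11/22/2004 15:54:56.860 SEV=3 AUTH/5 RPT=234 x.x.56.101 Authentication rejected",
    "11/22/2004,4:10:42 PM,x.x.56.136,???,LOCAL7,WARNING,51417: 2004 Nov 22 16:11:50.660 EST -5:00 %AUTH-4-5: RPT=235: x.x.56.101: Authentication rejected",
]

PRI_SEQ_RE = re.compile(r"<(\d{1,3})>(\d+):?\s")      # <PRI> then sequence number
ORIG_SEV_RE = re.compile(r"\bSEV=(\d)\b")             # "Original" format
IOS_SEV_RE = re.compile(r"%[A-Z0-9_]+-(\d)-\d+:")     # "Cisco IOS Compatible" format


def decode_pri(pri):
    """Split a syslog PRI value into (facility name, severity name)."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI out of range: {pri}")
    return FACILITIES[pri >> 3], SEVERITIES[pri & 7]


def parse_sent(line):
    """Parse one sender-side line; returns None if it carries no <PRI>."""
    m = PRI_SEQ_RE.search(line)
    if m is None:
        return None
    facility, severity = decode_pri(int(m.group(1)))
    dev = ORIG_SEV_RE.search(line) or IOS_SEV_RE.search(line)
    return {"seq": int(m.group(2)), "pri": int(m.group(1)),
            "facility": facility, "severity": severity,
            "device_sev": int(dev.group(1)) if dev else None}


def parse_logged(line):
    """Return the sequence number that starts the message field of a log row."""
    message = line.split(",", 6)[6]   # date,time,source,host,facility,severity,message
    return int(re.match(r"\d+", message).group())


def compare(sent_lines, logged_lines):
    """Group sent sequence numbers by decoded PRI and logged/missing status."""
    logged = {parse_logged(l) for l in logged_lines}
    report = defaultdict(lambda: {"logged": [], "missing": []})
    for line in sent_lines:
        rec = parse_sent(line)
        if rec is None:
            continue
        status = "logged" if rec["seq"] in logged else "missing"
        report[(rec["facility"], rec["severity"])][status].append(rec["seq"])
    return dict(report)


if __name__ == "__main__":
    for (fac, sev), seqs in compare(SENT, LOGGED).items():
        print(f"{fac}.{sev}: logged={seqs['logged']} missing={seqs['missing']}")
    for rec in map(parse_sent, SENT):
        print(rec["seq"], "device severity", rec["device_sev"], "->", rec["severity"])
```

On the post's data, both logged messages decode to LOCAL7.WARNING (PRI 188) and all four missing ones to LOCAL7.NOTICE (PRI 189), while the concentrator's own SEV values 4 and 5 share PRI 189.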


Guest
  • Guest
  • Guest Topic Starter
2004-11-22T10:56:02Z
Date parsed: 11/22/2004 10:56:02 AM
Date: Mon, 22 Nov 2004 16:56:02 -0500


"Franz Krainer" <franzk@netal.com> wrote in message
news:wg9AYuN0EHA.1280@is1.netal.com...
> Michel,
>
> are you using TCP as transport for sending/receiving syslog messages?

UDP, and I don't see anywhere in the concentrator config to switch to TCP.

>
> If yes, please take a look at the thread "TCP Syslog from Netscreen
> ScreenOS
> 5.x" (2004/06/21) in this newsgroup. My second reply contains a fixed
> version of SL4NTSVC, solving a problem with receiving messages over TCP.

Is it still relevant to apply the patch if I am only using UDP?

Michel



Guest
  • Guest
  • Guest Topic Starter
2004-11-22T22:35:05Z
Date parsed: 11/22/2004 10:35:05 PM
Date: Mon, 22 Nov 2004 22:35:05 +0100

Michel,

are you using TCP as transport for sending/receiving syslog messages?

If yes, please take a look at the thread "TCP Syslog from Netscreen ScreenOS
5.x" (2004/06/21) in this newsgroup. My second reply contains a fixed
version of SL4NTSVC, solving a problem with receiving messages over TCP.

Franz


Guest
  • Guest
  • Guest Topic Starter
2004-11-22T23:20:01Z
Date parsed: 11/22/2004 11:20:01 PM
Date: Mon, 22 Nov 2004 23:20:01 +0100

> Is it still relevant to apply the patch if I am only using UDP?

No, if you're using UDP.

- Please take a capture of the syslog traffic and send it to me.

- Also, use SL4NT perf counters to monitor how many messages are received
when you generate the three messages (1 or 3?).

- Also, please export your configuration to a file (using SL4NT Manager) and
send it to me.

Thanks,
Franz

