
Guest
2004-11-18T11:21:39Z

Date: Thu, 18 Nov 2004 17:21:39 -0500

Hi,

Is there any known problem with SL4NT 3.1 receiving syslog messages from a Cisco 3010 concentrator?

I first tested the concentrator with my PC running WhatsUp syslog, and once I got the setup working I transferred the syslog to an SL4NT server already running and functional.

I have a general rule "Log to file" triggering an action "Log to File", which is a Log to File type and, as you can guess, logs each message to a file, whatever the source, severity, time, etc.

For some reason it doesn't receive all messages, but curiously receives some of them.

Just to be sure, I configured the concentrator to send the messages to both the WhatsUp and SL4NT syslog servers, and effectively some messages are received by both and others only by WhatsUp.

If you need, I can send you a print screen from WhatsUp (cannot copy-paste the report page), along with the SL4NT log file.

Thanks,

Michel Caissie

Guest
2004-11-18T11:30:13Z

Date: Thu, 18 Nov 2004 17:30:13 -0500

It appears that SL4NT does not log SEV 4 and SEV 5 messages but logs SEV 3 messages.

mcaissie

Guest
2004-11-19T17:31:06Z

Date: Fri, 19 Nov 2004 17:31:06 +0100

Hi,

Can you tell me more about the properties of SEV3-5 messages?

If possible, please use Network Monitor on the SL4NT computer to capture the syslog messages (UDP/514) sent to the SL4NT computer, save the captured packets to a file and then send the .CAP file to me for further analysis.

Thanks,

Franz

Guest
2004-11-22T10:29:23Z

Date: Mon, 22 Nov 2004 16:29:23 -0500

> Can you tell me more about the properties of SEV3-5 messages?
>
> If possible, please use Network Monitor on the SL4NT computer to capture the syslog messages (UDP/514) sent to the SL4NT computer, save the captured packets to a file and then send the .CAP file to me for further analysis.

I'll check for Network Monitor; I may have to install it.

In the meantime I made some other tests, replacing WhatsUp with tftp32 syslog, so I can get the logs in a text file.

The Cisco concentrator is configured to send the messages to both servers. It also proposes two formats, Original or Cisco IOS Compatible. I tried both.

My test is to establish a VPN connection: first I enter a wrong password, then the good password, then I disconnect. This will generate 3 messages of severities 3, 4 and 5.

Here are the results:

****TEST1****

3010 Syslog format: Original

Received by tftp32 syslog

Mon Nov 22 15:53:48 2004: <188>51312 11/22/2004 15:54:56.860 SEV=3 AUTH/5 RPT=234 x.x.56.101 Authentication rejected: Reason = Unspecified handle = 889, server = x.x.125.157, user = mcaissie, domain = <not specified>

Mon Nov 22 15:58:51 2004: <189>51348 11/22/2004 15:59:59.430 SEV=5 IKE/25 RPT=1431 x.x.56.101 Group [tier4user] User [mcaissie] Received remote Proxy Host data in ID Payload: Address x.x.128.128, Protocol 0, Port 0

Mon Nov 22 15:58:56 2004: <189>51370 11/22/2004 16:00:04.840 SEV=4 AUTH/28 RPT=1242 x.x.56.101 User [mcaissie] Group [tier4user] disconnected: Session Type: IPSec/NAT-T Duration: 0:00:05 Bytes xmt: 0 Bytes rcv: 624 Reason: User Requested

Received by SL4NT

11/22/2004,3:53:48 PM,x.x.56.136,???,LOCAL7,WARNING,51312 11/22/2004 15:54:56.860 SEV=3 AUTH/5 RPT=234 x.x.56.101 Authentication rejected: Reason = Unspecified handle = 889, server = x.x.125.157, user = mcaissie, domain = <not specified>

****TEST2*****

3010 Syslog format: Cisco IOS Compatible

Received by tftp32 syslog

Mon Nov 22 16:10:42 2004: <188>51417: 2004 Nov 22 16:11:50.660 EST -5:00 %AUTH-4-5: RPT=235: x.x.56.101: Authentication rejected: Reason = Unspecified handle = 895, server = x.x.125.157, user = mcaissie, domain = <not specified>

Mon Nov 22 16:10:47 2004: <189>51425: 2004 Nov 22 16:11:56.030 EST -5:00 %IKE-6-25: RPT=1433: x.x.56.101: Group [tier4user] User [mcaissie] Received remote Proxy Host data in ID Payload: Address x.x.128.128, Protocol 0, Port 0

Mon Nov 22 16:10:54 2004: <189>51447: 2004 Nov 22 16:12:02.680 EST -5:00 %AUTH-5-28: RPT=1244: x.x.56.101: User [mcaissie] Group [tier4user] disconnected: Session Type: IPSec/NAT-T Duration: 0:00:06 Bytes xmt: 0 Bytes rcv: 416 Reason: User Requested

Received by SL4NT

11/22/2004,4:10:42 PM,x.x.56.136,???,LOCAL7,WARNING,51417: 2004 Nov 22 16:11:50.660 EST -5:00 %AUTH-4-5: RPT=235: x.x.56.101: Authentication rejected: Reason = Unspecified handle = 895, server = x.x.125.157, user = mcaissie, domain = <not specified>

P.S.: I replaced some IPs with x.x

Thanks,

Michel Caissie

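Added example, not part of the original thread: the six datagrams from TEST1 and TEST2 (message text abbreviated) decoded with the RFC 3164 rule PRI = facility * 8 + severity and grouped by whether the SL4NT log excerpts contain them. The function and variable names are this example's own. It shows that the two messages SL4NT logged carry PRI 188 (LOCAL7/WARNING) and the four it did not log carry PRI 189 (LOCAL7/NOTICE), independent of the concentrator's own SEV number in the message text.

```python
import re

# RFC 3164: PRI = facility * 8 + severity.
FACILITIES = (
    "KERN USER MAIL DAEMON AUTH SYSLOG LPR NEWS UUCP CRON AUTHPRIV FTP "
    "NTP AUDIT ALERT CLOCK "
    "LOCAL0 LOCAL1 LOCAL2 LOCAL3 LOCAL4 LOCAL5 LOCAL6 LOCAL7"
).split()
SEVERITIES = "EMERGENCY ALERT CRITICAL ERROR WARNING NOTICE INFO DEBUG".split()

# "<PRI>sequence" header used by both concentrator formats in the post.
HEADER = re.compile(r"^<(\d{1,3})>(\d+):?\s")
# Vendor severity: "SEV=n" (Original) or "%CLASS-n-event:" (IOS Compatible).
VENDOR_SEV = re.compile(r"SEV=(\d)|%[A-Z]+-(\d)-\d+:")

# Datagrams as shown in the tftp32 capture in the post (collector timestamp
# prefix dropped, message text abbreviated with "...").
RECEIVED_BY_TFTP32 = [
    "<188>51312 11/22/2004 15:54:56.860 SEV=3 AUTH/5 RPT=234 x.x.56.101 ...",
    "<189>51348 11/22/2004 15:59:59.430 SEV=5 IKE/25 RPT=1431 x.x.56.101 ...",
    "<189>51370 11/22/2004 16:00:04.840 SEV=4 AUTH/28 RPT=1242 x.x.56.101 ...",
    "<188>51417: 2004 Nov 22 16:11:50.660 EST -5:00 %AUTH-4-5: RPT=235: ...",
    "<189>51425: 2004 Nov 22 16:11:56.030 EST -5:00 %IKE-6-25: RPT=1433: ...",
    "<189>51447: 2004 Nov 22 16:12:02.680 EST -5:00 %AUTH-5-28: RPT=1244: ...",
]
# Sequence numbers present in the SL4NT log excerpts in the post.
LOGGED_BY_SL4NT = {51312, 51417}


def decode_pri(pri):
    """Split a syslog PRI value into (facility name, severity name)."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI out of range: {pri}")
    facility, severity = divmod(pri, 8)
    return FACILITIES[facility], SEVERITIES[severity]


def parse(datagram):
    """Extract PRI, sequence number and vendor severity from one datagram."""
    header = HEADER.match(datagram)
    if header is None:
        raise ValueError(f"no <PRI>sequence header: {datagram[:30]!r}")
    pri = int(header.group(1))
    facility, severity = decode_pri(pri)
    vendor = VENDOR_SEV.search(datagram)
    return {
        "seq": int(header.group(2)),
        "pri": pri,
        "facility": facility,
        "severity": severity,
        "vendor_sev": int(vendor.group(1) or vendor.group(2)) if vendor else None,
    }


def reception_gap(datagrams, logged_seqs):
    """Group sequence numbers by PRI severity and by logged/missing status."""
    gap = {}
    for datagram in datagrams:
        msg = parse(datagram)
        bucket = gap.setdefault(msg["severity"], {"logged": [], "missing": []})
        status = "logged" if msg["seq"] in logged_seqs else "missing"
        bucket[status].append(msg["seq"])
    return gap


if __name__ == "__main__":
    for line in RECEIVED_BY_TFTP32:
        m = parse(line)
        state = "logged" if m["seq"] in LOGGED_BY_SL4NT else "MISSING"
        print(f'{m["seq"]}  PRI={m["pri"]} {m["facility"]}/{m["severity"]:<8}'
              f' vendor SEV={m["vendor_sev"]}  {state}')
    print(reception_gap(RECEIVED_BY_TFTP32, LOGGED_BY_SL4NT))
```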

Guest
2004-11-22T10:56:02Z

Date: Mon, 22 Nov 2004 16:56:02 -0500

"Franz Krainer" <franzk@netal.com> wrote in message

news:wg9AYuN0EHA.1280@is1.netal.com...

> Michel,
>
> are you using TCP as transport for sending/receiving syslog messages?

UDP, and I don't see anywhere in the concentrator config to switch to TCP.

> If yes, please take a look at the thread "TCP Syslog from Netscreen ScreenOS 5.x" (2004/06/21) in this newsgroup. My second reply contains a fixed version of SL4NTSVC, solving a problem with receiving messages over TCP.

Is it still relevant to apply the patch if I am only UDP?

Michel


Guest
2004-11-22T22:35:05Z

Date: Mon, 22 Nov 2004 22:35:05 +0100

Michel,

Are you using TCP as transport for sending/receiving syslog messages?

If yes, please take a look at the thread "TCP Syslog from Netscreen ScreenOS 5.x" (2004/06/21) in this newsgroup. My second reply contains a fixed version of SL4NTSVC, solving a problem with receiving messages over TCP.

Franz

Guest
2004-11-22T23:20:01Z

Date: Mon, 22 Nov 2004 23:20:01 +0100

> is it still relevant to apply the patch if i am only udp ?

No, if you're using UDP.

- Please take a capture of the syslog traffic and send it to me.
- Also, use SL4NT perf counters to monitor how many messages are received when you generate the three messages (1 or 3?).
- Also, please export your configuration to a file (using SL4NT Manager) and send it to me.

Thanks,

Franz