# Cisco Syslog on an autonomous AP1142n

## d.stathopoulos

Good morning,

I have configured an rsyslog server on a Linux box to collect all the logs from the Cisco devices:
- Router
- L3 switch
- L2 switch
- Autonomous access point

I have one log file per device.
The logs are collected normally, but I have two problems with the access point's log file:

1) The logs from the access point are not collected synchronously (even though I have set logging synchronous on vty 0 4)
2) The logs are written on a single line, unlike the other devices, where there is one line per message

The access point's config is:


```

!
!
version 12.4
no service pad
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname antenna-ph-rc2
!
logging userinfo
no logging queue-limit
no logging buffered
no logging rate-limit
enable secret 5 xxxx
!
aaa new-model
!
!
aaa authentication login default group radius local
aaa authorization exec default group radius if-authenticated
aaa accounting exec default start-stop group radius
aaa accounting system default start-stop group radius
!
aaa session-id common
clock timezone EET 2
clock summer-time EEST recurring last Sun Mar 3:00 last Sun Oct 4:00
ip domain name mine.com
ip name-server 192.168.1.117
!
!
dot11 syslog
!
dot11 ssid myssid1
   vlan 14
   authentication open
   authentication key-management wpa version 2
   wpa-psk ascii 7 xxx
!
dot11 ssid myssid2
   vlan 18
   authentication open
   authentication key-management wpa version 2
   wpa-psk ascii 7 xxx
!
!
crypto pki trustpoint TP-self-signed-
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-
 revocation-check none
 rsakeypair TP-self-signed-
!
!
crypto pki certificate chain TP-self-signed-
 certificate self-signed 
  quit
username root privilege 15 secret 
!
!
ip ssh authentication-retries 2
ip ssh version 2
bridge irb
!
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption vlan 14 mode ciphers aes-ccm
 !
 encryption vlan 18 mode ciphers aes-ccm
 !
 ssid myssid1
 !
 ssid myssid2
 !
 antenna gain 0
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface Dot11Radio0.2
 encapsulation dot1Q 14
 no ip route-cache
 bridge-group 2
 bridge-group 2 subscriber-loop-control
 bridge-group 2 block-unknown-source
 no bridge-group 2 source-learning
 no bridge-group 2 unicast-flooding
 bridge-group 2 spanning-disabled
!
interface Dot11Radio0.3
 encapsulation dot1Q 12 native
 no ip route-cache
!
interface Dot11Radio0.4
 encapsulation dot1Q 18
 no ip route-cache
 bridge-group 3
 bridge-group 3 subscriber-loop-control
 bridge-group 3 block-unknown-source
 no bridge-group 3 source-learning
 no bridge-group 3 unicast-flooding
 bridge-group 3 spanning-disabled
!
interface Dot11Radio1
 no ip address
 no ip route-cache
 shutdown
 antenna gain 0
 no dfs band block
 channel dfs
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface GigabitEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
 no keepalive
!
interface GigabitEthernet0.2
 encapsulation dot1Q 14
 no ip route-cache
 bridge-group 2
 no bridge-group 2 source-learning
 bridge-group 2 spanning-disabled
!
interface GigabitEthernet0.4
 encapsulation dot1Q 18
 no ip route-cache
 bridge-group 3
 no bridge-group 3 source-learning
 bridge-group 3 spanning-disabled
!
interface GigabitEthernet0.5
 encapsulation dot1Q 12 native
 no ip route-cache
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
!
interface BVI1
 ip address 192.168.1.120 255.255.255.240
 ip helper-address 192.168.1.126
 no ip route-cache
!
ip default-gateway 192.168.1.126
ip http server
ip http authentication aaa
ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
logging history debugging
logging trap debugging
logging origin-id ip
logging host 192.168.1.117 transport tcp port 514
access-list 111 permit tcp any any neq telnet
radius-server host 192.168.1.117 auth-port 1812 acct-port 1813 key 7 xxx
bridge 1 route ip
!
!
!
line con 0
 access-class 111 in
 logging synchronous
line vty 0 4
 access-class 111 in
 logging synchronous
 transport input ssh
!
sntp server 192.168.1.117
end
```

Example of the logs I get from the access point:



```
Jul 21 23:35:02 thenticating Station 74e1.b6e7.a031 Reason: Sending station has left the BSS <190>167: 0.0.0.0: 000162: Jul 21 19:12:29.118 EEST: %DOT11-6-ASSOC: Interface Dot11Radio0, Station   74e1.b6e7.a031 Associated KEY_MGMT[WPAv2 PSK]<190>168: 0.0.0.0: 000163: Jul 21 19:12:53.714 EEST: %DOT11-6-DISASSOC: Interface Dot11Radio0, Deauthenticating Station 74e1.b6e7.a031 Reason: Sending station has left the BSS <190>169: 0.0.0.0: 000164: Jul 21 19:13:08.169 EEST: %DOT11-6-ASSOC: Interface Dot11Radio0, Station   74e1.b6e7.a031 Associated KEY_MGMT[WPAv2 PSK]<188>170: 0.0.0.0: 000165: Jul 21 19:50:55.933 EEST: %DOT11-4-MAXRETRIES: Packet to client 4843.7c6b.ec3e reached max retries, removing the client<190>171: 0.0.0.0: 000166: Jul 21 19:50:55.933 EEST: %DOT11-6-DISASSOC: Interface Dot11Radio0, Deauthenticating Station 4843.7c6b.ec3e Reason: Previous authentication no longer valid <188>172: 0.0.0.0: 000167: Jul 21 19:50:55.937 EEST: %DOT11-4-MAXRETRIES: Packet to client 4843.7c6b.ec3e reached max retries, removing the client<190>173: 0.0.0.0: 000168: Jul 21 20:45:52.752 EEST: %DOT11-6-ASSOC: Interface Dot11Radio0, Station antenna-ph-rc2 3402.86c4.994c Associated KEY_MGMT[WPAv2 PSK]<190>174: 0.0.0.0: 000169: Jul 21 20:49:27.078 EEST: %DOT11-6-DISASSOC: Interface Dot11Radio0, Deauthenticating Station 3402.86c4.994c Reason: Sending station has left the BSS <190>175: 0.0.0.0: 000170: Jul 21 21:13:43.061 EEST: %DOT11-6-DISASSOC: Interface Dot11Radio0, Deauthenticating Station 88cb.87a1.5d93 Reason: Previous authentication no longer valid <190>176: 0.0.0.0: 000171: Jul 21 23:00:28.240 EEST: %DOT11-6-DISASSOC: Interface Dot11Radio0, Deauthenticating Station 74e1.b6e7.a031 Reason: Sending station has left the BSS <190>177: 0.0.0.0: 000172: Jul 21 23:00:29.255 EEST: %DOT11-6-ASSOC: Interface Dot11Radio0, Station   74e1.b6e7.a031 Associated KEY_MGMT[WPAv2 PSK]<190>178: 0.0.0.0: 000173: Jul 21 23:05:24.586 EEST: %DOT11-6-ASSOC: Interface Dot11Radio0, Station   4843.7c6b.ec3e 
Associated KEY_MGMT[WPAv2 PSK]<190>179: 0.0.0.0: 000174: Jul 21 23:
Jul 22 21:17:22 192.168.1.120 35: 01.039 EEST: %DOT11-6-ASSOC: Interface Dot11Radio0, Station   88cb.87a1.5d93 Associated KEY_MGMT[WPAv2 PSK]<190>180: 0.0.0.0: 000175: Jul 21 23:45:26.958 EEST: %DOT11-6-ASSOC: Interface Dot11Radio0, Station   1030.4746.76b7 Associated KEY_MGMT[WPAv2 PSK]<190>181: 0.0.0.0: 000176: Jul 21 23:46:37.557 EEST: %DOT11-6-DISASSOC: Interface Dot11Radio0, Deauthenticating Station 1030.4746.76b7 Reason: Sending station has left the BSS <190>182: 0.0.0.0: 000177: Jul 22 00:03:06.280 EEST: %DOT11-6-DISASSOC: Interface Dot11Radio0, Deauthenticating Station 4843.7c6b.ec3e Reason: Sending station has left the BSS <190>183: 0.0.0.0: 000178: Jul 22 00:47:11.112 EEST: %DOT11-6-DISASSOC: Interface Dot11Radio0, Deauthenticating Station 74e1.b6e7.a031 Reason: Previous authentication no longer valid <190>184: 0.0.0.0: 000179: Jul 22 05:18:43.690 EEST: %DOT11-6-ASSOC: Interface Dot11Radio0, Station   74e1.b6e7.a031 Associated KEY_MGMT[WPAv2 PSK]<190>185: 0.0.0.0: 000180: Jul 22 05:50:03.192 EEST: %DOT11-6-DISASSOC: Interface Dot11Radio0, Deauthenticating Station 88cb.87a1.5d93 Reason: Previous authentication no longer valid <190>186: 0.0.0.0: 000181: Jul 22 07:42:41.551 EEST: %DOT11-6-ASSOC: Interface Dot11Radio0, Station   4843.7c6b.ec3e Associated KEY_MGMT[WPAv2 PSK]<190>187: 0.0.0.0: 000182: Jul 22 08:04:48.032 EEST: %DOT11-6-DISASSOC: Interface Dot11Radio0, Deauthenticating Station 4843.7c6b.ec3e Reason: Previous authentication no longer valid <190>188: 0.0.0.0: 000183: Jul 22 15:50:24.448 EEST: %DOT11-6-ASSOC: Interface Dot11Radio0, Station   4843.7c6b.ec3e Associated KEY_MGMT[WPAv2 PSK]<190>189: 0.0.0.0: 000184: Jul 22 19:32:49.416 EEST: %DOT11-6-DISASSOC: Interface Dot11Radio0, Deauthenticating Station 4843.7c6b.ec3e Reason: Previous authentication no longer valid <189>190: 0.0.0.0: 000185: Jul 22 20:01:13.500 EEST: %SYS-5-CONFIG_I: Configured from console by myuser on vty0 (192.168.1.117)<190>191: 0.0.0.0: 000186: Jul 22 21:17:20.011 EEST: 
%DOT11-6-ASSOC: Interface Dot11Radio0, Station   4843.7c6b.ec3e Associated KEY_MGMT[
```

Example of the logs I get from the switch:


```
Jul 21 13:49:14 192.168.1.114 57694: Jul 21 13:49:13.730 EEST: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: myuser] [Source: 192.168.1.117] [localport: 22] [Reason: Login Authentication Failed] at 13:49:13 EEST Tue Jul 21 2015
Jul 21 13:49:24 192.168.1.114 57695: Jul 21 13:49:23.467 EEST: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: myuser] [Source: 192.168.1.117] [localport: 22] [Reason: Login Authentication Failed] at 13:49:23 EEST Tue Jul 21 2015
Jul 21 13:49:32 192.168.1.114 57696: Jul 21 13:49:31.499 EEST: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: myuser] [Source: 192.168.1.117] [localport: 22] [Reason: Login Authentication Failed] at 13:49:31 EEST Tue Jul 21 2015
Jul 21 13:49:36 192.168.1.114 57697: Jul 21 13:49:35.002 EEST: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: myuser] [Source: 192.168.1.117] [localport: 22] [Reason: Login Authentication Failed] at 13:49:35 EEST Tue Jul 21 2015
Jul 21 13:49:45 192.168.1.114 57698: Jul 21 13:49:44.984 EEST: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: myuser] [Source: 192.168.1.117] [localport: 22] at 13:49:44 EEST Tue Jul 21 2015
```


Any idea how I can fix the batching and the formatting of the access point's logs?

Thank you very much!

----------


## lacacitos

I haven't seen this before, but I believe it is related to the fact that you are using TCP for logging... It may have to do with the DisableLFDelimiter option in rsyslog.

----------


## d.stathopoulos

Good morning,

1) On the other devices I use TCP and have no problem
2) My rsyslog config is:



```
$ModLoad imuxsock.so  
$ModLoad imklog.so      
$ModLoad imudp.so
$UDPServerRun 514
$ModLoad imtcp.so
$InputTCPServerRun 514
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
if $fromhost-ip == 'xxx.xxx.xxx.xxx' then /var/log/device1.log
if $fromhost-ip == 'xxx.xxx.xxx.xxx' then /var/log/device2.log
if $fromhost-ip == 'xxx.xxx.xxx.xxx' then /var/log/device3.log
if $fromhost-ip == 'xxx.xxx.xxx.xxx' then /var/log/device4.log
if $fromhost-ip == 'xxx.xxx.xxx.xxx' then /var/log/device5.log
if $fromhost-ip == 'xxx.xxx.xxx.xxx' then /var/log/device6.log
if $fromhost-ip == 'xxx.xxx.xxx.xxx' then /var/log/device7.log
*.info;mail.none;authpriv.none;cron.none                /var/log/messages
authpriv.*                                              /var/log/secure
mail.*                                                  -/var/log/maillog
cron.*                                                  /var/log/cron
*.emerg                                                 *
uucp,news.crit                                          /var/log/spooler
local7.*                                                /var/log/boot.log
```

----------


## lacacitos

It is probably a bug in that particular IOS.
I believe that if you switch it to UDP it will work normally, but in any case, if you run tcpdump (e.g. tcpdump -x -s 0 port 514 and host 192.168.1.120) you will see what delimiter it sends for the line break... if it sends no delimiter, then logically it is a bug, or at any rate the problem is on the AP.

----------
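The delimiter check suggested above, and a way to recover one record per message from the run-together AP file, as an added example that is not part of the original thread. The function names are hypothetical, the sample bytes are constructed from the AP log lines quoted earlier, and it assumes the sender does not use octet-counted framing.

```python
import re

# Start of a Cisco IOS syslog message as it appears in the AP sample:
# "<PRI>" followed by the message counter and a colon, e.g. "<190>167: ".
MSG_START = re.compile(rb"<(\d{1,3})>(?=\d+: )")

def detect_framing(payload: bytes) -> str:
    """Report whether consecutive messages in a TCP payload are LF-separated."""
    starts = [m.start() for m in MSG_START.finditer(payload)]
    if len(starts) < 2:
        return "unknown"  # need at least one message boundary to judge
    with_lf = sum(payload[s - 1:s] == b"\n" for s in starts[1:])
    if with_lf == len(starts) - 1:
        return "lf-delimited"
    return "undelimited" if with_lf == 0 else "mixed"

def split_messages(payload: bytes) -> list:
    """Split on <PRI> headers so run-together messages become one record each."""
    starts = [m.start() for m in MSG_START.finditer(payload)]
    records = []
    for begin, end in zip(starts, starts[1:] + [len(payload)]):
        head = MSG_START.match(payload, begin)
        pri = int(head.group(1))
        text = payload[head.end():end].rstrip(b"\r\n ").decode("ascii", "replace")
        # PRI = facility * 8 + severity (RFC 3164 / RFC 5424)
        records.append({"facility": pri >> 3, "severity": pri & 7, "text": text})
    return records

# Constructed sample: three messages copied from the AP log above, joined with
# no separator between them, the way they appear in the collected file.
AP_STREAM = (
    b"<190>169: 0.0.0.0: 000164: Jul 21 19:13:08.169 EEST: %DOT11-6-ASSOC: "
    b"Interface Dot11Radio0, Station   74e1.b6e7.a031 Associated KEY_MGMT[WPAv2 PSK]"
    b"<188>170: 0.0.0.0: 000165: Jul 21 19:50:55.933 EEST: %DOT11-4-MAXRETRIES: "
    b"Packet to client 4843.7c6b.ec3e reached max retries, removing the client"
    b"<190>171: 0.0.0.0: 000166: Jul 21 19:50:55.933 EEST: %DOT11-6-DISASSOC: "
    b"Interface Dot11Radio0, Deauthenticating Station 4843.7c6b.ec3e "
    b"Reason: Previous authentication no longer valid "
)

if __name__ == "__main__":
    print(detect_framing(AP_STREAM))
    for rec in split_messages(AP_STREAM):
        print(rec["facility"], rec["severity"], rec["text"])
```

The same functions can be fed the raw TCP payload from a packet capture, or the contents of the AP's log file, to confirm whether any line feed separates the messages.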

