
I really recommend setting up fluentd, and then routing logging from there - it makes it very easy to keep auditor-appeasing logs, while also having important stuff sending pages.

Log aggregation, organization, and search is a hard problem, other people have already done it and provided it as a service, and chances are it's NOT a core competency or secret sauce at your organization. Once you get your logs in one routing system, you can do a lot with them, but stop rolling your own. This is a prime area for most companies to buy something that works better, for less than the cost of developing in house. And if you run your own aggregation layer - then you can easily try out a bunch of different systems and add/remove them easily. :)

Also, you may want to see one level of logs, but your auditors might wanna see another, and your engineers/sec team might wanna do some analytics on them. Being able to provide a solution for everyone who needs network logs at whatever detail level they ask for will make you popular at your organization.

On Sun, Feb 4, 2018 at 12:21 AM, Tarko Tikan <tarko@lanparty.ee> wrote:
> hey,
>
> This is done with the 'logging facility' command on the devices:
>
> After defining your syslog server's IP address and the level of messaging you want (I set it to debug because I want to see everything):
>
> on the routers:
>     logging facility local0
> on the switches:
>     logging facility local1
>
> An alternative, and more universal, way to do it is to use multiple IPs for the syslog server. Then configure the correct syslog server IP on the device.
>
> syslog-ng and others can all do filtering to different destinations based on the IP where the message was received.
>
> --
> tarko
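Both routing schemes from the thread (split by the facility the device was told to log with, or by which collector IP received the message) rest on the same thing: the syslog PRI header, which packs facility*8 + severity into the leading `<N>`. The following is an added example, not code from the thread or from fluentd/syslog-ng; the destination names, listener IPs and sample lines are constructed.

```python
"""Added example: decode the syslog PRI and route like the thread describes."""
import re

# RFC 3164/5424 PRI = facility * 8 + severity; 'logging facility local0/local1'
LOCAL0, LOCAL1 = 16, 17
PRI_RE = re.compile(r"^<(\d{1,3})>")

def decode_pri(line):
    """Return (facility, severity) from a raw syslog line, or None if no valid PRI."""
    m = PRI_RE.match(line)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:            # 23 * 8 + 7 is the largest legal PRI
        return None
    return divmod(pri, 8)    # (facility, severity)

# Hypothetical policy: facility picks the archive (routers vs switches)...
FACILITY_ROUTE = {LOCAL0: "routers-archive", LOCAL1: "switches-archive"}
# ...or, Tarko's alternative, the listener IP the message arrived on picks it.
LISTENER_ROUTE = {"192.0.2.10": "routers-archive", "192.0.2.11": "switches-archive"}

def route(line, received_on=None):
    """Return the destinations for one message: an archive, plus 'pager' if severe."""
    decoded = decode_pri(line)
    if decoded is None:
        return ["unparsed-quarantine"]   # keep, but never silently drop, bad input
    facility, severity = decoded
    if received_on in LISTENER_ROUTE:
        dests = [LISTENER_ROUTE[received_on]]
    else:
        dests = [FACILITY_ROUTE.get(facility, "catchall-archive")]
    if severity <= 2:        # emerg/alert/crit: page on-call as well as archiving
        dests.append("pager")
    return dests

# Constructed sample lines (not real device output)
SAMPLES = [
    ("<134>Feb  4 00:21:00 rtr1 %SYS-6-LOGGINGHOST_STARTSTOP: logging started", None),
    ("<137>Feb  4 00:22:00 sw1 %PLATFORM-1-OVERTEMP: chassis overheating", None),
    ("<15>Feb  4 00:23:00 fw1 kernel: link down", "192.0.2.11"),
    ("garbage without a PRI", None),
]

if __name__ == "__main__":
    for line, addr in SAMPLES:
        print(route(line, addr), "<-", line[:45])
```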