Syslog Server, with translation

Scenario 2: Syslog Server -> Detailed Switch Logs

Problem Description

A company running a switch stack needs to save detailed logs for debugging, intruder detection, and basic troubleshooting purposes. They are running a stack of Cisco 2950 switches, with several edge switches as well. Their current syslog system records the switch logs, but the logs are difficult to read and even more difficult to search. While it is possible to trace back and find out which devices are connecting, the process is lengthy and prone to user error.

Infrastructure

The switches are all capable of sending logging information to a UDP logging service such as syslog. All devices can talk to each other. The IT department keeps track of all computer names and their MAC addresses.

Challenges

The log entries are specialized. Switch log entries show MAC addresses rather than IP addresses, so tracing which device is connected to which switch port requires reading the entries manually. Given that at any time there can be literally thousands of log entries, this quickly becomes a time-consuming chore.

Solution

We installed Universal Data Relay on a PC used by the networking department. We set up a SOURCE as a UDP Listener on port 514. We then went to each switch and programmed it with the IP address of the PC running UDR. We set up two DESTINATIONS as FILES located on the PC. One destination would collect every single log entry. The other file would only collect exceptions: devices attempting to connect to the network that had never connected before. We created an Excel sheet listing every device name and its corresponding MAC address. We exported this to CSV format and saved it in the LIBRARIES folder for Universal Data Relay. We then set up a filter that would look up the MAC address in every syslog entry captured, replacing it with the matching device name. We then set up two ROUTES. One route put all the entries into the log file. The other route inspected the data, and any time a raw MAC address was detected (meaning no device name matched), that log entry was written to the exceptions file.
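The lookup-and-route pipeline described above, as an added Python example that is not Universal Data Relay's own code or configuration: the CSV inventory, the syslog lines and the field names are constructed for illustration, and the two "files" are returned as lists so the logic can be tested offline.

```python
import csv
import io
import re

# Constructed inventory in the two-column layout the scenario exports from Excel.
# Both Cisco dotted and colon-separated notations are accepted.
INVENTORY_CSV = """device_name,mac_address
ACCT-PC-01,00:11:22:33:44:55
HR-PRINTER,0011.2233.4466
"""

# Constructed switch syslog lines (the third carries no MAC address at all).
SAMPLE_LOG = """<189>Jan 10 09:12:01 sw-core-1: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0011.2233.4455 on port FastEthernet0/3.
<189>Jan 10 09:12:07 sw-edge-2: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0011.2233.44aa on port FastEthernet0/17.
<189>Jan 10 09:12:09 sw-edge-2: %LINK-3-UPDOWN: Interface FastEthernet0/17, changed state to up
"""

# Matches Cisco dotted form (0011.2233.4455) or colon/dash form (00:11:22:33:44:55).
MAC_RE = re.compile(
    r"\b(?:[0-9A-Fa-f]{4}\.){2}[0-9A-Fa-f]{4}\b"
    r"|\b(?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}\b"
)

def normalize_mac(mac: str) -> str:
    """Canonical form: 12 lowercase hex digits, so any notation matches the inventory."""
    return re.sub(r"[^0-9a-f]", "", mac.lower())

def load_inventory(csv_text: str) -> dict:
    """Build the MAC -> device name lookup table from the exported CSV."""
    return {normalize_mac(row["mac_address"]): row["device_name"]
            for row in csv.DictReader(io.StringIO(csv_text))}

def translate(line: str, names: dict):
    """Replace every known MAC with its device name; return (line, unknown MACs left raw)."""
    unknown = []
    def repl(match):
        key = normalize_mac(match.group(0))
        if key in names:
            return names[key]
        unknown.append(key)          # no inventory match: leave the raw MAC in place
        return match.group(0)
    return MAC_RE.sub(repl, line), unknown

def route(lines, names: dict):
    """Route 1: every entry -> all_log. Route 2: entries still holding a raw MAC -> exceptions."""
    all_log, exceptions = [], []
    for line in lines:
        text, unknown = translate(line, names)
        all_log.append(text)
        if unknown:
            exceptions.append(text)
    return all_log, exceptions
```

A MAC address is set by the connecting host and can be changed, so an entry landing in the exceptions file flags an unapproved or unknown device rather than proving its identity. Keep the CSV current, since any approved device missing from it will be reported as an exception.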

Conclusion

The IT department now has a detailed file log showing all switch information. It also has a file that shows unapproved devices and the switch port on which each connection attempt occurred. This enabled better service and detection of any device that tried to connect to the network without having been approved by the IT department.
