In this lab I’m going to demonstrate how to configure a syslog server to use with Dell Force10 switches. A syslog server can be used to store log files remotely on an external server. Syslog servers can be invaluable when troubleshooting. If a switch ever fails or reboots, no worries: your logs are still available via the syslog server, and you can analyse them to troubleshoot. An engineer can have multiple network devices write to one syslog file, or, if desired, a separate syslog file can be created and stored remotely for each network device.
In this lab I’m going to enable logging to the syslog server on two Dell S4810 switches [FTOS 9.1]. I’ll use a Dell S50N [FTOS 8.4.2.7] for the management switch. I have CentOS 6.3 installed on a Dell PowerEdge R620 server and will use rsyslog for the syslog server. Below is the lab network diagram.
First I need to install the rsyslog server on CentOS. I open up a terminal prompt, make sure I’m the ‘root’ user or have the correct permissions to install software, and enter the command ‘yum install rsyslog’. I confirm installation when prompted. Once installed, I navigate to ‘/etc’ and open the ‘rsyslog.conf’ file for editing. I usually use ‘vi’, but feel free to use whatever editor you like. I uncomment the below lines starting with ‘$’. Make sure to only uncomment the below lines as I have already done. These lines specify the port the syslog server will open so network devices can send log messages to it.
#Provides UDP syslog reception
$ModLoad imudp.so
$UDPServerRun 514
Now, I go to the bottom of the file and right below:
# Save boot messages also to boot.log
local7.* /var/log/boot.log
I write the following and save the file:
#Logging for Dell_S4810_A2
:fromhost-ip, isequal, "10.11.129.145" /var/log/dellforce10
Initially I’m going to enable logging just on one switch, ‘Dell_S4810_A2’. I’ll later add the second S4810, ‘Dell_S4810_A1’.
Next, I have to put a hole in the firewall for the UDP communication on port 514. I do this on the terminal CLI with the below command.
– iptables -A INPUT -m state --state NEW -m udp -p udp --dport 514 -j ACCEPT
Finally, I restart both the ‘iptables’ and ‘rsyslog’ services via the below commands.
– service iptables restart
– service rsyslog restart
If desired, you can edit the configuration under ‘/etc/logrotate.d’ to customize rotation of log files.
Now that the syslog server is set up, I’ll go on the ‘Dell_S4810_A2’ switch and configure it to write to the syslog server. The commands are as follows:
– enable
– config
– logging 10.11.129.100
– logging trap debugging
– do write
Note that above I’m setting the logging level to ‘debugging’; however, you are free to change this as desired. The available logging levels are shown below.
Now if I take a look at my syslog file, ‘dellforce10’, with the ‘tail -f /var/log/dellforce10’ command on the CentOS terminal, I see the below (Note, I connected some devices to the switch, disconnected cables, and configured some protocols to get some interesting syslog messages).
Now, I’m going to have the other S4810, ‘Dell_S4810_A1’, also send log messages to the syslog server. The main thing I need to do is edit the ‘/etc/rsyslog.conf’ file. I can accomplish what I need by editing my initial S4810 switch entry to the following:
#Logging for Dell_S4810_A2
:fromhost-ip, isequal, "10.11.129.145" /var/log/dellforce10
& ~
#Logging for Dell_S4810_A1
:fromhost-ip, isequal, "10.11.129.147" /var/log/dellforce10
Note, I’m writing to the same file, but you are free to write to different files if desired. I also could have used something like the below to enable logging for a range of servers where the IP address starts with ‘10.11.129.’.
#Logging for multiple Dell switches
:fromhost-ip, startswith, "10.11.129." /var/log/dellforce10
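The following is an added example, not part of the original lab and not rsyslog's own code: a small Python model of the property-based filters shown above, tracing which files a message from a given source IP would be written to. It covers only ‘fromhost-ip’ with ‘isequal’/‘startswith’ and the ‘& ~’ discard; the rule set and the file names ‘dell_range’ and ‘sloppy_prefix’ are constructed for illustration.

```python
import re

# Constructed rule set in the legacy rsyslog syntax used on this page.
CONF = '''
:fromhost-ip, isequal, "10.11.129.145" /var/log/dellforce10
& ~
:fromhost-ip, startswith, "10.11.129." /var/log/dell_range
:fromhost-ip, startswith, "10.11.129.14" /var/log/sloppy_prefix
'''

# Only straight ASCII quotes are accepted around the compare value.
RULE = re.compile(r'^:fromhost-ip,\s*(isequal|startswith),\s*"([^"]*)"\s+(\S+)$')

def parse(conf):
    """Return [(op, value, [actions])]; '& <action>' chains onto the previous filter."""
    rules = []
    for line in conf.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        if line.startswith('&'):
            if not rules:
                raise ValueError("'&' with no preceding filter")
            rules[-1][2].append(line[1:].strip())
            continue
        m = RULE.match(line)
        if not m:
            raise ValueError(f"unsupported or malformed rule: {line!r}")
        rules.append((m.group(1), m.group(2), [m.group(3)]))
    return rules

def route(rules, src_ip):
    """Files a message from src_ip is written to, in rule order."""
    written = []
    for op, value, actions in rules:
        hit = src_ip == value if op == 'isequal' else src_ip.startswith(value)
        if not hit:
            continue
        for action in actions:
            if action == '~':  # discard: later rules never see the message
                return written
            written.append(action)
    return written

if __name__ == '__main__':
    rules = parse(CONF)
    for ip in ('10.11.129.145', '10.11.129.147', '10.11.129.14', '10.11.12.9'):
        print(ip, route(rules, ip))
```

The prefix compare is a plain string match, so the trailing dot in "10.11.129." is what keeps the filter to that one range, while a prefix such as "10.11.129.14" also admits .140 through .149.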
After making the change to the ‘rsyslog.conf’ file, I restart the syslog server with the ‘service rsyslog restart’ command. I use the same FTOS commands on ‘Dell_S4810_A1’ as I used on the prior switch to enable logging to the syslog server. You can see from the below, the syslog server is now logging messages from both switches.