My connection to the boundless cache of information called the “internet” is handled by my trusty Cisco 678. Unfortunately, the phone infrastructure in my building is less than top quality and my connection quality degrades over time. Part of my solution to this problem involves monitoring my 678 (running CBOS 2.4).
The Cisco 67x has a built-in syslog facility, but it has limited memory and can be cumbersome to access. The Cisco has the capability to send syslog messages to a central syslog server, and I just happen to maintain such a server on my network. My syslog server currently runs Ubuntu Server 12.04.2 LTS (Precise Pangolin) and I use the provided rsyslogd (5.8.6). To configure it, edit /etc/rsyslog.conf and ensure UDP support is enabled (I had to uncomment the following lines).
$ModLoad imudp $UDPServerRun 514
I also had to add a firewall rule to allow the traffic.
iptables -A INPUT -i eth1 -s <cisco ip>/32 -p udp --dport 514 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT iptables -A OUTPUT -o eth1 -d <cisco ip>/32 -p udp --sport 514 -m state --state RELATED,ESTABLISHED -j ACCEPT
Next, configure the Cisco to send its syslog messages to the remote server. This consists of connecting to the Cisco, configuring syslog, writing the config, rebooting, and testing.
User Access Verification Password:******** cbos>enable Password:******** cbos#set syslog enabled SYSLOG is enabled cbos#set syslog remote <syslog server ip> SYSLOG will now send messages to <syslog server ip> cbos#set syslog port 514 SYSLOG will now use port 514 cbos#write Warning: traffic may pause while NVRAM is being modified NVRAM written. cbos#reboot
Obviously, you need to replace <syslog server ip> with an actual IP. Adjust the port if necessary. Once the reboot is complete, you can test it.
cbos#set syslog test testing syslog from cisco 678 Message: "testing syslog from cisco 678" sent via syslog
You should see the message appear in your logs on the central syslog server.
user@syslog$ tail /var/log/syslog.log May 24 18:29:11 <cisco ip> "testing sysylog from cisco 678"
If the message doesn’t appear in the syslog logs, check for errors on the Cisco.
cbos#show errors - Current Error Messages - ## Ticks Module Level Message 0 000:00:00:00 SYSLOG Alarm Could not send message
If the error “Could not send message” appears, verify that the Cisco was configured correctly. Note: the Cisco will probably fail until the config is written and the device is rebooted.
Messages from the Cisco should now be appearing in your central syslog logs.
The Cisco 678 has built-in support for SNMP, and it’s fairly straight-forward to enable. My goal is to use Net-SNMP to monitor the performance and general health of the Cisco. To setup the 678 to support SNMP, add a ‘manager’ (use “set snmp manager” for details). In my example, <client ip> is the IP of the machine generating SNMP requests, and “internal” is the name of my SNMP ‘community’.
cbos#set snmp manager <client ip> internal read enable all Added SNMP Manager cbos#set snmp enable SNMP enabled cbos#write Warning: traffic may pause while NVRAM is being modified NVRAM written. cbos#reboot
The Cisco should now respond to SNMP requests originating from <client ip>. Net-SNMP includes several tools, such as snmpwalk, that can be used to test the setup. This can be done on an Ubuntu client as follows.
user$ sudo apt-get install -y snmp user$ snmpwalk -r 0 -v1 -c internal <cisco ip>
The output of both commands has been omitted, but the system information for the Cisco should look similar to the following.
user$ snmpwalk -r0 -v1 -c internal <cisco ip> system SNMPv2-MIB::sysDescr.0 = STRING: Cisco CPE SNMPv3 Agent SNMPv2-MIB::sysObjectID.0 = OID: SNMPv2-SMI::enterprises.188.8.131.52 DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (8835020) 1 day, 0:32:30.20 SNMPv2-MIB::sysContact.0 = STRING: Cisco Systems, Inc SNMPv2-MIB::sysName.0 = STRING: CBOS675 SNMPv2-MIB::sysLocation.0 = STRING: Irvine SNMPv2-MIB::sysServices.0 = INTEGER: 72
Note: Net-SNMP 5.4.3 was having problems translating OID numbers into more human-friendly strings. Eventually, Google led me to several articles explaining a bug in 5.4 that caused Net-SNMP to fail when reading MIB files to translate the OID numbers. It was necessary for me to build and install 5.7.1 to resolve this problem. If you’re using 5.4.3, then you may need to change your command, and the result will be different (and more cryptic).
user$ snmpwalk -r0 -v1 -c internal <cisco ip> .184.108.40.206.2.1.1 iso.220.127.116.11.18.104.22.168 = STRING: "Cisco CPE SNMPv3 Agent" iso.22.214.171.124.126.96.36.199 = OID: iso.188.8.131.52.184.108.40.206.1 iso.220.127.116.11.18.104.22.168 = Timeticks: (8887560) 1 day, 0:41:15.60 iso.22.214.171.124.126.96.36.199 = STRING: "Cisco Systems, Inc" iso.188.8.131.52.184.108.40.206 = STRING: "CBOS675" iso.220.127.116.11.18.104.22.168 = STRING: "Irvine" iso.22.214.171.124.126.96.36.199 = INTEGER: 72
Most of the examples I found online use mrtg (along with Apache, cron, and rrdtool) to generate web-accessible graphs of data collected via SNMP. This isn’t the model I’m using, but Google can lead you to the answer; I’m using a custom tool to record specific parameters as part of my overall network monitoring.
A Final Thought
Between syslog and SNMP, it should be relatively easy to keep an eye on a Cisco 678 or 675. It’s worth noting that there are some security trade offs to consider when enabling SNMP. In my setup, I was able to disable my 678’s telnet server, but end up exposing its SNMP functionality. This may or may not be advisable in your environment.