Configuring remote syslog from routers, switches, & network devices

Configure logging on network devices based on Cisco IOS, PIX-OS (ASA), and other network device operating systems.

Papertrail Setup

Papertrail supports 2 ways of identifying a device:

These 2 methods cover nearly all network devices. If neither is suitable, please let us know via support@papertrailapp.com.

Device Setup

Papertrail can receive logs from nearly all network devices. We’ve documented setup processes for a few popular ones here. If yours is missing, just tell us via support@papertrailapp.com or follow the steps under “Other device.”

Don’t see your device below? If it can send logs, Papertrail almost certainly can receive them. Here’s how.

Aruba Networks Mobility Controller

Since this device only supports logging to the default syslog port (514), explicitly register the device’s IP. Visit Add Systems, then click the “Not shown here?” tab. Under “Less common setup methods,” click “My syslog daemon only sends to port 514.” Provide Papertrail with this device’s Internet-facing public (external NAT) IP.

Papertrail will provide a hostname to use with the Aruba controller’s “logging” command. For example:

configure terminal
  logging logs.papertrailapp.com
  exit
write memory

Barracuda Spam Firewall

Barracuda Spam Firewall can send its Mail Syslog (SMTP activity) and Web Syslog (GUI activity) to Papertrail.

Per “Syslog and the Spam Firewall,” browse to Advanced, then Troubleshooting. As of this writing, Barracuda Spam Firewall supports non-default syslog ports but only supports logging to a destination IP address, not a DNS hostname. To log to Papertrail, use the settings shown on Add Systems. Instead of configuring a hostname (such as logs.papertrailapp.com), resolve that hostname into IP addresses using nslookup. Configure the device to log to any 1 of the IP addresses returned by nslookup.

Configure each of the 2 message types, like this:

[Screenshot: Barracuda Spam Firewall syslog logging configuration]

Cable/DSL Modems, Wireless Routers

Most home wireless access points and cable/DSL routers can be configured to transmit events. In the device’s Web management interface, set the log or event destination to the hostname and port provided by Papertrail. If the device can only log to the default syslog port, 514, visit Add Systems and click the “Sender requires port 514” link.

Cisco IOS

To send from Cisco IOS-based devices, connect via SSH or telnet and run enable to become administrator. Enter the following:

    configure terminal
      logging host <host>.papertrailapp.com transport udp port 11111
      logging facility syslog
      logging trap debugging
      exit
    write memory

Replace <host>.papertrailapp.com and 11111 with the details provided by Papertrail. Most IOS releases after 12.2 support user-supplied ports. The configuration assumes that the router has been told about DNS servers.

For older IOS versions which only support logging to the default port, the configuration could be:

logging logs.papertrailapp.com

If the device does not have DNS enabled, check the Papertrail account’s log destinations to see which hostname has been assigned, then replace <host>.papertrailapp.com with its IP address from nslookup.

We recommend the following to make IOS messages interoperate better with the syslog protocol. Disable an extra timestamp and sequence numbers:

no service sequence-numbers
no service timestamps debug uptime
no service timestamps log uptime

Cisco ASA and PIX

logging enable
logging host outside <host>.papertrailapp.com udp/11111
logging trap informational
logging severity 5

outside is the name of the Internet-facing interface on the device.

Important: Informational and debug log levels can be extremely verbose (often multiple messages per NAT fixup or connection through the device). After verifying that logging is functioning, we strongly suggest changing to a less verbose setting like:

logging trap notification

In devices which support rate-limited logging (such as FWSM), this will rate-limit the log volume to 10 debug-level messages per 30-second interval:

logging rate-limit 10 30 level debugging

If you explicitly register the device with Papertrail so that it can log to the default syslog port, this will work:

logging host outside logs.papertrailapp.com

DD-WRT

The DD-WRT firmware package provides two methods for configuring syslog to send log messages to Papertrail: through the user interface, or via a startup script on boot.

The User Interface

Since this device only supports logging to the default syslog port (514), explicitly register the device’s IP. Visit Add Systems, then click the “Not shown here?” tab. Under “Less common setup methods,” click “My syslog daemon only sends to port 514.” Provide Papertrail with this device’s Internet-facing public (external NAT) IP.

In the DD-WRT Web interface:

  1. Choose the “Services” tab. Enable the “Syslog” service.
  2. Enter the hostname provided above, such as logs.papertrailapp.com.

Device requires an IP address, not a hostname?

Instead of configuring a hostname (such as logs.papertrailapp.com), resolve that hostname into IP addresses using nslookup. Configure the device to log to any 1 of the IP addresses returned by nslookup.

Configure Syslog on Boot

To configure syslog to use a port other than 514, create a startup script via the router’s telnet/SSH connection and enter the following set of commands:

  killall syslogd
  /sbin/syslogd -l <SEVERITY> -L -R <LOG DESTINATION IP ADDRESS>:<PORT>

DD-WRT firmware versions other than “micro” can also send security events. To enable security events, visit the “Security” tab, scroll to “Log Management,” and enable desired options.

Cisco CatOS

Since this device only supports logging to the default syslog port (514), explicitly register the device’s IP. Visit Add Systems, then click the “Not shown here?” tab. Under “Less common setup methods,” click “My syslog daemon only sends to port 514.” Provide Papertrail with this device’s Internet-facing public (external NAT) IP.

For Cisco Catalyst OS devices, connect via SSH or telnet and run enable to become administrator. Enter the following:

set logging server enable
set logging server logs.papertrailapp.com
set logging level all 5
set logging server severity 6

Device doesn’t have DNS enabled?

Instead of configuring a hostname (such as logs.papertrailapp.com), resolve that hostname into IP addresses using nslookup. Configure the device to log to any 1 of the IP addresses returned by nslookup.

F5 BIG-IP (TMOS)

F5 BIG-IP runs the syslog-ng daemon as its native local log collector. Its syslog-ng can be configured to send to Papertrail. To add Papertrail as the only destination for TMOS logs (using UDP), run:

tmsh modify sys syslog remote-servers add {papertrail {host 1.2.3.4 remote-port 11111}}

Important: replace 1.2.3.4 with an IP address of the log destination hostname provided by Papertrail. It can be found with nslookup. Replace 11111 with the log destination port provided by Papertrail.

More: syslog in TMOS 9.x/10.x, syslog in TMOS 11.x, TMOS concepts

Fortigate FortiOS

Excerpting from page 29 of FortiOS Logging & Reporting:

To configure FortiOS to log to a syslog server via the management Web interface:

Alternatively, to configure syslog via the FortiOS command line, run:

config log syslogd setting
  set status enable
  set server <host>.papertrailapp.com
  set port 11111
end

Replace <host> and 11111 with the name and port number provided by Papertrail.

More: FortiOS Logging & Reporting, log message reference

Hitachi SAN (HDS VSP)

Instead of configuring a hostname (such as logs.papertrailapp.com), resolve that hostname into IP addresses using nslookup. Configure the device to log to any 1 of the IP addresses returned by nslookup.

Set syslog server in Storage Navigator

Summarizing VSP Audit Log User Guide section 2-5 (“Transferring audit log files to syslog servers”):

  1. Start Storage Navigator and go to Settings > Security > Syslog
  2. For “Output to Primary Server,” click “Enable”
  3. For “Primary Server Setting,” type the IP address and port provided by Papertrail
  4. For “Location Identification Name,” type a name for this array
  5. For “Output Detailed Information,” click “Enable”
  6. Click “Apply”

More: VSP Audit Log User Guide (section 2-5 on page 39)

Juniper Junos

To configure Papertrail in Junos, run:

configure

to enter configuration mode. Enter these configuration commands, replacing <host> and 11111 with the name and port provided by Papertrail:

set system syslog host <host>.papertrailapp.com any notice
set system syslog host <host>.papertrailapp.com authorization info
set system syslog host <host>.papertrailapp.com port 11111
commit and-quit

Confirm the settings with:

show system syslog host <host>.papertrailapp.com | display set

Juniper NetScreen

To configure Papertrail in ScreenOS, enter these configuration commands, replacing <host> and 11111 with the name and port provided by Papertrail:

set syslog config "<host>.papertrailapp.com"
set syslog config "<host>.papertrailapp.com" facilities local7 local7
set syslog config "<host>.papertrailapp.com" port 11111
set syslog enable
set syslog backup enable
set log serial-number enable

MikroTik RouterOS

MikroTik RouterOS supports logging to syslog. To configure syslog via the RouterOS command line, run:

system logging action add bsd-syslog=yes name=papertrail remote=IP_ADDRESS remote-port=PORT target=remote

Check the Papertrail account’s log destinations to see which host has been assigned (it should appear as <host>.papertrailapp.com), use nslookup to find its IP address, then replace IP_ADDRESS with that value. Replace PORT with the port number.

Once that’s been configured, send all or nearly all topics to the newly-created target:

system logging add action=papertrail disabled=no prefix="" topics=!async

To confirm it, run /system logging export. You should see an entry like this:

/system logging action add bsd-syslog=yes name=papertrail remote=IP_ADDRESS remote-port=PORT target=remote
/system logging add action=papertrail topics=!async

More: RouterOS logging actions, MikroTik Wiki

OpenWrt

To configure OpenWrt to send to Papertrail, connect via SSH and then run the following:

uci set system.@system[0].log_ip=IP_ADDRESS
uci set system.@system[0].log_port=XXXXX
uci commit

Check the Papertrail account’s log destinations to see which host has been assigned (it should appear as <host>.papertrailapp.com), use nslookup to find its IP address, then replace IP_ADDRESS with that value. Replace XXXXX with the port number.

To confirm the configuration, execute: uci show system

Ruckus ZoneDirector

Since this device only supports logging to the default syslog port (514), explicitly register the device’s IP. Visit Add Systems, then click the “Not shown here?” tab. Under “Less common setup methods,” click “My syslog daemon only sends to port 514.” Provide Papertrail with this device’s Internet-facing public (external NAT) IP.

Papertrail will provide a destination hostname for your router to log to. In the ZoneDirector Web management interface, browse to Configure > System. Scroll to “Log Settings.” Enable “Remote Syslog.” Instead of configuring a hostname (such as logs.papertrailapp.com), resolve that hostname into IP addresses using nslookup. Configure the device to log to any 1 of the IP addresses returned by nslookup.

Vyatta VyOS

Since this device only supports logging to the default syslog port (514), explicitly register the device’s IP. Visit Add Systems, then click the “Not shown here?” tab. Under “Less common setup methods,” click “My syslog daemon only sends to port 514.” Provide Papertrail with this device’s Internet-facing public (external NAT) IP.

Papertrail will provide a destination hostname for your router to log to. Provide that hostname to the VyOS router with:

 set system syslog host <hostname>

You may also want to set the log facility and/or level of log messages which are sent to Papertrail. See Brocade Vyatta 5400 manual or VyOS user guide.

ZyXEL ZyWALL

To configure ZyWALL to send to Papertrail, connect via SSH or telnet and then run:

enable
configure terminal
logging syslog 1 port <PORT>
logging syslog 1 format cef
logging syslog 1 address <HOSTNAME>
exit
write
exit

Replace <PORT> and <HOSTNAME> with Papertrail-provided values.

See ZyXEL Knowledge Base.

Other device

Papertrail supports the industry standard remote syslog protocol, which is the protocol used by nearly all network devices.

To send logs from a device not shown here, consult the device manual under “Logging” or “Syslog,” or search Google for the device name plus the word “syslog.” For example, juniper qfx syslog or hp procurve syslog. Most device manufacturers publish this documentation.

Follow the manufacturer’s instructions for remote logging. Use the Papertrail hostname and port shown on Add Systems.

Port 514: A few devices are only capable of sending logs to the default syslog port, 514, rather than to the non-default port recommended above. For those devices, Papertrail can receive logs on port 514. Visit Add Systems, then click the “Not shown here?” tab. Under “Less common setup methods,” click “My syslog daemon only sends to port 514.” Provide Papertrail with this device’s Internet-facing public (external NAT) IP.
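
A way to confirm that a log destination works before changing a device's configuration, as an added example that is not part of Papertrail's documentation: it builds a BSD-syslog (RFC 3164) packet, checks that an IP address configured on a device is still one the destination hostname resolves to, and sends one UDP test event. The syslog-test tag, the message text and the function names are assumptions made for this example.

```python
import socket
import sys
from datetime import datetime

# Standard syslog numbering (RFC 3164), limited to names used on this page.
FACILITY = {"syslog": 5, "local7": 23}
SEVERITY = {"notice": 5, "informational": 6, "debugging": 7}

def pri(facility, severity):
    """PRI value carried in the leading <...> of every syslog packet."""
    return FACILITY[facility] * 8 + SEVERITY[severity]

def build_message(hostname, text, facility="local7", severity="notice", now=None):
    """BSD-style (RFC 3164) packet: <PRI>Mmm dd hh:mm:ss host tag: text."""
    now = now or datetime.now()
    # RFC 3164 pads a single-digit day with a space, not a zero.
    stamp = f"{now:%b} {now.day:2d} {now:%H:%M:%S}"
    # "syslog-test" is a constructed tag that makes the event easy to search for.
    return f"<{pri(facility, severity)}>{stamp} {hostname} syslog-test: {text}".encode()

def resolve_ipv4(host):
    """Every IPv4 address behind the hostname, as nslookup would list them."""
    infos = socket.getaddrinfo(host, None, socket.AF_INET, socket.SOCK_DGRAM)
    return sorted({info[4][0] for info in infos})

def choose_target(dest_host, pinned_ip=None, resolve=resolve_ipv4):
    """Pick the address to send to; reject a pinned IP the name no longer has."""
    addresses = resolve(dest_host)
    if pinned_ip is None:
        return addresses[0]
    if pinned_ip not in addresses:
        raise ValueError(f"{pinned_ip} is not among {addresses} for {dest_host}")
    return pinned_ip

def send_test(dest_host, port, pinned_ip=None):
    """Send one UDP test event the way a device would; returns (ip, packet)."""
    target = choose_target(dest_host, pinned_ip)
    packet = build_message(socket.gethostname(), "remote syslog check")
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.sendto(packet, (target, port))
    return target, packet

if __name__ == "__main__":
    # usage: script.py <host>.papertrailapp.com <port> [ip-configured-on-device]
    print(send_test(sys.argv[1], int(sys.argv[2]), *sys.argv[3:4]))
```

Run it with the hostname and port shown on Add Systems, then search Papertrail for syslog-test. Passing the IP address that was typed into a device as the third argument makes the script fail if the hostname no longer resolves to it.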