Multiple SYSLOG Receivers with a Cisco NAC Appliance Manager (CAM)

According to Cisco's documentation on configuring syslog on a CAM, you can only forward the NAC logs to a single external log server. If you're willing to get down and dirty with the Linux operating system underneath, then this document will show you that this is simply not the case.

To get started, tweak the default logging settings within the NAC web interface, this screen-shot shows I'm sending the syslog to the local host as local6 messages, this change will send a copy of the "normal" NAC event logs to the localhost syslog server.

Next we need to enable the localhost syslog server; the CAM is build upon a Fedora image, so the SYSLOG daemon is already running it's just not listening on UDP 514 (thus not yet receiving the logs configured above). Change /etc/sysconfig/syslog , the line:
SYSLOGD_OPTIONS="-m 0"
to
SYSLOGD_OPTIONS="-m 0 -r"

Now that the local daemon is recieving the files we need to change /etc/syslog.conf, here we will make two changes, One: we will write a copy of the NAC events to disk - this will allow us to see what events the "NAC application" is sending. The second change we'll make is the forwarding configuration, we will put in two lines (for both our syslog hosts) so that we send forward the syslogs to two different servers - which was our original intention :)
Add the following lines to /etc/syslog.conf :

# Log Messages sent from Cisco NAC Application to dedicated File
Local6.*    /var/log/CiscoNAC.log

# Forward all syslog messages to host1
*.*     @loghost1
# Forward all syslog messages to host2
*.*     @loghost2

*NOTE: loghost1 & loghost2 need to be resolvable via DNS or in /etc/hosts !!

Finally restart the syslog daemon /etc/init.d/syslog restart

Housekeeping
It's good practice once we've made changes to clear up after ourselves, these are some option steps you can take.

Add /var/log/CiscoNAC.log to logrotate, so that it doesn't just grow and grow until you run out of disk space. This is done by editing /etc/logrotate.d/syslog before /var/log/messages insert /var/log/CiscoNAC.log

You may also want to compress your syslogs, edit /etc/logrotate.conf and uncomment the word compress (remove the "#") .

Important Note
When performing NAC upgrades, Cisco provide operating system package upgrades & changes, it's important to check that after an upgrade this config changes still exist, also I take no responsibility for Cisco's TAC not wanting to support you because of the changes made!