Hello Colleagues!
I'm trying to configure ACI logging with an external syslog server.
I have got 3 APIC controllers with firmware 4.2(6d).
I did all the steps from the guide https://community.cisco.com/legacyfs/online/attachments/document/technote-aci-syslog_external-v1.pdf, and configured Out-Of-Band communication, a Syslog Monitoring Destination Group, and 2 Syslog Monitoring Sources (monCommonPol, monEPGPol for tenant common). I set the severity level to "information".
I tried to send a test message with the logit utility and received it correctly. But my main problem is poor log collection. I didn't get any information from the audit logs of the tenant (for example, contract creation or deletion).
I tried to debug my case and found some strange points, listed below:
1. I got strange events on my log server, like:
<132>Jan 28 13:08:44.321 UTC+0300 Leaf-123 %LOG_LOCAL0-4-SYSTEM_MSG [E4208898][transition][warning][sys] Number of records of class eventRecord is more than 10% above maximum value. Current value: 54750, max allowed: 10000, purge window: 250
Is it connected with my problem? Where can I check the eventRecord space utilization of the leafs?
2. I haven't got any output from the APIC CLI with the command show running-config syslog, but I have the config in the GUI. Is that right?
3. The moquery command on the APIC showed me port UDP554 in use, but UDP5554 is configured in reality.
APIC-VC# moquery -c syslogProf
Total Objects shown: 2
# syslog.Prof
adminState : enabled
dn : uni/fabric/slgroup-Logstash/prof
extMngdBy :
lcOwn : local
modTs : 2021-01-28T05:12:14.818+03:00
name : syslog
port : 514
rn : prof
status :
transport : udp
uid : 22341
Is it right too?
Thank you in advance!