
Issues with Receiving ACLLOG_PKTLOG Logs after Upgrading to ACI 5.2(8i)

kekkophone
Level 1

Hello everyone,

This week, we upgraded ACI from release 4.2(7f) to 5.2(8i). The process was straightforward and went smoothly. However, since the upgrade, we have encountered an issue with log reception.

Without changing any configurations, in the previous release, we received ACLLOG_PKTLOG permit and deny logs related to L3 connections passing through the leafs on our external Syslog server.

Since the upgrade, this no longer occurs. With the configuration unchanged, we currently receive logs related to interfaces up/down, percentages of packet drops in the last connection, and similar logs.

Additional details:

  • The external data collector of the Syslog server is configured to send logs with Severity set to information.
  • The Forwarding Facility is set to local5 with an alert level.

I would like to ask if anyone has more information regarding this issue and how we might resolve it.

Thank you very much for your support.

Accepted Solutions

AshSe
VIP

Hello @kekkophone 

It sounds like the upgrade to ACI 5.2(8i) may have introduced changes that affect how ACL logs are generated or forwarded. Here are some steps and considerations to help you troubleshoot and resolve the issue:

1. Verify ACL Logging Configuration

Ensure that the ACL logging configuration is still intact and correctly set up. Sometimes, upgrades can reset or alter configurations.

  1. Check ACL Logging Settings:
    • Navigate to the tenant where your ACLs are configured.
    • Verify that the ACL rules have logging enabled (log keyword in the ACL entries).

2. Check Syslog Configuration

Ensure that the Syslog configuration on the ACI fabric is still correctly set up to forward the desired logs.

  1. Syslog Destination:
    • Go to Admin > External Data Collectors > Syslog.
    • Verify that the Syslog server IP, port, and other settings are correct.
    • Ensure that the severity level is set to informational or lower to capture all relevant logs.

3. Review Changes in ACI 5.2(8i)

Review the release notes and documentation for ACI 5.2(8i) to identify any changes related to logging or ACLs. There might be new features, bug fixes, or changes in behavior that affect log generation or forwarding.

4. Enable Detailed Logging

If the above steps do not resolve the issue, you can enable more detailed logging to diagnose the problem.

  1. Enable Detailed Logging:
    • Go to Admin > Logging > Logging Settings.
    • Increase the verbosity of the logs to capture more detailed information.

5. Check for Known Issues or Bugs

Check Cisco's bug tracker and support forums for any known issues related to ACL logging in ACI 5.2(8i). There might be a known bug or a required patch.

6. Test Log Generation

Create a test ACL with logging enabled and generate traffic that matches the ACL. Check if the logs are generated and forwarded to the Syslog server.

7. Contact Cisco Support

If the issue persists, consider reaching out to Cisco TAC for support. Provide them with detailed information about your configuration and the issue you're facing.

Example Steps to Verify and Configure ACL Logging

Verify ACL Logging Configuration

  1. Navigate to the Tenant:

    • Go to Tenants > Your_Tenant > Security Policies > Contracts > Your_Contract > Filters.
  2. Check ACL Rules:

    • Ensure that the log keyword is present in the ACL entries.

Verify Syslog Configuration

  1. Navigate to Syslog Settings:

    • Go to Admin > External Data Collectors > Syslog.
  2. Check Syslog Server Configuration:

    • Verify the Syslog server IP, port, and other settings.
    • Ensure the severity level is set to informational.

Enable Detailed Logging

  1. Navigate to Logging Settings:

    • Go to Admin > Logging > Logging Settings.
  2. Increase Verbosity:

    • Set the logging level to capture more detailed information.

Example Configuration for Syslog

Admin > External Data Collectors > Syslog
- Syslog Server: <Your_Syslog_Server_IP>
- Port: <Syslog_Port>
- Facility: local5
- Severity: informational

By following these steps, you should be able to identify and resolve the issue with ACL log reception on your external Syslog server after the ACI upgrade.
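
For the "Test Log Generation" step, a collector-side check helps separate a transport problem from a source problem. This is an added example, not part of the original reply and not Cisco code: it decodes the standard syslog PRI field (facility * 8 + severity) and tallies what arrives on local5. The sample lines are constructed, and the only ACI-specific assumption is that ACL packet logs contain the string ACLLOG_PKTLOG.

```python
import re
from collections import Counter

SEVERITIES = ["emergency", "alert", "critical", "error",
              "warning", "notice", "informational", "debug"]
PRI_RE = re.compile(r"^<(\d{1,3})>")

def decode_pri(line):
    """Return (facility_name, severity_name) from the syslog PRI, or None."""
    m = PRI_RE.match(line)
    if not m or int(m.group(1)) > 191:   # PRI = facility * 8 + severity, max 23*8+7
        return None
    facility, severity = divmod(int(m.group(1)), 8)
    name = f"local{facility - 16}" if facility >= 16 else f"facility{facility}"
    return name, SEVERITIES[severity]

def summarize(lines, facility="local5", marker="ACLLOG_PKTLOG"):
    """Count received messages per severity, and how many carry the marker."""
    out = {"from_facility": Counter(), "marker": Counter(), "other": 0, "unparsed": 0}
    for line in lines:
        decoded = decode_pri(line)
        if decoded is None:
            out["unparsed"] += 1            # no valid PRI header
        elif decoded[0] != facility:
            out["other"] += 1               # some other sender or facility
        else:
            out["from_facility"][decoded[1]] += 1
            if marker in line:
                out["marker"][decoded[1]] += 1
    return out

def diagnose(summary):
    if not summary["from_facility"]:
        return "transport"  # nothing on the fabric's facility reaches the collector
    if not summary["marker"]:
        return "source"     # fabric logs arrive, ACL packet logs are not among them
    return "ok"

# Constructed sample lines; real ACI message bodies will differ.
SAMPLE = [
    "<174>leaf-a ACLLOG_PKTLOG constructed sample: permit",  # local5.informational
    "<174>leaf-a ACLLOG_PKTLOG constructed sample: deny",    # local5.informational
    "<172>leaf-b constructed sample: interface down",        # local5.warning
    "<190>host-x constructed sample: other facility",        # local7.informational
    "constructed sample without a PRI header",
]

if __name__ == "__main__":
    result = summarize(SAMPLE)
    print(dict(result["from_facility"]), dict(result["marker"]), diagnose(result))
```

A "source" result matches the symptom in the question: interface and drop messages still arrive on local5 while no ACLLOG_PKTLOG lines do, which points at log generation on the fabric rather than at the syslog path.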
