
Cisco DNA and syslog

We have devices configured to log to DNA as a syslog server. No matter where I look in DNA, I'm not able to see the logs for the devices. I would assume they would be in Assurance, but they're not there.


Version 2.1.2.5

 

Do I need Kibana to be installed for it to work?

I mean, DNAC as a syslog server holds only limited functional information; as I remember, only a 2GB file, and it overwrites.

 

Internally DNAC uses rsyslog - you can view the logs in /var/log/syslog

 

This syslog is good for audit logs; personally I suggest using an external syslog server if you have a big infrastructure and want the logs to be stored.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Having logged into the VIP of my cluster, I don't have a folder for syslog under /var/log/

Does this mean I don't have log collection enabled on my DNAC cluster?

DNAC version 2.2.2.5

The system should by default have logging configured to store process logs.

 

Can you post ls -al /var/log?

 

BB


How do I get to the shell to execute the ls command?

I don't have a folder for syslog under /var/log/

The same way you checked above and confirmed there is no syslog in ./var/log (syslog is a file, not a folder).

BB


I've just been using WinSCP to log in and view files/folders.

Hi,

 

All syslog from the network devices is collected by the syslog service within DNAC: collector-syslog

If you want to look into these logs you have to get into the service and look at the service.

As you can see here, all external syslog messages sent to the DNAC on UDP port 514 are forwarded to the syslog collector service. /var/log/syslog only contains the log messages from the DNAC itself.

 

$ kubectl get svc --all-namespaces | grep 514
ndp                        collector-syslog-ext                    NodePort    10.240.255.74    <none>        514:514/UDP  

You're saying DNA doesn't store any device logs?

Hi, 

I have asked a couple of times how to find the syslogs DNAC receives, but every time I get the answer that it does not retain this information after it has been handled by the services that use it.

If you look in Device 360 you will sometimes see a syslog message, but I am not sure you can get the complete log.

To find that you need to dig around in the services. But PLEASE DON'T do that.

 

$ sudo iptables-save | egrep "syslog|514"
-A KUBE-NODEPORTS -s 127.0.0.0/8 -p udp -m comment --comment "ndp/collector-syslog-ext:comm" -m udp --dport 514 -j KUBE-MARK-MASQ
-A KUBE-NODEPORTS -p udp -m comment --comment "ndp/collector-syslog-ext:comm" -m udp --dport 514 -j KUBE-XLB-N5GI6L3INWUEK5QW
-A KUBE-SEP-2KOFCNR2S7SDDLAH -p udp -m udp -j DNAT --to-destination 169.254.35.189:10514
-A KUBE-SERVICES ! -s 169.254.32.0/20 -d 169.254.49.96/32 -p tcp -m comment --comment "ndp/collector-syslog:api cluster IP" -m tcp --dport 8000 -j KUBE-MARK-MASQ
-A KUBE-SERVICES -d 169.254.49.96/32 -p tcp -m comment --comment "ndp/collector-syslog:api cluster IP" -m tcp --dport 8000 -j KUBE-SVC-J27CZZFDENYB5PH5
-A KUBE-SERVICES ! -s 169.254.32.0/20 -d 169.254.62.189/32 -p udp -m comment --comment "ndp/collector-syslog-ext:comm cluster IP" -m udp --dport 514 -j KUBE-MARK-MASQ
-A KUBE-SERVICES -d 169.254.62.189/32 -p udp -m comment --comment "ndp/collector-syslog-ext:comm cluster IP" -m udp --dport 514 -j KUBE-SVC-N5GI6L3INWUEK5QW
-A KUBE-XLB-N5GI6L3INWUEK5QW -m comment --comment "masquerade LOCAL traffic for ndp/collector-syslog-ext:comm LB IP" -m addrtype --src-type LOCAL -j KUBE-MARK-MASQ
-A KUBE-XLB-N5GI6L3INWUEK5QW -m comment --comment "route LOCAL traffic for ndp/collector-syslog-ext:comm LB IP to service chain" -m addrtype --src-type LOCAL -j KUBE-SVC-N5GI6L3INWUEK5QW
-A KUBE-XLB-N5GI6L3INWUEK5QW -m comment --comment "Balancing rule 0 for ndp/collector-syslog-ext:comm" -j KUBE-SEP-2KOFCNR2S7SDDLAH
$ magctl service attach collector-syslog-

Attaching to 'ndp/collector-syslog-db97c5f8-w2xnt'
root@collector-syslog-db97c5f8-w2xnt:/# ip a
4: eth0@if535: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1400 qdisc noqueue state UP group default
    link/ether 5e:ae:f8:1f:67:0e brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 169.254.35.189/32 scope global eth0
       valid_lft forever preferred_lft forever
root@collector-syslog-db97c5f8-w2xnt:/# netstat -tunlp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp6       0      0 :::8079                 :::*                    LISTEN      -
udp6       0      0 :::10514                :::*                                -
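
Added example, not part of the original post and not Cisco code: a small offline parser that follows the NodePort rule for UDP 514 through the kube-proxy chains to its DNAT target, which is how the output above ties port 514 to the collector pod listening on 10514. The sample input is copied from the iptables-save lines quoted in the post; the function names are this example's own.

```python
import shlex

# Sample input: rules copied from the iptables-save output quoted in the post above.
SAMPLE = r'''
-A KUBE-NODEPORTS -s 127.0.0.0/8 -p udp -m comment --comment "ndp/collector-syslog-ext:comm" -m udp --dport 514 -j KUBE-MARK-MASQ
-A KUBE-NODEPORTS -p udp -m comment --comment "ndp/collector-syslog-ext:comm" -m udp --dport 514 -j KUBE-XLB-N5GI6L3INWUEK5QW
-A KUBE-SEP-2KOFCNR2S7SDDLAH -p udp -m udp -j DNAT --to-destination 169.254.35.189:10514
-A KUBE-XLB-N5GI6L3INWUEK5QW -m comment --comment "masquerade LOCAL traffic for ndp/collector-syslog-ext:comm LB IP" -m addrtype --src-type LOCAL -j KUBE-MARK-MASQ
-A KUBE-XLB-N5GI6L3INWUEK5QW -m comment --comment "route LOCAL traffic for ndp/collector-syslog-ext:comm LB IP to service chain" -m addrtype --src-type LOCAL -j KUBE-SVC-N5GI6L3INWUEK5QW
-A KUBE-XLB-N5GI6L3INWUEK5QW -m comment --comment "Balancing rule 0 for ndp/collector-syslog-ext:comm" -j KUBE-SEP-2KOFCNR2S7SDDLAH
'''

def parse_rules(text):
    """Map chain name -> list of rules, keeping only the options needed for tracing."""
    chains = {}
    for line in text.splitlines():
        tok = shlex.split(line)  # keeps each quoted --comment as a single token
        if len(tok) < 2 or tok[0] != "-A":
            continue
        rule = {"target": None, "dport": None, "proto": None, "dnat": None}
        for flag, key in (("-j", "target"), ("--dport", "dport"),
                          ("-p", "proto"), ("--to-destination", "dnat")):
            if flag in tok[:-1]:
                rule[key] = tok[tok.index(flag) + 1]
        chains.setdefault(tok[1], []).append(rule)
    return chains

def trace_dnat(chains, start, proto, dport):
    """Follow -j jumps from `start` for proto/dport; return the DNAT destinations reached."""
    found, seen = [], set()
    stack = [r["target"] for r in chains.get(start, [])
             if r["proto"] == proto and r["dport"] == str(dport)]
    while stack:
        chain = stack.pop()
        if chain in seen:
            continue  # already walked, or reached again through another rule
        seen.add(chain)
        # Chains absent from the grep-filtered dump (e.g. KUBE-SVC-...) have no rules here.
        for rule in chains.get(chain, []):
            if rule["target"] == "DNAT" and rule["dnat"]:
                found.append(rule["dnat"])
            elif rule["target"]:
                stack.append(rule["target"])
    return found

if __name__ == "__main__":
    print(trace_dnat(parse_rules(SAMPLE), "KUBE-NODEPORTS", "udp", 514))
```

The traced destination matches the pod address and the udp6 :::10514 listener shown in the attached session above.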

Sorry if I am asking again, but it is still not clear to me. I understand network devices send syslog to DNAC. There is Kibana, but Kibana seems to be for internal messages. For syslog from network devices there is no GUI. It also seems there is no syslog from network devices stored on DNAC, because it is sent to DNAC from the network device and used by services in DNAC, but not really stored like in Cisco Prime, where you can read through syslog from network devices?

To my understanding that is correct. The DNAC receives the syslogs and a service handles them and sends an event with the information on to the other services, but does not store it permanently.

But I am not a Cisco Employee so this is only what I have been able to figure out. If it is true or not, I don't know.