Tomas de Leon
Cisco Employee

 

This technote is written against Application Policy Infrastructure Controller (APIC) version 1.0(2m). The information may not apply to earlier or later APIC firmware versions.

 

 

Table of Contents for this Technote on SYSLOG configuration for the ACI fabric.

 

Note: this is a text representation of the topics discussed in the attached documents for SYSLOG configuration. Attached is a PDF file with the complete Technote information.

 

Chapter 1 - Introduction

  

 

Chapter 2 - Configure Syslog Policy for the ACI Fabric

 

  • Create Syslog Monitoring Destination Group.
  • Configure FABRIC > FABRIC POLICIES to send SYSLOG messages to Syslog Remote Destinations.
  • Configure FABRIC > ACCESS POLICIES to send SYSLOG messages to Syslog Remote Destinations.

 

 

Chapter 3 - Troubleshooting Syslog Policy for the ACI Fabric

 

  • Access the Console of your SYSLOG Server to verify SYSLOG messages are being sent from the Cisco ACI Fabric System & being received by the SYSLOG Server.
  • Verify configuration of Syslog on APIC Controllers.
  • Verify configuration of Syslog on Leaf\Spine Node Switches.

 

Chapter 4 - Reference Material

 

 

Verify configuration of Syslog on APIC Controllers.

CLI Commands

  • cat /etc/rsyslog.conf
  • ps -A | grep rsyslog
  • cat /var/log/external/messages
  • (root) netstat -p | grep syslog
  • (root) tcpdump -i oobmgmt -f port 514

Visore

  • syslogGroup - The syslog destination group, which contains all information required to send syslog messages to a group of destinations.
  • syslogRemoteDest - The syslog remote destination host enables you to specify syslog servers to which messages from the APIC and fabric nodes should be forwarded.
  • syslogProf - Represents the configuration parameters used for this protocol.
  • syslogRtDestGroup - A target relation to the syslog destination group.

REST API

  • /api/node/mo/uni/fabric/slgroup-fab-syslog-destGrp.xml - The syslog destination group, which contains all information required to send syslog messages to a group of destinations.
  • /api/node/class/syslogRemoteDest.xml - The syslog remote destination host enables you to specify syslog servers to which messages from the APIC and fabric nodes should be forwarded.
  • /api/node/class/syslogProf.xml - Represents the configuration parameters used for this protocol.
  • /api/node/class/syslogRtDestGroup.xml - A target relation to the syslog destination group.

 

 

Verify configuration of Syslog on Leaf\Spine Switches.

CLI Commands

  • cat /etc/syslog-startup.conf
  • cat /etc/syslog-startup.conf.busybox
  • cat /etc/syslog.conf
  • cat /var/log/external/messages
  • (root) netstat -p | grep syslog
  • (root) tcpdump -i eth0 -f port 514
  • (root) tcpdump -nnvvXS dst 10.122.254.77

 

 

 

Attached: aci-buzzfeednews-syslog.pdf

 

Comments
guillerm
Level 1

Hello

Useful document.

We would like to generate Syslog messages from Contracts.

There is an existing Log option on Filters associated with Taboo Contracts, and you can see that the Log option exists only on the deny rules via the show zoning-rule from a Leaf.

This Log option is now available on permit filters for ACI 2.x (NXOS 12.x).

The question is whether this Log option on filters can generate Syslog messages sent to Syslog servers or not?

Tomas de Leon
Cisco Employee

After you have created the ACI Fabric's SYSLOG Source in the Fabric Policies "Monitoring Sources" for Fabric Policies - COMMON, configure the SYSLOG SYSTEM MESSAGES POLICY in the COMMON POLICY. The task for this step is to configure the “Facility Filter” for the “default” facility. Changing the Severity to “information” will record %ACLLOG-5-ACLLOG_PKTLOG messages in Syslog.

From the APIC, you can verify the configuration with:

moquery -c syslogGroup
moquery -c syslogRemoteDest
moquery -c syslogProf
moquery -c syslogRtDestGroup
moquery -c syslogSrc
moquery -c syslogFacilityFilter | grep -E "facility|minSev|monPolDn" | grep -A 2 default

or

In later releases of ACI, you can run the CLI commands:

show running syslog
show running logging server-group deadbeef-syslogGrp


ON THE LEAF NODES, you can check the logging levels:

leaf# vsh -c "show logging level acllog"
leaf# cd /var/log/dme/log
leaf# zgrep -E "ACLLOG-5-ACLLOG_PKTLOG" svc_ifc_eventmgr.log*

Cheers!

T.
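
An added example, not part of the comment above or of Cisco's tooling: a Python check over saved `moquery -c syslogFacilityFilter` output that lists the monitoring policies whose `default` facility filter would drop `%ACLLOG-5-ACLLOG_PKTLOG`. The sample output, the severity spellings and the reading of `minSev` as "this level and anything more severe" are assumptions.

```python
import re

# Syslog severity names, most to least severe; list index = numeric level.
# Spellings are assumed to match what the APIC prints for minSev.
SEVERITIES = ["emergencies", "alerts", "critical", "errors",
              "warnings", "notifications", "information", "debugging"]
MNEMONIC = re.compile(r"%[A-Z0-9_]+-(\d)-[A-Z0-9_]+")

# Constructed sample of `moquery -c syslogFacilityFilter` output (not from a real fabric).
SAMPLE = """\
# syslog.FacilityFilter
facility : default
minSev   : warnings
monPolDn : uni/fabric/moncommon

# syslog.FacilityFilter
facility : default
minSev   : information
monPolDn : uni/fabric/monfab-default
"""

def message_level(mnemonic):
    """Numeric severity embedded in a %FACILITY-N-NAME mnemonic."""
    m = MNEMONIC.search(mnemonic)
    if not m:
        raise ValueError(f"no severity in {mnemonic!r}")
    return int(m.group(1))

def parse_moquery(text):
    """Split moquery output into one attribute dict per object."""
    objects, current = [], None
    for line in text.splitlines():
        if line.startswith("#"):      # "# syslog.FacilityFilter" opens an object
            current = {}
            objects.append(current)
        elif ":" in line and current is not None:
            key, _, value = line.partition(":")
            current[key.strip()] = value.strip()
    return objects

def filters_blocking(text, mnemonic, facility="default"):
    """monPolDn of each matching filter whose minSev is stricter than the message."""
    level = message_level(mnemonic)
    return [o.get("monPolDn", "?") for o in parse_moquery(text)
            if o.get("facility") == facility
            and SEVERITIES.index(o["minSev"]) < level]

if __name__ == "__main__":
    print(filters_blocking(SAMPLE, "%ACLLOG-5-ACLLOG_PKTLOG"))
```

An empty result means every `default` facility filter in the saved output admits the message; any DN returned is a monitoring policy whose severity still needs lowering before contract log events reach the syslog server.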

 

ju.mahieu
Level 1

Hi Thomas,

Could you explain why the Fabric Syslog Sources need to be configured twice:

- in the DEFAULT

- and also in COMMON monitoring policies

in the Fabric Policies configuration?

Thank you

Ju

Tomas de Leon
Cisco Employee

Ju,

Please look at the updated document here:

Technote: SYSLOG in the ACI Fabric

https://supportforums.cisco.com/document/13181881/technote-syslog-aci-fabric

I explain the differences with the Syslog sources in the latest documents.

Please let me know if you need more explanation after reviewing the latest document.

T.

ju.mahieu
Level 1

Thank you Thomas.

Now it's clear.

Ju
