Ask the ACI Experts: Syslog in the ACI Fabric

Tomas de Leon · ‎08-18-2016

The purpose of this BLOG is to discuss Questions, Concerns, and Issues with the Syslog Feature functionality in the ACI Fabrics. Since this is Feature focused we can monitor your feedback and push for improvements and enhancements if requested. Also, this forum allows you to ask questions and hopefully we can assist you and your questions.

Thank you again for participating in the Cisco Support Forum!

T.

Claudia de Luna · ‎10-20-2016

These feature focused threads are a great idea! Tomas, do you have a syslog equivalent of your SNMP Configuration/Troubleshooting guide?

Tomas de Leon · ‎10-20-2016

In progress, just finishing up the troubleshooting part. I will post here next week.

Thanks

T.

brettkugler · ‎10-28-2016

Hi Tomas,

Hopefully this is still being monitored. I am trying to setup syslog to a remote syslog server in the APIC. I created a Syslog Monitoring Destination Group with a remote destination. I entered the IP address and port for the remote system - but noticed after creating the group that it's showing the standard syslog port/protocol of 514 and UDP.

Two things here - I would expect the port to align with the port I configured for the Remote Destination (1517 in this case) and I don't see anywhere where I can specify the protocol (I'd prefer TCP over UDP).

Any guidance would be appreciated.

Brett

Claudia de Luna · ‎10-28-2016

Hi Brett, Tomas indicated last week that he would have an updated guide this week.

I too am having issues with getting syslog working. You might try looking at the OOB Management Contract where you add the SNMP filters.

Tomas de Leon · ‎10-28-2016

Brett,

Please provide the output of the following CLI commands from the APIC:

show running syslog
show running logging server-group < name of your syslog destination group >

In Regards to the port changes, if you creat a new policy with a different port then that should work. If you created a policy and then you decide to make a change to the existing policy, the changes may not be deployed and applied correctly. This may due to a known issue listed below:

CSCvb92115 - [apic syslog] Danube: Changes to existing Syslog Remote Destination config requires mgmt restart

The temporary workaround is to run "acidiag mgmt restart" from the APIC CLI.

The port configuration is for UDP Only.

I hope this helps and Thank you again for participating in the Cisco Support Forum!

T.

Tomas de Leon · ‎03-27-2017

SYSLOG in ACI

Overview, Configuration, Troubleshooting, and Caveats\Issues

ACI SYSLOG Overview

About System Messages
Fault Syslogs
Event Syslogs
ACI System Message Structure
Management Contracts required for SYSLOG
About this Technote on SYSLOG in ACI

ACI SYSLOG Configuration

Configuring the SYSLOG Feature using the APIC iNXOS CLI
Configuring the SYSLOG Feature using the APIC Admin GUI "Advanced Mode”
Verify SYSLOG Configuration using “CLI Show Commands”
Test the SYSLOG Configuration using the “CLI Syslog” Test feature

Troubleshooting ACI SYSLOG Configuration (cont.)

Verify ACI SYSLOG Configuration using “CLI commands”
Verify ACI SYSLOG Configuration using “moquery”
Verify ACI SYSLOG Configuration using “VISORE”
Verify ACI SYSLOG Configuration checking the “REST API”
Verify ACI SYSLOG Configuration checking the “Logical Model”
Verify SYSLOG Messages are being sent by the LEAF\SPINE\APIC
Troubleshooting the ACI SYSLOG Configuration on the APIC
Troubleshooting the ACI SYSLOG Configuration on the LEAF & SPINE nodes

ACI SYSLOG Configuration Caveats - Issues
References & Resources

avanzaadmin · ‎05-18-2017

Hi Tomas,

Great work with the syslog in ACI!

Me and my colleagues just have one concern with the logging. We can't get "fraction of seconds" (%N in linux) remote logging to work in aci without manipulating the remote server and add timestamps as the packet reaches the server.

We can see milliseconds with the "show events" command in the apic, so the timestamps exists but are not exported to the remote server.

Are "fraction of seconds" logging feature on the roadmap for ACI remote syslogging or is it already implemented and we've missed it?

Regards Marcus

Tomas de Leon · ‎05-19-2017

Marcus,

Thanks for your comments. Yes, as you are aware we are not using "TIME-SECFRAC". I will create an enhancement request to add this. There may be a reason why we did not use this when programming the feature. "TIME-SECFRAC" is not required by the RFC. They use "SHOULD" and not must. Clock accuracy and performance impact are key factors for considering "TIME-SECFRAC".

Let's see what the developers say and I will post the relevant comments here.

Thanks again for using the Cisco Support Forum for ACI!

T.

avanzaadmin · ‎05-22-2017

Hi Tomas,

Thanks for the info! :)

Alisha_Rascon · ‎05-18-2018

Great Work!!!

SYSLOG in ACI Overview, Configuration, Troubleshooting, and Caveats\Issues Created by Tomas de Leon......Thanks For Sharing.

Ask the ACI Experts: Syslog in the ACI Fabric

Cisco ACI Inter VRF/Tenant Route Leaking Design – Simplified!

Connecting Physical Servers To Cisco ACI Fabric - Simplified!

VXLAN/EVPN Configuration Example (N9k / p2p)