01-20-2021 03:43 PM - edited 01-20-2021 03:45 PM
i have a 2921 router; pointing at a syslog server. the router has a loopback interface configured as the source of syslog. the router's gigabit0/0 interface has been flapping. i can see the up and down events for link and line protocol in the router's log, but on the syslog server, i only see the down events. 16 times in the past two weeks.
show log says "link up" in the trap logging description area.
Trap logging: level debugging, 682 message lines logged
Logging to [an.ip.address] (udp port 514, audit disabled,
link up),
show log also says "3 messages rate-limited," but show run | include log says there is no logging rate-limit
show run | include logging
no logging queue-limit
logging buffered 10000000
no logging rate-limit
no logging console
no logging monitor
vxml logging-tag
logging trap debugging
logging origin-id string [router_name]
logging source-interface Loopback0
logging host [syslog.ip.address]
as a crude test to see if it was somehow related to the source being the loopback address, i shut down the flapping interface g0/0, and i could still ping the syslog server from source L0.
any ideas where else i should look?
01-20-2021 10:33 PM
Hello,
what else are you logging ? I somewhere recall the access lists have a rate limit on the amount of messages that are logged, possible the 3 rate limited log entries originate there.
Either way, what are you using as syslog server ? Turn on 'debug snmp detail' to check what message are actually sent to the server.
01-21-2021 12:34 AM
As per your description - are you able to see logs when the interface go down logs in syslog server, and not able to see when interface come up logs - is this correct ?
check the on the interface below command enable or not.
logging event link-status
interface g0/0 - what is this interface - is this connected to network where you reaching syslog server, you mentioned you can reach syslog server using loopback, what interface it take path to reach syslog server?
01-21-2021 12:46 PM
i added "logging event link-status" to g0/0. no change. the local log shows both up and down messages, but the syslog server only shows "down" messages. the syslog server is splunk, and it is logging both up and down messages from other cisco routers and switches.
when i Turn on 'debug snmp detail', everything in the local log looks the same when i shut/no shut g0, as far as the up/down messages. but there are also a bunch of "snmpd: couldn't get a lock on the Q"
01-21-2021 01:29 PM
I use the below on all switches and all send the logs as expected open-source syslog server
service timestamps log datetime
service timestamps debug datetime
service sequence-numbers
logging host x.x.x.x
logging trap 5
01-21-2021 01:46 PM
Hello,
try and change the source interface to something different than the loopback interface, and check if that makes a difference...
01-21-2021 02:05 PM
i changed the logging source interface to g0/1, same results in syslog server when i shut/no shut g0/0.
i'd wonder if it was something on the splunk server, except other routers and switches are logging both link up and link down messages.
01-21-2021 02:26 PM
check on Splunk config also.
01-23-2021 09:49 AM
Could you provide some information about this router?
- If other interfaces go down and back up do you see both down and up in the syslog server? (is this problem unique to g0/0 or does it happen on other interfaces).
- What interfaces does this router have? (perhaps the output of show ip interface brief)
- If you traceroute to the syslog server with source as the loopback, then shut g0/0, and traceroute again to syslog server with source as the loopback does the traceroute output change?
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide