05-11-2017 09:10 AM
My network management group with QRadar is telling me that my C3650 switches are sending syslogs, not as needed, but as a burst at 2AM in the morning. Seems odd to me. The log on the switches shows what I believe to be a valid attempt to syslog as needed, but continuously get connection refused.
May 10 22:00:20.670: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: xxx-ne] [Source: 10.248.192.75] [localport: 22] at 22:00:20 UTC Wed May 10 2017
May 10 22:00:21.676: %SYS-3-LOGGINGHOST_FAIL: Logging to host 172.16.25.67 port 514 failed
May 10 22:00:26.684: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 172.16.25.67 port 514 started - reconnection
Syslog config is fairly straightforward...
logging facility syslog
logging source-interface Vlan2
logging host 172.16.25.67 transport tcp port 514
!
Has anyone else seen a periodic burst of syslog from a switch? Or is this QRadar doing something on its own?
05-12-2017 12:11 AM
- Looks like your syslog-provider always has a short down time during this period.
M.
05-12-2017 05:50 AM
Yes, I agree with Marce on that; as per the log, the syslog server was unreachable.
What you could do to prove it is run an IP SLA to the syslog server. You should be able to see if it's dropping off, and get it to email you when it fails at that time through an EEM script:
https://supportforums.cisco.com/discussion/11587371/eem-script-alert-ip-sla-failures
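To illustrate the approach suggested in this reply, here is an added example configuration (not posted by anyone in the thread) that probes the syslog host from the switch and alerts when the TCP connect fails. It reuses the syslog server address and port from the original post (172.16.25.67, TCP 514); the SLA/track numbers, the applet name, the mail server address and the e-mail addresses are assumed placeholders that must be replaced for a real deployment.

```cisco
! Added example: probe the syslog server's TCP port the same way the
! switch's logging process would, once a minute.
ip sla 10
 tcp-connect 172.16.25.67 514 control disable
 frequency 60
 timeout 5000
ip sla schedule 10 life forever start-time now
!
! Track object follows the reachability state of the probe.
track 10 ip sla 10 reachability
!
! EEM applet: when the probe goes down, log it locally (the local buffer
! survives the outage) and send a mail via the placeholder SMTP relay.
event manager applet SYSLOG-HOST-DOWN
 event track 10 state down
 action 1.0 syslog msg "IP SLA 10: TCP connect to syslog host 172.16.25.67:514 failed"
 action 2.0 mail server "MAIL_SERVER_PLACEHOLDER" to "noc@example.com" from "switch@example.com" subject "Syslog host unreachable" body "TCP 514 to 172.16.25.67 failed at the time of this message"
!
! Companion applet so the recovery time is recorded too; the gap between
! the two messages is the window in which syslog was being queued/refused.
event manager applet SYSLOG-HOST-UP
 event track 10 state up
 action 1.0 syslog msg "IP SLA 10: TCP connect to syslog host 172.16.25.67:514 restored"
```

After it has run across the suspect window, `show ip sla statistics 10` and `show logging` on the switch will show whether the connection failures line up with the 2 AM burst seen in QRadar, which distinguishes a collector-side outage from something the switch is doing on its own.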