Solved: 3560 Not sending logs to syslog server

erasedhammer · ‎09-13-2020

My switch appears to not be sending logs to my syslog server. I've done pcaps on the local vlan and on the syslog server vlan and there is NO syslog traffic anywhere.

Does the switch send its logs to the router first to get to the other vlan, or will it send it out the port that the syslog server is connected to? (both these vlans are connected to this switch, but are routed by my firewall)

Syslog logging: enabled (0 messages dropped, 0 messages rate-limited, 0 flushes, 0 overruns, xml disabled, filtering disabled)

No Active Message Discriminator.

No Inactive Message Discriminator.

Console logging: level debugging, 862 messages logged, xml disabled,
filtering disabled
Monitor logging: level debugging, 0 messages logged, xml disabled,
filtering disabled
Buffer logging: level debugging, 863 messages logged, xml disabled,
filtering disabled
Exception Logging: size (4096 bytes)
Count and timestamp logging messages: disabled
File logging: disabled
Persistent logging: disabled

No active filter modules.

Trap logging: level debugging, 679 message lines logged
Logging to 172.20.25.3 (udp port 514, audit disabled,
link up),
156 message lines logged,

0 message lines rate-limited,
0 message lines dropped-by-MD,
xml disabled, sequence number disabled
filtering disabled
Logging Source-Interface: VRF Name:

!
logging trap debugging
logging host 172.20.25.3

Richard Burts · ‎09-14-2020

We know only a very little bit about this environment:

- there is a 3560 switch

- there is a firewall

- there is a syslog server

- the address of the server is 172.20.25.3

I believe that we can assume these things, if anything here is not right please clarify

- the 3560 is operating as a layer 2 switch

- there are at least 2 vlans configured and operating on the switch

- the firewall is providing routing between vlans

There are some things that we do not know that would be helpful if we did know

- which switch interface is the server connected on?

- what vlan is the interface connecting to the server in?

- which switch interface is the firewall connected on?

- what vlan is the interface connecting to the firewall on?

- Does the switch have a vlan interface with an IP address? If so, what is it?

- Does the switch have a default-gateway configured? If so, what is it?

- Can the switch ping the address of the syslog server?

HTH

Rick

View solution in original post

balaji.bandi · ‎09-13-2020

is the Syslog server directly connected to Switch?

try using source to use interface

logging source-interface XXX

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

erasedhammer · ‎09-13-2020

The syslog server is virtual, but yes it is directly connected.

New config:

!
logging trap debugging
logging source-interface GigabitEthernet0/2
logging host 172.20.25.3

!

If the switch ip address is on a different vlan, does it still just send it out a different vlan interface?

Packet capture on the syslog server shows nothing hitting it...

balaji.bandi · ‎09-14-2020

as long as the routine available to the Syslog server from the device ships the logs to the Syslog server. regardless of VLAN.

the source mentioned if you have any VRF or OOB Setup.

make sure the Syslog server listening on 514 port check? what Syslog server is this?

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

erasedhammer · ‎09-14-2020

I have double checked all the settings on the rsyslog server (running on debian). I'll post some rsyslog and conf files later today.

Firewall is allowing 514 in, and rsyslog is listening on 514 (its already accepting logs from my firewall).

I'm using tcpdump on the syslog server to see if any traffic is even hitting it, which I am not seeing.

erasedhammer · ‎09-14-2020

On the rsyslog server:

514/udp ALLOW IN 172.20.5.3

udp 0 0 0.0.0.0:514 0.0.0.0:* 631/rsyslogd

Log Configuration:

$template SwitchLog, "/var/log/lansw.log"
:fromhost-ip, isequal, "172.20.5.3" -?SwitchLog
& ~

Richard Burts · ‎09-14-2020

We know only a very little bit about this environment:

- there is a 3560 switch

- there is a firewall

- there is a syslog server

- the address of the server is 172.20.25.3

I believe that we can assume these things, if anything here is not right please clarify

- the 3560 is operating as a layer 2 switch

- there are at least 2 vlans configured and operating on the switch

- the firewall is providing routing between vlans

There are some things that we do not know that would be helpful if we did know

- which switch interface is the server connected on?

- what vlan is the interface connecting to the server in?

- which switch interface is the firewall connected on?

- what vlan is the interface connecting to the firewall on?

- Does the switch have a vlan interface with an IP address? If so, what is it?

- Does the switch have a default-gateway configured? If so, what is it?

- Can the switch ping the address of the syslog server?

HTH

Rick

erasedhammer · ‎09-14-2020

Just added the default gateway, syslog traffic is now getting through. Thank you for running through this with me.

Richard Burts · ‎09-14-2020

You are welcome. I am glad that my suggestions pointed you to the solution. Glad that it now is working.

HTH

Rick