We have two switches we would like to collect audit logs from. We see logs (though not audit logs) from the 3750X on our log collector, but none at all from the 3850 switch. Our setup:
Topology setup:
Cisco 3750X and Cisco 3850 (both on network A) -> Firewall A
Firewall A -> Firewall B
Firewall B -> Juniper Switch -> Red Hat log collector on network B (syslog-ng listening on UDP 514)
3750X: 15.0(2)SE1
3850: 16.3.6
- The 3750X is already logging, but right now I only see interface status messages (up/down) and no login successes or failures. We want to see usernames, successful and failed login attempts and changes to configuration, if possible.
- The 3850 is a replacement switch for another Cisco switch which had been logging successfully before the swap. It is configured to send logs to the Red Hat host, but the Red Hat server has not even created a folder for logs and thus we have not seen any. We are using syslog-ng on that Red Hat server listening on UDP port 514. Other systems are logging successfully.
- There are firewall rules on both firewalls that were unchanged and permit the log traffic to the Red Hat host.
- The logging configs appear to be the same on both switches.
3750X logging config:
login on-failure log
login on-success log
archive
 log config
  logging enable
  notify syslog contenttype plaintext
  hidekeys
logging trap errors
logging host [IP of logging host on network B]
3850 logging config:
login on-failure log
login on-success log
archive
 log config
  logging enable
  notify syslog contenttype plaintext
  hidekeys
logging trap errors
logging host [IP of logging host on network B]
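
Added example, not part of the original post: a Python sketch of how the `logging trap errors` line in both configs filters what reaches the collector, since IOS forwards only messages whose severity number is at or below the trap level (errors = 3). The sample messages are constructed (user and addresses are made up), and the function names are hypothetical. It covers the missing login and config-change events only, not the 3850 sending nothing at all.

```python
import re

# Keywords accepted by "logging trap" and their numeric severity.
LEVELS = {"emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
          "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7}

# IOS messages are tagged %FACILITY-SEVERITY-MNEMONIC.
MSG_RE = re.compile(r"%([A-Z0-9_]+)-([0-7])-([A-Z0-9_]+)")

# Constructed sample messages of the kinds the post asks about.
SAMPLES = [
    "%LINK-3-UPDOWN: Interface GigabitEthernet1/0/1, changed state to up",
    "%SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: admin] [Source: 192.0.2.10]",
    "%SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 192.0.2.10]",
    "%PARSER-5-CFGLOG_LOGGEDCMD: User:admin  logged command:interface Vlan10",
    "%SYS-5-CONFIG_I: Configured from console by admin on vty0 (192.0.2.10)",
]

def parse(line):
    """Return (facility, severity, mnemonic) or None if the tag is absent."""
    m = MSG_RE.search(line)
    return (m.group(1), int(m.group(2)), m.group(3)) if m else None

def forwarded(lines, trap_level):
    """Tags of the messages a switch would send at the given trap level."""
    limit = LEVELS[trap_level]
    sent = []
    for line in lines:
        parsed = parse(line)
        if parsed and parsed[1] <= limit:
            sent.append("{}-{}-{}".format(*parsed))
    return sent

def minimum_trap_level(lines):
    """Least verbose trap keyword that still forwards every parsed line."""
    worst = max(p[1] for p in map(parse, lines) if p)
    return next(name for name, num in LEVELS.items() if num == worst)

if __name__ == "__main__":
    for level in ("errors", "notifications"):
        print(level, "->", forwarded(SAMPLES, level))
    print("needed:", minimum_trap_level(SAMPLES))
```

With the trap level at errors, only the severity-3 interface message passes, which matches what the 3750X currently delivers; the login and config-change messages are severity 4 and 5.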