Solved: Re: FQDN Hostname for Syslog

InfoSecKeks · ‎03-09-2018

Hi All,

I am able to set a logging hostname in my Cisco routers/switches (3xxx, 4xxx), however, this FQDN appears to be instantly resolved (translated) to the IP address sitting behind the FQDN.

When I look at the running config, the logging host is no longer the hostname, but rather the IP address that was resolved when the logging host config line was entered.

I want to ensure that syslog is sent to this FQDN rather than IP address due to DNS redundancy/fail-over configuration we have in place for these syslog collectors.

Is there a way to do this?

Example below:

SWITCH(config)#logging host hostname.domain.com

Translating "hostname.domain.com"...domain server (1.2.3.4) [OK]

SWITCH(config)#

SWITCH(config)#exit

SWITCH#show run | i logging

no logging message-counter syslog

logging buffered 32000 informational

no logging console

no logging monitor

logging enable

logging size 1000

logging trap notifications

logging origin-id hostname

logging source-interface Vlan155

logging host 10.10.10.20 <--This is the current resolved IP of hostname.domain.com

marce1000 · ‎03-09-2018

- Well , what you can do , is if you have multiple syslog servers behind a FQDN, is to list then all 'ip-wise' in the running-config.

M.

-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '

View solution in original post

marce1000 · ‎03-09-2018

- Not possible (what you want) ; probably because in a networking environment there could be circumstances that the DNS is not reachable and then the switch wants to be able to keep logging (it is designed) that way.

M.

-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '

InfoSecKeks · ‎03-09-2018

That makes sense. That's unfortunate though... Thanks for the reply.

marce1000 · ‎03-09-2018

- Well , what you can do , is if you have multiple syslog servers behind a FQDN, is to list then all 'ip-wise' in the running-config.

M.

-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '

ziqex · ‎11-06-2024

Hi,

Let's say I have 4 syslog servers configured. If I configure syslog with FQDN it instantly translates.

If I list all four servers syslog will be send to 4 servers instead of the "active" one.

Am I right?

Thank you.

Regards

marce1000 · ‎11-06-2024

@ziqex Yes , but the switch won't be able to determine the active one with FQDN if it also translates to 4 addresses (UDP is a connectionless transport) ; anyway the switch can not use that methodology and it is also a security precaution to avoid sensitive information arriving at the wrong place ,

M.

-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '

ziqex · ‎11-06-2024

Thank you for your reply.

I guess it is the same with Cisco routers.

marce1000 · ‎11-06-2024

- @ziqex wrote : I guess it is the same with Cisco routers.
Yes , it is ,

M.

-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '