IOS Syslog: Weird prefix when using discriminator

Johannes Luther · ‎03-06-2023

Hi board,
I want to use logging discriminators for certain syslog destinations (not for console or buffer logging).

Currently my configuration is pretty simple

service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
logging trap warnings
logging host 192.0.2.1

Buffer, monitor and console logging are default.

When I enable monitor logging, enter configuration mode and leave it again, my log format looks like:

2960X_switch1#terminal monitor
2960X_switch1#conf t
2960X_switch1(config)#end
2960X_switch1#
Mar 6 09:46:14.892 UTC: %SYS-5-CONFIG_I: Configured from console by joe on vty0 (10.1.2.3)

Now I create a logging discriminator for remote syslog use and a remote syslog server:

configure terminal
logging discriminator NAC-MON facility includes AUTHMGR|MAB|SESSION_MGR|DOT1X
logging host 192.0.2.3 discriminator NAC-MON

As soon as I did this, the format for the other logging messages (buffer, monitor, console) changed:

2960X_switch1#terminal monitor
2960X_switch1#conf t
2960X_switch1(config)#end
2960X_switch1#
[syslog@9 s_sn="375" s_tc="4979"]: Mar 6 09:50:44.892 UTC: %SYS-5-CONFIG_I: Configured from console by joe on vty0 (10.1.2.3)

So I did not change anything on my monitor, console and buffer logging. Just added a named discriminator and added it to a new syslog host. However, now some prefix in the format "[syslog@9 s_sn="375" s_tc="4979"]" is prefixed to all logging messages.

Also when doing the same on a Cat9k, this issue does not happen.

The described behavior is on a Catalyst 2960X using 15.2(7)E7.

Anybody has an idea? I don't want this prefix to my logging messages.

balaji.bandi · ‎03-06-2023

The described behavior is on a Catalyst 2960X using 15.2(7)E7.

Can you post the syslog config ?

what syslog server you using ?

can you post complete log message here ?

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Johannes Luther · ‎03-06-2023

Hi BB,

thank you for your answer. Regarding your questions:

>> Can you post the syslog config ?

Did it in my initial post. There is no specific syslog / logging config except the lines I posted above

service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
logging trap warnings
logging host 192.0.2.1

>> what syslog server you using ?

None at the moment. The logging messages above are from monitor logging. However I verified the format for the remote syslog messages using tcpdump / tshark. In fact, the remote syslog server is not further relevant regarding this issue, because the configuration of the remote syslog target with a discriminator alters the local logging somehow...

>> can you post complete log message here ?

As stated above... before the config change:

Mar 6 09:46:14.892 UTC: %SYS-5-CONFIG_I: Configured from console by joe on vty0 (10.1.2.3)

after the config change:

[syslog@9 s_sn="375" s_tc="4979"]: Mar 6 09:50:44.892 UTC: %SYS-5-CONFIG_I: Configured from console by joe on vty0 (10.1.2.3)

balaji.bandi · ‎03-08-2023

Not sure where this is coming from may be bug (but no evidence in bug list)

Catalyst 2960X using 15.2(7)E7. - unfortunatly dont have these model any more to test and give you update,

May be contact TAC.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Georg Pauwen · ‎03-07-2023

Hello,

could be a bug. For some reason, the sequence number is added to the syslog entry. This would usually only happen if you manually configure it as below:

logging host 192.0.2.3 sequence-num-session

Try and disable sequence numbering by globally configuring 'no service sequence-numbers'.

And also:

--> no logging host 192.0.2.3 sequence-num-session