01-31-2013 06:24 AM
Hi,
We are setting up a second Syslog server and we are thinking of sending informational level (6) logs to only that second Syslog server. We have a syslog server configured on our devices (routers and switches) and we currently have no severity configured.
Based on the information on configuration guides that I found, all of the logs will be sent to all of the configured syslog servers. We are looking for a way to send the informational level (6) logs to the second syslog server and not to the first one. I'm thinking that this can be done with the use of tcp/udp ports but am really not sure.
Is there a way that we can achieve the separation of logs on 2 servers? Can we do this without having to use the tcp/udp options?
Thanks in advance!
01-31-2013 09:31 AM
Hi Jonathon!
You don't mention the Hardware type or Software/version you're running, so it's hard to give you a definitive answer, but many platforms would allow you to specify multiple targets with individual syslog reporting levels.
Note the Nexus 7k example below.
rtpnml-7K-Agg1(config)# logg server 1.2.3.4 ?
<0-7> 0-emerg;1-alert;2-crit;3-err;4-warn;5-notif;6-inform;7-debug
facility Facility to use when forwarding to server
use-vrf Display per-VRF information
rtpnml-7K-Agg1(config)# logg server 1.2.3.4 6
If your platform doesn't allow per-receiver logging levels, you might want to consider using a Syslog message multiplexer like Syslog-NG.
We're using this at CiscoLive London right now. We have all our various network management tools and some vendors that want to receive the show network alerts. We don't want to put a dozen Syslog server statements in our 250+ devices(!), so we use Syslog-NG. The devices report to Syslog-NG and it sprays the messages out to the appropriate receiving applications. You can do filtering - very nice.
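The severity-based fan-out described in the answer above, as an added example that is not part of the original thread and is not Syslog-NG itself: a minimal Python UDP relay that reads the syslog PRI field and sends informational (6) messages only to the second collector and everything else only to the first. The collector addresses are assumed placeholders and the sample messages are constructed.

```python
import re
import socket

# Assumed collector addresses (documentation range), not taken from the thread.
FIRST_SERVER = ("192.0.2.10", 514)    # existing collector: everything except informational
SECOND_SERVER = ("192.0.2.20", 514)   # new collector: informational (6) only
INFORMATIONAL = 6
DEFAULT_PRI = 13  # RFC 3164 4.3.3: a relay assumes user.notice when PRI is missing or invalid

PRI_RE = re.compile(rb"^<(\d{1,3})>")

def parse_pri(datagram: bytes):
    """Return (facility, severity, datagram carrying a valid PRI)."""
    m = PRI_RE.match(datagram)
    if m and int(m.group(1)) <= 191:
        pri = int(m.group(1))
    else:
        pri = DEFAULT_PRI
        datagram = b"<%d>" % pri + datagram
    # PRI = facility * 8 + severity
    return pri >> 3, pri & 7, datagram

def route(datagram: bytes):
    """Pick the collector(s) for one message based on its severity."""
    _, severity, datagram = parse_pri(datagram)
    targets = [SECOND_SERVER] if severity == INFORMATIONAL else [FIRST_SERVER]
    return targets, datagram

def relay(listen=("0.0.0.0", 514)):
    """Receive UDP syslog from the devices and forward each message."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind(listen)
        while True:
            data, _src = sock.recvfrom(8192)
            targets, data = route(data)
            for target in targets:
                sock.sendto(data, target)

# Constructed sample messages in Cisco IOS style (facility local7 = 23).
SAMPLES = [
    b"<190>45: *Mar  1 00:01:02.003: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host started",
    b"<187>46: *Mar  1 00:01:05.120: %LINK-3-UPDOWN: Interface Gi0/1, changed state to down",
    b"47: message with no PRI",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(route(sample)[0], sample[:40])
```

With a relay in the path, both collectors see the relay's address as the packet source, so device identity has to come from the message content rather than the source IP.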
02-01-2013 04:01 AM
Hi Jason,
Thanks for your answer. We have a lot of routers and switches (all Cisco) and most of them have old IOS images. I've tried to configure one of our core switches and it doesn't allow per-receiver logging levels.
We really can't go with the plan of upgrading the versions to support the feature and I'm pretty sure that some of our hardware has reached End-of-Life/End-of-Support.
I'll suggest Syslog Message Multiplexers and that will hopefully be a more feasible plan.
Thanks again!
Jonathan