07-15-2016 01:21 AM - edited 03-03-2019 08:17 AM
Hello,
We have a few Cisco switches here. And since we installed a new Graylog server recently, we thought it would be a good idea to redirect all of our switches' logs to this server. I followed the documentation, and logs are indeed redirected to our Graylog server. Though not enough logs are coming. My goal is to set logging to "informal" level. To test things, it is set to "debugging" on most switches. We have some 2960 and 3750.
Here is some config on a 2960:
switch01#show logging
Syslog logging: enabled (0 messages dropped, 0 messages rate-limited, 0 flushes, 0 overruns, xml disabled, filtering disabled)
No Active Message Discriminator.
No Inactive Message Discriminator.
Console logging: level debugging, 274 messages logged, xml disabled,
filtering disabled
Monitor logging: level debugging, 0 messages logged, xml disabled,
filtering disabled
Buffer logging: level debugging, 275 messages logged, xml disabled,
filtering disabled
Exception Logging: size (4096 bytes)
Count and timestamp logging messages: disabled
File logging: disabled
Persistent logging: disabled
No active filter modules.
Trap logging: level debugging, 278 message lines logged
Logging to 1.1.1.1 (udp port 514, audit disabled,
link up),
8 message lines logged,
0 message lines rate-limited,
0 message lines dropped-by-MD,
xml disabled, sequence number disabled
filtering disabled
Logging Source-Interface: VRF Name:
switch01#show conf
service timestamps debug datetime msec
service timestamps log datetime msec
logging facility local6
logging 1.1.1.1
logging trap level 7
The switch mentions that 8 lines have been logged to our server. Indeed, that's the case, but it's not enough, it's just interfaces that have gone up or down the past few days...
Do you think I am forgetting something? Can someone recommend something?
Thanks!
07-16-2016 12:54 AM
What else were you expecting to be logged?
07-22-2016 05:58 AM
I don't want anything in particular to be logged, but surely more info than just up/downs of ports and connections to switches.
02-05-2017 06:11 PM
Is there anything in the local buffer that is not in the syslog? If a switch is operating normally I would not expect more than up/down messages unless you have turned on some debugging. Really, unless there are problems or you have configured some features that do log messages (such as NAC, remote polling by an NMS) I would not expect too much more.
01-29-2017 01:32 PM
Hi
I'm not sure what you want to log, but you could increase the buffer size:
logging buffered <4096-2147483647>
regards.
01-31-2017 10:39 AM
The original post is clearly about sending syslog to their new Graylog server. I do not see what the relationship might be between sending syslog to a server and the size of the logging buffer.
My question to the original poster is whether you are sure that there have been events that should have generated log messages. In working with customer switches I frequently see logs that contain only interface up and down messages. If the switch is running in a stable environment there might not be much else to log.
You might try going into config mode and then exiting config mode (no need to actually change anything). This should generate a syslog message and you could look for that on the server.
HTH
Rick
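The check suggested above (enter and exit config mode, then look for the resulting message on the server) can be scripted on the receiving side. The following is an added example, not part of the original thread: it decodes the syslog PRI value of received lines into facility and severity, confirms they carry the local6 facility configured on the switch, and looks for the config-mode message. The sample lines, sequence numbers and addresses are constructed for illustration.

```python
import re
from collections import Counter

# Severity names as IOS uses them, indexed by syslog severity 0..7.
SEVERITIES = ["emergencies", "alerts", "critical", "errors",
              "warnings", "notifications", "informational", "debugging"]

# <PRI> ... %FACILITY-SEVERITY-MNEMONIC: text
CISCO_RE = re.compile(r"^<(\d{1,3})>.*?%([A-Z0-9_]+)-([0-7])-([A-Z0-9_]+): (.*)$")

def decode(line):
    """Split one raw syslog line into PRI parts and the IOS message tag."""
    m = CISCO_RE.match(line)
    if not m:
        return None
    facility, severity = divmod(int(m.group(1)), 8)  # PRI = facility*8 + severity
    return {"syslog_facility": facility,   # 16..23 map to local0..local7
            "pri_severity": severity,
            "ios_facility": m.group(2),
            "ios_severity": int(m.group(3)),
            "mnemonic": m.group(4),
            "text": m.group(5)}

def summarize(lines, expected_facility=22):  # 22 = local6 ("logging facility local6")
    """Count messages per severity, collect lines with an unexpected
    facility, and report whether a SYS CONFIG_I message was received."""
    by_severity, wrong_facility, saw_config = Counter(), [], False
    for line in lines:
        d = decode(line)
        if d is None:
            continue
        by_severity[SEVERITIES[d["pri_severity"]]] += 1
        if d["syslog_facility"] != expected_facility:
            wrong_facility.append(line)
        if (d["ios_facility"], d["mnemonic"]) == ("SYS", "CONFIG_I"):
            saw_config = True
    return by_severity, wrong_facility, saw_config

# Constructed sample input, shaped like messages a switch would send.
SAMPLE = [
    "<179>41: Jul 22 05:40:01.100: %LINK-3-UPDOWN: Interface GigabitEthernet0/5, changed state to up",
    "<181>42: Jul 22 05:40:02.100: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/5, changed state to up",
    "<181>43: Jul 22 05:58:10.250: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (192.0.2.10)",
]

if __name__ == "__main__":
    counts, wrong, saw = summarize(SAMPLE)
    print(dict(counts), "unexpected facility:", len(wrong), "CONFIG_I seen:", saw)
```

If the config-mode message arrives with the expected facility, forwarding is working and a low message count reflects a quiet switch rather than a misconfiguration.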