05-21-2024 09:22 AM
Hey there - so recently we noticed that almost all Cisco Catalyst devices have stopped sending logs to our central log servers (more than 1). Upon investigation and Google - turns out most of the syslog servers were showing 'down' when doing a "show log" command.
Stole this output from another post - but it shows what I'm talking about:
Logging to 172.20.1.1 (udp port 514, audit disabled,
authentication disabled, encryption disabled, link up),
28 message lines logged,
0 message lines rate-limited,
0 message lines dropped-by-MD,
xml disabled, sequence number disabled
I found another post saying that this happens sometimes (not sure why though?) and the "fix" is to reload the switch - or my more preferred method, turn logging off, set to informational, then back on and to whatever level you want, then the status shows up, and my log server sees the messages.
Now the questions:
#1 - anyone know the root cause why almost all (20+) Catalyst switches sometimes go link down for syslog?
#2 - any way I can monitor that "link up / down" in the show log from my WhatsUp Gold instances? I haven't found a clean way of doing that yet. If I can't find a long term fix for this happening we at least need to be alerted immediately when they stop reporting so we don't lose logs.
Thanks!
05-21-2024 09:24 AM
To my question #1 - yes, I can ping syslog, yes routes are there, no I can't post output from commands :). Thanks for the help!
05-21-2024 11:10 PM
Hello,
What is the actual output of the 'show log' command when this issue occurs? And what is the output when the logging works? An EEM script might help...
05-21-2024 11:54 PM
#1 - yes, I can ping syslog
You can ping - but try using the source interface to see if that helps to reach syslog.
#2 - @Georg Pauwen gave an option: you can use an EEM script to monitor and report back to you if that is not reachable, based on syslog messages.
Most important - what is the device model and IOS code running?
Again, what logs are you trying to send - is there any firewall in the path?
If all devices are not able to send logs to syslog - I suspect the syslog server here. What syslog server is this? (Check on the syslog server whether it has gone offline.)
Ping works if the Ethernet of the syslog server is up and running; if the syslog service is going down, it may not receive the logs (so ping vs. the syslog service are 2 different things here).
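For question #2, one way to turn the "link up / down" field of "show log" into an alert, given here as an added example that does not come from any poster in the thread. It assumes the command output is already being collected as text by a poller (for instance an SSH-based check in the monitoring system); the sample text, the second server address and the function names are constructed for illustration.

```python
import re

# Constructed sample: "show log" text in the layout quoted in the thread.
# The second stanza and its address are made up to show a failed target.
SAMPLE = """\
    Logging to 172.20.1.1  (udp port 514, audit disabled,
          authentication disabled, encryption disabled, link up),
          28 message lines logged,
          0 message lines rate-limited,
          0 message lines dropped-by-MD,
          xml disabled, sequence number disabled
    Logging to 172.20.1.2  (udp port 514, audit disabled,
          authentication disabled, encryption disabled, link down),
          0 message lines logged,
"""

# One stanza per configured syslog server; the option list wraps across lines.
STANZA = re.compile(
    r"Logging to (?P<host>\S+)\s*\((?P<opts>[^)]*)\),\s*"
    r"(?P<logged>\d+) message lines logged"
)

def syslog_targets(show_log_text):
    """Parse each 'Logging to ...' stanza into host, link state and counter."""
    targets = []
    for m in STANZA.finditer(show_log_text):
        opts = " ".join(m.group("opts").split())   # undo the line wrapping
        state = re.search(r"\blink (up|down)\b", opts)
        targets.append({
            "host": m.group("host"),
            "link": state.group(1) if state else "unknown",
            "logged": int(m.group("logged")),
        })
    return targets

def alerts(current, previous=None):
    """Return (host, reason) pairs; 'previous' is the parse from the last poll."""
    last = {t["host"]: t["logged"] for t in (previous or [])}
    found = []
    for t in current:
        if t["link"] != "up":
            found.append((t["host"], f"link {t['link']}"))
        elif last.get(t["host"]) == t["logged"]:
            # Heuristic (assumption): a counter that has not moved between two
            # polls may mean lost logs, or just a quiet switch. Tune per site.
            found.append((t["host"], "logged counter not advancing"))
    return found
```

A target that is missing from the output entirely produces no stanza, so the caller should also compare the parsed hosts against the list of servers it expects.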