Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
437
Views
0
Helpful
3
Replies

monitoring or fixing show logging "link up / down"

t9sti91
Level 1
Level 1

‎05-21-2024 09:22 AM

hey there - so recently we noticed that almost all cisco catalyst devices have stopped sending logs to our central log servers (more than 1). Upon investigation and google - turns out most of the syslog servers were showing 'down' when doing a "show log" command.

stole this output from another post - but it shows what I'm talking about

Logging to 172.20.1.1  (udp port 514,  audit disabled,

    authentication disabled, encryption disabled, link up),

    28 message lines logged,

    0 message lines rate-limited,

    0 message lines dropped-by-MD,

    xml disabled, sequence number disabled


   I found another post that this happens sometimes (not sure why though?) and the "fix" is to reload the switch - or my more preferred method, turn logging off, set to informational, then back on and to whatever level you want, then the status shows up, and my log server sees the messages.
now the questions:

#1 - anyone know root cause why almost all (20+) catalyst switches sometimes go link down for syslog?

#2 - any way I can monitor that "link up / down" in the show log from my whatsup gold instances? I haven't found a clean way of doing that yet. If I can't find a long term fix for this happening we at least need to be alerted immediately when they stop reporting so we don't lose logs.

 

thanks!

Labels:
0 Helpful
3 Replies 3

t9sti91
Level 1
Level 1

‎05-21-2024 09:24 AM

to my question #1 - yes, I can ping syslog, yes routes are there, no I can't post output from commands :). Thanks for the help!

0 Helpful

Georg Pauwen
VIP
VIP
In response to t9sti91

‎05-21-2024 11:10 PM

Hello,

what is the actual output of the 'show log' command when this issue occurs ? And what is the output when the logging works ? An EEM script might help...

0 Helpful

balaji.bandi
Hall of Fame
Hall of Fame

‎05-21-2024 11:54 PM 

 #1 - yes, I can ping syslog

you can ping - but try using source interface if that help to reach syslog

#2 - @Georg Pauwen given option you can use EEM script to Monitor and report back to you if that is not reachable based on syslog messages.

Most important - what is the device model and IOS code running?

again what Logs you trying to send - is there any firewall in the path ?

if all devices not able to send logs to syslog - i suspect syslog server here, what syslog server is this ? (check on syslog server is this gone offline )

ping works if the Ethernet of syslog up and running, if the syslog services going down may not receive the logs (so ping vs syslog service is 2 different things here).

 

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful
Customers Also Viewed These Support Documents

Review Cisco Networking for a $25 gift card