01-29-2025 05:42 AM
Hi Community,
I'm currently trying to set up secure syslog on our MDS 9000 series.
This is what I've done so far:
Generated an RSA key "crypto key generate rsa label NAME.LOCAL modulus 4096"
Created a Trustpoint for the CA "crypto ca trustpoint myCA" and mapped the RSA key "rsakeypair NAME.LOCAL"
Installed the Root CA certificate "crypto ca authenticate myCA"
Configured the Syslog Server to use a secure connection "logging server IP-ADDRESS 7 port 1234 secure"
Before I configured the switch like above, it was working in normal insecure mode.
After the reconfiguration no messages are logged to the syslog server anymore.
I followed the documentation Cisco MDS 9000 Series System Management Configuration Guide, Release 9.x - Configuring System Message Logging [Cisco MDS 9000 NX-OS and SAN-OS Software] - Cisco
I believe I missed some configuration to make it work...
Maybe some of you can help me here or have some advice!?
Thanks!
Patrik
01-29-2025 07:39 AM
- Verify your settings with : switch # show logging server
M.
01-30-2025 12:04 AM
Hi marce1000,
The output seems ok.
SWITCHNAME# show logging server
Logging server: enabled
{IP-ADDRESS}
server severity: information
server facility: local7
server VRF: default
server port: 1234
server transport: secure
BR,
Patrik
01-30-2025 05:12 AM
- Not sure why it is not working; is the (secure) syslog server configured to listen on that port, because TCP port 6514 is the default port for syslog over TLS?
Also have a look at https://www.cisco.com/c/en/us/td/docs/routers/asr9000/software/asr9k-r7-5/system-security/configuration/guide/b-system-security-cg-asr9000-75x/implementing-secure-logging.pdf
It discusses another platform, but is useful in terms of explanations and concepts.
M.
01-30-2025 07:07 AM
Hi marce1000,
Port 1234 is a placeholder. The syslog team gave me the correct port which I have to use. For systems other than Cisco it works on the customized port by just importing the CA certificate, like I did for my Cisco device.
I had a look at the documentation you gave me. It seems very similar to what I have done so far. I also had a look at the following community article: Configuring SYSLOG TLS on Catalyst 9000 - Cisco Community
They are referring to Creating a CSR, Authenticating a CA and Enrolling Certificates on IOS XE - Cisco Community for correct certificate installation. It seems that they also created a CSR for their devices and let the CA countersign it. I don't know if that is necessary for me as well!?
Thanks and regards,
Patrik
01-30-2025 07:46 AM
- Not sure on that; examine the logs on the MDS after trying any configuration, it might give hints, or use the command terminal monitor before you start configuring.
M.
01-31-2025 12:15 AM
- Also make sure that there is no intranet firewalling blocking the path from the MDS to the TLS syslog port, or try another port as a kind of 'integrity check'.
M.
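As an added example (not from this thread or from Cisco), a small Python probe run from a host near the MDS that separates the failure modes discussed above: port closed or filtered (firewall), server certificate not issued by the trusted CA (trustpoint mismatch), server enforcing mutual TLS (the CSR question), or a port that is not speaking TLS at all. The host, port (6514 is the syslog-over-TLS default; the thread's real port is unknown) and CA file are assumed inputs supplied by the caller.

```python
import socket
import ssl


def classify_failure(exc):
    """Map a connect/handshake exception to the most likely cause."""
    if isinstance(exc, ssl.SSLCertVerificationError):
        # Server cert does not chain to the CA we trust: check the trustpoint CA.
        return "ca_mismatch"
    if isinstance(exc, ssl.SSLError):
        reason = getattr(exc, "reason", "") or ""
        if isinstance(exc, ssl.SSLEOFError) or "WRONG_VERSION_NUMBER" in reason:
            # Peer closed during handshake or answered in plaintext: port is likely
            # the insecure syslog listener, not the TLS one.
            return "not_tls"
        if "CERTIFICATE_REQUIRED" in reason or "HANDSHAKE_FAILURE" in reason:
            # Commonly seen when the server demands a client certificate (mutual TLS),
            # i.e. the device would need an enrolled certificate, not only the CA.
            return "client_cert_required"
        return "tls_error"
    if isinstance(exc, (ConnectionRefusedError, ConnectionResetError)):
        return "port_closed"        # nothing listening on that port
    if isinstance(exc, (socket.timeout, TimeoutError)):
        return "filtered"           # silent drop, typically a firewall on the path
    return "unknown"


def probe_syslog_tls(host, port=6514, cafile=None, timeout=5.0):
    """Attempt a TLS handshake to the syslog port and report the outcome."""
    ctx = ssl.create_default_context(cafile=cafile)  # verifies chain and hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return {"ok": True, "cause": None, "version": tls.version(),
                        "subject": tls.getpeercert().get("subject")}
    except OSError as exc:  # ssl.SSLError is an OSError subclass
        return {"ok": False, "cause": classify_failure(exc), "detail": str(exc)}


if __name__ == "__main__":
    # Assumed placeholder values; replace with the real server and CA file.
    print(probe_syslog_tls("syslog.example.local", 6514, cafile="root-ca.pem"))
```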