
C9300-24T send the user-generated traffic to syslog server.

ShahAlizada
Level 1

Hi all,

I have a scenario where I really need immediate support.

Now we want to send the user-generated traffic to a cloud-based syslog server for analytics and reporting. Sending the user-generated traffic from a Palo Alto or FortiGate is pretty straightforward.

But when configuring logging for Cisco Devices we have two actually:
1. C9300-24T
2. C3650

If I have to configure logging the straightforward way, it will only send system events, but my question is how should I configure the two switches to send the user-generated logs to the syslog server's IP address.

Do I need additional configuration of any services for this?

I will be looking forward to hearing from a community member on this soon.

Thank you all.


7 Replies

Enes Simnica
Spotlight

Hello @ShahAlizada, Cisco switches only generate and send system and network-related logs to syslog by default; they don’t log user-generated traffic like firewalls do.

So, if u need user traffic visibility, you’ll need to enable NetFlow or Flexible NetFlow and export that data to a collector or analytics platform. Which means that syslog alone won’t provide per-user traffic info.

Hope this helps


-Enes
CCNP x2 Enterprise
Your Friendly Networking Ninja

more Cisco?!
more Gym?!



If this post solved your problem, kindly mark it as Accepted Solution. Much appreciated!

Hi @Enes Simnica,

So you mean I enable NetFlow or Flexible NetFlow on the incoming and outgoing interfaces of my switch to collect user-generated traffic, then send it across to the syslog server for monitoring?

Thank you.

@ShahAlizada Almost.... But yes, u’re right about enabling NetFlow or Flexible NetFlow on the switch interfaces, cause that’s how u collect user traffic data.
BUUUUT, NetFlow data isn’t sent to the syslog server; it should be exported to a NetFlow collector instead, something like SolarWinds, PRTG or more.......

Hope it helps!!


-Enes


@Enes Simnica wrote:

it should be exported to a NetFlow collector instead, something like SolarWinds, PRTG or more.......

-Enes


.. or Cisco Secure Network Analytics

Forum Tips: 1. Paste images inline - don't attach. 2. If you find a post helpful, please give it a thumbs up or mark it as a correct solution.

M02@rt37
VIP

Hello @ShahAlizada 

-> see NetFlow as Mr Simnica suggests, since syslog is not ideal for traffic visibility, exactly!

--

> 2 things to note:

If your goal is full user traffic visibility, use NetFlow, not syslog.
If your goal is user identity correlation, enable RADIUS accounting with syslog export!

--

https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst9300/software/release/17-13/configuration_guide/nmgmt/b_1713_nmgmt_9300_cg/configuring_flexible_netflow.html


Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.

zunairmajeed
Level 1

You are correct - Cisco switches like the C9300-24T and C3650 only send system logs to a syslog server by default. They do not log user-generated traffic the same way firewalls do.

If you need to analyze user traffic, you will want to set up NetFlow or Flexible NetFlow instead. These tools export detailed traffic data such as source/destination IPs, ports, and protocols to a flow collector.

In short:

Syslog = System Events

NetFlow = User traffic analytics

You can run both together for complete visibility.
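The split the replies above describe (syslog for system events, Flexible NetFlow to a flow collector for user traffic, RADIUS accounting for identity correlation) can be put into one IOS-XE configuration. The following is an added example written for this thread; it is not from any of the posters or from the linked Cisco guide. The IP addresses (192.0.2.x, documentation range), the interface names, the VLAN, the UDP port 2055, and the shared secret are placeholders; replace them with your own values. The same syntax applies to the C3650 as long as its IOS-XE release and license support Flexible NetFlow.

```cisco
! ---- 1. Syslog: system events only (what the switch sends by default) ----
logging host 192.0.2.20
logging trap informational
logging source-interface Vlan10

! ---- 2. Flexible NetFlow: per-flow user traffic records ----
! Flow record: the key fields that identify a flow (match) and the
! counters/timestamps that are collected for each flow (collect).
flow record USER-TRAFFIC-REC
 match ipv4 source address
 match ipv4 destination address
 match ipv4 protocol
 match transport source-port
 match transport destination-port
 match interface input
 collect counter bytes long
 collect counter packets long
 collect timestamp absolute first
 collect timestamp absolute last

! Flow exporter: where the records go. This is the NetFlow collector
! (placeholder 192.0.2.10), NOT the syslog host above.
flow exporter USER-TRAFFIC-EXP
 destination 192.0.2.10
 source Vlan10
 transport udp 2055
 template data timeout 60

! Flow monitor: ties the record and exporter together and sets how long
! flows stay in the cache before they are exported.
flow monitor USER-TRAFFIC-MON
 exporter USER-TRAFFIC-EXP
 cache timeout active 60
 cache timeout inactive 15
 record USER-TRAFFIC-REC

! Apply the monitor to the user access ports (ingress = user-to-network)
! and to the uplink (ingress = network-to-user return traffic).
interface range GigabitEthernet1/0/1 - 24
 ip flow monitor USER-TRAFFIC-MON input
interface TenGigabitEthernet1/1/1
 ip flow monitor USER-TRAFFIC-MON input

! ---- 3. RADIUS accounting: user identity for correlation (assumed setup) ----
aaa new-model
radius server RADIUS-SRV
 address ipv4 192.0.2.30 auth-port 1812 acct-port 1813
 key REPLACE-WITH-SHARED-SECRET
aaa group server radius RADIUS-GRP
 server name RADIUS-SRV
aaa accounting network default start-stop group RADIUS-GRP
```

After applying this, `show flow monitor USER-TRAFFIC-MON cache` shows the flows being tracked on the switch and `show flow exporter USER-TRAFFIC-EXP statistics` confirms records are leaving for the collector. The collector (or the cloud analytics platform fed by it) is where user traffic is reported; the syslog host keeps receiving only system events, which is the behaviour the thread explains.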

cooperolivia919
Level 1

You will need to enable NetFlow or Flexible NetFlow to export user traffic data to the collector, and then forward or analyze it from there.