I have the following setup:
PMI_4510_COR2(config)#do sh log
Syslog logging: enabled (0 messages dropped, 99 messages rate-limited, 0 flushes, 0 overruns, xml disabled, filtering disabled)
Console logging: level debugging, 129996 messages logged, xml disabled,
filtering disabled
Monitor logging: level debugging, 0 messages logged, xml disabled,
filtering disabled
Buffer logging: level debugging, 130094 messages logged, xml disabled,
filtering disabled
Exception Logging: size (2147483647 bytes)
Count and timestamp logging messages: enabled
Trap logging: level debugging, 130096 message lines logged
Logging to 10.1.2.20, 10201 message lines logged, xml disabled,
filtering disabled
and on my syslog server I got a few logs for a bit:
root@logserver:/var/log/cisco# tail -f core1.log
Jul 20 17:36:20 10.1.2.2 15625: Jul 20 17:36:15: %SYS-5-CONFIG_I: Configured from console by nmradmin on vty0 (10.1.58.10)
Jul 20 19:35:12 10.1.2.2 15626: Jul 20 19:35:07: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet4/4, changed state to down
Jul 20 19:35:12 10.1.2.2 15627: Jul 20 19:35:08: %LINK-3-UPDOWN: Interface FastEthernet4/4, changed state to down
Jul 20 19:35:14 10.1.2.2 15628: Jul 20 19:35:09: %SWITCH_QOS_TB-5-TRUST_DEVICE_LOST: cisco-phone no longer detected on port Fa4/4, operational port trust state is now untrusted.
Jul 20 21:13:38 10.1.2.2 15629: Jul 20 21:13:33: %C4K_REDUNDANCY-5-CALENDAR_RATELIMIT: The calendar has been successfully synchronized to the standby supervisor24 times since last calendar syslog
Jul 21 07:56:31 10.1.2.2 15630: Jul 21 07:56:27: %LINK-3-UPDOWN: Interface FastEthernet4/4, changed state to up
Jul 21 07:56:31 10.1.2.2 15631: Jul 21 07:56:28: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet4/4, changed state to up
Jul 21 07:56:45 10.1.2.2 15632: Jul 21 07:56:41: %SWITCH_QOS_TB-5-TRUST_DEVICE_DETECTED: cisco-phone detected on port Fa4/4, port's configured trust state is now operational.
but it stopped without any change on either system.
I have the following syslog-ng configuration on my 10.1.2.20 linux server:
source s_net { tcp();
udp(); };
#Cisco devices
destination d_core1 { file("/var/log/cisco/core1.log"); };
#Cisco Core 1 Switch
filter f_core1 { host("10.1.2.2"); };
# All messages send to a remote site
log { source(s_net); filter(f_core1); destination(d_core1); };
I have restarted syslog-ng multiple times to no availabe. I have other devices that are logging to that server successfully.
Any help would be appreciated
I'd couble check the config on the 4510. If there had been an unexpected reload or something and the logging configs hadn't been written to memory, then it would have reverted to a previous setting. I know it's a reach, but without a full config to reference, that's pretty much what I'm thinking.
Antonio,
Thanks for the reply, I turned off the rate-limit and it doesn't appear to have changed the message rate in sh log, it also didn't start logging to syslog either:
PMI_4510_COR2(config)#no logg rate-limit
PMI_4510_COR2(config)#logg reload
PMI_4510_COR2(config)#do sh logg
Syslog logging: enabled (0 messages dropped, 99 messages rate-limited, 0 flushes, 0 overruns, xml disabled, filtering disabled)
Console logging: level debugging, 131379 messages logged, xml disabled,
filtering disabled
Monitor logging: level debugging, 0 messages logged, xml disabled,
filtering disabled
Buffer logging: level debugging, 131477 messages logged, xml disabled,
filtering disabled
Exception Logging: size (2147483647 bytes)
Count and timestamp logging messages: enabled
Trap logging: level debugging, 131479 message lines logged
Logging to 10.1.2.20, 11584 message lines logged, xml disabled,
filtering disabled
Any other ideas?
This is an odd one, I see that your trap logging (syslog) count has increased. If neither of these devices has changed, was there anything in between that could affect traffic?
Your first post:
Trap logging: level debugging, 130096 message lines logged
Your second post:
Trap logging: level debugging, 131479 message lines logged
no the syslog server is directly connected to the switch. I was thinking of putting an ACL on the port that the syslog server is connected to and see if I see UDP 514 traffic going out to the server.
ok, I put the ACL in on the server facing port and saw the traffic flowing through, I also so the issue, since I was running the vlan in standby mode it was using the standby IP and not the primary IP. Once I change it, all was well. Hopefully someone else will benefit from my pain
Also, I noticed that you have 99 messages rate-limited, so disable log rate-limiting for grins:
PMI_4510_COR2(config)#no logging rate-limit