
Cisco 4510 switch syslog-ng issues

mpugina63
Level 1

I have the following setup:

PMI_4510_COR2(config)#do sh log
Syslog logging: enabled (0 messages dropped, 99 messages rate-limited, 0 flushes, 0 overruns, xml disabled, filtering disabled)
    Console logging: level debugging, 129996 messages logged, xml disabled,
                     filtering disabled
    Monitor logging: level debugging, 0 messages logged, xml disabled,
                     filtering disabled
    Buffer logging: level debugging, 130094 messages logged, xml disabled,
                    filtering disabled
    Exception Logging: size (2147483647 bytes)
    Count and timestamp logging messages: enabled
    Trap logging: level debugging, 130096 message lines logged
        Logging to 10.1.2.20, 10201 message lines logged, xml disabled,
               filtering disabled

and on my syslog server I got a few logs for a bit:

root@logserver:/var/log/cisco# tail -f core1.log

Jul 20 17:36:20 10.1.2.2 15625: Jul 20 17:36:15: %SYS-5-CONFIG_I: Configured from console by nmradmin on vty0 (10.1.58.10)

Jul 20 19:35:12 10.1.2.2 15626: Jul 20 19:35:07: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet4/4, changed state to down

Jul 20 19:35:12 10.1.2.2 15627: Jul 20 19:35:08: %LINK-3-UPDOWN: Interface FastEthernet4/4, changed state to down

Jul 20 19:35:14 10.1.2.2 15628: Jul 20 19:35:09: %SWITCH_QOS_TB-5-TRUST_DEVICE_LOST: cisco-phone no longer detected on port Fa4/4, operational port trust state is now untrusted.

Jul 20 21:13:38 10.1.2.2 15629: Jul 20 21:13:33: %C4K_REDUNDANCY-5-CALENDAR_RATELIMIT: The calendar has been successfully synchronized to the standby supervisor24 times since last calendar syslog

Jul 21 07:56:31 10.1.2.2 15630: Jul 21 07:56:27: %LINK-3-UPDOWN: Interface FastEthernet4/4, changed state to up

Jul 21 07:56:31 10.1.2.2 15631: Jul 21 07:56:28: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet4/4, changed state to up

Jul 21 07:56:45 10.1.2.2 15632: Jul 21 07:56:41: %SWITCH_QOS_TB-5-TRUST_DEVICE_DETECTED: cisco-phone detected on port Fa4/4, port's configured trust state is now operational.

but it stopped without any change on either system.

I have the following syslog-ng configuration on my 10.1.2.20 Linux server:

source s_net { tcp();
               udp(); };

#Cisco devices
destination d_core1 { file("/var/log/cisco/core1.log"); };

#Cisco Core 1 Switch
filter f_core1 { host("10.1.2.2"); };

# All messages send to a remote site
log { source(s_net); filter(f_core1); destination(d_core1); };

I have restarted syslog-ng multiple times to no avail. I have other devices that are logging to that server successfully.

Any help would be appreciated.

6 Replies

Antonio Knox
Level 7

I'd double check the config on the 4510. If there had been an unexpected reload or something and the logging configs hadn't been written to memory, then it would have reverted to a previous setting. I know it's a reach, but without a full config to reference, that's pretty much what I'm thinking.

Antonio,

Thanks for the reply. I turned off the rate-limit and it doesn't appear to have changed the message rate in sh log; it also didn't start logging to syslog either:

PMI_4510_COR2(config)#no logg rate-limit
PMI_4510_COR2(config)#logg reload
PMI_4510_COR2(config)#do sh logg
Syslog logging: enabled (0 messages dropped, 99 messages rate-limited, 0 flushes, 0 overruns, xml disabled, filtering disabled)
    Console logging: level debugging, 131379 messages logged, xml disabled,
                     filtering disabled
    Monitor logging: level debugging, 0 messages logged, xml disabled,
                     filtering disabled
    Buffer logging: level debugging, 131477 messages logged, xml disabled,
                    filtering disabled
    Exception Logging: size (2147483647 bytes)
    Count and timestamp logging messages: enabled
    Trap logging: level debugging, 131479 message lines logged
        Logging to 10.1.2.20, 11584 message lines logged, xml disabled,
               filtering disabled

Any other ideas?

This is an odd one. I see that your trap logging (syslog) count has increased. If neither of these devices has changed, was there anything in between that could affect traffic?

Your first post:

Trap logging: level debugging, 130096 message lines logged

Your second post:

Trap logging: level debugging, 131479 message lines logged

No, the syslog server is directly connected to the switch. I was thinking of putting an ACL on the port that the syslog server is connected to and see if I see UDP 514 traffic going out to the server.

OK, I put the ACL in on the server-facing port and saw the traffic flowing through. I also saw the issue: since I was running the vlan in standby mode, it was using the standby IP and not the primary IP. Once I changed it, all was well. Hopefully someone else will benefit from my pain.

Antonio Knox
Level 7

Also, I noticed that you have 99 messages rate-limited, so disable log rate-limiting for grins:

PMI_4510_COR2(config)#no logging rate-limit
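
The resolution in this thread was that the switch's messages reached the server from the standby IP rather than 10.1.2.2, the address the `f_core1` filter expected, so nothing was written to core1.log. As an added example (not from the original posters), a syslog-ng fallback log path records whatever no other log path matched, one file per sending address; the `d_unmatched` name, its path, and the `netmask()` form of the filter are assumptions.

```conf
# Added example, not the poster's configuration.
# d_unmatched, its path and the netmask() filter are assumptions.

source s_net { tcp(); udp(); };

destination d_core1 { file("/var/log/cisco/core1.log"); };

# netmask() tests the packet's source address; host() tests the HOST
# field, which can be rewritten by name resolution or the message header.
filter f_core1 { netmask("10.1.2.2/32"); };

log { source(s_net); filter(f_core1); destination(d_core1); };

# Catch-all: one file per sending address for messages that no other
# log path matched, so an unexpected source IP shows up as a new file.
destination d_unmatched {
    file("/var/log/unmatched/${SOURCEIP}.log" create-dirs(yes));
};

log { source(s_net); destination(d_unmatched); flags(fallback); };
```

A file under /var/log/unmatched/ named after an address you did not expect is the cue to correct either the filter or the device's logging source address.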
