- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
05-12-2022 05:42 AM
Greetings!
I have several 9300 series switches running IOS XE 17.x that forward SYSLOG to a central logging server. We recently stood up another logging server for HA/redundancy, but an issue we are running into is log duplication.
I know that with RADIUS setup, you can create a RADIUS group where the device will query each RADIUS server in order and if the first server fails to respond, it will move on to the next until it has exhausted all servers in the list before moving to local authentication (if configured as such).
Is it possible to configure the same with SYSLOG servers?
Solved! Go to Solution.
- Labels:
-
Catalyst 9000
Accepted Solutions

- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
05-12-2022 06:07 AM
Hello,
you could use an IP SLA in combination with two simple EEM scripts:
Let's say your primary and backup syslog servers are:
Syslog server 1: 192.168.1.10
Syslog server 2: 192.168 2.10
The configuration would look like this (change the source interface for the IP SLA to reflect the one you are actually using):
track 1 ip sla 1 reachability
!
ip sla 1
icmp-echo 192.168.1.10 source-interface GigabitEthernet0/0
!
ip sla schedule 1 start-time now life forever
!
event manager applet SYSLOG_1_DOWN
event track 1 state down
action 1.0 cli command "enable"
action 2.0 cli command "config t"
action 3.0 cli command "no logging host 192.168.1.10"
action 3.0 cli command "logging host 192.168.2.10"
action 4.0 cli command "end"
!
event manager applet SYSLOG_1_UP
event track 1 state up
action 1.0 cli command "enable"
action 2.0 cli command "config t"
action 3.0 cli command "no logging host 192.168.2.10"
action 3.0 cli command "logging host 192.168.1.10"
action 4.0 cli command "end"

- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
05-12-2022 06:07 AM
Hello,
you could use an IP SLA in combination with two simple EEM scripts:
Let's say your primary and backup syslog servers are:
Syslog server 1: 192.168.1.10
Syslog server 2: 192.168 2.10
The configuration would look like this (change the source interface for the IP SLA to reflect the one you are actually using):
track 1 ip sla 1 reachability
!
ip sla 1
icmp-echo 192.168.1.10 source-interface GigabitEthernet0/0
!
ip sla schedule 1 start-time now life forever
!
event manager applet SYSLOG_1_DOWN
event track 1 state down
action 1.0 cli command "enable"
action 2.0 cli command "config t"
action 3.0 cli command "no logging host 192.168.1.10"
action 3.0 cli command "logging host 192.168.2.10"
action 4.0 cli command "end"
!
event manager applet SYSLOG_1_UP
event track 1 state up
action 1.0 cli command "enable"
action 2.0 cli command "config t"
action 3.0 cli command "no logging host 192.168.2.10"
action 3.0 cli command "logging host 192.168.1.10"
action 4.0 cli command "end"
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
05-12-2022 06:12 AM
Hi
For syslog the switch will send the same information to as many server as you point to.
