yes, i can see all the other logs in the syslog from the switch and its working fine, however the only thing that is not working at the moment is these mac address-table information.

WS-C2960CPD-8PT-L with  C2960c405-UNIVERSALK9-M on it its  15.0(2)SE2

the logging output is 

Logging to X.X.X.X (udp port 514, audit disabled,
link up),
148 message lines logged,
0 message lines rate-limited,
0 message lines dropped-by-MD,
xml disabled, sequence number disabled
filtering disabled
Logging Source-Interface: VRF Name:

Enable the feature on the global level. I hope this helps. 

Switch(config)#snmp-server enable traps mac-notification

Switch(config)#snmp-server enable traps mac-notification change

Switch(config)#snmp-server enable traps mac-notification move

Switch(config)#snmp-server enable traps mac-notification threshold

You can see other informative syslogs? Post show snmp. 

hey,

thank you for your response. Yes i did the enable the SNMP trap commands in the system to send all the traps to syslog. 

mac address-table notification change interval 10
mac address-table notification change history-size 500
mac address-table notification change
mac address-table notification threshold
mac address-table notification mac-move

even after this nothing came to logging server

at very last step i configured the interface to send any snmp trap mac-notification for any change like add and remove

snmp trap mac-notification change added
snmp trap mac-notification change removed

i am receiving all the syslogs that is configured in the switch and it looks ok to me. the only logs i am unable to get is MAC logs. i tried to change the machines and do different things to trigger it but nothing is sent to syslog

hi, please find the configurations 

SNMP Configurations on switch: all the traps are enabled on switch with mac 

snmp-server enable traps mac-notification change move threshold

global:

mac address-table notification change interval 10
mac address-table notification change history-size 500
mac address-table notification change
mac address-table notification threshold
mac address-table notification mac-move

on two interfaces of switch

snmp trap mac-notification change added
snmp trap mac-notification change removed

I don't see a bug related to this but you can upgrade the code and see if that helps. 

Verify your snmp trap is working with 'debug snmp packets' trigger a mac change on a switch port. If snmp trap looks good, then troubleshoot your syslog server. I hope this helps.  

yes there is something wrong with my switch configurations, as when i start the debug snmp packet and i trigger the change in the switch nothing comes up not a single packet 

Post full config. Try another ios version if possible. 

According to your config, you didn't activate snmp mac notification. 

mac address-table notification change is not snmp-server enable traps mac-notification change. 

Configuring MAC Address Change Notification Traps P:96

http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2960/software/release/15-2_4_e/configurationguide/b_1524e_consolidated_2960p_2960c_cg.pdf

snmp-serverhost host-addr community-string notification-type { informs | traps } {version{1 | 2c | 3}}
{vrf vrf instance name}
snmp-server enable traps mac-notification change
mac address-table notification change
mac address-table notification change [interval value] [history-size value]
interface interface-id
snmp trap mac-notification change {added | removed}

Hope this helps. 

hi,

i did add the configuration line for

# snmp-server host X.X.X.X traps SnmpUserName mac-notification

and also re-execute the global configuration command to enable the traps and mac-notification

so far no success

i think there is somthing i am not doing right as far as configurations are concern.

i am looking in syslog server for the mac-logs. Am i on right box ?

It seems to me that you are configuring mac-notification via SNMP and then expecting it to arrive via SYSLOG.

SNMP and SYSLOG are independent notification mechanisms. SYSLOG is generally for anything that would display as a message on the console and is controlled by "levels" which range from DEBUG (7) to EMERGENCY (0) with 6 levels in between. Whatever level you choose in the logging trap <n> command (default is ERRORS (3), logging trap 3), you'll get all levels ≤ the specified level. So, by default (3), you will get all messages for EMERGENCY (0), ALERTS (1), CRITICAL (2), and ERROR (3). Messages at level 4 through 7 will be discarded.

The console displays all levels (0-7) by default.

SNMP is a little bit strange in that the client and server roles trade off. In normal monitoring, the network management system operates as an SNMP client and polls the various nodes SNMP server processes to ask about whatever variables are being monitored (interface statistics, power, cpu utilization, etc.). Polling usually happens at regular intervals, often around 5 minutes per interval.

However, as we all know, problems don't happen on a schedule and 5 minutes might be a long time to wait for an important event. In order to address this need for asynchronous notification by devices, there's also the SNMP facility known as "traps". An SNMP trap, therefore, reverses the previous client-server role and the network node which is sending an asynchronous notification becomes a client sending a message to the SNMP server running on the network management system (or other designated trap receiver host).

So, I suspect the answer to your current dilemma is to check for SNMP traps in your SNMP server rather than looking for things in SYSLOG.