Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1068
Views
1
Helpful
6
Replies

msec on syslog messages

Go to solution
rasmus.elmholt
Level 7
Level 7

‎03-09-2023 01:26 AM

Hi.

I have a switch where I am testing some STP logging and debugging.

I have enabled STP logging and trap generation on the switch and on links.

Now I want to make sure all messages are with the msec stamp on logs.

I have enabled the msec on the timestamp service(service timestamps log datetime localtime msec) for logs but I don't see the msec on the messages sent to the syslog server.

show logging from the device(msec is working here)

Mar  9 10:12:51: %SPANTREE-6-PORT_STATE: Port Gi1/0/1 instance 0 moving from forwarding to disabled
Mar  9 10:12:51: %SPANTREE-7-PORTDEL_SUCCESS: GigabitEthernet1/0/1 deleted from Vlan 1000
Mar  9 10:12:52: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/1, changed state to down
Mar  9 10:12:53: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/1, changed state to down
Mar  9 10:13:05: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/1, changed state to up
Mar  9 10:13:06: %SPANTREE-6-PORT_STATE: Port Gi1/0/1 instance 0 moving from disabled to blocking
Mar  9 10:13:06: %SPANTREE-6-PORT_STATE: Port Gi1/0/1 instance 0 moving from blocking to forwarding
Mar  9 10:13:06: %SPANTREE-5-TOPOTRAP: Topology Change Trap for instance 0
Mar  9 10:13:07: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/1, changed state to up
Mar  9 10:15:19.947: %PARSER-5-CFGLOG_LOGGEDCMD: User:user  logged command:service timestamps log datetime localtime msec 
Mar  9 10:15:21.223: %SYS-5-CONFIG_I: Configured from console by user on vty1 (10.110.253.126)
Mar  9 10:15:36.466: %SPANTREE-7-PORTDEL_SUCCESS: GigabitEthernet1/0/1 deleted from Vlan 1
Mar  9 10:15:36.466: %SPANTREE-7-PORTDEL_SUCCESS: GigabitEthernet1/0/1 deleted from Vlan 201
Mar  9 10:15:36.466: %SPANTREE-7-PORTDEL_SUCCESS: GigabitEthernet1/0/1 deleted from Vlan 300
Mar  9 10:15:36.466: %SPANTREE-7-PORTDEL_SUCCESS: GigabitEthernet1/0/1 deleted from Vlan 304
Mar  9 10:15:36.466: %SPANTREE-7-PORTDEL_SUCCESS: GigabitEthernet1/0/1 deleted from Vlan 309
Mar  9 10:15:36.466: %SPANTREE-7-PORTDEL_SUCCESS: GigabitEthernet1/0/1 deleted from Vlan 312
Mar  9 10:15:36.466: %SPANTREE-7-PORTDEL_SUCCESS: GigabitEthernet1/0/1 deleted from Vlan 320
Mar  9 10:15:36.466: %SPANTREE-7-PORTDEL_SUCCESS: GigabitEthernet1/0/1 deleted from Vlan 331
Mar  9 10:15:36.466: %SPANTREE-7-PORTDEL_SUCCESS: GigabitEthernet1/0/1 deleted from Vlan 332
Mar  9 10:15:36.466: %SPANTREE-7-PORTDEL_SUCCESS: GigabitEthernet1/0/1 deleted from Vlan 360
Mar  9 10:15:36.466: %SPANTREE-7-PORTDEL_SUCCESS: GigabitEthernet1/0/1 deleted from Vlan 800
Mar  9 10:15:36.470: %SPANTREE-7-PORTDEL_SUCCESS: GigabitEthernet1/0/1 deleted from Vlan 801
Mar  9 10:15:36.470: %SPANTREE-7-PORTDEL_SUCCESS: GigabitEthernet1/0/1 deleted from Vlan 900
Mar  9 10:15:36.470: %SPANTREE-6-PORT_STATE: Port Gi1/0/1 instance 0 moving from forwarding to disabled
Mar  9 10:15:36.470: %SPANTREE-7-PORTDEL_SUCCESS: GigabitEthernet1/0/1 deleted from Vlan 1000
Mar  9 10:15:37.459: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/1, changed state to down
Mar  9 10:15:38.476: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/1, changed state to down
Mar  9 10:15:46.176: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/1, changed state to up
Mar  9 10:15:47.193: %SPANTREE-6-PORT_STATE: Port Gi1/0/1 instance 0 moving from disabled to blocking
Mar  9 10:15:47.214: %SPANTREE-6-PORT_STATE: Port Gi1/0/1 instance 0 moving from blocking to forwarding
Mar  9 10:15:47.225: %SPANTREE-5-TOPOTRAP: Topology Change Trap for instance 0
Mar  9 10:15:48.197: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/1, changed state to up

Logs sent to the syslog server:

<190>Mar 9 10:15:47 10.50.20.10 %SPANTREE-6-PORT_STATE: Port Gi1/0/1 instance 0 moving from blocking to forwarding
Without the msec value ^
 

 

 

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
rasmus.elmholt
Level 7
Level 7

‎03-14-2023 04:31 AM

Doing some packet capture on a firewall the syslog messages are going through I can see that the msec is in the syslog packages. So it must be the splunk service not showing it.

#show loggin(on device)
Mar 14 09:45:10.430: %SPANTREE-6-PORT_STATE: Port Gi1/0/1 instance 0 moving from blocking to forwarding

# syslog packet information
<190>1005: Mar 14 09:45:10.430: %SPANTREE-6-PORT_STATE: Port Gi1/0/1 instance 0 moving from blocking to forwarding

#Splunk data:
<190>Mar 14 09:45:10 10.50.20.10 %SPANTREE-6-PORT_STATE: Port Gi1/0/1 instance 0 moving from blocking to forwarding

View solution in original post

6 Replies 6

Go to solution
balaji.bandi
Hall of Fame
Hall of Fame

‎03-09-2023 04:00 AM

Can you post syslog config from switch and give us what syslog you using.

I use Cisco Cat 9300 switches and Graylog - I see the below message on Graylog : (is this what you looking ?)

<189>11762: SW01: ]: Oct 19 15:46:15.776 GMT: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/5, changed state to up

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

Go to solution
rasmus.elmholt
Level 7
Level 7
In response to balaji.bandi

‎03-14-2023 01:07 AM

Hi

We are using splunk. I will have to look into why the value is not shown correct. But I would get the thing I see in splunk is exactly to same as the switch will send.

0 Helpful

Go to solution
rasmus.elmholt
Level 7
Level 7
In response to balaji.bandi

‎03-14-2023 01:29 AM

The configuration is something like this:

logging trap debugging
logging host 8.8.8.8
spanning-tree logging
logging buffered 65535

service timestamps debug datetime localtime
service timestamps log datetime msec localtime
0 Helpful

Go to solution
MHM Cisco World
VIP
VIP
In response to rasmus.elmholt

‎03-14-2023 02:24 AM

please try below config, 


service timestamps debug uptime
service timestamps debug datetime
service timestamps debug datetime msec
service timestamps debug datetime msec show-timezone
service timestamps debug datetime msec show-timezone localtime
service timestamps log uptime
service timestamps log datetime
service timestamps log datetime msec
service timestamps log datetime msec show-timezone
service timestamps log datetime msec show-timezone localtime

0 Helpful

Go to solution
rasmus.elmholt
Level 7
Level 7
In response to MHM Cisco World

‎03-14-2023 04:29 AM

I cannot see how those commands would help as they are just overwriting eachother.

0 Helpful

Go to solution
rasmus.elmholt
Level 7
Level 7

‎03-14-2023 04:31 AM

Doing some packet capture on a firewall the syslog messages are going through I can see that the msec is in the syslog packages. So it must be the splunk service not showing it.

#show loggin(on device)
Mar 14 09:45:10.430: %SPANTREE-6-PORT_STATE: Port Gi1/0/1 instance 0 moving from blocking to forwarding

# syslog packet information
<190>1005: Mar 14 09:45:10.430: %SPANTREE-6-PORT_STATE: Port Gi1/0/1 instance 0 moving from blocking to forwarding

#Splunk data:
<190>Mar 14 09:45:10 10.50.20.10 %SPANTREE-6-PORT_STATE: Port Gi1/0/1 instance 0 moving from blocking to forwarding
Customers Also Viewed These Support Documents