Nexus 3K: is it possible to change log sending from UDP to TCP port 514?

Vicente Miño
Level 1

Hello everyone,

At my job I was asked to configure the sending of logs to some SIEM servers within our infrastructure (internal servers), so we have Catalyst 9000 series switches, Firepower 2100, FMC 1600 and Nexus 3K.

In both the FMC/FTD and the 9000 series switches I was able to perform the configuration. The indicated port was UDP 514, but the sending was not constant: it did not generate events unless a logout was performed, an authentication error, a successful login or even a crash of some interface, but in any case they were not constant. That was until I made the change to TCP on port 514.

Everything was fine and I was able to solve that problem, but another problem occurred with the Nexus 3K, where, even guided by the official Cisco documentation, I could not find a command that would modify the protocol used to send the logs.

My question is whether there is any way to send logs via TCP and not via UDP.

The official command would be:

logging server [IP Address] [Severity Level] use-vrf [vrf]

In the Catalyst 9000 series the command can be carried out with the modification of the protocol:

logging host [IP address] vrf [vrf] transport tcp port 514

Thank you very much in advance.
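The difference the question turns on, UDP/514 versus TCP/514 for syslog, is mostly a framing problem: a UDP datagram is one message, while a TCP connection is a byte stream in which message boundaries must be marked explicitly (RFC 6587 octet counting). The following is an added example written for this page, not code from the thread or from Cisco; the host names, facilities and message texts are constructed sample values, and the collector address is a placeholder.

```python
"""RFC 5424 syslog message construction with RFC 6587 TCP framing.

Added example (not from the forum thread). It shows why a message that is
one datagram on UDP/514 needs an explicit length prefix once it is sent
over a TCP byte stream, and how a receiver reassembles messages that
arrive split across several recv() calls. All sample values are constructed.
"""
import socket
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

SYSLOG_UDP_PORT = 514    # classic syslog: one message per datagram
SYSLOG_TCP_PORT = 514    # plain TCP, as in the Catalyst 9000 command above
SYSLOG_TLS_PORT = 6514   # RFC 5425 syslog over TLS; same framing as plain TCP


def build_message(facility: int, severity: int, hostname: str, app: str,
                  msg: str, ts: Optional[datetime] = None) -> bytes:
    """Build an RFC 5424 message. PRI = facility * 8 + severity."""
    if not 0 <= facility <= 23 or not 0 <= severity <= 7:
        raise ValueError("facility must be 0-23 and severity 0-7")
    ts = ts or datetime.now(timezone.utc)
    pri = facility * 8 + severity
    # VERSION is 1; PROCID, MSGID and STRUCTURED-DATA are the NILVALUE "-".
    header = f"<{pri}>1 {ts.isoformat()} {hostname} {app} - - -"
    return f"{header} {msg}".encode("utf-8")


def frame_octet_counting(message: bytes) -> bytes:
    """RFC 6587 octet counting: MSG-LEN SP SYSLOG-MSG."""
    return f"{len(message)} ".encode("ascii") + message


def parse_stream(buf: bytes) -> Tuple[List[bytes], bytes]:
    """Split a TCP byte buffer into complete octet-counted messages.

    Returns (messages, remainder). The remainder is whatever trailing bytes
    do not yet form a whole frame, so the caller appends the next recv()
    to it. UDP never needs this step because the datagram is the frame.
    """
    messages: List[bytes] = []
    while buf:
        space = buf.find(b" ")
        if space == -1:
            break  # length prefix not complete yet
        length_field = buf[:space]
        if not length_field.isdigit():
            raise ValueError(f"bad octet count: {length_field!r}")
        start = space + 1
        end = start + int(length_field)
        if len(buf) < end:
            break  # message body not fully received yet
        messages.append(buf[start:end])
        buf = buf[end:]
    return messages, buf


def send_udp(sock: socket.socket, message: bytes, collector: Tuple[str, int]) -> int:
    """Over UDP the datagram itself is the message boundary; no framing."""
    return sock.sendto(message, collector)


def send_tcp(sock: socket.socket, message: bytes) -> None:
    """Over TCP the receiver sees a byte stream, so every message is framed."""
    sock.sendall(frame_octet_counting(message))


def demo() -> Dict[str, object]:
    """Frame two constructed messages and reassemble them from two partial reads."""
    ts = datetime(2024, 1, 15, 10, 0, 0, tzinfo=timezone.utc)
    m1 = build_message(4, 6, "n3k-core-01", "authpriv", "login succeeded for admin", ts)
    m2 = build_message(23, 3, "n3k-core-01", "ethpm", "Interface Ethernet1/1 is down", ts)
    stream = frame_octet_counting(m1) + frame_octet_counting(m2)
    split = len(stream) // 2          # simulate the stream arriving in two TCP reads
    first, rest = parse_stream(stream[:split])
    second, leftover = parse_stream(rest + stream[split:])
    return {"messages": first + second, "leftover": leftover, "m1": m1, "m2": m2}


if __name__ == "__main__":
    result = demo()
    for m in result["messages"]:
        print(m.decode())
    # Placeholder collector address; replace with the real SIEM when sending.
    # with socket.create_connection(("siem.example.internal", SYSLOG_TCP_PORT)) as s:
    #     send_tcp(s, result["m1"])
```

The same octet-counted framing is what a TLS collector on 6514 expects, so moving from TCP/514 to TLS/6514 changes the transport and the firewall rule but not the message format.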

4 Replies

M02@rt37
VIP

Hello @Vicente Miño,

On N3k you cannot switch to TCP 514 for syslog.

Note that beginning with Cisco NX-OS Release 9.2(1), you can configure the syslog server with support for a secure TLS transport connectivity to remote logging servers. This feature supports TLSv1.1 and TLSv1.2.

https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus3000/sw/system_mgmt/92x/b-cisco-nexus-3000-series-nx-os-system-management-configuration-guide-92x/b-cisco-nexus-3000-series-nx-os-system-management-configuration-guide-92x_chapter_01000.h...

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.

Hi M02@rt37,

Perfect, I'm gonna check this option and I'll tell you if it worked.

Btw, does this cause any change in the port it uses to communicate from the N3k to the syslog server, or is it still using UDP port 514? I ask this because it may be necessary to enable these permissions on the network at the firewall.

Regards,

@Vicente Miño,

The default port for syslog over TLS is typically 6514. However, you can configure your syslog server and clients to use a different port if needed.

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.

Hey! Sorry for the late response. Regarding this, the solution was a bit ambiguous, but the problem was that, since they are fiber switches that are not used as much or do not generate as many events as access or edge switches, they must be assigned a higher keep-alive on the destination server. Reviewing the logs, they had a range of approximately 1 to 6 days, so the keep-alive had to be modified on the destination server so that it kept the devices "current" on the syslog server, so to speak.
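The accepted answer's finding, that quiet core switches went days between events and dropped out of the syslog server's "current" view, is something a collector-side liveness check can measure directly: per source, how long the longest gap between events has been and how long the source has been silent now. The script below is an added example written for this page (not from the thread or from any vendor); the RFC 5424 lines, host names and clock value are constructed so it runs offline, and the stale threshold is a parameter the operator chooses.

```python
"""Log-source liveness check for low-volume syslog senders.

Added example (not from the forum thread). Given RFC 5424 lines as stored
by a collector, it computes each host's last-seen time, its longest gap
between consecutive events and its current silence, then flags hosts
whose silence exceeds a threshold. The longest observed gap is the number
a server-side keep-alive or staleness timer must comfortably exceed.
All sample lines, hosts and the reference clock are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, List, NamedTuple, Tuple

# Constructed sample: one quiet core switch, one chatty access switch, one
# management server. Header layout: <PRI>VERSION TIMESTAMP HOSTNAME APP ...
SAMPLE_LINES = [
    "<38>1 2024-03-01T08:00:00Z n3k-core-01 authpriv - - - login succeeded for admin",
    "<187>1 2024-03-04T08:00:00Z n3k-core-01 ethpm - - - Interface Ethernet1/1 is down",
    "<38>1 2024-03-10T08:00:00Z n3k-core-01 authpriv - - - logout for admin",
    "<190>1 2024-03-11T23:00:00Z cat9k-access-07 dot1x - - - Authentication succeeded",
    "<190>1 2024-03-12T00:00:00Z cat9k-access-07 dot1x - - - Authentication succeeded",
    "<38>1 2024-03-11T09:00:00Z fmc-1600 sfims - - - Scheduled task finished",
]
NOW = datetime(2024, 3, 12, 8, 0, tzinfo=timezone.utc)  # constructed reference clock

RFC5424_HEADER = re.compile(r"^<(\d{1,3})>1 (\S+) (\S+) ")


class HostStatus(NamedTuple):
    last_seen: datetime
    longest_gap: timedelta   # largest interval between two consecutive events
    silence: timedelta       # time since last event, measured at `now`


def parse_line(line: str) -> Tuple[datetime, str]:
    """Extract (timestamp, hostname) from an RFC 5424 header."""
    m = RFC5424_HEADER.match(line)
    if not m:
        raise ValueError(f"not an RFC 5424 header: {line[:40]!r}")
    # fromisoformat() before Python 3.11 does not accept a trailing 'Z'.
    ts = datetime.fromisoformat(m.group(2).replace("Z", "+00:00"))
    return ts, m.group(3)


def summarize(lines: Iterable[str], now: datetime) -> Dict[str, HostStatus]:
    """Per-host last-seen, longest inter-event gap and current silence."""
    seen: Dict[str, List[datetime]] = defaultdict(list)
    for line in lines:
        ts, host = parse_line(line)
        seen[host].append(ts)
    status: Dict[str, HostStatus] = {}
    for host, stamps in seen.items():
        stamps.sort()
        gaps = [later - earlier for earlier, later in zip(stamps, stamps[1:])]
        longest = max(gaps, default=timedelta(0))  # single event: no gap yet
        status[host] = HostStatus(stamps[-1], longest, now - stamps[-1])
    return status


def stale_hosts(lines: Iterable[str], now: datetime, threshold: timedelta) -> List[str]:
    """Hosts silent for longer than `threshold`, sorted by name."""
    return sorted(h for h, s in summarize(lines, now).items() if s.silence > threshold)


if __name__ == "__main__":
    for host, s in sorted(summarize(SAMPLE_LINES, NOW).items()):
        print(f"{host:16} last={s.last_seen.isoformat()} "
              f"longest_gap={s.longest_gap} silence={s.silence}")
    print("stale (>1 day):", stale_hosts(SAMPLE_LINES, NOW, timedelta(days=1)))
```

Run against a real export, the longest_gap column tells you how long a healthy but quiet device can legitimately stay silent, and therefore how far the server's keep-alive or staleness timer has to be raised before a silent host should be treated as a lost log source rather than a normal one.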