10-10-2017 02:35 AM - edited 03-08-2019 12:19 PM
Hi,
I have a Syslog Server with Syslog-ng 3.6 which receives logs from different Cisco SW and RT from all over my Network.
Configuration is pretty simple:
/etc/syslog-ng/syslog-ng.conf
#############################
source s_net {
tcp(ip(0.0.0.0) port(514));
udp(ip(0.0.0.0) port(514));
};
destination d_host-specific {
file("/var/log/remotos/$HOST/$YEAR/$MONTH/$HOST-$YEAR-$MONTH-$DAY.log");
};
log {
source(s_net);
destination(d_host-specific);
};
#############################
All SW and RT have a very similar configuration if not exactly the same:
logging trap debugging
logging XX.XX.XX.XX
But here's the thing, Syslog-ng receives logs from most of the devices but Cisco Cat4500.
All the documentation I've found about configuring Cisco CAT4500 to send logs is for simple Syslog, and not Syslog-ng.
I can't manage to receive logs from a CAT4500 but I do from several WS-C296 and other devices which are in the same network.
I've tried to add a filter with the Host IP to no avail:
filter f_SW1_MSS_SRVs { host( "XX.XX.XX.XX" ); };
destination df_SW1_MSS_SRVs { file("/var/log/remotos/SW1_MSS_SRVs.log"); };
log { source( s_net ); filter( f_SW1_MSS_SRVs ); destination ( df_SW1_MSS_SRVs ); };
Don't know if I'm missing something in the CAT4500 configuration or if it's the Syslog Server.
Any help would be appreciated.
Regards,
10-10-2017 04:27 AM
Hello,
What do you have configured on the 4500 under 'logging facility'? Check the link below for available keywords:
10-10-2017 06:25 AM
Hi,
"logging facility" is set to "local7"
Here's the output of "show loggin":
Syslog logging: enabled (0 messages dropped, 1 messages rate-limited, 0 flushes, 0 overruns, xml disabled, filtering disabled)
No Active Message Discriminator.
No Inactive Message Discriminator.
Console logging: level debugging, 16662 messages logged, xml disabled,
filtering disabled
Monitor logging: level debugging, 0 messages logged, xml disabled,
filtering disabled
Buffer logging: level debugging, 16662 messages logged, xml disabled,
filtering disabled
Exception Logging: size (8192 bytes)
Count and timestamp logging messages: disabled
Persistent logging: disabled
No active filter modules.
Trap logging: level debugging, 16650 message lines logged
Logging to XX.XX.XX.XX (udp port 514, audit disabled,
authentication disabled, encryption disabled, link up),
16612 message lines logged,
0 message lines rate-limited,
0 message lines dropped-by-MD,
xml disabled, sequence number disabled
filtering disabled
Regards,
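To separate "the datagrams never reach the server" from "syslog-ng receives them but files them somewhere unexpected", the sketch below (an added example, not part of the thread and not code from any poster) tallies raw UDP syslog datagrams by sender IP and decoded facility/severity, so a switch sending as local7 to udp port 514 either shows up in the tally or does not. The function names are hypothetical, the sample datagrams are constructed, and `listen()` assumes it runs as root with syslog-ng's `udp()` source temporarily stopped so port 514 is free.

```python
import re
import socket
from collections import Counter

FACILITIES = ("kern user mail daemon auth syslog lpr news uucp cron authpriv ftp "
              "ntp audit alert clock local0 local1 local2 local3 local4 local5 "
              "local6 local7").split()
SEVERITIES = "emerg alert crit err warning notice info debug".split()
PRI_RE = re.compile(rb"^<(\d{1,3})>")

def decode_pri(datagram):
    """Return (facility, severity, text), or None without a valid <PRI> header."""
    m = PRI_RE.match(datagram)
    if not m or int(m.group(1)) > 191:  # 23 * 8 + 7 is the highest legal PRI
        return None
    pri = int(m.group(1))
    text = datagram[m.end():].decode("utf-8", "replace").strip()
    return FACILITIES[pri >> 3], SEVERITIES[pri & 7], text

def summarize(packets):
    """Count datagrams per (sender_ip, facility, severity)."""
    seen = Counter()
    for ip, data in packets:
        decoded = decode_pri(data)
        fac, sev = decoded[:2] if decoded else ("unparsed", "unparsed")
        seen[(ip, fac, sev)] += 1
    return seen

def listen(bind_ip="0.0.0.0", port=514, count=20):
    """Capture `count` datagrams and tally them.
    Assumes root (port < 1024) and that syslog-ng's udp() source is stopped."""
    packets = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind((bind_ip, port))
        while len(packets) < count:
            data, (ip, _port) = s.recvfrom(8192)
            packets.append((ip, data))
    return summarize(packets)

# Constructed sample datagrams; 192.0.2.0/24 is a documentation range.
SAMPLES = [
    ("192.0.2.10", b"<189>16613: *Oct 10 06:20:01.123: %SYS-5-CONFIG_I: constructed line"),
    ("192.0.2.10", b"<191>16614: *Oct 10 06:20:02.000: constructed debug line"),
    ("192.0.2.20", b"no priority header"),
]

if __name__ == "__main__":
    for key, n in sorted(summarize(SAMPLES).items()):
        print(key, n)
```

A sender address missing from the tally returned by `listen()` means nothing from that address reached the socket during the capture.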