Solved: Re: Switch Logging

Armymanryno · ‎02-11-2019

Is there a command or way to see switch logging? For instance If someone shuts down multiple ports, can I run a command that says At such and such time ports x-x were shut down etc etc. Is there anything like that?

Seb Rupik · ‎02-11-2019

In which case you want this:

https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2960/software/release/15-0_2_se/configuration/guide/scg2960/swlog.html#23485

...the commands will be the same for all 15.x versions.

Cheers,

Seb

View solution in original post

Seb Rupik · ‎02-11-2019

Hi there,

Take a look at configuration logging:

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/config-mgmt/configuration/xe-3s/config-mgmt-xe-3s-book/cm-config-logger.html#GUID-90319739-4F98-48BC-8D09-056530BBCE7C

Command syntax is different between OS flavours. What platform are you using?

Cheers,

Seb.

Armymanryno · ‎02-11-2019

c2960

Seb Rupik · ‎02-11-2019

In which case you want this:

https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2960/software/release/15-0_2_se/configuration/guide/scg2960/swlog.html#23485

...the commands will be the same for all 15.x versions.

Cheers,

Seb

Armymanryno · ‎02-11-2019

Excellent, thank you for the information.

ayoubblabidi@gmail.com · ‎04-30-2019

Hello everyone,
I use Graylog 2.5 Please , in the case of switch Logs meesage , how can i see the log source with the name of Switch not his address IP ? is there a configuration to do in the switch cisco ?

Seb Rupik · ‎04-30-2019

Hi there,

try adding the following to your cisco device:

!
logging origin-id hostname
!

cheers,

Seb.

ayoubblabidi@gmail.com · ‎05-01-2019

Thank you for you answer. I will try this order in the switch
#logging origin-id hostname

ayoubblabidi@gmail.com · ‎05-21-2019

Hello Cisco community,

I ask for help please, I collect the logs of a switch cisco c3650 with graylog, I find a difficulty in reading switch logs. Can anyone help me to explain this logs, I want a clear interpretation of this logs.

Thanks,

Ayoub Labidi

Giuseppe Larosa · ‎05-21-2019

Hello Ayoud,

CDP native vlan mismatch means that a switch port connected to another switch has detected that the two ports belong to two different Vlans.

IF the two ports are in access mode you are joining two Vlans that should stay isolated at layer2.

If the two ports are trunk ports using 802.1Q encapsulation a mismatch in native Vlan may have impacts on IP connectivity.

Usually the message refers to access ports.

the CDP protocol allows to discover a Cisco device directly connected to the local device.

CDP carries some information about the neighbor device including the native Vlan number.

You should fix this issue by putting both ports in the same Vlan if they are access ports, by configuring the same native vlan if they are 802.1Q trunk.

Hope to help

Giuseppe

ayoubblabidi@gmail.com · ‎05-21-2019

Hello Mr.Giuseppe Larosa,
Thank you very much for your attention. Now it's clear, I wanted to interpret this logs of what it is . In addition I have no hand on the switch, I i can't configure or even read configs of switch . On the web interface of graylog I see this logs from switch facility : local 7 ?? , level 4 ?? , message ? ; sequence ? timestampp 2019-04-12T15:39:01.405z )
Thanks,
Ayoub Labidi

Giuseppe Larosa · ‎05-22-2019

Hello Ayoub,

if you have no control on the switch you should report the notes to the people that control it so that they can make corrections to configuration and /or cabling.

About your other questions:

in syslog messages there are some fields that are used to classify messages.

By default Cisco devices send log messages with facility = local 7.

So nothing to care about it.

The level tells how important is the message.

levels are 0 to 7

lowest level means more important.

A device can be configured to send log messages up to a specified level.

This for example avoids to send messages created by debug ( level 7) to the syslog server as they can be a lot and this saves cpu usage on device during troubleshooting.

By default devices should send log messages up to level 5 if I remember correctly.

The sequence is actually the sequence number of the log message as recorded in the device. This should increment by 1 for each log message from device last reboot.

The timestamp provides the date, time, and can include the msecs of the log message using the clock on the network device itself.

The clock is usually synchronized using NTP protocol.

Hope to help

Giuseppe

ayoubblabidi@gmail.com · ‎05-22-2019

Hello Mr.Giuseppe Larosa,

With all my heart , thanks a lot, now reading Cisco switch logs it's clear to me. I understood well what you said. ( facility,level,sequence_number,source,timestamp). All the logs of the switch cisco switch c3650, are "level4", level 4 it meaning = warnings ?? also sir , how can i see the log source with the name of Switch not his address IP ? is there a configuration to do in the switch cisco ?
#logging origin-id hostname Is it with this command ? my problem for the moment I don't have access to the switch to configure it. ("I just have the ip address and the cisco switch port number")

Thanks a lot.

Best regards,
Ayoub Labidi

ayoubblabidi@gmail.com · ‎06-01-2019

Hello everyone,
I collect the logs of a Cisco switch with Graylog, to have the switch logs, I made a script "Prerouting - iptables - graylog- 514-1514 " (Redirect Graylog traffic) ..in graylog I put "input" under port 514, it didn't work, the switch sends the logs on port 514, so it requires a redirect...now i can have switch logs but why graylog does not accept logs under port 514 in the case of switch cisco. Please I want to know exactly why ??
Thanks.

ayoubblabidi@gmail.com · ‎09-12-2019

hello everyone,

Can anyone help me to understand this log message that comes from Switch cisco.

(DHCP_SNOOPING-5-DHCP_SNOOPING_MATCH_MAC_FAIL: DHCP_SNOOPING drop message because the chaddr doesn't match source mac, message type: ............................)

Best Regards,

Ayoub Labidi