Syslog server - to check if events are really being logged to server

Keshav Boodhun · ‎06-23-2022

Hello Guys,

Actually I have received a show tech output, and from show running it has configured logging x.x.x.x for syslog.

I wanted to know from show tech, will I be able to know if it's really sending logs to the server x.x.x.x.

Models: WS-3750X & WS-2960X

Thanks

Flavio Miranda · ‎06-23-2022

Hi

If you attach the show tech here we can take a look. It is impossible to remember all information present in show tech to afirm this.

But, what you really should do is look at syslog server. Does the logs gets there?

for you reference

https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750x_3560x/software/release/12-2_53_se/configuration/guide/3750xscg/swlog.html

Keshav Boodhun · ‎06-23-2022

Unfortunately, I don't have hands on the syslog server. PFA.

balaji.bandi · ‎06-23-2022

You do not need show tech to view that.

show logging is good enough to show is the logs are send to Log server ( you can see how many logs shipped ?)

can you post

show run | in logging

show logging

to assists better.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Keshav Boodhun · ‎06-23-2022

------------------ show logging ------------------

Syslog logging: enabled (0 messages dropped, 0 messages rate-limited, 0 flushes, 0 overruns, xml disabled, filtering disabled)

No Active Message Discriminator.

No Inactive Message Discriminator.

Console logging: level debugging, 24936486 messages logged, xml disabled,
filtering disabled
Monitor logging: level debugging, 0 messages logged, xml disabled,
filtering disabled
Buffer logging: level debugging, 24936486 messages logged, xml disabled,
filtering disabled
Exception Logging: size (4096 bytes)
Count and timestamp logging messages: disabled
File logging: disabled
Persistent logging: disabled

No active filter modules.

Trap logging: level informational, 24936491 message lines logged
Logging to 10.0.1.21 (udp port 514, audit disabled,
authentication disabled, encryption disabled, link up),
24936491 message lines logged,
0 message lines rate-limited,
0 message lines dropped-by-MD,
xml disabled, sequence number disabled
filtering disabled

Log Buffer (4096 bytes):
NOTIF: Host 0000.0000.0c00 in vlan 6 is flapping between port Gi1/0/5 and port Gi2/0/4
*Jun 2 22:41:21.378: %SW_MATM-4-MACFLAP_NOTIF: Host 0000.0000.0c00 in vlan 8 is flapping between port Gi1/0/16 and port Gi2/0/17
*Jun 2 22:41:27.417: %SW_MATM-4-MACFLAP_NOTIF: Host faa4.1e1f.c904 in vlan 4 is flapping between port Gi1/0/14 and port Gi2/0/10
*Jun 2 22:41:32.979: %SW_MATM-4-MACFLAP_NOTIF: Host faa4.1b03.e604 in vlan 4 is flapping between port Gi1/0/14 and port Gi2/0/10
*Jun 2 22:41:36.485: %SW_MATM-4-MACFLAP_NOTIF: Host 0000.0000.0c01 in vlan 6 is flapping between port Gi2/0/4 and port Gi2/0/6
*Jun 2 22:41:36.485: %SW_MATM-4-MACFLAP_NOTIF: Host 0000.0000.0c01 in vlan 8 is flapping between port Gi2/0/16 and port Gi2/0/17
*Jun 2 22:41:36.485: %SW_MATM-4-MACFLAP_NOTIF: Host 0000.0000.0c00 in vlan 8 is flapping between port Gi2/0/17 and port Gi1/0/16
*Jun 2 22:41:36.494: %SW_MATM-4-MACFLAP_NOTIF: Host 0000.0000.0c00 in vlan 6 is flapping between port Gi2/0/4 and port Gi1/0/5
*Jun 2 22:41:43.859: %SW_MATM-4-MACFLAP_NOTIF: Host faa4.1341.2c04 in vlan 4 is flapping between port Gi2/0/10 and port Gi1/0/14
*Jun 2 22:41:44.262: %SW_MATM-4-MACFLAP_NOTIF: Host faa4.1e1f.c904 in vlan 4 is flapping between port Gi1/0/14 and port Gi2/0/10
*Jun 2 22:41:51.585: %SW_MATM-4-MACFLAP_NOTIF: Host 0000.0000.0c01 in vlan 8 is flapping between port Gi2/0/17 and port Gi2/0/16
*Jun 2 22:41:51.585: %SW_MATM-4-MACFLAP_NOTIF: Host 0000.0000.0c01 in vlan 6 is flapping between port Gi2/0/6 and port Gi2/0/4
*Jun 2 22:41:51.585: %SW_MATM-4-MACFLAP_NOTIF: Host 0000.0000.0c00 in vlan 6 is flapping between port Gi1/0/5 and port Gi2/0/4
*Jun 2 22:41:51.585: %SW_MATM-4-MACFLAP_NOTIF: Host 0000.0000.0c00 in vlan 8 is flapping between port Gi1/0/16 and port Gi2/0/17
*Jun 2 22:41:58.220: %SW_MATM-4-MACFLAP_NOTIF: Host faa4.1e1f.c904 in vlan 4 is flapping between port Gi1/0/14 and port Gi2/0/10
*Jun 2 22:42:06.668: %SW_MATM-4-MACFLAP_NOTIF: Host 0000.0000.0c00 in vlan 8 is flapping between port Gi2/0/17 and port Gi1/0/16
*Jun 2 22:42:06.676: %SW_MATM-4-MACFLAP_NOTIF: Host 0000.0000.0c00 in vlan 6 is flapping between port Gi2/0/4 and port Gi1/0/5
*Jun 2 22:42:06.684: %SW_MATM-4-MACFLAP_NOTIF: Host 0000.0000.0c01 in vlan 8 is flapping between port Gi2/0/17 and port Gi2/0/16
*Jun 2 22:42:06.684: %SW_MATM-4-MACFLAP_NOTIF: Host 0000.0000.0c01 in vlan 6 is flapping between port Gi2/0/6 and port Gi2/0/4
*Jun 2 22:42:16.608: %SW_MATM-4-MACFLAP_NOTIF: Host faa4.1e1f.c904 in vlan 4 is flapping between port Gi1/0/14 and port Gi2/0/10
*Jun 2 22:42:21.784: %SW_MATM-4-MACFLAP_NOTIF: Host 0000.0000.0c01 in vlan 6 is flapping between port Gi2/0/4 and port Gi2/0/6
*Jun 2 22:42:21.784: %SW_MATM-4-MACFLAP_NOTIF: Host 0000.0000.0c01 in vlan 8 is flapping between port Gi2/0/16 and port Gi2/0/17
*Jun 2 22:42:21.826: %SW_MATM-4-MACFLAP_NOTIF: Host 0000.0000.0c00 in vlan 8 is flapping between port Gi2/0/17 and port Gi1/0/16
*Jun 2 22:42:21.834: %SW_MATM-4-MACFLAP_NOTIF: Host 0000.0000.0c00 in vlan 6 is flapping between port Gi2/0/4 and port Gi1/0/5
*Jun 2 22:42:27.505: %SW_MATM-4-MACFLAP_NOTIF: Host faa4.1e1f.c904 in vlan 4 is flapping between port Gi1/0/14 and port Gi2/0/10
*Jun 2 22:42:34.962: %SW_MATM-4-MACFLAP_NOTIF: Host faa4.1b03.e604 in vlan 4 is flapping between port Gi2/0/10 and port Gi1/0/14
*Jun 2 22:42:37.043: %SW_MATM-4-MACFLAP_NOTIF: Host 0000.0000.0c01 in vlan 6 is flapping between port Gi2/0/6 and port Gi2/0/4
*Jun 2 22:42:37.043: %SW_MATM-4-MACFLAP_NOTIF: Host 0000.0000.0c01 in vlan 8 is flapping between port Gi2/0/16 and port Gi2/0/17
*Jun 2 22:42:37.043: %SW_MATM-4-MACFLAP_NOTIF: Host 0000.0000.0c00 in vlan 8 is flapping between port Gi1/0/16 and port Gi2/0/17
*Jun 2 22:42:37.043: %SW_MATM-4-MACFLAP_NOTIF: Host 0000.0000.0c00 in vlan 6 is flapping between port Gi2/0/4 and port Gi1/0/5
*Jun 2 22:42:39.039: %SW_MATM-4-MACFLAP_NOTIF: Host faa4.1e1f.c904 in vlan 4 is flapping between port Gi1/0/14 and port Gi2/0/10
*Jun 2 22:42:49.827: %SW_MATM-4-MACFLAP_NOTIF: Host faa4.1341.2c04 in vlan 4 is flapping between port Gi1/0/14 and port Gi2/0/10

Leo Laohoo · ‎06-23-2022

@Keshav Boodhun wrote:

Logging to 10.0.1.21

Logs are sent to this IP address.

balaji.bandi · ‎06-23-2022

Logging to 10.0.1.21 (udp port 514, audit disabled,
authentication disabled, encryption disabled, link up),
24936491 message lines logged,

Do you have syslog server running and listening on port 514 UDB - do you have any FW in bettwen which stop shipping the logs to syslog server from device ?

Do you see any other device can send Logs to syslog Server ?

what is the Device IP address ? can you able to ping syslog server ?

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Keshav Boodhun · ‎06-23-2022

Unfortunately I don't have any access to the network at the client.

And as per my last network scan, it did not detect the syslog server.

The device IP is 10.100.100.51.

balaji.bandi · ‎06-23-2022

10.100.100.51 and syslog server not in same VLAN so i am sure something in the middle stopping

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Keshav Boodhun · ‎06-24-2022

Yes there is a communication between these 2 networks on the firewall.

My question: From the logs, is there any way to confirm whether it's failing to reach the syslog server ? Or the way only way to check is looking on the syslog server itself.