syslog to splunk

sir_yrwins
Level 1

I have a switch that needs to send all its logs via SYSLOG to Splunk.

The switch's current configuration is:

logging on
logging host X.X.X.X
logging trap notifications

At Splunk I can see the up/down logs, i.e. only logs 1 and 2, but not 3.

At the switch these are the logs:
1. Nov 19 11:52:04: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/25, changed state to up
2. Nov 19 11:53:58: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/21, changed state to up
3. Nov 19 13:20:30: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: YYY] [Source: x.x.x.x] [localport: 22] at 13:20:30 CST Tue Nov 19 2024

How can I test the switch to see if it is sending all logs via SYSLOG, including SEC_LOGIN-5-LOGIN_SUCCESS?

3 Replies

Try:

login on-failure log
login on-success log

I am on version 17.09.03 ... I don't see that.

If that's all the config you have, and no log discriminator config, you should be getting these logs to Splunk.

If you enter and exit config mode, you should get another level 5/notification type syslog (SYS-5-CONFIG_I). Do you get that in Splunk?

I'm assuming you already have the "login on-failure log" command since you're seeing the logs in the buffer.

Using the same config, I've verified that a switch that I have sends the sec_login-5-login_success command to the syslog server.

Maybe a packet capture between Splunk and the switch to verify what the switch sends to Splunk, or is there something on Splunk's side to verify everything from the switch, not just what Splunk is able to parse?

You could also test increasing the logging trap to warning or debugging (won't matter that much for switch anyway), to see if that has any effect.
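Added example, not code from the thread, Cisco or Splunk: a small Python checker for the two questions raised above. It parses the `%FACILITY-SEVERITY-MNEMONIC:` header of IOS log lines (the three lines from the original post are embedded as the switch buffer), decides which of them the `logging trap <level>` filter should forward (IOS forwards severity numbers less than or equal to the configured level, so a level-5 SEC_LOGIN message passes `notifications` but not `warnings`), decodes the `<PRI>` value that the collector sees on the wire, and reports which buffered lines never arrived. The "collector" list is constructed (the PRI prefixes and sequence numbers are assumptions, not taken from the post); in practice you would fill it from a packet capture or a raw Splunk search for the switch's source address.

```python
import re

# IOS severity keywords for `logging trap <level>`; lower number = more severe.
TRAP_LEVELS = {
    "emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
    "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7,
}

# Matches the IOS message header: %FACILITY-SEVERITY-MNEMONIC: text
MSG_RE = re.compile(
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s*(?P<text>.*)$"
)
# Matches the RFC 3164 <PRI> prefix a syslog receiver sees on the wire.
PRI_RE = re.compile(r"^<(?P<pri>\d{1,3})>")

# Switch buffer: the three lines quoted in the post.
SWITCH_BUFFER = [
    "Nov 19 11:52:04: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/25, changed state to up",
    "Nov 19 11:53:58: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/21, changed state to up",
    "Nov 19 13:20:30: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: YYY] [Source: x.x.x.x] [localport: 22] at 13:20:30 CST Tue Nov 19 2024",
]

# Constructed: what the collector received. PRI = facility*8 + severity; IOS
# defaults to local7 (23), so 23*8+5 = 189 and 23*8+3 = 187. Assumed values.
COLLECTOR = [
    "<189>101: Nov 19 11:52:04: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/25, changed state to up",
    "<187>102: Nov 19 11:53:58: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/21, changed state to up",
]


def parse_ios_syslog(line):
    """Return facility/severity/mnemonic/text from an IOS log line, or None."""
    m = MSG_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    d["severity"] = int(d["severity"])
    return d


def decode_pri(line):
    """Return (facility, severity) from the wire-format <PRI> prefix, or None."""
    m = PRI_RE.match(line)
    if not m:
        return None
    pri = int(m.group("pri"))
    return pri // 8, pri % 8


def passes_trap(msg, trap_level="notifications"):
    """True if `logging trap <trap_level>` forwards a message of this severity."""
    return msg["severity"] <= TRAP_LEVELS[trap_level]


def audit(switch_lines, collector_lines, trap_level="notifications"):
    """Split the switch buffer into lines the trap level drops, lines that
    reached the collector, and lines that should have arrived but did not.
    Matching ignores timestamps and PRI so receiver-side reformatting does
    not produce false 'missing' results."""
    seen = set()
    for line in collector_lines:
        msg = parse_ios_syslog(line)
        if msg:
            seen.add((msg["mnemonic"], msg["text"]))
    result = {"filtered_by_trap": [], "received": [], "missing": []}
    for line in switch_lines:
        msg = parse_ios_syslog(line)
        if msg is None:
            continue
        if not passes_trap(msg, trap_level):
            result["filtered_by_trap"].append(line)
        elif (msg["mnemonic"], msg["text"]) in seen:
            result["received"].append(line)
        else:
            result["missing"].append(line)
    return result


if __name__ == "__main__":
    report = audit(SWITCH_BUFFER, COLLECTOR, "notifications")
    for key, lines in report.items():
        print(f"{key}:")
        for line in lines:
            print("   ", line)
```

With the thread's configuration (`logging trap notifications`) the SEC_LOGIN-5-LOGIN_SUCCESS line lands in `missing`, which points at the transport or the collector rather than at the trap level; rerunning with `"errors"` shows the same line moving to `filtered_by_trap`, which is what a too-low trap level looks like.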