Syslog Traffic Monitoring

heemalb13
Level 1

Hi,

I am new to Cisco and was trying to export syslog from my 3845 router interface G0/1/0.

I inserted the following, but I am still not able to receive syslogs from my interface.

RTR-CIS-LIV-502(config)#interface gigabitEthernet 0/1/0
RTR-CIS-LIV-502(config-if)#ip flow ingress
RTR-CIS-LIV-502(config-if)#ip flow egress
RTR-CIS-LIV-502(config-if)#ip route-cache flow

Also I have set the following in conf t mode:

ip flow-cache timeout active 1
ip flow-export source GigabitEthernet0/1/0
ip flow-export version 5
ip flow-export destination 192.168.20.72 2025

But I still cannot receive any syslog traffic on my server (Syslog Watcher 4).

RTR-CIS-LIV-502#show ip flow export
Flow export v5 is enabled for main cache
  Export source and destination details :
  VRF ID : Default
    Source(1)       192.168.159.1 (GigabitEthernet0/1/0)
    Destination(1)  192.168.20.72 (2025)
  Version 5 flow records
  7942482 flows exported in 322095 udp datagrams
  0 flows failed due to lack of export packet
  0 export packets were sent up to process level
  0 export packets were dropped due to no fib
  5 export packets were dropped due to adjacency issues
  0 export packets were dropped due to fragmentation failures
  0 export packets were dropped due to encapsulation fixup failures

RTR-CIS-LIV-502#show ip cache flow
IP packet size distribution (402971229 total packets):
   1-32   64   96  128  160  192  224  256  288  320  352  384  416  448  480
   .001 .438 .045 .013 .008 .006 .003 .005 .001 .000 .000 .000 .000 .001 .001

    512  544  576 1024 1536 2048 2560 3072 3584 4096 4608
   .002 .000 .001 .013 .453 .000 .000 .000 .000 .000 .000

IP Flow Switching Cache, 278544 bytes
  0 active, 4096 inactive, 7942412 added
  113115482 ager polls, 0 flow alloc failures
  Active flows timeout in 1 minutes
  Inactive flows timeout in 15 seconds
IP Sub Flow Cache, 34056 bytes
  0 active, 1024 inactive, 7616347 added, 7616347 added to flow
  0 alloc failures, 0 force free
  1 chunk, 3 chunks added
  last clearing of statistics never

Protocol         Total    Flows   Packets Bytes  Packets Active(Sec) Idle(Sec)
--------         Flows     /Sec     /Flow  /Pkt     /Sec     /Flow     /Flow
TCP-Telnet        2329      0.0        96   140      0.0      22.9      11.2
TCP-FTP            455      0.0        15    75      0.0      11.4       9.0
TCP-FTPD           428      0.0       210   712      0.0       2.5       1.4
TCP-WWW          10684      0.0         5   415      0.0       3.5       3.4
TCP-SMTP             2      0.0         6    48      0.0      21.8      15.4
TCP-X                1      0.0         3    50      0.0       9.0      15.4
TCP-other      6990239      1.6        57   690     92.9       2.4       7.7
UDP-DNS          46576      0.0         1    61      0.0       0.1      15.4
UDP-other       693094      0.1         2    97      0.3       0.8      15.4
ICMP            198604      0.0         7    64      0.3      17.3      12.4
Total:         7942412      1.8        50   685     93.8       2.6       8.5

SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP  Pkts

Can anyone please help?

Heemal...

2 Accepted Solutions


Edwin Summers
Level 3

Are you trying to export syslog notifications, or NetFlow flow information? Your message indicates that you want syslog, but your configuration is for a NetFlow record export.

If you are trying to send syslog messages to a logging server, try the information described in this document:

https://supportforums.cisco.com/docs/DOC-4788

A search on "Cisco logging" or "Cisco syslog" should also produce additional details.

Best of luck!

Ed


Don Jacob
Level 1

Ed is right. You have enabled NetFlow export on your router, but you are using a syslog tool to capture the data. NetFlow and syslog are 2 different technologies, so the syslog tool will not work with NetFlow.

Your options are:

1. If your intention was to find the bandwidth usage, the IP addresses using bandwidth, the applications involved and other traffic analytics, simply install a NetFlow collector. There are many on the market, including SolarWinds NPM with NetFlow Traffic Analyzer, ManageEngine, Plixer Scrutinizer or even the SolarWinds free Real-Time NetFlow Analyzer.

2. If you really wanted syslog for fault notification and auditing, use the same syslog tool and reconfigure the router to export syslogs using the link Ed provided.

Regards,
Don Thomas Jacob
http://www.solarwinds.com/netflow-traffic-analyzer.aspx

NOTE: Please rate posts and close questions if you have found the required information

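To make the point in both answers concrete, here is an added Python example (not code from the thread or from either responder) that classifies what actually arrives on a UDP listener: a NetFlow v5 export datagram like the ones the router above is sending to port 2025, or a syslog message that a tool such as Syslog Watcher expects. The sample datagrams are constructed for this example; the addresses other than 192.168.20.72 are made up.

```python
import re
import socket
import struct

# NetFlow v5 wire format: 24-byte header, then up to 30 records of 48 bytes each.
NF5_HEADER = struct.Struct("!HHIIIIBBH")  # version, count, uptime, secs, nsecs, seq, engine type/id, sampling
NF5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")  # src, dst, nexthop, ifaces, pkts, bytes, times, ports...


def classify_datagram(payload: bytes) -> dict:
    """Tell NetFlow v5 export datagrams apart from syslog messages.

    NetFlow v5 begins with a big-endian version field equal to 5 and a record count
    that must match the datagram length; syslog begins with ASCII "<PRI>", where
    PRI = facility * 8 + severity (RFC 3164/5424). Anything else is "unknown".
    """
    if len(payload) >= NF5_HEADER.size:
        version, count, _uptime, _secs, _nsecs, seq, *_ = NF5_HEADER.unpack_from(payload)
        if version == 5 and 1 <= count <= 30 and len(payload) == NF5_HEADER.size + count * NF5_RECORD.size:
            flows = []
            for i in range(count):
                r = NF5_RECORD.unpack_from(payload, NF5_HEADER.size + i * NF5_RECORD.size)
                flows.append({"src": socket.inet_ntoa(r[0]), "dst": socket.inet_ntoa(r[1]),
                              "proto": r[13], "sport": r[9], "dport": r[10],
                              "pkts": r[5], "bytes": r[6]})
            return {"kind": "netflow-v5", "flow_sequence": seq, "flows": flows}
    m = re.match(rb"<(\d{1,3})>", payload)
    if m and int(m.group(1)) <= 191:  # facilities 0-23 and severities 0-7 give PRI 0..191
        pri = int(m.group(1))
        return {"kind": "syslog", "facility": pri // 8, "severity": pri % 8,
                "message": payload[m.end():].decode("utf-8", "replace")}
    return {"kind": "unknown"}


def build_netflow_v5_sample() -> bytes:
    """Constructed NetFlow v5 datagram carrying one TCP/443 flow (not a real capture)."""
    header = NF5_HEADER.pack(5, 1, 123456, 1700000000, 0, 7942482, 0, 0, 0)
    record = NF5_RECORD.pack(
        socket.inet_aton("192.168.159.10"), socket.inet_aton("192.168.20.72"),
        socket.inet_aton("0.0.0.0"), 1, 2, 57, 39330, 100000, 160000,
        51234, 443, 0, 0x18, 6, 0, 0, 0, 24, 24, 0)
    return header + record


# Constructed IOS-style syslog line: PRI 189 = local7 (23) * 8 + notice (5).
SYSLOG_SAMPLE = b"<189>37: *Mar  1 00:12:11.123: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1/0, changed state to up"

if __name__ == "__main__":
    for name, data in (("netflow", build_netflow_v5_sample()), ("syslog", SYSLOG_SAMPLE)):
        print(name, "->", classify_datagram(data)["kind"])
```

Pointing a syslog tool at port 2025 yields nothing because every datagram is classified as NetFlow, so either a NetFlow collector must listen there or the router must be configured with `logging host` for syslog, as the answers describe.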


3 Replies


Well noted. Thanks a lot Ed and Don.
