01-13-2010 07:31 AM - edited 03-06-2019 09:16 AM
On a 3560 I have (2) syslog servers defined. Both are up and operational and reachable via ping from the switch. However on the second defined logging server on the output of the sh logging command it states a "link down" (see below for command output). This syslog server is not receiving any syslog traps defined. The logging defined is logging trap warnings. I have verified trap messages are in the log output at the defined severity level and above(error/critical). My assumption is that the link down has something to do with why no syslog is being sent to this server.
Logging to x.x.x.x (udp port 514, audit disabled,
authentication disabled, encryption disabled, link up),
225 message lines logged,
0 message lines rate-limited,
0 message lines dropped-by-MD,
xml disabled, sequence number disabled
filtering disabled
Logging to x.x.x.x (udp port 514, audit disabled,
authentication disabled, encryption disabled, link down),
0 message lines logged,
0 message lines rate-limited,
0 message lines dropped-by-MD,
xml disabled, sequence number disabled
filtering disabled
thanks,
james
01-13-2010 07:39 AM
fatboyinva wrote:
On a 3560 I have (2) syslog servers defined. Both are up and operational and reachable via ping from the switch. However on the second defined logging server on the output of the sh logging command it states a "link down" (see below for command output). This syslog server is not receiving any syslog traps defined. The logging defined is logging trap warnings. I have verified trap messages are in the log output at the defined severity level and above(error/critical). My assumption is that the link down has something to do with why no syslog is being sent to this server.
Logging to x.x.x.x (udp port 514, audit disabled,
authentication disabled, encryption disabled, link up),
225 message lines logged,
0 message lines rate-limited,
0 message lines dropped-by-MD,
xml disabled, sequence number disabled
filtering disabled
Logging to x.x.x.x (udp port 514, audit disabled,
authentication disabled, encryption disabled, link down),
0 message lines logged,
0 message lines rate-limited,
0 message lines dropped-by-MD,
xml disabled, sequence number disabled
filtering disabledthanks,
james
James
You assumption is correct. For some reason the switch thinks that the second syslog server is not working hence the reason it doesn't send any messages.
I know you said you could ping it but can you confirm that the syslog service is actually up and running on the 2nd server and that there is filtering either
1) on the syslog server itself
2) along the path from the switch to the syslog server that is denying udp port 514
Jon
01-13-2010 07:59 AM
Jon,
To answer your questions:
1) Syslog is running on the server. The windows server is running Kiwi/Solarwinds. When I do a netstat -an I see udp 514 listening:
UDP 0.0.0.0:514 *:*
I am also receiving other syslog data from Cisco switches on this syslog server. In addition windows firewall is turned off.
2) The only device between this Cisco 3560 and the syslog server is another Cisco switch (distribution switch). No firewall or other blocking device exists in addition to any access lists. Here's a sample traceroute;
Type escape sequence to abort.
Tracing the route to
1 x.x.x x msec 0 msec 0 msec
2
thanks for your reply.
06-23-2010 04:50 AM
Hi Folks
Good Afternoon
I am facing the same issue as describe above with a few 4948's switches. I was wondering if any solution was found?
many thanks
06-23-2010 01:18 PM
Hello,
I did not find a fix, but the resolution in our case was to reload the switch. That seemed to clear the ip sockets table. Also, a helpful command that was used is sh ip sockets. Here is a sample output:
Proto Remote Port Local Port In Out Stat TTY OutputIF
17 --listen-- 1.2.1.41 1975 0 0 11 0
17 0.0.0.0 0 1.2.1.41 67 0 0 2211 0
17 0.0.0.0 0 1.2.1.41 2228 0 0 211 0
17 10.1.1.1 60059 1.2.1.41 161 0 0 1 0
17 --listen-- 1.2.1.41 162 0 0 11 0
17 --listen-- 1.2.1.41 60380 0 0 1 0
17 --listen-- --any-- 161 0 0 20001 0
17 --listen-- --any-- 162 0 0 20011 0
17 --listen-- --any-- 64379 0 0 20001 0
17 --listen-- 1.2.1.41 123 0 0 1 0
17 172.17.9.2 514 1.2.1.41 58781 0 0 400201 0
17 172.17.8.2 514 1.2.1.41 55647 0 0 400201 0
thanks,
james
06-23-2010 02:08 PM
thanks James I will try it.
Thanks again for that I do appreciate.
Rommel
On Wed, Jun 23, 2010 at 9:18 PM, jawill47ec <
04-08-2014 07:48 PM
Probably poor form to wake this up from many years ago, but we found today that turning off syslog and turning it back on (after confirming routes are OK) also reset this functionality - tested on a 3750. (It could have been the trap level as well, we changed this at the same time).
Commands:
# no logging trap warnings
# logging trap informational
11-07-2014 07:24 AM
Not at all, this solution worked for us. Thank you for posting!
07-08-2015 01:50 PM
Thank you! This worked for us on a 6509E.
09-20-2016 05:38 AM
This is still a current solution! Used it this morning on a pair of ASR1006 routers. Many thanks.
08-02-2017 07:51 AM
Worked for me for our IE2000s. Changing the logging level is what did it. Changed it to informational the link came up. Changed it back to warning and the link stayed up.
07-29-2018 04:14 AM
I am using IBM Qrador , I was not able to send logs after command i am getting logs
no logging trap warnings
logging trap informational
thanks again for the solution
05-27-2023 01:17 AM
i am using IBM Qrador, Can you send full configuration ?
Thanks
08-31-2018 01:10 PM
Thank you sir, this worked!
02-20-2019 04:07 PM
Hey, worked liked a charm, thanks, better late then never.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide