11-25-2018 03:02 AM
Hello Bros'
I have UCS system with Fabric interconnect 6248UP - Chassis 5108AC2.IFTA-FI - UCS Manager 3.1(3a).
I have tried to send all system logs to a remote syslog server but still not receiving any.
How does syslog for the UCS work: "UDP or TCP, default port or can it be changed to another"?
Config snapshot attached.
What is stopping the logs from being forwarded, please?
TIA
11-25-2018 06:56 AM - edited 11-25-2018 07:01 AM
Greetings.
The UCSM will use UDP over port 514.
As the syslog traffic will come from the UCSM 1Gb mgmt interfaces, you can sniff that with the built in nxos ethanalyzer tool:
Log into UCSM vip IP via putty/ssh:
#connect nxos
nxos#ethanalyzer local interface mgmt capture-filter "port 514" limit-captured-frames 0 detail
If you don't see any frames show up here, then try changing the Remote Destination level from your current setting to "information", which should trigger some syslog entries. Don't forget to change it back after testing, or your syslog server will get spammed.
If your ethanalyzer output shows traffic to your destination, but you are not seeing it on your syslog server, then you need to check with your network folks to chase down ACLs/firewall rules, to see what is filtering out the traffic.
Thanks,
Kirk...
12-02-2018 05:50 AM
Hello.
I have used the commands as you told me and information level debugging, but still no output at all!
Are there any commands to check whether the syslog service is up/down from the GUI?
12-02-2018 06:29 AM
If you log into the CLI, we can confirm the settings, that should mirror the GUI settings:
SSH into UCSM VIP:
#scope monitoring
monitoring#show syslog
You can also see some of the events that 'should' be sent/processed to syslog server by checking fault list
monitoring#show fault
Note the severity category for the entries.
You may also want to temporarily change the 'level' to debug as well, and see if your ethanalyzer session starts to display frames.
Thanks,
Kirk...
12-03-2018 10:38 AM
Hi.
Thank you for the commands, very helpful.
I have checked and the last log in the fabric was more than 10 days ago.
Is it possible to initiate an action that creates a log, to check its receipt at the syslog server?
12-03-2018 11:16 AM
Try configuring an FI port as a network uplink, one that doesn't have an SFP plugged in.
You should get alerts, assuming the port is admin enabled.
Thanks,
Kirk...
12-06-2018 02:10 AM
Finally I have received some logs "some Linux intervention and port redirection was needed", but I have two notices:
1- All the logs are received from the subordinate, not the primary fabric IP or the virtual IP. Why is that? Is this normal behavior?
2- Most of the logs have the message "..... 5 18:55:55 UTC: last message repeated 1 time". Where is the original log that was repeated? Is it possible to disable this repetition log and send the original message?
Thank you IA
M.Ramadan
12-08-2018 11:18 PM
Hi,
Now I am receiving logs from both fabrics, but I still need to stop this kind of log message, " 5 18:55:55 UTC: last message repeated 1 time", because it is so vague, and make it send the actual log message "unless this will affect the performance".
TIA
12-09-2018 05:37 AM
Sounds like you need to raise the 'level' back to critical or error. If you have it set to debug or informational, you are going to get spammed with alerts like that.
When you turn on syslog forwarding, it starts forwarding alerts as they are generated in real time. It does not re-forward all previous syslog events.
Thanks,
Kirk...
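For checking receipt on the syslog server side and reading the "last message repeated" notices discussed in this thread, here is an added example (not from the thread or from Cisco): a small Python UDP listener that decodes the syslog PRI into facility and severity and pairs each repeat notice with the previous message from the same sender. The listening port 5514 and the pairing rule are assumptions, and the sample datagrams are constructed.

```python
import re
import socket

# Syslog severity names; severity = PRI % 8, facility = PRI // 8 (RFC 3164).
SEVERITIES = ["emergency", "alert", "critical", "error",
              "warning", "notice", "information", "debug"]
PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)
REPEAT_RE = re.compile(r"last message repeated (\d+) times?")

def parse_datagram(data):
    """Return (facility, severity, text); both numbers are None without a valid PRI."""
    text = data.decode("utf-8", errors="replace").strip()
    m = PRI_RE.match(text)
    if not m or int(m.group(1)) > 191:
        return None, None, text
    pri = int(m.group(1))
    return pri // 8, pri % 8, m.group(2)

class RepeatResolver:
    """Pairs each repeat notice with the previous message from the same sender.
    Assumption: the notice refers to the sender's immediately preceding message."""
    def __init__(self):
        self.last = {}  # sender IP -> (severity, text) of the last real message
    def handle(self, sender, data):
        _, severity, text = parse_datagram(data)
        m = REPEAT_RE.search(text)
        if m:
            sev, original = self.last.get(sender, (None, None))
            return {"sender": sender, "severity": sev, "text": original,
                    "repeated": int(m.group(1))}
        self.last[sender] = (severity, text)
        return {"sender": sender, "severity": severity, "text": text, "repeated": 0}

def listen(host="0.0.0.0", port=5514):
    """Print every datagram received; port 5514 is an assumed unprivileged port."""
    resolver = RepeatResolver()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((host, port))
        while True:
            data, (sender, _) = sock.recvfrom(8192)
            ev = resolver.handle(sender, data)
            sev = ev["severity"]
            name = SEVERITIES[sev] if sev is not None else "unknown"
            print(sender, name, "repeated=%d" % ev["repeated"], ev["text"])

# Constructed sample datagrams (not captured from a real fabric interconnect).
SAMPLE = [b"<187>2018 Dec  5 18:55:40 UTC: constructed link-down event",
          b"<189>2018 Dec  5 18:55:55 UTC: last message repeated 1 time"]

if __name__ == "__main__":
    listen()
```

A repeat notice that arrives before any other message from that sender is reported with `text` set to `None`, which shows the original was sent before the listener started or was lost in transit.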
12-12-2018 01:00 PM
12-12-2018 04:52 PM - edited 12-15-2018 03:55 PM
Please take a look at https://www.cisco.com/c/en/us/td/docs/unified_computing/ucs/sw/ucsm_syslog/b_Monitoring_Cisco_UCSM_Using_Syslog/b_Monitoring_Cisco_UCSM_Using_Syslog_chapter_01.html
This has some samples of the types of alerts that the various logging levels would generate, and explanations of the levels.
Most customers do not set the levels lower than Warning (level 4), or you end up spamming your alert systems.
Thanks,
Kirk...
12-14-2018 01:59 AM
09-19-2024 06:27 AM
Hi Kirk,
Greetings
I wanted to confirm whether the UCS FI syslog forwarding policy can be configured with TCP? We have Intersight managed UCS FIs where we need to configure syslog policy but only UDP seems to be forwarding?
Thanks in advance!
Aasim