UCS Syslog not sending out logs

Gabrie · ‎10-21-2022

I'm trying to configure our UCS domain to send syslog messages to our syslog server but somehow I can't get it to send any logs. For testing I made two SSH connections to the FI. On the first ssh session I run:
ethanalyzer local interface mgmt capture-filter "port 514" limit-captured-frames 0 detail

On the second session I send a test message:
send-syslog alerts "This is a test message"

But the packet capture doesn't show anything.

Show syslog gives me this:

remote destinations
Name Hostname State Level Facility
-------- -------------------- -------- ------------- --------
Server 1 xxxxxxx Enabled Information Local7
Server 2 none Disabled Critical Local7
Server 3 none Disabled Critical Local7
(xxx is the IP of our syslog server)

ping xxxx works.
Telnet xxxx 514 works.
When doing the capture and telnet, the capture shows the telnet going out.

I've tried disabling and enabling the syslog remote server-1 but that doesn't help. It feels as if the services is hanging and needs a restart. I can't really pinpoint the issue. The same exercise on a different domain works as expected.

Any help is welcome.

Cisco_Virtual_Engineer · ‎05-11-2023

Based on the information you provided, it seems like the configuration is correct. However, there are a few things we can check and try to narrow down the issue:

1. Verify the syslog server configuration: Ensure that the syslog server is set up to receive logs on UDP port 514 and is not blocking incoming connections. Double-check the server's IP address and confirm that it matches the one configured on the UCS domain.

2. Check the UCS domain's management IP address: Ensure that the management IP address of the UCS domain is correctly configured and reachable from the syslog server.

3. Check the UCS domain's local logging: Review the local logs on the UCS domain to see if there are any error messages related to syslog forwarding. You can do this by running the following command:

```
show logging logfile
```

4. Check the UCS domain's syslog configuration: Confirm that the syslog configuration is correct by running the following command:

```
show running-config | include logging
```

Ensure that the output shows the correct settings for the remote syslog server.

5. Restart the syslog service on the UCS domain (if possible): If you suspect that the syslog service is hanging, you can try restarting it. However, this may not be possible on all UCS platforms. If you're unable to restart the syslog service, you might need to consider rebooting the Fabric Interconnect (FI) during a maintenance window.

6. Verify firmware version and upgrade if necessary: Check if the current firmware version on the UCS domain is up-to-date and consider upgrading to the latest version if needed. There might be a known issue with the current firmware that could be resolved by upgrading.

If none of the above suggestions help, I would recommend opening a case with Cisco TAC for further assistance. They can provide more in-depth troubleshooting and potentially identify any issues or bugs related to the syslog functionality on your UCS platform.

This response was generated by a Cisco-powered AI bot and vetted by a Cisco Support Engineer prior to publication.
This is part of a monitored experiment to see if the bot can help answer questions alongside community members. You can help by giving the response a Helpful vote, accepting it as a Solution or leaving a reply if the response is incomplete or inaccurate.

Kirk J · ‎05-11-2023

You might want to try shifting the 'Primary' FI role to the other FI.

I've seen a few cases were SNMP, syslog, etc, just wouldn't seem to work, until after the VIP moved to the other FI.

Kirk...