
Not successful Forwarding all logs in UCS to syslog server

Hello Bros'

I have a UCS system with Fabric Interconnect 6248UP - Chassis 5108AC2.IFTA-FI - UCS Manager 3.1(3a).

I have tried to send all system logs to a remote syslog server but still not receiving any.

How does syslog for the UCS work: UDP or TCP, default port or can it be changed to another?

Config snapshot attached.

What is stopping the logs from being forwarded, please?

TIA

 


Kirk J
Cisco Employee

Greetings.

The UCSM will use UDP over port 514.

As the syslog traffic will come from the UCSM 1Gb mgmt interfaces, you can sniff that with the built-in NX-OS ethanalyzer tool:

Log into UCSM vip IP via putty/ssh:

#connect nxos

nxos#ethanalyzer local interface mgmt capture-filter "port 514" limit-captured-frames 0 detail

 

 

If you don't see any frames show up here, then try changing the Remote Destination level from your current setting to "information", which should trigger some syslog entries. Don't forget to change it back after testing, or your syslog server will get spammed.

 

If your ethanalyzer output shows traffic to your destination, but you are not seeing it on your syslog server, then you need to check with your network folks to chase down ACLs/firewall rules, to see what is filtering out the traffic.

 

Thanks,

Kirk...

 

 

Hello.

I have used the commands as you told me, with information-level debugging, but still no output at all!!!

Are there any commands to check whether the syslog service is up/down from the GUI?

If you log into the CLI, we can confirm the settings, that should mirror the GUI settings:

SSH into UCSM VIP:

#scope monitoring

monitoring#show syslog

 

You can also see some of the events that 'should' be sent/processed to the syslog server by checking the fault list:

monitoring#show fault

Note the severity category for the entries.

You may also want to temporarily change the 'level' to debug as well, and see if your ethanalyzer session starts to display frames.

 

Thanks,

Kirk...

 

Hi.

Thank you for the commands, very helpful.

I have checked, and the last log in the fabric was more than 10 days ago.

Is it possible to initiate an action that creates a log, to check its receipt at the syslog server?

Try configuring an FI port as a network uplink, one that doesn't have an SFP plugged in.

You should get alerts, assuming the port is admin enabled.

 

Thanks,

Kirk...

Finally I have received some logs "some Linux intervention and port redirection was needed", but I have two notes:

1- All the logs are received from the subordinate, not the primary fabric IP or the virtual IP. Why is that? Is this normal behavior?

2- Most of the logs have the message "..... 5 18:55:55 UTC: last message repeated 1 time". Where is the original log that was repeated? Is it possible to disable this repetition log and send the original message?

Thank you IA

M.Ramadan

Hi,

Now I am receiving logs from both fabrics, but I still need to stop this kind of log message " 5 18:55:55 UTC: last message repeated 1 time" because it's so vague, and make it send the actual log message "unless this will affect the performance".

TIA

Sounds like you need to raise the 'level' back to critical or error. If you have it set to debug or informational, you are going to get spammed with alerts like that.

When you turn on syslog forwarding, it starts forwarding alerts as they are generated in real time. It does not re-forward all previous syslog events.

 

Thanks,

Kirk...

About the second paragraph, I agree with you.
But for the first paragraph, I think you mean that as my logging level is informational or warning, I will get this kind of log and repetition message. And to avoid that I need to set it to error or critical? And this is the only way?

Please take a look at https://www.cisco.com/c/en/us/td/docs/unified_computing/ucs/sw/ucsm_syslog/b_Monitoring_Cisco_UCSM_Using_Syslog/b_Monitoring_Cisco_UCSM_Using_Syslog_chapter_01.html

This has some samples of the types of alerts that the various logging levels would generate, and explanations of the levels.

Most customers do not set the levels lower than Warning (level 4), or you end up spamming your alert systems.

Thanks,

Kirk...

Thank you Kirk so much.
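
A receiver-side check for the points raised in this thread, added here as an example (not posted by any participant and not Cisco code): it decodes the syslog `<PRI>` prefix into a severity, counts messages per source IP so both fabric interconnects can be confirmed, and pairs each "last message repeated" notice with the preceding message from the same source. Assumptions: the messages carry a standard `<PRI>` prefix, the repeat notice follows the classic syslogd convention of referring to the previous message from that sender, the listener runs on unprivileged port 5514 with UDP 514 redirected to it, and the sample datagrams and addresses are constructed.

```python
import re
import socket
from collections import Counter

SEVERITIES = ["emergency", "alert", "critical", "error",
              "warning", "notice", "information", "debug"]
PRI_RE = re.compile(r"^<(\d{1,3})>")
REPEAT_RE = re.compile(r"last message repeated (\d+) times?")

def parse_pri(msg):
    """Return (facility, severity_name) from the leading <PRI>, or None."""
    m = PRI_RE.match(msg)
    if not m or int(m.group(1)) > 191:   # valid PRI range is 0..191
        return None
    pri = int(m.group(1))
    return pri >> 3, SEVERITIES[pri & 7]

def summarize(records):
    """records: iterable of (source_ip, message). Counts messages per
    (source, severity) and resolves each repeat notice to the preceding
    message from the same source (None if nothing was seen before it)."""
    counts, last_seen, repeats = Counter(), {}, []
    for src, msg in records:
        parsed = parse_pri(msg)
        counts[(src, parsed[1] if parsed else "unparsed")] += 1
        body = PRI_RE.sub("", msg)
        m = REPEAT_RE.search(body)
        if m:
            repeats.append((src, int(m.group(1)), last_seen.get(src)))
        else:
            last_seen[src] = body
    return counts, repeats

def listen(port=5514, host="0.0.0.0"):
    """Yield (source_ip, message) for each UDP datagram received."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((host, port))
        while True:
            data, (src, _) = sock.recvfrom(8192)
            yield src, data.decode("utf-8", errors="replace")

# Constructed sample datagrams (documentation addresses, invented text).
SAMPLE = [
    ("192.0.2.11", "<187>2017 Sep 5 18:55:50 UTC: link down on port 1/20"),
    ("192.0.2.12", "<190>2017 Sep 5 18:55:52 UTC: user session created"),
    ("192.0.2.11", "<187>2017 Sep 5 18:55:55 UTC: last message repeated 1 time"),
]

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

For live traffic, pass `listen()` to `summarize` over a bounded slice, for example `itertools.islice(listen(), 100)`.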
