Beginner

Not getting expected logs in the external syslog server for Cisco prime infrastructure

Our end client has configured an external syslog server (SIEM) in Cisco Prime Infrastructure.

For testing purposes, he tried logging in to Cisco Prime with wrong credentials.

In the syslog server, although he is getting logs for bad authentication, he is not getting the expected logs (for example, which user was not able to authenticate; the username is not showing).

These are the logs they are getting in the syslog server:

07 09 2018 14:15:18 10.47.134.224 <LOC6:WARN> 07/09/18 19:15:18.230 WARN  [clitransport] [XDE ThreadPool 5] Failed to match expected device output due to expect timeout, current expect timeout 60000ms, expect time 60001ms, minimal matching length 0.\nCurrent output : **********\nCurrent expects : % Access denied\n% Bad passwords\n% Login invalid\n% Authentication failed\n% Bad secrets\nassword[:\s]*\z\nogin[:\s]*\z\name[:\s]*\z\nUser[:\s]*\z\n[\(\)\d\w\{\}]\s?[#>\$]\s*\z

 

Can anyone help me with this?

Below are the prime details -

--------------------------------------------
Cisco Prime Infrastructure
********************************************************
Version : 3.4.0
Build : 3.4.0.0.348
Device Support:
        Prime Infrastructure 3.4 Device Pack 1 ( 1.0 )

 

33 REPLIES 33
VIP Advisor

Re: Not getting expected logs in the external syslog server for Cisco prime infrastructure

Hi

Prime sends logs from managed devices, but the test you did refers to Prime itself. This must be logged but not sent to the external receiver.

 

-If I helped you somehow, please, rate it as useful.-

Beginner

Re: Not getting expected logs in the external syslog server for Cisco prime infrastructure

But I see in the Cisco guide that logins and logouts are mentioned. So is this login and logout for the managed devices or for Prime itself?

 

Configuring Syslog Message Receivers for System Changes

In addition to sending JMS notifications, Prime Infrastructure can send syslog messages to specified receivers to notify you of changes in the following Prime Infrastructure features:

  • Device management
  • Device community strings and credentials
  • User management
  • Configuration templates management
  • Monitoring templates management
  • Job management
  • Logins and logouts
  • Image distribution
  • Configuration changes
  • Inventory changes

You can specify as many receivers as you wish for these specialized syslog messages.

Beginner

Re: Not getting expected logs in the external syslog server for Cisco prime infrastructure

Hi Support

 

Please assist. I have just added 2690 and 3850 series switches on Cisco Prime, but logs are not being pulled compared to the 3750 series. What could be the issue?

 

I await your immediate response.

 

Kind regards

VM098

 

 

 

 

Beginner

Re: Not getting expected logs in the external syslog server for Cisco prime infrastructure

I await quick feedback on the solution of this issue.
VIP Engager

Re: Not getting expected logs in the external syslog server for Cisco prime infrastructure

Check the configuration of the switches: is the syslog server set to send to the Prime?
Beginner

Re: Not getting expected logs in the external syslog server for Cisco prime infrastructure

Hi Patoberli

Yes it is configured and it's currently showing down when I check the logs.

Please see the below output:

Logging to ***** (udp port 514, audit disabled,
link down),
0 message lines logged,
0 message lines rate-limited,
0 message lines dropped-by-MD,
xml disabled, sequence number disabled
filtering disabled
Logging Source-Interface: VRF Name:

Best regards
VM098



VIP Engager

Re: Not getting expected logs in the external syslog server for Cisco prime infrastructure

I don't like the "link down" part of the output you have provided.

On what device and with what command did you create this output?

Beginner

Re: Not getting expected logs in the external syslog server for Cisco prime infrastructure

Hi

I used the below command to allow the logging on 3850

"Logging host 172.xx.xx.xx"

I have allowed the cisco prime on access-list as well.
VIP Engager

Re: Not getting expected logs in the external syslog server for Cisco prime infrastructure

Can you please post the full output of show logging (until the first actual log message)?
Can you 'ping 172.xx.xx.xx' successfully from the 3850?
Beginner

Re: Not getting expected logs in the external syslog server for Cisco prime infrastructure

Hi

Full output of the show logging:

Logging to 172.xx.xx.xx (udp port 514, audit disabled,
link down),
0 message lines logged,
0 message lines rate-limited,
0 message lines dropped-by-MD,
xml disabled, sequence number disabled
filtering disabled
Logging Source-Interface: VRF Name:
Loopback10

Log Buffer (48795 bytes):
nged state to down
002285: .Feb 6 07:21:33.061 ZA: %LINK-3-UPDOWN: Interface GigabitEthernet2/0/33, changed state to up
002286: .Feb 6 07:21:34.066 ZA: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet2/0/33, changed state to up
002287: .Feb 6 07:21:59.625 ZA: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet2/0/33, changed state to down

Yes I am able to ping the cisco prime from the switch:

GRD-STACK1#ping 172.xx.xx.xx
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.xx,xx,xx, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/4/10 ms
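
A small parser for the `show logging` header discussed in this thread, as an added example that is not part of any post: it flags each remote syslog host that reports `link down` or `0 message lines logged` and records the logging source interface. The first host block is the output posted above; the second host (192.0.2.10, `link up`) and the layout with two hosts are constructed assumptions for contrast.

```python
import re

# First host block: `show logging` output posted in this thread (address masked
# as posted). Second host block (192.0.2.10) is constructed for contrast.
SAMPLE = """\
Logging to 172.xx.xx.xx (udp port 514, audit disabled,
link down),
0 message lines logged,
0 message lines rate-limited,
0 message lines dropped-by-MD,
xml disabled, sequence number disabled
filtering disabled
Logging to 192.0.2.10 (udp port 514, audit disabled,
link up),
412 message lines logged,
0 message lines rate-limited,
0 message lines dropped-by-MD,
xml disabled, sequence number disabled
filtering disabled
Logging Source-Interface: VRF Name:
Loopback10
"""

# The device wraps the host line, so the pattern spans the line break.
HOST_RE = re.compile(
    r"Logging to (?P<host>\S+)\s*\((?P<proto>\w+) port (?P<port>\d+),"
    r"[^)]*?link (?P<link>up|down)\)\s*,\s*(?P<logged>\d+) message lines logged")
# The interface name is printed on the line after the column headings.
SRC_RE = re.compile(r"Logging Source-Interface:[ \t]*VRF Name:[ \t]*\n?[ \t]*"
                    r"(?P<src>[A-Za-z-]+\d[\w/.]*)?")

def audit_show_logging(text):
    """Return one finding per remote syslog host in a `show logging` header."""
    m = SRC_RE.search(text)
    src = m.group("src") if m else None
    findings = []
    for h in HOST_RE.finditer(text):
        problems = []
        if h.group("link") == "down":
            problems.append("link down")
        if int(h.group("logged")) == 0:
            problems.append("0 message lines logged")
        findings.append({"host": h.group("host"), "port": int(h.group("port")),
                         "source_interface": src, "problems": problems})
    return findings

if __name__ == "__main__":
    for f in audit_show_logging(SAMPLE):
        print(f["host"], f["source_interface"], f["problems"] or "ok")
```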
Beginner

Re: Not getting expected logs in the external syslog server for Cisco prime infrastructure

And I get a successful ping from the cisco prime when pinging the switch
VIP Engager

Re: Not getting expected logs in the external syslog server for Cisco prime infrastructure

Ah you're using possibly more than one Loopback.

Can you repeat the ping, but this time, do an extended one. For this, simply type ping and press enter. Then you should get the option to select the source interface (say y to Extended commands), enter there Loopback10. Is this also successful?

If not, change the logging source interface in the configuration, to one that is Up.


Beginner

Re: Not getting expected logs in the external syslog server for Cisco prime infrastructure

Kindly see below:

GRD-STACK1#ping ip
Target IP address: 172.xx.xx.xx
Repeat count [5]: 20
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: Loopback10
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 20, 100-byte ICMP Echos to 172.xx.xx.xx, timeout is 2 seconds:
Packet sent with a source address of 172.xx.xx.x
!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (20/20), round-trip min/avg/max = 1/5/10 ms
VIP Engager

Re: Not getting expected logs in the external syslog server for Cisco prime infrastructure

Interesting. And I guess a 'show int loopback10' will also correctly show it as up/up?
If yes, then I have no idea why it's not working.