Re: Not getting expected logs in the external syslog server for Cisco prime infrastructure

BhaskarDS · ‎08-01-2018

Our end client has configured an external syslog server(SIEM) in the Cisco prime infrastructure.

And for testing purpose, he has tried login in to the Cisco prime with wrong credentials.

In the syslog server, although he is getting logs for bad authentication, but he is not getting the expected logs (like which User not able to authenticate, username is not showing)

Can any one help me in this.

Below are the prime details -

--------------------------------------------
Cisco Prime Infrastructure
********************************************************
Version : 3.4.0
Build : 3.4.0.0.348
Device Support:
Prime Infrastructure 3.4 Device Pack 1 ( 1.0 )

Flavio Miranda · ‎08-01-2018

Hi

Prime send log from managed device's but the test you did refers to the Prime itself. This must be login but not send to the external receiver.

-If I helped you somehow, please, rate it as useful.-

BhaskarDS · ‎08-03-2018

But I see in the Cisco Guide where it is mentioned Logins and Logouts. So this login and logout is for the managed devices or the prime itself ?

Configuring Syslog Message Receivers for System Changes

In addition to sending JMS notifications, Prime Infrastructure can send syslog messages to specified receivers to notify you of changes in the following Prime Infrastructure features:

Device management
Device community strings and credentials
User management
Configuration templates management
Monitoring templates management
Job management
Logins and logouts
Image distribution
Configuration changes
Inventory changes

You can specify as many receivers as you wish for these specialized syslog messages.

VM098 · ‎02-13-2019

Hi Support

Please assist, I have just added 2690 and 3850 series of witches on Cisco Prime but logs are not pulling compared to 3750 series, what could be the issue?

I await your immediate response.

Kind regards

VM098

VM098 · ‎02-13-2019

I await a quick feedback on the solution of his issue?

patoberli · ‎02-13-2019

Check the configuration of the switches, is the syslog server set to send the Prime?

VM098 · ‎02-14-2019

Hi Patoberli

Yes it is configured and it's currently showing down when I check the logs.

Please see the below output:

Logging to ***** (udp port 514, audit disabled,
link down),
0 message lines logged,
0 message lines rate-limited,
0 message lines dropped-by-MD,
xml disabled, sequence number disabled
filtering disabled
Logging Source-Interface: VRF Name:

Best regards
VM098

patoberli · ‎02-14-2019

I don't like the "link down" part of the output you have provided.

On what device and with what command did you create this output?

VM098 · ‎02-14-2019

Hi

I used the below command to allow the logging on 3850

"Logging host 172.xx.xx.xx"

I have allowed the cisco prime on access-list as well.

patoberli · ‎02-14-2019

Can you please post the full output of show logging (until the first actual log message)?
Can you 'ping 172.xx.xx.xx' successfully from the 3850?

VM098 · ‎02-14-2019

Hi

Full output of the show logging:

Logging to 172.xx.xx.xx (udp port 514, audit disabled,
link down),
0 message lines logged,
0 message lines rate-limited,
0 message lines dropped-by-MD,
xml disabled, sequence number disabled
filtering disabled
Logging Source-Interface: VRF Name:
Loopback10

Log Buffer (48795 bytes):
nged state to down
002285: .Feb 6 07:21:33.061 ZA: %LINK-3-UPDOWN: Interface GigabitEthernet2/0/33, changed state to up
002286: .Feb 6 07:21:34.066 ZA: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet2/0/33, changed state to up
002287: .Feb 6 07:21:59.625 ZA: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet2/0/33, changed state to down

Yes I am able to ping the cisco prime from the switch:

GRD-STACK1#ping 172.xx.xx.xx
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.xx,xx,xx, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/4/10 ms

VM098 · ‎02-14-2019

And I get a successful ping from the cisco prime when pinging the switch

patoberli · ‎02-14-2019

Ah you're using possibly more than one Loopback.

Can you repeat the ping, but this time, do an extended one. For this, simply type ping and press enter. Then you should get the option to select the source interface (say y to Extended commands), enter there Loopback10. Is this also successful?

If not, change the logging source interface in the configuration, to one that is Up.

VM098 · ‎02-14-2019

Kindly see below:

GRD-STACK1#ping ip
Target IP address: 172.xx.xx.xx
Repeat count [5]: 20
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: Loopback10
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 20, 100-byte ICMP Echos to 172.xx.xx.xx, timeout is 2 seconds:
Packet sent with a source address of 172.xx.xx.x
!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (20/20), round-trip min/avg/max = 1/5/10 ms

patoberli · ‎02-14-2019

Interresting. And I guess a 'show int loopback10' will also correctly show it as up/up?
If yes, then I have no idea why it's not working.