Not getting expected logs in the external syslog server for Cisco prime infrastructure - Page 3

BhaskarDS · ‎08-01-2018

Our end client has configured an external syslog server(SIEM) in the Cisco prime infrastructure.

And for testing purpose, he has tried login in to the Cisco prime with wrong credentials.

In the syslog server, although he is getting logs for bad authentication, but he is not getting the expected logs (like which User not able to authenticate, username is not showing)

Can any one help me in this.

Below are the prime details -

--------------------------------------------
Cisco Prime Infrastructure
********************************************************
Version : 3.4.0
Build : 3.4.0.0.348
Device Support:
Prime Infrastructure 3.4 Device Pack 1 ( 1.0 )

VM098 · ‎02-20-2019

Hi
I see the very same output you shared when I filter to the device even after selecting a device
What can I do next ?

patoberli · ‎02-20-2019

I never got happy with the syslog functionality on the Prime... Do you get anything if you switch the tab to Historic?
I think you should involve TAC (if not already done) .

If you're a bit more tech savvy, next thing I'd do, would be a tcpdump on the prime with a capture filter for syslog or the router IP, to check if the logs actually arrive at the Prime server. That way you can at least narrow the search circle for the problem.

VM098 · ‎02-20-2019

TAC has not yet responded, how long do they take to respond to people's queries?

patoberli · ‎02-20-2019

I haven't had many TAC, but usually within 1-2 business days for the issues I had open.