07-20-2017 07:32 AM - edited 07-05-2021 07:22 AM
Can you send logs to multiple syslog servers?
I have two syslog servers configured, Cisco Prime and a Splunk server. I can view syslog from the prime server but not in Splunk. I'm concerned because when you configure syslog from the cli you get a message that "system logs will be sent to x.x.x.x from now on."
07-20-2017 08:26 AM
Are you referencing sending syslog from a WLC or another Cisco device? I was assuming WLC due the post being in Wireless section but correct me if I am wrong.
You can configure multiple hosts in either scenario.
As an example below for IOS I have multiple logging host commands (not sure on how many are supported in IOS).
logging buffered informational
no logging console
logging enable
logging size 500
logging trap notifications
logging host 10.44.10.31
logging host 10.44.145.242
For WLC - I believe it is up to 3 syslog targets - commands below
(Cisco Controller) >config logging syslog host ?
<ip_addr> dotted IP address of the remote host
I am not clear on exactly what you are referencing though.
07-20-2017 12:39 PM
Yes sending syslog from a wlc to a configured target, in my case Cisco Prime Infrastructure and Splunk.
Yes, you can configure 3 syslog targets.
The statement that popped up on the screen after configuring a syslog target from the cli, "system logs will be sent to x.x.x.x from now on" makes it seem like the wlc will only send syslog to the newly configured target. At least that's how I read it.
07-20-2017 01:16 PM
I 'think' this is just advising the logs will also be sent to this address. It can send a copy for up to 3 servers.
Might be worth configuring them via gui under management tab and test from there.
I can lab the multiple syslog server setup but won't be until tomorrow morning (UK).
What wlc code are you running out of interest?
07-20-2017 03:17 PM
8.2.151.0
Initially, I configured it using the GUI, but when the Splunk guys told me they weren't seeing anything I tried the CLI.
They've since confirmed that they are seeing the data but for some reason Splunk cant parse it.
04-24-2020 11:01 AM
Just happen to hit this thread. I thought I will share some of my observation with respect to Syslog behavior. Code 8.5 and above
Here is my understanding of the syslog behavior from the tests I did. Please correct me if you have observed something different.
IOS AP
COS AP
Checking with DEs about this behavior.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide