
Not getting expected logs in the external syslog server for Cisco Prime Infrastructure

BhaskarDS
Level 1

Our end client has configured an external syslog server (SIEM) in Cisco Prime Infrastructure.

For testing purposes, he tried logging in to Cisco Prime with wrong credentials.

In the syslog server, although he is getting logs for bad authentication, he is not getting the expected logs (such as which user was not able to authenticate; the username is not showing).

Can anyone help me with this?

Below are the prime details -

--------------------------------------------
Cisco Prime Infrastructure
********************************************************
Version : 3.4.0
Build : 3.4.0.0.348
Device Support:
        Prime Infrastructure 3.4 Device Pack 1 ( 1.0 )

 

33 Replies

It is showing up/up

Or could it be that Cisco Prime does not take all ranges of the Catalyst series?

It doesn't, but you can read about the supported devices in the device packs. All supported devices are listed in the Excel sheet.

I'm still a bit confused about the "link down" part of your show logging output. Normally, at least on my Catalyst switches, it shows link up.


What could cause link down status because there is reachability to both 2960 and 3850 devices?

It sounds like somebody else has/had the same problem:

https://www.reddit.com/r/networking/comments/6bwupf/cisco_syslog_link_down/



Can you try the following:

conf t
no logging host 172.xx.xx.xx
logging host 172.xx.xx.xx



And then create a syslog message (unplug an active cable if you send trap logs) and check with show logging again if the port is now up.



What software version is running on the two switches?



You also might want to install Patch1 for PI and afterwards Hotfix 1 and then Device Pack 9, for maximum compatibility. Do not install Hotfix2 if you manage wireless and plan to replace APs; there is a bug with the copy&replace function.


Hi, the below has been tried several times to no avail:

no logging host 172.xx.xx.xx
logging host 172.xx.xx.xx

In that case I suggest opening a TAC. Please post the solution once you have received it.


Software version for the 3850 is 03.06.06E and for the 2960 is 15.2(2)E7

Hi

I managed to bring the link to up status; however, the syslog is still not pulling on Cisco Prime for the 2960 and 3850 series

Trap logging: level critical, 270 message lines logged
    Logging to X.X.X (udp port 514, audit disabled,
          link up),
          268 message lines logged,
          0 message lines rate-limited,
          0 message lines dropped-by-MD,
          xml disabled, sequence number disabled
          filtering disabled
    Logging to X.X.X (udp port 514, audit disabled,
          link up),
          270 message lines logged,
          0 message lines rate-limited,
          0 message lines dropped-by-MD,
          xml disabled, sequence number disabled
          filtering disabled
    Logging to X.X.X (udp port 514, audit disabled,
          link up),
          35 message lines logged,
          0 message lines rate-limited,
          0 message lines dropped-by-MD,
          xml disabled, sequence number disabled
          filtering disabled
    Logging Source-Interface: VRF Name:

Please help?

What did you do to get it UP? Just in case somebody else is having the same problem.



Which version and device pack is currently running on the Prime?


Hi

I disabled the logs and re-enabled them, and the link came back up again

Cisco Prime version is 3.4

Hi, any feedback?

And which device pack and patch of version 3.4?



Device Pack 9 for Cisco Prime Infrastructure 3.4

Ok, that's good. 

Now, when you are in the Syslog Viewer, make sure you have selected one of the devices in the Filter Criteria in the top right; see the attached image (pi_filter.jpg).
