10-31-2023 07:40 AM
Hello everyone,
I have a specific problem with the configuration of some Syslog servers on a WLC 9800L, between the WLC and the Syslog servers the communication permissions between them have already been configured at the Firewall level and they are configured to reach each other correctly, the provider informs me that it receives the logs but the problem is that it receives them empty, with a Length 0.
Checking I have not been able to find the reason why this may occur. In any case, I share the configuration in the WLC GUI, plus the photograph showing the logs received by the Syslog server. As for the Firewalls through which this communication passes, both are Firepower 2100, in the packet capturer you can see the communication pass without problems, I believed that it could be due to a SNORT problem that sometimes causes denials, but all are allowed with no problem.
I have not ruled out that it could also be a problem with the type of message or the configured buffer, the truth is I don't know what the ideal configuration could be, the destinations are SIEM servers. It could even be something from the same destination server, but I want to rule out possibilities at the communications level.
Please if someone could assist me with any possible reason why the logs are being sent but empty to the destination, it would be very helpful.
Beforehand thank you very much.
Solved! Go to Solution.
12-13-2023 01:26 PM
@marce1000 Hey! sorry for the late response, in the end the only solution I managed to find was to configure the Syslog server in Informational (Severity lvl 6) and pointing to the external Syslog servers both through UDP and TCP, it was the only way they managed to send the logs as they should, that is, without the Length 0.
10-31-2023 07:51 AM
- Most likely the problem is due to the in between firewalls and not the 9800 ; to verify that simply test with a 'local' syslog server 'close' to the 9800 and verify the operational status of sending syslog messages ,
M.
10-31-2023 08:16 AM
Hi @marce1000 ,
Thank you for the quick response.
Perfect, I'm going to check this, I haven't checked the communication between the Firewalls, these go through an MPLS so some loss may occur along the way or deny.
As for the local syslog, I would have to see if my company allows me to use any resources, but in any case I am going like you, for the option of it being something from the Firewall.
I'll tell you any news.
Best regards,
11-04-2023 05:20 AM
can you more clear here,
you receive empty syslog or you not receive syslog at all ??
Thanks A Lot
MHM
11-04-2023 06:01 AM
@MHM Cisco World @Vicente Miño provided a screenshot of a tcpdump output saying "length 0".
12-13-2023 01:26 PM
@marce1000 Hey! sorry for the late response, in the end the only solution I managed to find was to configure the Syslog server in Informational (Severity lvl 6) and pointing to the external Syslog servers both through UDP and TCP, it was the only way they managed to send the logs as they should, that is, without the Length 0.
12-13-2023 10:32 PM
That definitely sounds like a bug. What version of IOS-XE are you using on the 9800-L?
12-14-2023 03:09 AM
It was in version 17.3.5.(b), but on November 16 we updated it to version 17.6.5 and the problem continues, I think it may be a communication problem, but it is strange at the FW level that both are enabled ports passing through the same rules in the policy, but the WLC can reach certain Syslog server addresses by UDP and the others only by TCP.
I will continue to see how to solve it 100% but at least the logs can now be sent to the destination. One detail is that if port 514 is tested via telnet to the servers, the WLC reaches them without problems.
12-14-2023 03:35 AM
See the TAC recommended link below - current recommended version is 17.9.4 + SMU_CSCwh87343 + APSP (as needed) OR 17.9.4a + APSP(as needed) for all deployments.
12-14-2023 06:03 AM
Perfect, im gonna check this out. But unfortunately, since they are devices that are constantly productive, I cannot update them except in a controlled environment and in update cycles that are done once a semester, but in any case I will have this version in mind for the next cycle. Anyway, thank you very much for the information provided.
11-04-2023 05:03 AM
@Vicente Miño it can be any local server - it doesn't have to be a syslog server - just one that you can run tcpdump on to view the incoming syslogs.
The way I see it, you run a packet capture on the WLC and confirm that the WLC is sending the syslogs correctly, If the WLC is sending the logs correctly then it's not your problem - it's up to the security people to configure their equipment correctly.
Buffer size determines how much is stored for you to see using "show log" - I would never configure less than 200K (200000) with debug level (but you might not want debug level events) even on smaller devices but for 9800 I'd recommend 2M (2000000). 4096 is so small you might as well not even have it because when something happens you'll lose most of the interesting logs. Syslog is still handy for capturing all of those events but for troubleshooting having the info readily available on CLI is invaluable.
What version of software are you running on the 9800L?
Take note of the TAC recommended versions in the link below.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide