cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1748
Views
4
Helpful
10
Replies

WLC 9800L Send empty logs to Syslog Server

Vicente Miño
Level 1
Level 1

Hello everyone,

I have a specific problem with the configuration of some Syslog servers on a WLC 9800L, between the WLC and the Syslog servers the communication permissions between them have already been configured at the Firewall level and they are configured to reach each other correctly, the provider informs me that it receives the logs but the problem is that it receives them empty, with a Length 0.

Checking I have not been able to find the reason why this may occur. In any case, I share the configuration in the WLC GUI, plus the photograph showing the logs received by the Syslog server. As for the Firewalls through which this communication passes, both are Firepower 2100, in the packet capturer you can see the communication pass without problems, I believed that it could be due to a SNORT problem that sometimes causes denials, but all are allowed with no problem.

I have not ruled out that it could also be a problem with the type of message or the configured buffer, the truth is I don't know what the ideal configuration could be, the destinations are SIEM servers. It could even be something from the same destination server, but I want to rule out possibilities at the communications level.

Please if someone could assist me with any possible reason why the logs are being sent but empty to the destination, it would be very helpful.

Beforehand thank you very much.

1 Accepted Solution

Accepted Solutions

@marce1000 Hey! sorry for the late response, in the end the only solution I managed to find was to configure the Syslog server in Informational (Severity lvl 6) and pointing to the external Syslog servers both through UDP and TCP, it was the only way they managed to send the logs as they should, that is, without the Length 0.

View solution in original post

10 Replies 10

marce1000
VIP
VIP

 

 - Most likely the problem is due to the in between firewalls and not the 9800 ; to verify that simply test with a 'local' syslog server 'close' to the 9800 and verify the operational status of sending syslog messages , 

 M.



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '

Hi @marce1000 ,

Thank you for the quick response.

Perfect, I'm going to check this, I haven't checked the communication between the Firewalls, these go through an MPLS so some loss may occur along the way or deny.

As for the local syslog, I would have to see if my company allows me to use any resources, but in any case I am going like you, for the option of it being something from the Firewall.

I'll tell you any news.

Best regards,

can you more clear here, 
you receive empty syslog or you not receive syslog at all ??

Thanks A Lot
MHM

@MHM Cisco World  @Vicente Miño provided a screenshot of a tcpdump output saying "length 0".

@marce1000 Hey! sorry for the late response, in the end the only solution I managed to find was to configure the Syslog server in Informational (Severity lvl 6) and pointing to the external Syslog servers both through UDP and TCP, it was the only way they managed to send the logs as they should, that is, without the Length 0.

That definitely sounds like a bug.  What version of IOS-XE are you using on the 9800-L?

It was in version 17.3.5.(b), but on November 16 we updated it to version 17.6.5 and the problem continues, I think it may be a communication problem, but it is strange at the FW level that both are enabled ports passing through the same rules in the policy, but the WLC can reach certain Syslog server addresses by UDP and the others only by TCP.

I will continue to see how to solve it 100% but at least the logs can now be sent to the destination. One detail is that if port 514 is tested via telnet to the servers, the WLC reaches them without problems.

See the TAC recommended link below - current recommended version is 17.9.4 + SMU_CSCwh87343 + APSP (as needed) OR 17.9.4a + APSP(as needed) for all deployments.

Perfect, im gonna check this out. But unfortunately, since they are devices that are constantly productive, I cannot update them except in a controlled environment and in update cycles that are done once a semester, but in any case I will have this version in mind for the next cycle. Anyway, thank you very much for the information provided.

Rich R
VIP
VIP

@Vicente Miño it can be any local server - it doesn't have to be a syslog server - just one that you can run tcpdump on to view the incoming syslogs.

The way I see it, you run a packet capture on the WLC and confirm that the WLC is sending the syslogs correctly,  If the WLC is sending the logs correctly then it's not your problem - it's up to the security people to configure their equipment correctly.

Buffer size determines how much is stored for you to see using "show log" - I would never configure less than 200K (200000) with debug level (but you might not want debug level events) even on smaller devices but for 9800 I'd recommend 2M (2000000).  4096 is so small you might as well not even have it because when something happens you'll lose most of the interesting logs.  Syslog is still handy for capturing all of those events but for troubleshooting having the info readily available on CLI is invaluable.

What version of software are you running on the 9800L?
Take note of the TAC recommended versions in the link below.

Review Cisco Networking for a $25 gift card