Switching

Any one else having issues shipping syslogs to a syslog server from the EX series? I am using the same syslog config statements on our SRX equipment and the syslogs ship of just fine but no dice with the EX seriess. I can scp files from the EX VC stack to the syslog server just fine. Here is my config: I am doing something wrong or is this a known issue?

show configuration system syslog

archive size 100k files 3;
user * {
    any emergency;
}
host xxx.xxx.xxx.xxx {
    any any;
}
file messages {
    any notice;
    authorization info;
}
file interactive-commands {
    interactive-commands any;
}
file default-log-messages {
    any any;
    structured-data;
}
;

Are you certain that the EX stack has a route to the syslog server?

Yeah i can ping and scp files from the VC stack to the syslog server

Is it possible that your EX/VC is presenting a particular source address to the syslog server?

For example, I have a switch setup to send syslog to a FreeBSD box running syslog-ng. The nature of the switch's connectivity was such that the IP address/hostname that I told the syslog server to expect from the switch was different than what the switch was actually presenting.

So my syslog server was expecting something like '192.168.1.1' or 'blue' and the switch syslog traffic was actually appearing to come from '192.168.2.1' so the net result was that nothing was actually logged.

I fixed this via something like this on the switch:

    syslog {
        user * {
            any emergency;
        }
        host 172.30.0.14 {
            any any;
        }
        file messages {
            any notice;
            authorization info;
        }
        file interactive-commands {
            interactive-commands any;
        }
        source-address 192.168.249.1;
   }

Where my syslog server is '172.30.0.14' and the switch will send syslog traffic as originating from '192.168.1.1'

Any firewalls or anything between the switch VC and syslog server?

If the syslog system is Unix can you run tcpdump, snoop, etc or Wireshark if Windows to verify that the syslog packets are actually coming in to the syslog server from this VC/switch?

I did try the source address statement in my syslog config with no success. There are no firewall between the VC stack and the syslog server. The syslog server is ubuntu server 10.04. I'll try tcpdump and see what a packet capture tells me.

hi,

tcpdump on the Linux should confirm if EX  sends the syslog. Additionally look monitor traffic at EX  monitor traffic no-resolve matching "udp and port 514"

Sorry for basic question: have you enabled syslog to accept remote messages ? In case of Ubuntu look at /etc/rsyslog.conf  and uncomment lines:

$ModLoad imudp
$UDPServerRun 514

jtb

---

@jtb wrote:

hi,

 

tcpdump on the Linux should confirm if EX  sends the syslog. Additionally look monitor traffic at EX  monitor traffic no-resolve matching "udp and port 514"

Sorry for basic question: have you enabled syslog to accept remote messages ? In case of Ubuntu look at /etc/rsyslog.conf  and uncomment lines:

 

$ModLoad imudp
$UDPServerRun 514

 

jtb

 

 

 

 

---

Yes I have this same syslog server logging all cisco equipment as well as our SRX logs

After running tcp dump on the server i didn't capture and packets from the stack to the server on port 514 but the switch can talk to the server becuase I also have nagios on the same server and I was able to see snmp traffic.

This is what I got on the switch stack when I ran monitor traffic no-resolve matching "udp and port 514"

09:12:53.904050 Out IP truncated-ip - 45 bytes missing! xx.xxx.xxx.xxx.514 > xx.xxx.xxx.xxx.514: SYSLOG local7.info, length: 71

hi,

use  monitor traffic no-resolve matching "udp and port 514" layer2-headers print-ascii size 1500  to see the full message and verify the next-hop MAC address.

Check the path EX<>Linux again - no filters ? No firewall filters on EX (lo0 output) ? Can you access (~ssh)  the Linux from EX ?

jtb