NetSight: Syslog source ip is missing

  • 0
  • 1
  • Problem
  • Updated 1 year ago
  • Solved
Our switches are sending syslog events to the NetSight server.
In the file /var/log/syslog/ I can see that the messages are being received, but in the NetSight Console I can't see the source IP.
Without the IP it's hard to find the right events :)

Does anyone have ideas?

NetSight 7.0.6.27
EXOS 16.1.3.6
Summit X460

Syslog conf:
Log Target      : syslog; <netsight>:514 (vr VR-Mgmt), local0 from <mgmt-ip>
    Enabled     : yes
    Filter Name : DefaultFilter
    Match regex : Any
    Severity    : Debug-Data (through Critical)
    Format      : PRI Mmm DD HH:MM:SS HOSTNAME TAG:
Chacko

Posted 1 year ago

OscarK, ESE

Chacko

Hi Oscar,

Perfect - that was my problem.
After removing the "host-name" from the format-string, everything works fine.
A thing you need to know...

Many thanks

Best Regards
Chacko

OscarK, ESE

Hello Chacko, I stumbled on this before and wrote that article, hence I remembered it. Nice to know it fixed it.

aloeffle

Dear Oscar, Chacko.
I have the same situation. Removing the "host-name" statement did not help.

NetSight: 7.1.1.9
X450G2 with xos 22.2.1.5

Here is my config:


* X450G2-48p-10G4.5 # show config ems
# Module ems configuration.
configure syslog add 10.0.10.57:514 vr VR-Default local4
configure log target syslog 10.0.10.57:514 vr VR-Default local4 from 10.0.10.55
enable log target syslog 10.0.10.57:514 vr VR-Default local4
configure log target syslog 10.0.10.57:514 vr VR-Default local4 filter DefaultFilter severity Debug-Data
configure log target syslog 10.0.10.57:514 vr VR-Default local4 match Any
configure log target syslog 10.0.10.57:514 vr VR-Default local4 format timestamp seconds date dd-mm-yyyy event-name none tag-id tag-name

* X450G2-48p-10G4.5 # show vlan
Untagged ports auto-move: Off
-----------------------------------------------------------------------------------------------
Name            VID  Protocol Addr       Flags                         Proto  Ports  Virtual
-----------------------------------------------------------------------------------------------
Default         1    10.0.10.55     /24  ------------T---------------  ANY    1 /52  VR-Default
Mgmt            4095 ------------------------------------------------  ANY    0 /1   VR-Mgmt
-----------------------------------------------------------------------------------------------

* X450G2-48p-10G4.6 # show log configuration
Log Target      : syslog; 10.0.10.57:514 (vr VR-Default), local4 from 10.0.10.55
    Enabled     : yes
    Filter Name : DefaultFilter
    Match regex : Any
    Severity    : Debug-Data (through Critical)
    Format      : DD-MM-YYYY HH:MM:SS TAG[PID]:
    Port Type   : UDP

EMS shows as source "22" !? instead of 10.0.10.55.

What's wrong with my config?

Thanks for your help.
Alex

Chacko

Is there a reason why you are using the syslog-facility local4?
I'm aware of the syslog-facilities in general, but I haven't found information regarding that by Extreme.
Anyway, I think I found your problem: The format of your syslog-target is wrong:    
        Format      : DD-MM-YYYY HH:MM:SS TAG[PID]:

Maybe you should use a command like this:
       configure log target syslog 10.58.36.210 format timestamp seconds date yyyy-mm-dd  tag-id tag-name
https://gtacknowledge.extremenetworks.com/articles/Solution/Syslog-from-XOS-devices-have-no-source-I...

Best Regards
Chacko

aloeffle

Hi Chacko.

You pointed me the right way.
I need to remove the "date" statement.

configure log target syslog 10.0.10.57:514 vr VR-Default local4 format timestamp seconds date none event-name none tag-id tag-name
Now the correct source is shown in NetSight.

Thanks
Alexander
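
For the collector side of the problem discussed in this thread, an added example (not part of the thread and not NetSight's parser): a Python check that classifies which header layout a syslog datagram uses and always records the UDP peer address as the source, keeping any HOSTNAME from the header as a separate, unverified claim. The function name, layout labels and sample datagrams are assumptions constructed for illustration.

```python
import re

# RFC 3164 (BSD syslog) header: "<PRI>Mmm dd hh:mm:ss HOSTNAME TAG: text"
PRI = re.compile(r"^<(\d{1,3})>")
BSD_TS = re.compile(
    r"^(Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec) [ \d]\d \d\d:\d\d:\d\d ")
TAG = re.compile(r"^[\w/.\-]+(\[\d+\])?:$")


def classify(datagram: bytes, peer_ip: str) -> dict:
    """Attribute one UDP syslog datagram without trusting its header.

    peer_ip is the address recvfrom() reported; it is always kept as the
    source. A HOSTNAME found in the header is stored separately as a claim.
    """
    text = datagram.decode("utf-8", errors="replace")
    rec = {"peer_ip": peer_ip, "layout": "no-pri", "facility": None,
           "severity": None, "claimed_host": None}
    m = PRI.match(text)
    if not m or int(m.group(1)) > 191:      # PRI = facility * 8 + severity
        return rec
    rec["facility"], rec["severity"] = divmod(int(m.group(1)), 8)
    rest = text[m.end():]
    ts = BSD_TS.match(rest)
    if not ts:                              # e.g. DD-MM-YYYY or time only
        rec["layout"] = "nonstandard-timestamp"
        return rec
    token = rest[ts.end():].split(" ", 1)[0]
    if TAG.match(token):                    # TAG follows the timestamp directly
        rec["layout"] = "bsd-no-hostname"
    else:
        rec["layout"] = "bsd-with-hostname"
        rec["claimed_host"] = token
    return rec


# Constructed datagrams, one per layout discussed in the thread.
SAMPLES = [
    b"<134>Mar  3 10:15:02 sw-access-01 AAA: Login passed",
    b"<134>Mar  3 10:15:02 AAA: Login passed",
    b"<166>03-03-2017 10:15:02 AAA[1234]: Login passed",
    b"<166>10:15:02 AAA[1234]: Login passed",
]

if __name__ == "__main__":
    for raw in SAMPLES:
        print(classify(raw, "10.0.10.55"))
```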