Problems sending SYSLOG to Solarwinds

  • Problem
  • Updated 3 years ago
  • Solved
I have pointed our Extreme switches to send SYSLOG messages to Solarwinds. We get IOS and IOS-XR messages OK, but for some reason we do not see the SYSLOG messages come into Solarwinds. I have opened a TAC case with Solarwinds and they determined that there were issues with the syslog messages as they apparently were "not formatted according to RFC 5424".

I am skeptical about this since I have had some modicum of success with other syslog servers capturing syslog messages from XOS, so I just want to verify that there should be no troubles with this and review the configuration so I ensure it is correct.

Here is the way I have our XOS devices configured:

create log filter solarwinds
create log filter memorybuffer
configure log filter solarwinds add events ISIS.NFSM.AdjChg 
configure log filter solarwinds add events ospf.neighbor.ChgState 
configure log filter solarwinds add events vlan.msgs.portLinkStateUp 
configure log filter solarwinds add events vlan.msgs.portLinkStateDown 
configure log filter memorybuffer add events ISIS.NFSM.AdjChg 
configure log filter memorybuffer add events ospf.neighbor.ChgState 
configure log filter memorybuffer add events vlan.msgs.portLinkStateUp 
configure log filter memorybuffer add events vlan.msgs.portLinkStateDown 
configure log filter memorybuffer add events cli.logRemoteCmd 
configure log filter memorybuffer add events AAA.LogSsh 
configure log filter memorybuffer add events pim.cache 
configure log target memory-buffer  filter memorybuffer severity Info
configure log target memory-buffer number-of-messages 20000
configure log target nvram  filter DefaultFilter severity Info
configure syslog add 10.253.10.25:514 vr VR-Default local5
enable log target syslog 10.253.10.25:514 vr VR-Default local5
configure log target syslog 10.253.10.25:514 vr VR-Default local5 filter solarwinds severity Info
configure log target syslog 10.253.10.25:514 vr VR-Default local5 match Any
configure log target syslog 10.253.10.25:514 vr VR-Default local5 format timestamp seconds date Mmm-dd event-name none host-name tag-name

Slot-1 CoreSwitch# sh switch | inc Primary
Primary ver:      15.3.2.11                    15.3.2.11 

Thanks for the consideration

Evan R

Posted 3 years ago

Dorian Perry, Employee

Hi Evan,

Was the below line of configuration added manually or was it there by default?

"configure log target syslog 10.253.10.25:514 vr VR-Default local5 format timestamp seconds date Mmm-dd event-name none host-name tag-name"

Evan R

Hello Dorian

This was a manual addition. 

Dorian Perry, Employee

As a test, could you try removing this line from the configuration to allow the syslog message format to be the default?

Drew C., Community Manager

Hi Evan, Do you still need assistance with this issue?

Evan R

Hello

I apologize; I got busy with other things and I forgot about this! I thank you for the replies.

When I run,
"unconfigure log target syslog 10.253.10.25:514 vr VR-Default local5 format"
Configuration becomes:
# sh configuration "ems" | inc format
configure log target syslog 10.253.10.25:514 vr VR-Default local5 format timestamp seconds date Mmm-dd event-name none priority tag-name 

Is this what it should be? I will make these modifications and report back if it works. 

Regards,

Dorian Perry, Employee

Hi Evan,

Yes, I believe using the default configuration may get the messages to be formatted according to RFC 5424 as mentioned above.

Please let us know if this works.

Regards,
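
To check which header a device is actually putting on the wire before and after a format change like the one discussed in this thread, the following added example (not code from the thread, Extreme or SolarWinds) classifies a raw syslog datagram as RFC 5424, RFC 3164 (BSD), PRI-only or PRI-less. The sample datagrams are constructed rather than captured from a switch, and the `classify` and `listen` names and test port 5514 are assumptions.

```python
import re
import socket

PRI_RE = re.compile(r"^<(\d{1,3})>")
# RFC 5424: VERSION "1", then an ISO 8601 timestamp or the NILVALUE "-".
RFC5424_RE = re.compile(
    r"^1 (?:-|\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d{1,6})?(?:Z|[+-]\d{2}:\d{2})) ")
# RFC 3164 (BSD syslog): "Mmm dd hh:mm:ss", day of month space-padded.
RFC3164_RE = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2} ")


def classify(datagram: bytes) -> dict:
    """Report the framing of one syslog datagram and decode its PRI value."""
    text = datagram.decode("utf-8", errors="replace")
    m = PRI_RE.match(text)
    if m is None or int(m.group(1)) > 191:  # 191 = facility 23, severity 7
        return {"framing": "no-pri", "facility": None, "severity": None}
    pri, rest = int(m.group(1)), text[m.end():]
    if RFC5424_RE.match(rest):
        framing = "rfc5424"
    elif RFC3164_RE.match(rest):
        framing = "rfc3164"
    else:
        framing = "pri-only"  # PRI present, header matches neither RFC
    return {"framing": framing, "facility": pri >> 3, "severity": pri & 7}


# Constructed samples (not switch output). 174 = local5 (21) * 8 + Info (6).
SAMPLES = [
    b"<174>1 2016-03-01T12:00:00Z CoreSwitch vlan - - - Port 1:1 link up",
    b"<174>Mar  1 12:00:00 CoreSwitch vlan: Port 1:1 link up",
    b"<174>Mar-01 12:00:00 CoreSwitch vlan: Port 1:1 link up",
    b"Mar-01 12:00:00 CoreSwitch vlan: Port 1:1 link up",
]


def listen(port: int = 5514) -> None:
    """Print the classification of each datagram arriving on a test UDP port."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind(("0.0.0.0", port))
        while True:
            data, (src, _) = sock.recvfrom(8192)
            print(src, classify(data), data[:80])


if __name__ == "__main__":
    for sample in SAMPLES:
        print(classify(sample)["framing"], sample.decode())
```

Calling `listen()` on a spare host and adding that host as a temporary syslog target shows the framing of live messages without touching the production collector.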