Syslog display wrong information

  • Problem
  • Updated 2 months ago
  • In Progress

I have configured my switch to send messages to the syslog server (XMC).

configure syslog add <IP-XMC>:514 vr VR-Default local0
configure log target syslog <IP-XMC>:514 vr VR-Default local0 from <IP-SWITCH>
enable log target syslog <IP-XMC>:514 vr VR-Default local0
configure log target syslog <IP-XMC>:514 vr VR-Default local0 filter DefaultFilter severity Info
configure log target syslog <IP-XMC>:514 vr VR-Default local0 match Any
configure log target syslog <IP-XMC>:514 vr VR-Default local0 format timestamp seconds date dd-mm-yyyy event-name none tag-id tag-name

The information I see in syslog: see screen copy.

I see the wrong info at source, client, and the information isn't right (starts with minutes and seconds).


Johan Hendrikx


Posted 2 months ago


Pala, Zdenek, Employee

Hi.

I guess you migrated from Windows to Linux or a virtual machine, or the opposite, or similar.

The log file where the syslog text is present is parsed based on the configured setting, i.e. XMC expects some format.

You can change the parsing. If you go to OneView -> Alarms & Events -> the last tab (if I remember well, Log Manager) -> then you need to find syslog and edit the format.

Regards

Z.

Johan Hendrikx

Nope. It did not help for the syslog messages that XMC receives from switches.

Pala, Zdenek, Employee

Is the issue present also for new messages coming in?
Do you have a kind of syslog proxy/forwarder between your switch and XMC?

Johan Hendrikx

We just finished changing hardware to G2 switches and I've migrated XMC from Windows to an appliance.

Firmware is 22.4.1.4.

I don't use a syslog proxy.

Messages from EWC look OK.

Johan Hendrikx


Logging from syslog:

How come there is a difference in format?

EWC:

<6>Jul 27 15:25:19 10.2.112.3(10.2.112.3) events: Radius Client Radius Response:  Accepted: UserID:48:43:7C:2A:DB:3C, Client MAC:[48:43:7C:2A:DB:3C] 3
<6>Jul 27 15:25:19 10.2.112.3(10.2.112.3) events: Radius Client RADIUS server authenticated login (Access Accepted). 3
<6>Jul 27 15:25:19 10.2.112.3(10.2.112.3) dhcpd: DHCPREQUEST for 10.254.16.11 from 48:43:7c:2a:db:3c via csi6

Switch: (firm. 16.1.2.14)

<5>Jul 27 15:25:55 27-07-2018(10.2.112.209) 15:21:31 vlan.ms[1476]: Port 5 link down
<5>Jul 27 15:26:24 27-07-2018(10.2.112.209) 15:22:01 vlan.ms[1476]: Port 5 link down
<5>Jul 27 15:26:36 27-07-2018(10.2.112.209) 15:22:12 vlan.ms[1476]: Port 5 link down


Johan Hendrikx


I noticed that when you change the syntax the output is different.

configure log target syslog 10.2.112.1:514 vr VR-Default local0 format timestamp seconds date none event-name none tag-id tag-name


<5>Jul 30 08:22:56 10.2.128.250(10.2.128.250) 08:18:30 vlan.ms[1933]: Port 3 link down


What is the right syntax?
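
A small check for the symptom visible in the log excerpts above, added here as an example and not part of any post or of XMC: it parses the stored line layout quoted in the thread and flags lines where a dd-mm-yyyy date sits in the source field or the device's own time leads the message. The layout regex, field names and finding labels are assumptions derived from the quoted lines.

```python
import re

# Stored line layout as quoted in this thread (assumed from the excerpts):
#   <PRI>Mon DD HH:MM:SS SOURCE(IP) MESSAGE
LINE_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<received>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<source>[^\s(]+)\((?P<ip>\d{1,3}(?:\.\d{1,3}){3})\) "
    r"(?P<message>.*)$"
)
DATE_RE = re.compile(r"^\d{2}-\d{2}-\d{4}$")          # dd-mm-yyyy in the source slot
LEADING_TIME_RE = re.compile(r"^\d{2}:\d{2}:\d{2} ")  # device clock left in the message


def check_line(line):
    """Return (fields, findings) for one stored line; fields is None if unparsed."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None, ["unparsed"]
    fields = m.groupdict()
    findings = []
    if DATE_RE.match(fields["source"]):
        findings.append("date-in-source")
    elif fields["source"] != fields["ip"]:
        # May be a legitimate hostname; reported so it can be reviewed.
        findings.append("source-differs-from-ip")
    if LEADING_TIME_RE.match(fields["message"]):
        findings.append("device-time-in-message")
    return fields, findings


def audit(lines):
    """Map each sender IP to the sorted findings seen across its lines."""
    report = {}
    for line in lines:
        fields, findings = check_line(line)
        key = fields["ip"] if fields else "unparsed"
        report.setdefault(key, set()).update(findings)
    return {ip: sorted(found) for ip, found in report.items()}


# Sample lines copied from the posts above.
SAMPLE = [
    "<6>Jul 27 15:25:19 10.2.112.3(10.2.112.3) dhcpd: DHCPREQUEST for 10.254.16.11 from 48:43:7c:2a:db:3c via csi6",
    "<5>Jul 27 15:25:55 27-07-2018(10.2.112.209) 15:21:31 vlan.ms[1476]: Port 5 link down",
    "<5>Jul 30 08:22:56 10.2.128.250(10.2.128.250) 08:18:30 vlan.ms[1933]: Port 3 link down",
]

if __name__ == "__main__":
    for ip, findings in audit(SAMPLE).items():
        print(ip, findings or "ok")
```

Grouping by the IP in parentheses rather than by the source field keeps events attributed to the right device even while the source field is wrong.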