Problems sending SYSLOG to Solarwinds


I have pointed our Extreme switches to send SYSLOG messages to Solarwinds. We get IOS and IOS-XR messages OK, but for some reason we do not see the SYSLOG messages come into Solarwinds. I have opened a TAC case with Solarwinds and they determined that there were issues with the syslog messages as they apparently were "not formatted according to RFC 5424".

I am skeptical about this since I have had some modicum of success with other syslog servers capturing syslog messages from XOS, so I just want to verify that there should be no troubles with this and review the configuration so I ensure it is correct.

Here is the way I have our XOS devices configured:

create log filter solarwinds
create log filter memorybuffer
configure log filter solarwinds add events ISIS.NFSM.AdjChg
configure log filter solarwinds add events ospf.neighbor.ChgState
configure log filter solarwinds add events vlan.msgs.portLinkStateUp
configure log filter solarwinds add events vlan.msgs.portLinkStateDown
configure log filter memorybuffer add events ISIS.NFSM.AdjChg
configure log filter memorybuffer add events ospf.neighbor.ChgState
configure log filter memorybuffer add events vlan.msgs.portLinkStateUp
configure log filter memorybuffer add events vlan.msgs.portLinkStateDown
configure log filter memorybuffer add events cli.logRemoteCmd
configure log filter memorybuffer add events AAA.LogSsh
configure log filter memorybuffer add events pim.cache
configure log target memory-buffer filter memorybuffer severity Info
configure log target memory-buffer number-of-messages 20000
configure log target nvram filter DefaultFilter severity Info
configure syslog add 10.253.10.25:514 vr VR-Default local5
enable log target syslog 10.253.10.25:514 vr VR-Default local5
configure log target syslog 10.253.10.25:514 vr VR-Default local5 filter solarwinds severity Info
configure log target syslog 10.253.10.25:514 vr VR-Default local5 match Any
configure log target syslog 10.253.10.25:514 vr VR-Default local5 format timestamp seconds date Mmm-dd event-name none host-name tag-name

Slot-1 CoreSwitch# sh switch | inc Primary
Primary ver: 15.3.2.11 15.3.2.11

Thanks for the consideration

6 replies

Userlevel 4
Hi Evan,

Was the below line of configuration added manually or was it there by default?

"configure log target syslog 10.253.10.25:514 vr VR-Default local5 format timestamp seconds date Mmm-dd event-name none host-name tag-name"

Hello Dorian

This was a manual addition.
Userlevel 4
As a test, could you try removing this line from the configuration to allow the syslog message format to be the default?
Userlevel 7
Hi Evan, Do you still need assistance with this issue?
Hello

I apologize, I got busy with other things and I forgot about this! I thank you for the replies.

When I run,
"unconfigure log target syslog 10.253.10.25:514 vr VR-Default local5 format"
Configuration becomes:
# sh configuration "ems" | inc format
configure log target syslog 10.253.10.25:514 vr VR-Default local5 format timestamp seconds date Mmm-dd event-name none priority tag-name
Is this what it should be? I will make these modifications and report back if it works.

Regards,
Userlevel 4
Hi Evan,

Yes, I believe using the default configuration may get the messages to be formatted according to RFC 5424 as mentioned above.

Please let us know if this works.

Regards,
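
One way to verify the "not formatted according to RFC 5424" finding discussed in this thread is to capture a datagram on the syslog server and test it against the RFC 5424 header grammar and the older BSD (RFC 3164) layout. The following is an added example, not code from the thread or from either vendor; `classify` is a hypothetical helper and the sample messages are constructed, not real ExtremeXOS output.

```python
import re

# RFC 5424: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD [MSG]
RFC5424 = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ver>[1-9]\d{0,2}) "
    r"(?P<ts>-|\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d{1,6})?(?:Z|[+-]\d{2}:\d{2})) "
    r"(?P<host>\S{1,255}) (?P<app>\S{1,48}) (?P<procid>\S{1,128}) (?P<msgid>\S{1,32}) "
    r"(?P<sd>-|(?:\[(?:[^\]\\]|\\.)*\])+)(?: (?P<msg>.*))?$",
    re.DOTALL,
)
# Older BSD style (RFC 3164): <PRI>Mmm dd hh:mm:ss HOSTNAME MSG
BSD = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<msg>.*)$",
    re.DOTALL,
)
LOCAL = {16 + i: f"local{i}" for i in range(8)}  # facility codes 16..23


def classify(datagram: bytes) -> dict:
    """Report which syslog layout a raw UDP payload follows, plus facility/severity."""
    text = datagram.decode("utf-8", errors="replace").rstrip("\r\n")
    match, fmt = RFC5424.match(text), "rfc5424"
    if not match:
        match, fmt = BSD.match(text), "rfc3164"
    # PRI = facility * 8 + severity, so the largest valid value is 23 * 8 + 7 = 191
    if not match or int(match["pri"]) > 191:
        return {"format": "unknown", "facility": None, "severity": None}
    facility, severity = divmod(int(match["pri"]), 8)
    return {"format": fmt, "facility": LOCAL.get(facility, facility), "severity": severity}


# Constructed payloads. PRI 174 = local5 (21) * 8 + Info (6), matching the
# "local5 ... severity Info" target in the configuration above.
SAMPLES = [
    b"<174>1 2016-03-01T10:15:02Z CoreSwitch vlan - portLinkStateUp - Port 1:5 link UP",
    b"<174>Mar  1 10:15:02 CoreSwitch vlan: Port 1:5 link UP",
    b"Mar  1 10:15:02 CoreSwitch vlan: Port 1:5 link UP",  # no <PRI> at all
]

if __name__ == "__main__":
    for payload in SAMPLES:
        print(classify(payload), payload.decode())
```

Feeding it the payload of a packet captured on UDP port 514 shows which layout the switch actually sends before and after the format line is changed.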
