11 Replies. Latest reply: May 21, 2012 1:10 PM by kindbro

Not getting logs from Cisco into NPM Syslog

kindbro

Not sure what is going on here. I've been trying to get my BGP logs into syslog and it just isn't working. I am getting %SYS-5-CONFIG_I: Configured from console by user on vty0 (x.x.x.x), so this confirms my logging is working. But when I clear ip bgp x.x.x.x, my syslog does not report %BGP-5-ADJCHANGE: neighbor x.x.x.x Down User reset and %BGP-5-ADJCHANGE: neighbor x.x.x.x Up. Am I missing something here? Does the syslog not receive the change because the connection is disrupted during the reset? If this is the case, how do I log the changes?

 

Current router logging config:

logging buffered 50000 notifications
logging console notifications
logging source-interface Loopback0
logging x.x.x.x


Thanks in advance!

Bret

 
  • Re: Not getting logs from Cisco into NPM Syslog
    netlogix

    Have you checked (from cmd):

    sc query SolarwindsSyslogService (Solarwinds Syslog service running?)

    netstat -ano | find "514"  (You should get a line like: " UDP    [::]:514               *:*                                    2212" if it is listening)

    tasklist | find "SyslogService.exe"  (Make sure the PID is the same on this line and the previous - maybe something else is listening on syslog port)

    sc stop MpsSvc (stop windows firewall)

     

     

    Next would be to see if the traffic is getting to the server - a network based firewall might be blocking it.

  • Re: Not getting logs from Cisco into NPM Syslog
    dstj

    Did you enable 'bgp log-neighbor-changes' on the router ?...

     

    http://www.cisco.com/en/US/docs/ios/12_0/np1/command/reference/1rbgp.html#wp1018068

     

    e.g.

    router bgp 100
     bgp log-neighbor-changes

     

     

    Dave

    • Re: Not getting logs from Cisco into NPM Syslog
      kindbro


      Yes, I have log-neighbor-changes. Logs are being created for BGP to the syslog buffer, but the logs are not being delivered for those logs to the server. Whereas the configuration change logs are being sent to the syslog server.

      • Re: Not getting logs from Cisco into NPM Syslog
        netlogix

        Is there some syslog rule that might be doing something dumb with it?  If it's showing up in the buffer then that means "notification" level should be good...  I would say do a network capture if you can, that way you can isolate it to either Orion "misplacing" it or if it's the router not sending it.  I like to do yes/no tests to lower the amount of guesswork.

        • Re: Not getting logs from Cisco into NPM Syslog
          kindbro

          Ok, so I did a packet capture. My packet capture revealed that I am getting logs from the router. As a test I shut, then no shut a local interface and the proper logs got sent to buffer. Then I did a clear ip bgp x.x.x.x and the logs were written to buffer. But when I look at my packet capture for these logs they are not there.

           

          I believe the problem is when BGP is reset. Because a small moment of network disruption is experienced, the log can't be sent. So now the problem exists in how do you send to a syslog when connectivity is restored? Things that make you hmmm.

          • Re: Not getting logs from Cisco into NPM Syslog
            dstj

            Anytime I have syslog issues, it's usually due to an improper IP address being used in setup.

             

            So if you can confirm the following...

            • On your Cisco router, ensure that the 'logging x.x.x.x' you mentioned above is indeed pointing to your Solarwinds server IP address.
            • You also mentioned above that you have 'logging source-interface Loopback0'... so on the Cisco router, do a 'show ip int brief' and ensure that the IP address of interface 'Loopback0' is the same as the IP address that Solarwinds is using to manage this router/node.

             

            Dave

            • Re: Not getting logs from Cisco into NPM Syslog
              kindbro

              Thanks Dave, but I have checked and rechecked. I am getting logs to the syslog server. I'm just not getting BGP logs. I have marked out the IPs, but in the capture you can see what I'm getting and the same info in the capture is also reflected in my syslog buffer. But my syslog buffer contains %BGP-5-ADJCHANGE: neighbor x.x.x.x Down User reset and %BGP-5-ADJCHANGE: neighbor x.x.x.x Up whereas my syslog server does not.

              capture.png

              • Re: Not getting logs from Cisco into NPM Syslog
                netlogix

                Ah... dang you stateless connections!!!! (UDP)  So basically the router generates the log and sends it to the buffer, but there isn't a route yet, so it drops it, does that sound like it?

                 

                hmm... so how to get the cisco to hold the syslog packet till it has a route... I don't know how to do that or if it is even possible.  If so, I want that too!

                • Re: Not getting logs from Cisco into NPM Syslog
                  jswan

                  I don't think there's a native way to test reachability to a syslog server and reattempt delivery after an outage. For short outages you might try syslog over TCP. I don't believe NPM does syslog over TCP, but Kiwi does (I wish Solarwinds would roll Kiwi into NPM, actually). I have no idea whether IOS would try redelivery of syslog over TCP after a short outage, but it would be interesting to test.

                   

                  Another way to do this would be to write an IOS EEM applet:

                   

                  event manager applet BGP_WAIT
                   event syslog pattern "BGP-5-ADJCHANGE.*Up"
                   action 1.0 wait 20
                   action 2.0 syslog priority 5 msg "this is a copy of a BGP adjacency up message that you might have missed"

                   

                  That is an unsophisticated version--you could also write a version that would wait until the router can ping the syslog server before sending the second message. Depending on how sophisticated you want to get you might have to write it as a TCL policy.

                • Re: Not getting logs from Cisco into NPM Syslog
                  kindbro


                  I think that about sums it up netlogix.
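
The buffer-versus-capture comparison done by hand in this thread can be scripted to list exactly which router messages never reached the collector. The Python below is an added example, not part of any post above; the sample log lines, the documentation addresses and the trap_level default (IOS "informational", 6, since the posted config has no logging trap line) are assumptions.

```python
import re
from collections import Counter

# Matches the timestamp and %FACILITY-SEVERITY-MNEMONIC tag of an IOS log line,
# with or without the "<PRI>seq:" prefix seen on the wire.
IOS_MSG = re.compile(
    r"(?P<ts>\*?[A-Z][a-z]{2}\s+\d+\s+[\d:.]+): "
    r"%(?P<fac>[A-Z0-9_]+)-(?P<sev>[0-7])-(?P<mn>[A-Z0-9_]+): (?P<text>.*)"
)

def parse(line):
    """Return (timestamp, 'FAC-SEV-MNEMONIC', severity, text) or None."""
    m = IOS_MSG.search(line)
    if not m:
        return None
    tag = f"{m['fac']}-{m['sev']}-{m['mn']}"
    return (m["ts"].lstrip("*"), tag, int(m["sev"]), m["text"].strip())

def lost_in_transit(buffer_lines, received_lines, trap_level=6):
    """Messages in the router buffer that never reached the collector.

    trap_level is the severity the router forwards (assumed IOS default,
    informational = 6); less severe messages are expected to be absent.
    """
    received = Counter(p for p in map(parse, received_lines) if p)
    lost = []
    for p in filter(None, map(parse, buffer_lines)):
        if received[p] > 0:
            received[p] -= 1          # matched one delivered copy
        elif p[2] <= trap_level:
            lost.append(p)            # should have been sent, was not seen
    return lost

# Constructed sample data (documentation addresses, not from the thread).
BUFFER = """\
*May 21 12:00:01.100: %SYS-5-CONFIG_I: Configured from console by user on vty0 (198.51.100.7)
*May 21 12:00:30.200: %BGP-5-ADJCHANGE: neighbor 192.0.2.1 Down User reset
*May 21 12:00:41.900: %BGP-5-ADJCHANGE: neighbor 192.0.2.1 Up
*May 21 12:01:10.000: %LINK-5-CHANGED: Interface Loopback1, changed state to administratively down
""".splitlines()

RECEIVED = """\
<189>41: *May 21 12:00:01.100: %SYS-5-CONFIG_I: Configured from console by user on vty0 (198.51.100.7)
<189>44: *May 21 12:01:10.000: %LINK-5-CHANGED: Interface Loopback1, changed state to administratively down
""".splitlines()

if __name__ == "__main__":
    for ts, tag, _, text in lost_in_transit(BUFFER, RECEIVED):
        print(f"not delivered: {ts} %{tag}: {text}")
```

Feed it the output of show logging and the payloads exported from the capture (or the collector's raw log) for the same time window; matching relies on the router's own timestamps being present in both.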