11 Replies. Latest reply: May 21, 2012 1:10 PM by kindbro

    Not getting logs from Cisco into NPM Syslog

    kindbro

      Not sure what is going on here. I've been trying to get my BGP logs into syslog and it just isn't working. I am getting %SYS-5-CONFIG_I: Configured from console by user on vty0 (x.x.x.x), so this confirms my logging is working. But when I clear ip bgp x.x.x.x, my syslog does not report %BGP-5-ADJCHANGE: neighbor x.x.x.x Down User reset and %BGP-5-ADJCHANGE: neighbor x.x.x.x Up. Am I missing something here? Does the syslog not receive the change because the connection is disrupted during the reset? If this is the case, how do I log the changes?

       

      Current router logging config:

       

      logging buffered 50000 notifications

      logging console notifications

      logging source-interface Loopback0

      logging x.x.x.x

       

      Thanks in advance!

      Bret

        • Re: Not getting logs from Cisco into NPM Syslog
          netlogix

          Have you checked (from cmd):

          sc query SolarwindsSyslogService (Solarwinds Syslog service running?)

          netstat -ano | find "514"  (You should get a line like: " UDP    [::]:514               *:*                                    2212" if it is listening)

          tasklist | find "SyslogService.exe"  (Make sure the PID is the same on this line and the previous - maybe something else is listening on syslog port)

          sc stop MpsSvc (stop windows firewall)

           

           

          Next would be to see if the traffic is getting to the server - a network based firewall might be blocking it.

          • Re: Not getting logs from Cisco into NPM Syslog
            dstj

            Did you enable 'bgp log-neighbor-changes' on the router?

             

            http://www.cisco.com/en/US/docs/ios/12_0/np1/command/reference/1rbgp.html#wp1018068

             

            e.g.

            router bgp 100

             bgp log-neighbor-changes

             

             

            Dave

              • Re: Not getting logs from Cisco into NPM Syslog
                kindbro


                Yes, I have log-neighbor-changes. Logs are being created for BGP to the syslog buffer, but those logs are not being delivered to the server, whereas the configuration change logs are being sent to the syslog server.

                  • Re: Not getting logs from Cisco into NPM Syslog
                    netlogix

                    Is there some syslog rule that might be doing something dumb with it? If it's showing up in the buffer then that means "notification" level should be good... I would say do a network capture if you can, that way you can isolate it to either Orion "misplacing" it or the router not sending it. I like to do yes/no tests to lower the amount of guesswork.

                      • Re: Not getting logs from Cisco into NPM Syslog
                        kindbro

                        Ok, so I did a packet capture. My packet capture revealed that I am getting logs from the router. As a test I shut, then no shut a local interface and the proper logs got sent to buffer. Then I did a clear ip bgp x.x.x.x and the logs were written to buffer. But when I look at my packet capture for these logs they are not there.

                         

                        I believe the problem is when BGP is reset. Because a small moment of network disruption is experienced, the log can't be sent. So now the problem exists in how do you send to a syslog when connectivity is restored? Things that make you hmmm.

                          • Re: Not getting logs from Cisco into NPM Syslog
                            dstj

                            Anytime I have syslog issues, it's usually due to an improper IP address being used in setup.

                             

                            So if you can confirm the following...

                            • On your Cisco router, ensure that 'logging x.x.x.x' you mentioned above is indeed pointing to your SolarWinds server IP address.
                            • You also mentioned above that you have 'logging source-interface Loopback0'... so on the Cisco router, do a 'show ip int brief' and ensure that the IP address of Interface 'Loopback0' is the same as the IP address that Solarwinds is using to manage this router/Node.

                             

                            Dave

                              • Re: Not getting logs from Cisco into NPM Syslog
                                kindbro

                                Thanks Dave, but I have checked and rechecked. I am getting logs to the syslog server. I'm just not getting BGP logs. I have marked out the IPs, but in the capture you can see what I'm getting, and the same info in the capture is also reflected in my syslog buffer. But my syslog buffer contains %BGP-5-ADJCHANGE: neighbor x.x.x.x Down User reset and %BGP-5-ADJCHANGE: neighbor x.x.x.x Up, whereas my syslog server does not.

                                capture.png

                                  • Re: Not getting logs from Cisco into NPM Syslog
                                    netlogix

                                    Ah... dang you stateless connections!!!! (UDP)  So basically the router generates the log and sends it to the buffer, but there isn't a route yet, so it drops it, does that sound like it?

                                     

                                    Hmm... so how to get the Cisco to hold the syslog packet till it has a route... I don't know how to do that or if it is even possible. If so, I want that too!

                                      • Re: Not getting logs from Cisco into NPM Syslog
                                        jswan

                                        I don't think there's a native way to test reachability to a syslog server and reattempt delivery after an outage. For short outages you might try syslog over TCP. I don't believe NPM does syslog over TCP, but Kiwi does (I wish Solarwinds would roll Kiwi into NPM, actually). I have no idea whether IOS would try redelivery of syslog over TCP after a short outage, but it would be interesting to test.

                                         

                                        Another way to do this would be to write an IOS EEM applet:

                                         

                                        event manager applet BGP_WAIT

                                        event syslog pattern "BGP-5-ADJCHANGE.*Up"

                                        action 1.0 wait 20

                                        action 2.0 syslog priority 5 msg "this is a copy of a BGP adjacency up message that you might have missed"

                                         

                                        That is an unsophisticated version--you could also write a version that would wait until the router can ping the syslog server before sending the second message. Depending on how sophisticated you want to get you might have to write it as a TCL policy.
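The yes/no test used in this thread (compare the router's logging buffer with what actually reached the syslog server) can be automated. The following is an added example, not code from any poster or from SolarWinds: it assumes `service timestamps log datetime msec` style timestamps, and the sample lines and 192.0.2.x addresses are constructed.

```python
import re
from collections import Counter

# IOS message body: "<timestamp>: %FACILITY-SEVERITY-MNEMONIC: text".
# Assumes "service timestamps log datetime msec" style timestamps.
IOS_MSG = re.compile(
    r"\*?(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}(?:\.\d+)?)"
    r"(?: [A-Z]{2,5})?: "
    r"%(?P<fac>[A-Z0-9_]+)-(?P<sev>[0-7])-(?P<mnem>[A-Z0-9_]+): (?P<text>.*)$"
)

def parse(lines):
    """Turn raw lines into comparable (ts, facility, severity, mnemonic, text) keys."""
    keys = []
    for line in lines:
        m = IOS_MSG.search(line.strip())
        if m:  # skip banners, blank lines, non-IOS senders
            keys.append((m["ts"], m["fac"], int(m["sev"]), m["mnem"], m["text"]))
    return keys

def undelivered(buffer_lines, collector_lines):
    """Messages in the router buffer that the collector never received."""
    received = Counter(parse(collector_lines))
    missing = []
    for key in parse(buffer_lines):
        if received[key] > 0:
            received[key] -= 1      # consume one matching delivery
        else:
            missing.append(key)
    return missing

# Constructed sample data (documentation addresses, not from the thread).
BUFFER_LINES = """\
*May 21 12:57:40.101: %SYS-5-CONFIG_I: Configured from console by user on vty0 (192.0.2.50)
*May 21 12:58:02.310: %LINK-5-CHANGED: Interface FastEthernet0/1, changed state to administratively down
*May 21 12:59:10.004: %BGP-5-ADJCHANGE: neighbor 192.0.2.1 Down User reset
*May 21 12:59:31.870: %BGP-5-ADJCHANGE: neighbor 192.0.2.1 Up
""".splitlines()
COLLECTOR_LINES = """\
<189>41: *May 21 12:57:40.101: %SYS-5-CONFIG_I: Configured from console by user on vty0 (192.0.2.50)
<189>42: *May 21 12:58:02.310: %LINK-5-CHANGED: Interface FastEthernet0/1, changed state to administratively down
""".splitlines()

if __name__ == "__main__":
    for ts, fac, sev, mnem, text in undelivered(BUFFER_LINES, COLLECTOR_LINES):
        print(f"not delivered: {ts} %{fac}-{sev}-{mnem}: {text}")
```

Feed it the output of `show logging` and the collector's export for the same window; a gap confined to one facility around a routing event points at UDP loss during reconvergence rather than a filter rule on the server.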

                                        • Re: Not getting logs from Cisco into NPM Syslog
                                          kindbro


                                          I think that about sums it up, netlogix.