All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

I cannot get Cisco Nexus 6004 to send syslog data to Splunk

tigerpaws
New Member
‎04-06-2018 02:52 PM

Hello,

I am trying to get a Cisco Nexus 6004 to send its syslog data to a Splunk server. Below is my Nexus syslog configuration:

vrf context management
ip route 0.0.0.0/0 mgmt0 10.211.152.129

interface mgmt0
vrf member management
ip address 10.211.152.188/26

interface loopback0
ip address 10.211.137.251/32

logging logfile testlog 6 size 409600
logging server 10.211.147.126 5 use-vrf management facility syslog
logging source-interface loopback0
logging timestamp microseconds

From the console of the Nexus 6004, I can ping the syslog server's IP address of 10.211.147.126 using the vrf management interface as follows:

ping 10.211.147.126 vrf management

However, the syslog server does not receive any log information from the Nexus when I check it. I really appreciate any info that you can share.

Thanks

Tags (1)
0 Karma
Reply

tigerpaws
New Member
‎04-06-2018 04:17 PM

Hello esix,

Thank you for your response. Do you know if Cisco Nexus 6004 uses default UDP port 514 to send its syslog data to the Syslog Server?

0 Karma
Reply

esix_splunk
Splunk Employee
Splunk Employee
‎04-06-2018 06:08 PM

Not sure on that, havent used the nexus in a few years. But by default in IOS, it is. HEre's a link to start :

https://www.cisco.com/c/en/us/td/docs/switches/datacenter/sw/5_x/nx-os/system_management/configurati...

Against, run tcpdump / wireshark on the host. If its being sent over TCP, or a different UDP, it will catch it.

0 Karma
Reply

esix_splunk
Splunk Employee
Splunk Employee
‎04-06-2018 04:00 PM

Im going under the assumption that you have already configured Splunk to receive UDP data on port 514, via this : https://docs.splunk.com/Documentation/Splunk/7.0.3/Data/Monitornetworkports#Configure_a_UDP_input

The next step would be to make sure that your network can receive syslog over UDP from your nexus. Use a tool like tcpdump or wireshark on your Splunk box to see if the UDP/Syslog traffic is actually going to the box. If it is, then you need to re-read the above link and recreate the UDP input in a inputs.conf file on your Splunk instance. Otherwise, if TCPdump/wireshark doesnt see your syslog stream, then most likely you have a network configuration issue on the Nexus.

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...