I cannot get Cisco Nexus 6004 to send syslog data to Splunk

tigerpaws
New Member

Hello,

I am trying to get a Cisco Nexus 6004 to send its syslog data to a Splunk server. Below is my Nexus syslog configuration:

vrf context management
ip route 0.0.0.0/0 mgmt0 10.211.152.129

interface mgmt0
vrf member management
ip address 10.211.152.188/26

interface loopback0
ip address 10.211.137.251/32

logging logfile testlog 6 size 409600
logging server 10.211.147.126 5 use-vrf management facility syslog
logging source-interface loopback0
logging timestamp microseconds

From the console of the Nexus 6004, I can ping the syslog server's IP address of 10.211.147.126 using the vrf management interface as follows:

ping 10.211.147.126 vrf management

However, the syslog server does not receive any log information from the Nexus when I check it. I really appreciate any info that you can share.

Thanks

0 Karma

tigerpaws
New Member

Hello esix,

Thank you for your response. Do you know if Cisco Nexus 6004 uses default UDP port 514 to send its syslog data to the Syslog Server?

0 Karma

esix_splunk
Splunk Employee

Not sure on that, haven't used the Nexus in a few years. But by default in IOS, it is. Here's a link to start:

https://www.cisco.com/c/en/us/td/docs/switches/datacenter/sw/5_x/nx-os/system_management/configurati...

Again, run tcpdump / Wireshark on the host. If it's being sent over TCP, or a different UDP port, it will catch it.

0 Karma

esix_splunk
Splunk Employee

I'm going under the assumption that you have already configured Splunk to receive UDP data on port 514, via this: https://docs.splunk.com/Documentation/Splunk/7.0.3/Data/Monitornetworkports#Configure_a_UDP_input

The next step would be to make sure that your network can receive syslog over UDP from your Nexus. Use a tool like tcpdump or Wireshark on your Splunk box to see if the UDP/syslog traffic is actually going to the box. If it is, then you need to re-read the above link and recreate the UDP input in an inputs.conf file on your Splunk instance. Otherwise, if tcpdump/Wireshark doesn't see your syslog stream, then most likely you have a network configuration issue on the Nexus.

0 Karma
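A small listener for the check described in the reply above, as an added example that is not part of the original thread: run on the receiving host, it shows whether syslog datagrams reach UDP 514, whether they come from the switch's mgmt0 or loopback0 address (both taken from the posted config), and which facility and severity the PRI carries. The sample datagram is constructed, and the script assumes nothing else, such as Splunk's own UDP input, is already bound to the port.

```python
import re
import socket

# Addresses from the posted config: mgmt0 and loopback0 (the logging source-interface).
SWITCH_ADDRS = {"10.211.152.188": "mgmt0", "10.211.137.251": "loopback0"}
FACILITIES = ("kern user mail daemon auth syslog lpr news uucp cron authpriv ftp "
              "ntp audit alert clock local0 local1 local2 local3 local4 local5 "
              "local6 local7").split()
SEVERITIES = "emerg alert crit err warning notice info debug".split()
PRI_RE = re.compile(rb"^<(\d{1,3})>")

# Constructed sample datagram (not captured from a real switch): PRI 45 = syslog.notice
SAMPLE = b"<45>: 2018 Mar 20 10:15:01.123456 UTC: %EXAMPLE-5-TEST: constructed message"


def decode_pri(datagram):
    """Return (facility, severity) from the leading <PRI>, or None if absent/invalid."""
    m = PRI_RE.match(datagram)
    if not m or int(m.group(1)) > 191:   # 23 * 8 + 7 is the largest valid PRI
        return None
    pri = int(m.group(1))
    return FACILITIES[pri >> 3], SEVERITIES[pri & 7]


def classify(datagram, source_ip):
    """Summarise one datagram: which switch interface sent it and what it carries."""
    return {
        "source": source_ip,
        "interface": SWITCH_ADDRS.get(source_ip),   # None = not one of the switch's addresses
        "pri": decode_pri(datagram),
        "text": datagram.decode("utf-8", "replace")[:120],
    }


def listen(port=514, bind_addr="0.0.0.0"):
    """Print a summary of every UDP datagram on the port (binding below 1024 needs root)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((bind_addr, port))
        while True:
            data, (ip, _src_port) = sock.recvfrom(65535)
            print(classify(data, ip))


if __name__ == "__main__":
    print(classify(SAMPLE, "10.211.137.251"))   # offline self-check on the sample
    listen()
```

tcpdump captures packets before the host firewall processes them, while this listener only sees what reaches the socket, so traffic visible in tcpdump but not here points at local filtering on the receiving host.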