Hello,
I am trying to get a Cisco Nexus 6004 to send its syslog data to a Splunk server. Below is my Nexus syslog configuration:
vrf context management
  ip route 0.0.0.0/0 mgmt0 10.211.152.129
interface mgmt0
  vrf member management
  ip address 10.211.152.188/26
interface loopback0
  ip address 10.211.137.251/32
logging logfile testlog 6 size 409600
logging server 10.211.147.126 5 use-vrf management facility syslog
logging source-interface loopback0
logging timestamp microseconds
From the console of the Nexus 6004, I can ping the syslog server's IP address of 10.211.147.126 using the vrf management interface as follows:
However, the syslog server does not receive any log information from the Nexus when I check it. I really appreciate any info that you can share.
Thanks
Hello esix,
Thank you for your response. Do you know if Cisco Nexus 6004 uses default UDP port 514 to send its syslog data to the Syslog Server?
Not sure on that, haven't used the Nexus in a few years. But by default in IOS, it is. Here's a link to start :
Again, run tcpdump / wireshark on the host. If it's being sent over TCP, or a different UDP, it will catch it.
I'm going under the assumption that you have already configured Splunk to receive UDP data on port 514, via this : https://docs.splunk.com/Documentation/Splunk/7.0.3/Data/Monitornetworkports#Configure_a_UDP_input
The next step would be to make sure that your network can receive syslog over UDP from your Nexus. Use a tool like tcpdump or wireshark on your Splunk box to see if the UDP/Syslog traffic is actually going to the box. If it is, then you need to re-read the above link and recreate the UDP input in an inputs.conf file on your Splunk instance. Otherwise, if tcpdump/wireshark doesn't see your syslog stream, then most likely you have a network configuration issue on the Nexus.
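The arrival check suggested above can also be done with a small listener on the Splunk host. This is an added example, not part of the original posts: it reports each datagram's source address and decodes the syslog `<PRI>` header. The expected source addresses (loopback0 and mgmt0) and the facility/severity values are taken from the posted configuration; the function names and the assumption that the switch prefixes messages with a standard `<PRI>` header are this example's own.

```python
import re
import socket

FACILITY_SYSLOG = 5   # assumption: "facility syslog" maps to standard syslog facility code 5
MAX_SEVERITY = 5      # level 5 on the posted "logging server" line (severities 0-5 are sent)
PRI_RE = re.compile(rb"^<(\d{1,3})>")


def decode_pri(datagram: bytes):
    """Return (facility, severity) from a syslog <PRI> header, or None."""
    m = PRI_RE.match(datagram)
    if not m or int(m.group(1)) > 191:
        return None
    pri = int(m.group(1))
    return pri >> 3, pri & 7


def classify(datagram: bytes, src_ip: str, expected_sources):
    """Compare one datagram with what the posted config should produce."""
    decoded = decode_pri(datagram)
    if decoded is None:
        return "not-syslog"
    facility, severity = decoded
    if src_ip not in expected_sources:
        return "unexpected-source"
    if facility != FACILITY_SYSLOG or severity > MAX_SEVERITY:
        return "unexpected-pri"
    return "ok"


def listen(host="0.0.0.0", port=514, count=10, timeout=30.0,
           expected_sources=("10.211.137.251", "10.211.152.188")):
    """Print a verdict for up to `count` datagrams and return the verdicts."""
    verdicts = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((host, port))
        sock.settimeout(timeout)
        try:
            for _ in range(count):
                data, (src_ip, src_port) = sock.recvfrom(8192)
                verdicts.append(classify(data, src_ip, expected_sources))
                print(f"{src_ip}:{src_port} {verdicts[-1]} {data[:120]!r}")
        except socket.timeout:
            print("no further datagrams before the timeout")
    return verdicts


if __name__ == "__main__":
    listen()  # port 514 needs root and must not already be bound by Splunk
```

An empty result after generating a log event on the switch means nothing reached the host on that port, which points back at the network path or the Nexus configuration rather than at inputs.conf.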