I cannot get Cisco Nexus 6004 to send syslog data to Splunk

tigerpaws
New Member

Hello,

I am trying to get a Cisco Nexus 6004 to send its syslog data to a Splunk server. Below is my Nexus syslog configuration:

vrf context management
ip route 0.0.0.0/0 mgmt0 10.211.152.129

interface mgmt0
vrf member management
ip address 10.211.152.188/26

interface loopback0
ip address 10.211.137.251/32

logging logfile testlog 6 size 409600
logging server 10.211.147.126 5 use-vrf management facility syslog
logging source-interface loopback0
logging timestamp microseconds

From the console of the Nexus 6004, I can ping the syslog server's IP address of 10.211.147.126 using the vrf management interface as follows:

ping 10.211.147.126 vrf management

However, the syslog server does not receive any log information from the Nexus when I check it. I really appreciate any info that you can share.

Thanks

0 Karma

tigerpaws
New Member

Hello esix,

Thank you for your response. Do you know if Cisco Nexus 6004 uses default UDP port 514 to send its syslog data to the Syslog Server?

0 Karma

esix_splunk
Splunk Employee

Not sure on that, haven't used the Nexus in a few years. But by default in IOS, it is. Here's a link to start:

https://www.cisco.com/c/en/us/td/docs/switches/datacenter/sw/5_x/nx-os/system_management/configurati...

Again, run tcpdump / Wireshark on the host. If it's being sent over TCP, or a different UDP, it will catch it.

0 Karma

esix_splunk
Splunk Employee

I'm going under the assumption that you have already configured Splunk to receive UDP data on port 514, via this: https://docs.splunk.com/Documentation/Splunk/7.0.3/Data/Monitornetworkports#Configure_a_UDP_input

The next step would be to make sure that your network can receive syslog over UDP from your Nexus. Use a tool like tcpdump or Wireshark on your Splunk box to see if the UDP/syslog traffic is actually going to the box. If it is, then you need to re-read the above link and recreate the UDP input in an inputs.conf file on your Splunk instance. Otherwise, if tcpdump/Wireshark doesn't see your syslog stream, then most likely you have a network configuration issue on the Nexus.

0 Karma
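An added example, not part of any post in this thread: a small UDP receiver that can stand in for the packet capture suggested above, reporting the source address each datagram arrives from and the facility and severity decoded from its `<PRI>` header. The sample message is constructed (the NX-OS message layout is an assumption), and binding port 514 needs root and fails while Splunk's own UDP input holds the port.

```python
import re
import socket
import sys

# Facility and severity names by number (RFC 3164 / RFC 5424).
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock"]
FACILITIES += ["local%d" % i for i in range(8)]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
PRI_RE = re.compile(rb"^<(\d{1,3})>")

# Constructed sample: PRI 45 = facility syslog (5) * 8 + severity notice (5),
# matching "logging server ... 5 ... facility syslog" in the question.
SAMPLE = b"<45>: 2018 Mar 20 10:11:12.123456 UTC: %ETHPORT-5-IF_UP: Interface Ethernet1/1 is up"

def decode(datagram, peer):
    """Return the sender plus facility/severity; both are None if PRI is absent or invalid."""
    rec = {"src": peer[0], "sport": peer[1], "facility": None, "severity": None,
           "text": datagram.decode("utf-8", errors="replace")}
    m = PRI_RE.match(datagram)
    if m and int(m.group(1)) <= 191:          # 191 = local7.debug, the highest valid PRI
        pri = int(m.group(1))
        rec["facility"] = FACILITIES[pri >> 3]
        rec["severity"] = SEVERITIES[pri & 7]
    return rec

def listen(port=514, bind="0.0.0.0", count=5, timeout=30.0):
    """Collect up to `count` datagrams; an empty list means nothing arrived before the timeout."""
    seen = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind((bind, port))
        s.settimeout(timeout)
        try:
            while len(seen) < count:
                data, peer = s.recvfrom(8192)
                seen.append(decode(data, peer))
        except socket.timeout:
            pass
    return seen

if __name__ == "__main__":
    port = int(sys.argv[1]) if len(sys.argv) > 1 else 514
    records = listen(port=port)
    for r in records:
        print("%(src)s:%(sport)s %(facility)s.%(severity)s %(text)s" % r)
    if not records:
        print("no syslog datagrams received on UDP/%d" % port)
```

The `src` column shows which address the switch actually sends from, which is what any firewall rule or Splunk host restriction has to match.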