Hi,
I have a Cisco 3850 switch stack sending syslog messages to my Graylog install, but for some reason the syslog messages show up using strange/unknown characters in Graylog. Here is an example of the messages being relayed to Graylog:
2017-12-18 02:17:41.577 10.6.70.253
PO-SW-SVR-SS-02: [syslog@9 ���p�Z�\ު� �M� �e �e8���3��h#
2017-12-18 02:17:41.576 10.6.70.253
PO-SW-SVR-SS-02: [syslog@9 ���pnm�ɚު� ��ePO-SW-SVR-SS-02.poweron…cm
2017-12-18 02:17:37.979 10.6.70.253
PO-SW-SVR-SS-02: [syslog@9 ���pnm�Ƀݪ� ���PO-SW-SVR-SS-02.poweron.cm Ci
2017-12-18 02:17:37.979 10.6.70.253
PO-SW-SVR-SS-02: [syslog@9 ���pnm�ɚD�� �!PO-SW-SVR-SS-02.poweron.cmGigabitEthernet1/0/26ata
2017-12-18 02:00:49.604 10.6.70.253
PO-SW-SVR-SS-02: [syslog@9 ���pnm�ɋު� �CPO-SW-SVR-SS-02.poweron.cm Cisco IOS Software, Ca
2017-12-18 02:00:47.603 10.6.70.253
PO-SW-SVR-SS-02: [syslog@9 ���p�Z�\ު� y_� x x;�@�3�d$)
2017-12-18 01:59:52.724 10.6.70.253
PO-SW-SVR-SS-02: [syslog@9 ���pnm�ɬD�� t\� se se;��3�?t#
2017-12-18 01:59:52.723 10.6.70.253
PO-SW-SVR-SS-02: [syslog@9 ���pnm�ɬު� ��PO-SW-SVR-SS-02.poweron.cm
2017-12-18 01:59:48.944 10.6.70.253
PO-SW-SVR-SS-02: [syslog@9 ���pnmn7પ tHh s s
2017-12-18 01:59:48.944 10.6.70.253
PO-SW-SVR-SS-02: [syslog@9 ���pnm�ɬD�� �#PO-SW-SVR-SS-02.poweron.cmGigabitEthernet1/0/44
2017-12-18 01:37:45.006 10.6.70.253
PO-SW-SVR-SS-02: [syslog@9 ���p�Z�\ ު� ��APO-SW-SVR-SS-02.poweron.cm
2017-12-18 01:37:45.006 10.6.70.253
PO-SW-SVR-SS-02: [syslog@9 ���p�Z�.ު� ^� a- a-8�t3���)
2017-12-18 01:37:42.401 10.6.70.253
PO-SW-SVR-SS-02: [syslog@9 ���p�Z�G�ު� � � �
2017-12-18 01:37:41.392 10.6.70.253
PO-SW-SVR-SS-02: [syslog@9 ���pnm�Ɇݪ� a�� r r;+�3��|)
2017-12-18 01:36:39.036 10.6.70.253
PO-SW-SVR-SS-02: [syslog@9 ���p�Z�\ ު� ��APO-SW-SVR-SS-02.poweron.c*m
2017-12-18 01:36:39.036 10.6.70.253
PO-SW-SVR-SS-02: [syslog@9 ���pnm�ɰު� T � �8�t
3�/�)
2017-12-18 01:36:35.534 10.6.70.253
PO-SW-SVR-SS-02: [syslog@9 ���p�Z�
ު� �� � �
2017-12-18 01:36:34.532 10.6.70.253
PO-SW-SVR-SS-02: [syslog@9 ���pnm�Ɋު� �@PO-SW-SVR-SS-02.poweron.c*m Cisco IOS Software, Cata
Now that I am looking at the log files on the switch stack itself, I am noticing that the messages all start out with % (percentage signs) directly after the time stamp (see below for examples):
Dec 18 01:37:41.398: %LINK-3-UPDOWN: Interface GigabitEthernet2/0/32, changed state to down
Dec 18 01:37:43.999: %LINK-3-UPDOWN: Interface GigabitEthernet2/0/32, changed state to up
Dec 18 01:37:44.999: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet2/0/32, changed state to up
Dec 18 01:59:47.940: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/44, changed state to down
Dec 18 01:59:48.936: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/44, changed state to down
Dec 18 01:59:51.716: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/44, changed state to up
Dec 18 01:59:52.716: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/44, changed state to up
Dec 18 02:00:46.597: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/44, changed state to down
Dec 18 02:00:48.596: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/44, changed state to up
Dec 18 02:17:36.968: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/26, changed state to down
Dec 18 02:17:37.968: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/26, changed state to down
Dec 18 02:17:40.567: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/26, changed state to up
Dec 18 02:17:41.569: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/26, changed state to up
Dec 18 02:17:53.616: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/26, changed state to down
Dec 18 02:17:55.627: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/26, changed state to up
Dec 18 02:30:42.876: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet2/0/32, changed state to down
Dec 18 02:30:43.888: %LINK-3-UPDOWN: Interface GigabitEthernet2/0/32, changed state to down
Dec 18 02:30:47.407: %LINK-3-UPDOWN: Interface GigabitEthernet2/0/32, changed state to up
Dec 18 02:30:48.408: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet2/0/32, changed state to up
Dec 18 02:31:49.729: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet2/0/32, changed state to down
Dec 18 02:31:50.726: %LINK-3-UPDOWN: Interface GigabitEthernet2/0/32, changed state to down
Dec 18 02:31:53.268: %LINK-3-UPDOWN: Interface GigabitEthernet2/0/32, changed state to up
Dec 18 02:31:54.272: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet2/0/32, changed state to up
Is there any possibility the % is being interpreted as a variable or some other type of command line argument by Graylog? Just throwing ideas out there…
None of my other Cisco switches I have logging over syslog seem to be doing this. Any ideas?
Thanks
Richard
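
One way to check whether the datagrams reaching the syslog input are text syslog at all, independent of how `%` is handled (an added example, not part of the original post). The two sample payloads, including the `42:` sequence number, are constructed; in practice the bytes would come from a packet capture of the traffic from 10.6.70.253.

```python
import re

# RFC 3164 / RFC 5424 messages start with "<PRI>", PRI = facility * 8 + severity (0..191).
PRI_RE = re.compile(rb"^<(\d{1,3})>")
# Cisco IOS tag as it appears in the switch's own log: %FACILITY-SEVERITY-MNEMONIC:
CISCO_TAG_RE = re.compile(rb"%([A-Z0-9_]+)-([0-7])-([A-Z0-9_]+):")

# Constructed sample: a text syslog datagram carrying one of the switch's log lines.
TEXT_SAMPLE = (b"<187>42: Dec 18 01:37:41.398: %LINK-3-UPDOWN: "
               b"Interface GigabitEthernet2/0/32, changed state to down")
# Constructed sample: arbitrary binary bytes with the hostname embedded in them.
BINARY_SAMPLE = b"\x8f\x01\xde\xaa\x00\x1c" + b"PO-SW-SVR-SS-02" + b"\x00\xff\x83\x01"


def printable_ratio(payload: bytes) -> float:
    """Fraction of bytes that are printable ASCII (0x25 '%' included) or whitespace."""
    if not payload:
        return 0.0
    ok = sum(1 for b in payload if 0x20 <= b <= 0x7E or b in (0x09, 0x0A, 0x0D))
    return ok / len(payload)


def classify_datagram(payload: bytes) -> dict:
    """Report whether a UDP payload has a syslog header and how much of it is text."""
    result = {"kind": "not-syslog", "printable": round(printable_ratio(payload), 2)}
    m = PRI_RE.match(payload)
    if m and int(m.group(1)) <= 191:
        pri = int(m.group(1))
        result.update(kind="syslog", facility=pri >> 3, severity=pri & 7)
        tag = CISCO_TAG_RE.search(payload)
        if tag:
            result["cisco_tag"] = tag.group(0).decode("ascii").rstrip(":")
    return result


if __name__ == "__main__":
    for name, data in (("text", TEXT_SAMPLE), ("binary", BINARY_SAMPLE)):
        print(name, classify_datagram(data))
```

A payload that lacks the `<PRI>` header and has a low printable ratio was not produced by the device's syslog logger, whatever input it was delivered to.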