I have some Cisco switches that are not being logged and some that are being logged. All Cisco switches have the same config, “logging host 10.10.10.10”. I know the switches are sending the logs to the Graylog server, because I ran tcpdump and I see the IP addresses of the switches, but I don’t see logs in Graylog.
How can I fix this?
Which type of input do you use? Because Cisco doesn’t follow the RFC for syslog, it’s best to use a Raw input and parsers/pipeline rules to extract fields.
Also check whether the switches send the hostname in the syslog message:
logging origin-id string/hostname/ip
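The reply above says IOS syslog lines do not follow the RFC header shape and recommends a Raw input with pipeline rules that extract fields. As an added example (not from this thread and not Graylog's own parser), the Python below parses IOS-style lines in the three origin-id shapes discussed (no origin-id, hostname, IP), checks which lines even have an RFC 3164-shaped header, and tallies per-origin counts, which is the kind of triage you would do after steering one switch onto a Raw input. The sample lines are constructed, and the RFC 3164 check is a minimal header-shape test, not a full parser.

```python
import re
from dataclasses import dataclass, asdict
from typing import Optional

# Constructed sample lines (not captures from the thread) covering the origin-id variants
# discussed above, plus one RFC 3164-shaped line from a non-Cisco host for contrast.
SAMPLES = [
    "<189>*Mar  1 00:00:53.443: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to up",
    "<189>45: sw-core-1: *Mar  1 00:12:34.567: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.10.10.5)",
    "<187>112: 10.10.20.2: Jan 10 10:00:00.123 UTC: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/1, changed state to down",
    "<34>Oct 11 22:14:15 mymachine su: 'su root' failed for lonvick on /dev/pts/8",
]

PRI_RE = re.compile(r"^<(\d{1,3})>")
# IOS message body: %FACILITY-SEVERITY-MNEMONIC: free text
BODY_RE = re.compile(r"%([A-Z][A-Z0-9_]*)-(\d)-([A-Z0-9_]+):\s*(.*)$")
SEQ_RE = re.compile(r"^\d+$")
# IOS timestamp styles: "*Mar  1 00:12:34.567" (clock not authoritative), "Jan 10 10:00:00.123 UTC",
# or uptime forms such as "00:12:34" and "1w2d"
TS_RE = re.compile(
    r"^(?:[*.]?(?:[A-Z][a-z]{2}\s+\d{1,2}\s+)?\d{2}:\d{2}:\d{2}(?:\.\d{1,3})?(?:\s+[A-Za-z]+)?|(?:\d+[wdhm])+)$"
)
# Minimal RFC 3164 header shape: <PRI>Mmm dd hh:mm:ss HOSTNAME ...
RFC3164_RE = re.compile(r"^<\d{1,3}>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2} \S+ ")


@dataclass
class CiscoSyslog:
    facility_code: int        # from PRI (Cisco default is local7 = 23)
    severity: int             # from PRI, 0-7
    sequence: Optional[int]   # present only with "service sequence-numbers"
    origin: Optional[str]     # whatever "logging origin-id" inserted, or None
    timestamp: Optional[str]
    ios_facility: str
    ios_severity: int
    mnemonic: str
    message: str


def looks_like_rfc3164(line: str) -> bool:
    """True when the line starts with the header shape a strict RFC 3164 parser expects."""
    return RFC3164_RE.match(line) is not None


def parse_cisco_syslog(line: str) -> Optional[CiscoSyslog]:
    """Parse an IOS-style line: <PRI>[seq: ][origin: ][timestamp: ]%FAC-SEV-MNEMONIC: text."""
    pri_m = PRI_RE.match(line)
    if not pri_m:
        return None
    pri = int(pri_m.group(1))
    rest = line[pri_m.end():]
    body = BODY_RE.search(rest)
    if not body:
        return None  # no %FACILITY-SEVERITY-MNEMONIC, so not an IOS-style message
    # Everything before the body is a ": "-separated header; timestamps contain ":" but never ": ".
    header_parts = [p.strip() for p in rest[:body.start()].split(": ") if p.strip()]
    sequence = origin = timestamp = None
    for i, part in enumerate(header_parts):
        if i == 0 and SEQ_RE.match(part):
            sequence = int(part)          # sequence number is always first when present
        elif TS_RE.match(part):
            timestamp = part
        elif origin is None:
            origin = part                 # hostname, IP or origin-id string (assumed non-numeric)
    return CiscoSyslog(
        facility_code=pri >> 3, severity=pri & 7, sequence=sequence, origin=origin,
        timestamp=timestamp, ios_facility=body.group(1), ios_severity=int(body.group(2)),
        mnemonic=body.group(3), message=body.group(4).strip(),
    )


def triage(lines):
    """Count RFC-shaped vs IOS-shaped lines and tally IOS lines per origin-id value."""
    result = {"rfc3164": 0, "cisco": 0, "neither": 0, "origins": {}}
    for line in lines:
        rfc = looks_like_rfc3164(line)
        parsed = parse_cisco_syslog(line)
        if rfc:
            result["rfc3164"] += 1
        if parsed:
            result["cisco"] += 1
            key = parsed.origin or "(no origin-id)"
            result["origins"][key] = result["origins"].get(key, 0) + 1
        elif not rfc:
            result["neither"] += 1
    return result


if __name__ == "__main__":
    for sample in SAMPLES:
        parsed = parse_cisco_syslog(sample)
        print("RFC3164" if looks_like_rfc3164(sample) else "       ", asdict(parsed) if parsed else "not IOS")
    print(triage(SAMPLES))
```

Lines with no origin-id show up as "(no origin-id)" in the tally; that is the case where the receiving side has only the packet's source address to identify the switch, which is why the thread suggests `logging origin-id`.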
I have added “logging origin-id hostname” as well, but no luck. I see the switch IP address in my tcpdump on the Graylog server, but it’s not showing up in the Graylog search.
Try creating a Raw input, redirect only one of the non-functioning switches to the new input, and analyze.
Cisco will only log to port 514, which by default you cannot use as the port of an Input, because the Graylog user is non-root and non-root users cannot open ports below… 1024, I think.
Anyway, you will need to create an input using port 5140 and then, using the OS firewall, set up port forwarding from 514 to 5140.
If this sounds like a direction, I can provide more info on the steps. Thank you, Zach.