Unable to collect logs from Cisco Nexus

Description of your problem

I am unable to collect logs from a Cisco Nexus 3524 switch. This particular model doesn’t allow a custom port, it only sends logs on udp 514. I am running a syslog TCP and UDP input in port 1514. To collect logs from the Nexus switch, I added a redirect on iptables to catch tcp and udp on port 514. I tested this by temporarily changing the logging address on an HP switch to udp and port 514, and I instantly received logs on Graylog. But the Cisco Nexus switch doesn’t seem to work.

Description of steps you’ve taken to attempt to solve the issue

I can ping from the switch to the graylog server. I ran tcpdump on the graylog server and could see the packets flow from the HP switch sending to port 514, but nothing from the Nexus switch. The Nexus switch is on the same VLAN as the syslog server. The Nexus switch was showing an “unreachable server” error until I restarted the syslog server; I searched about this online and it seems to be a bug of the switch.

I’ve been able to monitor several HP and traditional Cisco Switches, but for some reason Nexus is giving me a ton of issues. Please let me know if I missed something.

Environmental information

Graylog and the Nexus switch are on the same VLAN, graylog has a secondary interface for internet access.

Operating system information

(Debian 11.0.12 on Linux 5.10.0-8-amd64)

Package versions

Graylog 4.1.5+01c9198
Mongod v4.2.16
Elasticsearch 7.10.2

Screenshots

As a new user I can only post two links
Iptables on Graylog and port forwarding: https://i.imgur.com/1uCREsp.png
Graylog inputs and switch logging config/ping: https://i.imgur.com/KTh2Ub0.png
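Two checks the poster ran by hand (is the port-514 redirect actually in place, and which switches show up in tcpdump on port 514) can be scripted so the result is unambiguous. The following is an added example, not code from the original poster or from Graylog; the `iptables-save` output and tcpdump lines embedded in it are constructed, and the IP addresses are placeholders. It assumes the same layout as the thread: a Syslog input on 1514 and an iptables PREROUTING REDIRECT from 514.

```python
"""Diagnostic helpers for a syslog collector that redirects 514 -> 1514.

Hypothetical example: parses `iptables-save -t nat` output and a tcpdump
text capture so that "is the redirect present" and "which senders reach
port 514 at all" become function results instead of eyeballing.
"""
import re
from typing import Dict, List, Set, Tuple

# Constructed sample of `iptables-save -t nat` on the collector.
IPTABLES_SAVE = """\
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -p udp -m udp --dport 514 -j REDIRECT --to-ports 1514
-A PREROUTING -p tcp -m tcp --dport 514 -j REDIRECT --to-ports 1514
COMMIT
"""

# Constructed sample of `tcpdump -n -i eth0 port 514 or port 1514`.
# tcpdump captures on ingress before the nat PREROUTING hook runs, so a
# redirected syslog packet still shows its original destination port 514.
TCPDUMP_LINES = """\
12:00:01.000001 IP 10.10.20.5.49152 > 10.10.20.10.514: SYSLOG local7.info, length 120
12:00:02.000002 IP 10.10.20.5.49152 > 10.10.20.10.514: SYSLOG local7.notice, length 98
12:00:03.000003 IP 10.10.20.7.51000 > 10.10.20.10.1514: SYSLOG user.info, length 64
"""

RULE_RE = re.compile(
    r"-A PREROUTING -p (udp|tcp) .*--dport (\d+) -j REDIRECT --to-ports (\d+)"
)
PKT_RE = re.compile(r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+):")


def redirect_rules(save_output: str) -> Dict[str, Tuple[int, int]]:
    """Map protocol -> (from_port, to_port) for each PREROUTING REDIRECT rule."""
    rules: Dict[str, Tuple[int, int]] = {}
    for line in save_output.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            rules[m.group(1)] = (int(m.group(2)), int(m.group(3)))
    return rules


def missing_redirects(rules: Dict[str, Tuple[int, int]],
                      from_port: int = 514, to_port: int = 1514) -> List[str]:
    """Protocols that lack the expected REDIRECT (empty list means both are set)."""
    return [p for p in ("udp", "tcp") if rules.get(p) != (from_port, to_port)]


def senders_to_port(capture: str, port: int) -> Set[str]:
    """Source addresses seen sending to the given destination port."""
    sources: Set[str] = set()
    for line in capture.splitlines():
        m = PKT_RE.search(line)
        if m and int(m.group(4)) == port:
            sources.add(m.group(1))
    return sources


def silent_senders(capture: str, expected: Set[str], port: int = 514) -> List[str]:
    """Expected log sources that never appear on the wire: the switch-side
    problem the thread ends up with (wrong VRF) shows up here, not in Graylog."""
    return sorted(expected - senders_to_port(capture, port))


if __name__ == "__main__":
    rules = redirect_rules(IPTABLES_SAVE)
    print("redirect rules:", rules)
    print("missing redirects:", missing_redirects(rules) or "none")
    # Placeholder addresses: 10.10.20.5 stands for the HP switch that works,
    # 10.10.20.6 for the Nexus that is expected but never seen.
    print("silent senders:", silent_senders(TCPDUMP_LINES, {"10.10.20.5", "10.10.20.6"}))
```

If `missing_redirects` is empty and a device is still listed by `silent_senders`, the collector is not the problem and the search moves to the sender (routing, VRF, ACLs), which is exactly the order of elimination the thread follows.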

Hello && Welcome

Have you tried to use RawPlaintext UDP/TCP inputs instead?

Might want to check this post out

Hope this helps

EDIT: My apologies I missed a couple statements you made.

If all your other devices are working with iptables prerouting (514) and you tested just the Nexus switch and do not see messages coming in, and when running tcpdump you do not see the Nexus switch, I would have to agree something is up with the switch.

Are you able to see any logs on the Nexus switch using the TCP connection? Or Graylog’s log file that may pertain to a connection issue?
By chance do you have any ACLs on the Nexus switch?


Thanks for taking the time to reply.

Have you tried to use RawPlaintext UDP/TCP inputs instead?

I will try with raw inputs but I doubt that it will work, since nothing was detected by tcpdump.

Are you able to see any logs on the Nexus switch using the TCP connection?

Do you mean changing the input to Syslog TCP instead of raw UDP?
As far as I know, Nexus only sends UDP traffic on the default syslog port.

Or Graylog’s log file that may pertain to a connection issue?

Unfortunately no

By chance do you have any ACLs on the Nexus switch?

Yes, several. But they are all allowing different protocols. I didn’t set up this switch myself, and I don’t know how to check the implicit rules that are applied before the ACLs; those might be blocking outgoing traffic to graylog but I haven’t found the command to show them.

Hello,

Yes, you could use either TCP or UDP, whatever protocol your switch is sending.
In my lab I have this config for certain switches.

But if you don’t see your switch with a tcpdump then you have other problems.

Hope that helps

Turns out that the VRF on the Nexus Switch was set to management and once I changed it to default I started to receive logs. Everything is working now, thanks for your help!


Thanks for sharing :slight_smile:
I understand, the Virtual Routing and Forwarding table; I didn’t even think about that.
