
Unable to collect logs from Cisco Nexus

Description of your problem

I am unable to collect logs from a Cisco Nexus 3524 switch. This particular model doesn’t allow a custom port; it only sends logs on UDP 514. I am running a syslog TCP and UDP input on port 1514. To collect logs from the Nexus switch, I added a redirect in iptables to catch TCP and UDP on port 514. I tested this by temporarily changing the logging address on an HP switch to UDP and port 514, and I instantly received logs in Graylog. But the Cisco Nexus switch doesn’t seem to work.

Description of steps you’ve taken to attempt to solve the issue

I can ping from the switch to the Graylog server. I ran tcpdump on the Graylog server and could see the packets flowing from the HP switch to port 514, but nothing from the Nexus switch. The Nexus switch is on the same VLAN as the syslog server. The Nexus switch was showing an “unreachable server” error until I restarted the syslog server; I searched online and it seems to be a bug in the switch.

I’ve been able to monitor several HP and traditional Cisco Switches, but for some reason Nexus is giving me a ton of issues. Please let me know if I missed something.

Environmental information

Graylog and the Nexus switch are on the same VLAN; Graylog has a secondary interface for internet access.

Operating system information

(Debian 11.0.12 on Linux 5.10.0-8-amd64)

Package versions

Graylog 4.1.5+01c9198
Mongod v4.2.16
Elasticsearch 7.10.2

Screenshots

As a new user I can only post two links
Iptables on Graylog and port forwarding: https://i.imgur.com/1uCREsp.png
Graylog inputs and switch logging config/ping: https://i.imgur.com/KTh2Ub0.png
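As an added example (not part of the original post or of Graylog itself), the tcpdump check described above as a small Python script: it parses constructed `tcpdump -nn` lines with placeholder IPs and classifies each expected sender as "ok" (syslog seen on 514), "silent" (no syslog at all, the Nexus symptom here), or "rejected" (the host got an ICMP "udp port 514 unreachable" back, which is what you would see if nothing were bound to 514 and the iptables redirect to 1514 were missing).

```python
import re
from collections import Counter

# Constructed sample of `tcpdump -nn` output on the Graylog host (placeholder IPs):
# 10.0.0.5 = Graylog, 10.0.0.20 = HP switch, 10.0.0.30 = Nexus, 10.0.0.40 = a third device.
SAMPLE_TCPDUMP = """\
12:00:01.000001 IP 10.0.0.20.514 > 10.0.0.5.514: SYSLOG local7.info, length: 92
12:00:01.500001 IP 10.0.0.20.514 > 10.0.0.5.514: SYSLOG local7.info, length: 88
12:00:02.000001 IP 10.0.0.30 > 10.0.0.5: ICMP echo request, id 1, seq 1, length 64
12:00:02.900001 IP 10.0.0.40.514 > 10.0.0.5.514: SYSLOG local7.info, length: 80
12:00:02.900200 IP 10.0.0.5 > 10.0.0.40: ICMP 10.0.0.5 udp port 514 unreachable, length 36
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
# "host.port > host.port:" lines (UDP/TCP); the strict IPv4 pattern keeps ICMP lines from matching.
UDP_RE = re.compile(rf"^\S+ IP (?P<src>{IPV4})\.(?P<sport>\d+) > (?P<dst>{IPV4})\.(?P<dport>\d+): ")
# ICMP port-unreachable sent back to a sender: traffic arrived, but no socket accepted it.
ICMP_RE = re.compile(rf"^\S+ IP (?P<src>{IPV4}) > (?P<dst>{IPV4}): ICMP \S+ udp port (?P<port>\d+) unreachable")


def syslog_senders(text, port=514):
    """Count packets per source IP that were addressed to the syslog port."""
    counts = Counter()
    for line in text.splitlines():
        m = UDP_RE.match(line)
        if m and int(m.group("dport")) == port:
            counts[m.group("src")] += 1
    return counts


def rejected_senders(text, port=514):
    """Hosts that received an ICMP 'udp port <port> unreachable' from this server."""
    hits = (ICMP_RE.match(line) for line in text.splitlines())
    return sorted({m.group("dst") for m in hits if m and int(m.group("port")) == port})


def diagnose(text, expected, port=514):
    """Classify each expected sender as 'ok', 'silent' or 'rejected'."""
    seen = syslog_senders(text, port)
    rejected = set(rejected_senders(text, port))
    return {ip: "rejected" if ip in rejected else ("ok" if seen[ip] else "silent")
            for ip in expected}


if __name__ == "__main__":
    for ip, state in diagnose(SAMPLE_TCPDUMP, ["10.0.0.20", "10.0.0.30", "10.0.0.40"]).items():
        print(f"{ip}: {state}")
```

Replace SAMPLE_TCPDUMP with the real capture (e.g. `tcpdump -nn -i <iface> 'udp port 514 or icmp'`) and the expected list with the switches' management IPs; a "silent" result means the problem is on the sending side, a "rejected" one means the listener or redirect on the Graylog host.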

Hello && Welcome

Have you tried to use RawPlaintext UDP/TCP inputs instead?

Might want to check this post out

Hope this helps

EDIT: My apologies I missed a couple statements you made.

If all your other devices are working with the iptables PREROUTING redirect (514), and when you tested just the Nexus switch you did not see messages coming in, and running tcpdump did not show anything from the Nexus switch, then I would have to agree something is up with the switch.

Are you able to see any logs on the Nexus switch using the TCP connection? Or anything in Graylog’s log file that may pertain to a connection issue?
By chance, do you have any ACLs on the Nexus switch?