I am unable to collect logs from a Cisco Nexus 3524 switch. This particular model doesn’t allow a custom port; it only sends logs on UDP 514. I am running a syslog TCP and UDP input on port 1514. To collect logs from the Nexus switch, I added a redirect in iptables to catch TCP and UDP on port 514. I tested this by temporarily changing the logging address on an HP switch to UDP and port 514, and I instantly received logs in Graylog. But the Cisco Nexus switch doesn’t seem to work.
Description of steps you’ve taken to attempt to solve the issue
I can ping from the switch to the Graylog server. I ran tcpdump on the Graylog server and could see the packets flow from the HP switch sending to port 514, but nothing from the Nexus switch. The Nexus switch is on the same VLAN as the syslog server. The Nexus switch was showing an “unreachable server” error until I restarted the syslog server; I searched about this online and it seems to be a bug of the switch.
I’ve been able to monitor several HP and traditional Cisco switches, but for some reason Nexus is giving me a ton of issues. Please let me know if I missed something.
Environmental information
Graylog and the Nexus switch are on the same VLAN; Graylog has a secondary interface for internet access.
Have you tried to use RawPlaintext UDP/TCP inputs instead?
Might want to check this post out
Hope this helps
EDIT: My apologies I missed a couple statements you made.
If all your other devices are working with the iptables PREROUTING redirect (514), you tested just the Nexus switch and do not see messages coming in, and running tcpdump also shows nothing from the Nexus switch, then I would have to agree something is up with the switch.
Are you able to see any logs on the Nexus switch using the TCP connection? or Graylog’s log file that may pertain to a connection issue?
By chance do you have any ACLs on the Nexus switch?
Have you tried to use RawPlaintext UDP/TCP inputs instead?
I will try with raw inputs, but I doubt that it will work, since nothing was detected by tcpdump.
Are you able to see any logs on the Nexus switch using the TCP connection?
Do you mean changing the input to Syslog TCP instead of raw UDP?
As far as I know, Nexus only sends UDP traffic on the default syslog port.
Or Graylog’s log file that may pertain to a connection issue?
Unfortunately no
By chance do you have any ACLs on the Nexus switch?
Yes, several. But they are all allowing different protocols. I didn’t set up this switch myself, and I don’t know how to check the implicit rules that are applied before the ACLs; those might be blocking outgoing traffic to Graylog, but I haven’t found the command to show them.
Turns out that the VRF on the Nexus switch was set to management, and once I changed it to default I started to receive logs. Everything is working now, thanks for your help!
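Putting the thread together as a worked configuration (an added example, not the poster's switch or server config): the NX-OS logging-server setting that sources syslog from the wrong VRF beside the corrected one, the reachability check that would have exposed it, and the iptables redirect plus tcpdump check on the Graylog host. The addresses 192.0.2.10 (Graylog) and 192.0.2.20 (Nexus), the interface name eth0 and the severity level 6 are assumptions; substitute your own. The Linux commands need root.

```text
! ===== Nexus (NX-OS) side =====
! See which VRF each configured syslog server is sourced from.
show logging server

! Weak setting: syslog is sourced from the management VRF. If that VRF has no
! route to Graylog's VLAN, the switch reports "unreachable server" and nothing
! ever appears in tcpdump on the collector.
configure terminal
  logging server 192.0.2.10 6 use-vrf management
end

! Corrected setting: source syslog from the VRF that actually reaches Graylog
! (the default VRF here, where the switch's VLAN interface lives).
configure terminal
  no logging server 192.0.2.10
  logging server 192.0.2.10 6 use-vrf default
end

! Check reachability in the VRF the logging process uses, not just "ping":
! a bare ping runs in the default VRF, so it can succeed while syslog bound
! to the management VRF still fails.
ping 192.0.2.10 vrf default
ping 192.0.2.10 vrf management

! If your NX-OS release accepts a "port" keyword here, the host-side redirect
! below becomes unnecessary; "logging server 192.0.2.10 ?" shows what is supported.

# ===== Graylog host side (Linux) =====
# Redirect inbound 514 (UDP and TCP) to the Graylog inputs listening on 1514.
iptables -t nat -A PREROUTING -i eth0 -p udp --dport 514 -j REDIRECT --to-ports 1514
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 514 -j REDIRECT --to-ports 1514
iptables -t nat -L PREROUTING -n -v      # rule counters should increase as logs arrive

# Capture runs before the nat table rewrites the port, so filter on the
# original destination port 514 and on the switch's address. No packets here
# means the problem is on the switch (VRF, ACL, route), not in Graylog.
tcpdump -ni eth0 'udp port 514 and host 192.0.2.20'
```

Any configuration change on the switch emits a syslog message, so leaving config mode after the corrected `logging server` line is enough to produce traffic for the tcpdump check; the iptables rule counters and Graylog's input throughput confirm the redirect is delivering it to port 1514.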