Configuring Syslog in Cisco ACI -UDP, TCP, TLS

Syslog messages

A syslog in Cisco ACI can be configured to leverage system messages for troubleshooting and optimization of the ACI fabric. A fault or an event can trigger to send a log message to the console and to a logging server, if configured. A system message typically contains a subset of information about the fault or event.

The messages can be;

  • Informational – provides information about the action being performed
  • Warning – provides information about system errors of objects that the user is performing configuration changes or administering
  • Finite state machine (FSM) status – provides information about the status of FSM
figure 1 – Syslog message format when configured with format ‘aci’

System messages are created by the APIC, spine and leaf switches. Not all system messages indicate problems with your system. Some are purely informational, while others may indicate problems.

For more information on syslog messages:

Syslog Configuration Steps

  1. Configure syslog external data collectors
  2. Configure management contract to allow syslog ports
  3. Configure syslog policy
    • Fabric policies
    • Access policies
    • Tenant policies
  4. Verification
  5. Troubleshooting

1. Configure syslog external data collectors

Admin > External Data Collectors > Monitoring Destinations > Syslog > Create Syslog Monitoring Destination Group

figure 2 – Syslog destination group
  1. Enter syslog destination group name
  2. Select the format – ‘aci’ or ‘nxos’
    • sample aci format – Mar 11 14:03:44 DC1-LEAF-102 %LOG_LOCAL7-3-SYSTEM_MSG [F1394][soaking_clearing][interface-physical-down][minor][sys/phys-[eth1/50]/phys/fault-F1394] Port is down, reason:linkNotConnected(connected), used by:Fabric
    • sample nxos format – : 2023 Mar 11 14:07:59 EST : %LOG_LOCAL7-3-SYSTEM_MSG: [F1394][soaking_clearing][interface-physical-down][minor][sys/phys-[eth1/50]/phys/fault-F1394] Port is down, reason:linkNotConnected(connected), used by:Fabric
  3. Click Next
  4. Enter ‘Host Name / IP’
  5. Choose Severity
    • 0 – emergency (System is unusable)
    • 1 – alert (Immediate action required)
    • 2 – critical (Critical condition)
    • 3 – error (Error condition)
    • 4 – warning (Warning condition)
    • 5 – notification (Normal but significant condition)
    • 6 – informational (Informational message only)
    • 7 – debugging (Message that appears during debugging only)
  6. Choose Transport
    • UDP – uses udp port 514 by default
    • TCP – Uses tcp port, the default port for TCP syslog messages for most syslog servers is 1468
    • SSL – If you select ssl as the transport protocol, the Cisco ACI switch (acting as a client) makes a secure, encrypted outbound connection to remote syslog servers (acting as a server) supporting secure connectivity for logging. With authentication and encryption, this feature allows for a secure communication over an insecure network. The default port for secure TCP syslog messages for most syslog servers is 6514
  7. Choose Forwarding Facility
  8. Select the right Management EPG

SSL transport requires a certificate authority created in the ACI APIC for a secure, authenticated and encrypted, syslog communication to be established between ACI and remote syslog server.

Admin > AAA > Security > Public Key Management > Certificate Authorities > Create Certificate Authority

figure 3 – Create certificate for SSL transport

2. Configure management contract to allow syslog ports

Syslog in ACI needs contract for communication between APIC, leaf and spines with the syslog servers. Configure management contract to allow communication between ACI fabric (OOB, or INB addresses) and syslog server. The ports can be UDP, TCP or Secure TCP depending on which transport options selected.

2.1 Create filter

Tenant > mgmt > Contracts > Filters > Create Filter

figure 4 – Create filter for UDO, TCP and secure TCP

2.2 Create a management contract or add the syslog filter if management contract is already created and applied to Out-of-Band EPG.

Tenant > mgmt > Contracts > Filters > Create Filter

figure 5 – Create management contract

2.3 Apply management contract to node management EPG and external management network instance profile EPG

figure 6 – Apply management contract

3. Configure Syslog Monitoring Sources

There are four main monitoring sources that can be configured.

  1. Fabric wide – Under Fabric > Fabric Policies > Policies > Monitoring Policies > Common Policy is a basic monitoring policy that applies to all faults and events and is automatically deployed to all nodes and controllers in the fabric.
  2. Access – Under Fabric > Access Policies > Policies > Monitoring Policies > Default Policy is a monitoring policy for access ports, FEX, VMM controllers, and so on
  3. Fabric – Under Fabric > Fabric Policies > Policies > Monitoring Policies > Default Policy is a monitoring policy for fabric ports, cards, chassis, fans, and so on
  4. Tenant – Under Tenant > Policies > Monitoring Policies > Default Policy is a monitoring policy for VRFs, BDs, EPGs , application profiles, services, and so on

3.1 Configure the SYSLOG Source in Fabric Policies – Common Policy

Fabric > Fabric Policies > Policies > Monitoring > Common Policy > Callhome/Smart Callhome/SNMP/Syslog/TACACS > Syslog

figure 7 – Syslog source fabric wide
  1. Enter a name for the syslog source
  2. Choose the minimum severity of system log messages to be sent
  3. Check the checkboxes for the type of messages to be sent (Audit logs, Events, Faults, and Session logs)
  4. Choose the syslog destination group to which the system log messages will be sent
  5. Click Submit.

Fabric > Fabric Policies > Policies > Monitoring > Common Policy > Syslog Messages Policies

Change the system syslog messages severity for the ‘default’ facility to ‘information’ so that %ACLLOG-5-ACLLOG_PKTLOG messages will recorded in Syslog. This include contract permit and deny loggings.

figure 8 – Modify the default policy for system syslog messages to informational

3.2 Configure the SYSLOG Source in Fabric Policies – Default Policy

Fabric > Fabric Policies > Policies > Monitoring > Default Policy > Callhome/Smart Callhome/SNMP/Syslog/TACACS > Syslog

figure 9 – Syslog source for fabric components
  1. Enter a name for the syslog source
  2. Choose the minimum severity of system log messages to be sent
  3. Check the checkboxes for the type of messages to be sent (Audit logs, Events, Faults, and Session logs)
  4. Choose the syslog destination group to which the system log messages will be sent
  5. Click Submit.

3.3 Configure the SYSLOG Source in Access Policies – Default Policy

Fabric > Access Policies > Policies > Monitoring > Default Policy > Callhome/Smart Callhome/SNMP/Syslog > Syslog

figure 10 – Syslog source for access
  1. Enter a name for the syslog source
  2. Choose the minimum severity of system log messages to be sent
  3. Check the checkboxes for the type of messages to be sent (Audit logs, Events, Faults, and Session logs)
  4. Choose the syslog destination group to which the system log messages will be sent
  5. Click Submit.

3.4 Configure the SYSLOG Source in Tenant Policies – Default Policy (pick a name that is inline with the ACI object naming policy of the organization)

Fabric > tenant > Policies > Monitoring > Default Policy > Callhome/Smart Callhome/SNMP/Syslog > Syslog

figure 11 – Syslog source for tenant level messages
  1. Enter a name for the syslog source
  2. Choose the minimum severity of system log messages to be sent
  3. Check the checkboxes for the type of messages to be sent (Audit logs, Events, Faults, and Session logs)
  4. Choose the syslog destination group to which the system log messages will be sent
  5. Click Submit.

Verification

To verify syslog configuration steps you can use the “logit” CLI command. Perform a “logit” test for each configured remote destinations.

Command Syntax – APIC# logit severity <severity> dest-grp <dest-group> server <server-ip> <syslog message> node <node-id>

Example – APIC1# logit severity information dest-grp F-R-Syslog server 10.10.11.95 ‘this is a test’

Output from the server – Mar 12 23:45:11 APIC1 %LOG_LOCAL7-3-SYSTEM_MSG [E4210472][transition][minor][sys] sent user message to syslog group:F-R-Syslog:this is a test

Syslog messages from the syslog server

figure 12 – Syslog messages from syslog server configured as external data collector

Troubleshooting

  • If SYSLOG is not working as expected, most of the issues relate to misconfiguration. The following are some of the common issues that needs attention when syslog is not working as expected:
    • Management contract – verify Contract configuration for Management EPGs and make sure the port configured is allowed on the contract
    • Make sure the transport (UDP, TCP, secure TCP) and the port configured in ACI matches with the syslog server configuration
    • Facility or Severity mismatch between ACI Devices and Syslog messaging server
    • Verify Node Management Addresses are configured properly
    • Check Firewall configuration on the path from ACI OOB to SYSLOG Monitoring Application Server. Make sure the ports used for syslog are allowed

Detail syslog configuration and troubleshooting document!https://community.cisco.com/legacyfs/online/attachments/document/technote-aci-syslog_external-v1.pdf

Leave a Comment

Your email address will not be published. Required fields are marked *