Luke Huang
Cisco Employee
This post was last edited by fushuang on 2020-3-5 20:22
Problem description:
For Nexus syslog logging configuration, see my colleague's post "N5K syslog server configuration".
The log format that a Nexus sends to an external logging server typically looks like this:
2017-10-31 18:31:49.781820 172.16.3.252 -> 172.16.84.137 Syslog LOCAL5.NOTICE: : 2017 Oct 31 18:31:49 utc: %ETHPORT-5-IF_UP: Interface loopback2 is up
Why are there two colons here?
Why is the Nexus switch's hostname missing?

Running tcpdump on the syslog server shows a similar result:
[root@nfjd-logplat-rsyslog01-84137 chentz]# tcpdump -i eth1 host 172.16.3.252 -vv
18:25:27.657915 IP (tos 0x0, ttl 64, id 20633, offset 0, flags [none], proto UDP (17), length 105)
172.16.3.252.syslog > nfjd-logplat-rsyslog01-84137.jpushoa.com.syslog: [udp sum ok] SYSLOG, length: 77
Facility local5 (21), Severity notice (5)
Msg:: 2017 Oct 31 18:40:49 utc: %ETHPORT-5-IF_UP: Interface loopback2 is up


Why there are two colons:
Syslog follows RFC3164 and RFC5424: https://en.wikipedia.org/wiki/Syslog
RFC3164
4.1.3 MSG Part of a syslog Packet
Most commonly, the first character of the CONTENT field that signifies the conclusion of the TAG field has been seen to be the left square bracket character ("["), a colon character (":"), or a space character. This is explained in more detail in Section 5.3.
5.3 Originating Process Information
In that case, a colon and a space character usually follow the TAG. This would be displayed as "TAG: " without the quotes. In that case, the colon is the first character in the CONTENT field.
Or, put simply, this colon is reserved for the switch hostname.

Why the syslog message has no origin-id/hostname: this is an NX-OS version issue. As described in https://bst.cloudapps.cisco.com/bugsearch/bug/CSCtu54802, the 'logging origin-id [hostname|ip|string]' feature is supported starting with 7.3(0)N1(1) and 7.2(1)N1(1).
Lab verification:
switch# show version | in 'system image'
system image file is: bootflash:///n6000-uk9.7.3.3.N1.1.bin
switch(config)# logging server 1.1.1.1 use-vrf management
switch(config)# logging source-interface mgmt0
Configuring logging source-interface will open UDP/syslog socket(514).

Without logging origin-id configured:

switch(config)# eth lo in mgmt capture-filter udp limit-captured-frames 0
Capturing on mgmt0
2014-05-09 03:20:41.835688 10.197.249.156 -> 1.1.1.1 Syslog LOCAL7.NOTICE: : 2014 May 9 03:20:41 UTC: %ETHPORT-5-IF_DOWN_ADMIN_DOWN: Interface loopback100 is down (Administratively down)
2014-05-09 03:20:43.834283 10.197.249.156 -> 1.1.1.1 Syslog LOCAL7.NOTICE: : 2014 May 9 03:20:43 UTC: %ETHPORT-5-IF_UP: Interface loopback100 is up

After configuring logging origin-id:

switch(config)# logging origin-id
hostname ip string
switch(config)# logging origin-id ?
hostname Use hostname as origin-id of logging messages
ip Use ip address as origin-id of logging messages
string Use text string as origin-id of logging messages

switch(config)# logging origin-id string N6K-1


switch(config)# eth lo in mgmt capture-filter udp limit-captured-frames 0
Capturing on mgmt0
2014-05-09 03:21:42.724304 10.197.249.156 -> 1.1.1.1 Syslog LOCAL7.NOTICE: N6K-1: 2014 May 9 03:21:42 UTC: %ETHPORT-5-IF_DOWN_ADMIN_DOWN: Interface loopback100 is down (Administratively down)
The hostname/origin-id now appears;
also note that the awkward pair of consecutive colons is gone as well.


2014-05-09 03:21:44.734358 10.197.249.156 -> 1.1.1.1 Syslog LOCAL7.NOTICE: N6K-1: 2014 May 9 03:21:44 UTC: %ETHPORT-5-IF_UP: Interface loopback100 is up

One more thing: packet capture tools are a great thing, so make good use of them.
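What the empty origin-id means for a log collector, as an added example that is not part of the original post: a parser that accepts both payload forms shown above and records whether the sender was identified by its origin-id or only by the packet's source address. The function and field names are hypothetical, and the sample payloads are constructed from the captures on this page with the standard RFC3164 `<PRI>` prefix added.

```python
import re

# Names for the facility codes seen in the page's captures (RFC 3164 numbering).
FACILITIES = {21: "local5", 23: "local7"}
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# <PRI>[origin-id]: YYYY Mon D HH:MM:SS TZ: %FACILITY-SEV-MNEMONIC: text
NXOS_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<origin>[^:\s]*): "          # empty when 'logging origin-id' is unset
    r"(?P<ts>\d{4} \w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<tz>\w+): "
    r"%(?P<fac>[A-Z0-9_]+)-(?P<sev>[0-7])-(?P<mnemonic>[A-Z0-9_]+): ?"
    r"(?P<text>.*)$"
)

def parse_nxos_syslog(payload: str, src_ip: str) -> dict:
    """Parse one UDP syslog payload; src_ip is the datagram's source address."""
    m = NXOS_RE.match(payload.strip())
    if m is None:
        raise ValueError("not an NX-OS style syslog payload")
    pri = int(m["pri"])
    origin = m["origin"]
    return {
        "facility": FACILITIES.get(pri >> 3, str(pri >> 3)),
        "severity": SEVERITIES[pri & 7],
        # Without an origin-id the sender can only be identified by source IP.
        "host": origin or src_ip,
        "host_from": "origin-id" if origin else "source-ip",
        "timestamp": f"{m['ts']} {m['tz']}",
        "mnemonic": f"{m['fac']}-{m['sev']}-{m['mnemonic']}",
        "text": m["text"],
    }

# Constructed payloads: message text from the captures above, with the <PRI>
# prefix computed as facility * 8 + severity (local5.notice = 173, local7.notice = 189).
SAMPLES = [
    ("<173>: 2017 Oct 31 18:40:49 utc: %ETHPORT-5-IF_UP: Interface loopback2 is up",
     "172.16.3.252"),
    ("<189>N6K-1: 2014 May 9 03:21:42 UTC: %ETHPORT-5-IF_DOWN_ADMIN_DOWN: "
     "Interface loopback100 is down (Administratively down)", "10.197.249.156"),
]

if __name__ == "__main__":
    for payload, src in SAMPLES:
        event = parse_nxos_syslog(payload, src)
        print(event["host_from"], event["host"], event["mnemonic"], event["text"])
```

Events tagged `source-ip` are the ones to review when logs pass through a relay or NAT, since the address seen by the collector may not be the switch itself.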

Comments
one-time
Level 13
Thanks to the expert for sharing, thank you~
likuo
Spotlight
Packet capture tools are a good thing.