Syslog message error with 6 octets IP address

eudechime
Level 1

Hi all,

Getting syslog messages with a six-octet IP address instead of four. The first four octets are the correct IP address; not sure where the last two came from.

Wondering if anyone has seen this type before. Cisco ISR 3825 with Version 12.4(9)T4 Router and Version 12.2(25) switch module

Initially, I thought that IPv6 was enabled.

Aug 9 14:18:52 [10.5.1.9.22.20] 199: *Aug 9 14:20:24.435: %LINK-3-UPDOWN: Interface GigabitEthernet0/0, changed state to down

Aug 9 14:19:13 [10.5.1.9.22.20] 203: *Aug 9 14:20:44.439: %LINK-3-UPDOWN: Interface GigabitEthernet0/0, changed state to up

3 Replies

Joe Clarke
Cisco Employee

Ah, yes, the famous six octets. This comes up every so often. The last two octets are actually the encoded source UDP port the device used to send the message. Since a port is a 16-bit short, it cannot live in a single 8-bit octet. So, the sixth octet is the low-order bits in the 16-bit value (20 in this case). The fifth octet represents the high-order bits (22 in this case):

(22 << 8) + 20 = 5652

Said another way:

(22 * 256) + 20 = 5652

Therefore, the device used the source UDP port 5652 when sending this message.

Thanks for your prompt response.

Is there a way to disable or configure this so that the normal 4 octets can be sent to the NMS server?

Actually, the last two octets are 224.204.

Which would be 10.5.1.9.224.204. Based on your calculation, this would change.

No, this is a fact of Solaris syslog. The devices have nothing to do with this format.
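
The decoding described in the thread (fifth octet is the high byte and sixth octet the low byte of the UDP source port), as an added example that is not code from any participant in the thread: it splits the bracketed sender field into address and port and rewrites each line with the four-octet address, so downstream tools can key on the host alone. The function names and all sample lines except the first are constructed for illustration.

```python
import re

# Bracketed sender field as it appears in the thread's log lines: four IPv4
# octets, optionally followed by two octets carrying the UDP source port.
SENDER_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})(?:\.(\d{1,3})\.(\d{1,3}))?\]")


def decode_sender(field):
    """Return (ip, port) for '[a.b.c.d.hi.lo]'; port is None for '[a.b.c.d]'."""
    m = SENDER_RE.fullmatch(field)
    if not m:
        raise ValueError(f"not a bracketed sender field: {field!r}")
    ip, hi, lo = m.groups()
    octets = [int(o) for o in ip.split(".")]
    if hi is not None:
        octets += [int(hi), int(lo)]
    if any(o > 255 for o in octets):
        raise ValueError(f"octet out of range in {field!r}")
    # Port is a 16-bit value: high byte shifted left 8 bits, plus low byte.
    port = None if hi is None else (int(hi) << 8) + int(lo)
    return ip, port


def normalize_line(line):
    """Rewrite the sender field to '[ip]'; return (ip, port, rewritten_line)."""
    m = SENDER_RE.search(line)
    if not m:
        return None, None, line  # no sender field: pass the line through
    ip, port = decode_sender(m.group(0))
    return ip, port, line[:m.start()] + f"[{ip}]" + line[m.end():]


# First line is from the thread; the other two are constructed samples.
SAMPLE = [
    "Aug 9 14:18:52 [10.5.1.9.22.20] 199: *Aug 9 14:20:24.435: %LINK-3-UPDOWN: "
    "Interface GigabitEthernet0/0, changed state to down",
    "Aug 9 14:19:30 [10.5.1.9.224.204] 204: constructed message",
    "Aug 9 14:19:31 [10.5.1.9] 205: constructed message, plain four-octet sender",
]

if __name__ == "__main__":
    for raw in SAMPLE:
        ip, port, clean = normalize_line(raw)
        print(f"host={ip} src_port={port} :: {clean}")
```
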