08-13-2007 08:36 AM
Hi all,
Getting syslog message with six octets ip address instead of four. The first four octets are the correct IP address, not sure where the last two came from.
Wondering if anyone has seen this type before. Cisco ISR 3825 with Version 12.4(9)T4 Router and Version 12.2(25) switch module
Initially, I thought that IPv6 was enabled.
Aug 9 14:18:52 [10.5.1.9.22.20] 199: *Aug 9 14:20:24.435: %LINK-3-UPDOWN: Interface GigabitEthernet0/0, changed state to down
Aug 9 14:19:13 [10.5.1.9.22.20] 203: *Aug 9 14:20:44.439: %LINK-3-UPDOWN: Interface GigabitEthernet0/0, changed state to up
08-13-2007 08:55 AM
Ah, yes, the famous six octets. This comes up every so often. The last two octets are actually the encoded source UDP port the device used to send the message. Since a port is a 16-bit short, it cannot live in a single 8-bit octet. So, the sixth octet is the low-order bits in the 16-bit value (20 in this case). The fifth octet represents the high-order bits (22 in this case):
22 << 8 + 20 = 5652
Said another way:
(22 * 256) + 20 = 5652
Therefore, the device used the source UDP port 5652 when sending this message.
08-13-2007 09:18 AM
Thanks for your prompt response.
Is there away to disable or configure this so that normal 4 octet can be send to NMS server?
Actually, the last two octet is 224.204.
Which would be 10.5.1.9.224.204. Based on your calculation, this would change.
08-13-2007 09:24 AM
No, this is a fact of Solaris syslog. The devices have nothing to do with this format.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide