syslog to 2nd server doesn't work

Answered Question
Aug 9th, 2008


sh logg:

Syslog logging: enabled (1 messages dropped, 1 messages rate-limited,

0 flushes, 0 overruns, xml disabled, filtering disabled)

Console logging: level debugging, 2465 messages logged, xml disabled,

filtering disabled

Monitor logging: level debugging, 0 messages logged, xml disabled,

filtering disabled

Buffer logging: level debugging, 2465 messages logged, xml disabled,

filtering disabled

Logging Exception size (4096 bytes)

Count and timestamp logging messages: disabled

No active filter modules.

Trap logging: level debugging, 2469 message lines logged

Logging to (udp port 514, audit disabled), 2469 message lines logged, xml disabled,

filtering disabled

Logging to (udp port 514, audit disabled), 0 message lines logged, xml disabled,

filtering disabled

sh ver:

C1700 Software (C1700-IPBASE-M), Version 12.4(1a), RELEASE SOFTWARE (fc2)

On previous versions IOS it works!

What is the trick?



I have this problem too.
0 votes
Correct Answer by Joe Clarke about 8 years 2 months ago

This is due to bug CSCsa87733. You will need to upgrade to 12.4(2) or higher to get the fix.

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 4 (1 ratings)
aruzsinszky Sat, 08/09/2008 - 11:00

I thought it but I wasn't sure.

Now I'm testing the config in dynamips.



aruzsinszky Fri, 08/22/2008 - 09:14


Does PIX 6.3.5 suffer from this problem, too?

I've no luck with more than only one syslog server.



Joe Clarke Fri, 08/22/2008 - 09:21

This bug is for IOS only. I couldn't find a PIX bug for this symptom. I did find an indication that multiple syslog destinations do work in 6.3, but I didn't see a specific 6.3 release.

aruzsinszky Fri, 08/22/2008 - 09:37

Thanks for your prompt answer!

The problem somewhere other side because I can't ping the new syslog server. I don't know why.

They are in the same segment so now I've got no ideas. :-(

aruzsinszky Fri, 08/22/2008 - 11:59

Can you tell me what thought PIX about the next MAC: 00:00:00:00:00:00?

It is the MAC of the syslog server!

Other machines (PCs, 2 SUN WSs, etc) work perfectly with that funny MAC.



Joe Clarke Fri, 08/22/2008 - 13:04

Is the PIX sending a packet with a source MAC of 00:00:00:00:00:00 or is this the MAC being reported by the syslog server?

Joe Clarke Fri, 08/22/2008 - 13:17

Then it sounds like you have a bad NIC in that server. Try replacing it.

aruzsinszky Sat, 08/23/2008 - 00:39

Not really.

Every machine can communicate with that PC except Cisco PIX 501. Even a Cisco 1721 router!

I know this MAC address not the best ...

Joe Clarke Sat, 08/23/2008 - 00:44

Why are you using the MAC. It's generally considered invalid as it is used things such as in ARP packets, and some of our devices will complain if they see packets sourced from such a MAC. A NIC claiming to have such a MAC is either broken or did not get a proper MAC burned into at the factory. If you can't replace the NIC, try changing the MAC in software.

aruzsinszky Sat, 08/23/2008 - 00:51

I think you know the source of my problem: my motherboard forgot its MAC which was burned into at factory.

I will change it but now the PC is a firewall, too, so not to easy just put into down state. And it is not trivial I can change from software (OpenSUSE 10.3). I found some instructions on the Net. So I change it ASAP.

I don't understand why my PIX hates at all this address if SUN ws (and other LAN devices) work happily.

I'm not sure this is the problem with PIX. But maybe ...

aruzsinszky Sat, 08/23/2008 - 02:55

My problem was solved.

I sshed from the outside interface of my bad MAC PC and ifconfig command changed the MAC address successfully.

PIX can able to send syslog messages to this server, too.



This Discussion