Mutiple Syslog Servers

JASON SIMMONS · ‎07-20-2017

Can you send logs to multiple syslog servers?

I have two syslog servers configured, Cisco Prime and a Splunk server. I can view syslog from the prime server but not in Splunk. I'm concerned because when you configure syslog from the cli you get a message that "system logs will be sent to x.x.x.x from now on."

GRANT3779 · ‎07-20-2017

Are you referencing sending syslog from a WLC or another Cisco device? I was assuming WLC due the post being in Wireless section but correct me if I am wrong.

You can configure multiple hosts in either scenario.

As an example below for IOS I have multiple logging host commands (not sure on how many are supported in IOS).

logging buffered informational
no logging console
logging enable
logging size 500
logging trap notifications
logging host 10.44.10.31
logging host 10.44.145.242

For WLC - I believe it is up to 3 syslog targets - commands below

(Cisco Controller) >config logging syslog host ?

<ip_addr> dotted IP address of the remote host

I am not clear on exactly what you are referencing though.

JASON SIMMONS · ‎07-20-2017

Yes sending syslog from a wlc to a configured target, in my case Cisco Prime Infrastructure and Splunk.

Yes, you can configure 3 syslog targets.

The statement that popped up on the screen after configuring a syslog target from the cli, "system logs will be sent to x.x.x.x from now on" makes it seem like the wlc will only send syslog to the newly configured target. At least that's how I read it.

GRANT3779 · ‎07-20-2017

I 'think' this is just advising the logs will also be sent to this address. It can send a copy for up to 3 servers.

Might be worth configuring them via gui under management tab and test from there.

I can lab the multiple syslog server setup but won't be until tomorrow morning (UK).

What wlc code are you running out of interest?

JASON SIMMONS · ‎07-20-2017

8.2.151.0

Initially, I configured it using the GUI, but when the Splunk guys told me they weren't seeing anything I tried the CLI.

They've since confirmed that they are seeing the data but for some reason Splunk cant parse it.

Karthickeyan Prabanandhan · ‎04-24-2020

Just happen to hit this thread. I thought I will share some of my observation with respect to Syslog behavior. Code 8.5 and above

Here is my understanding of the syslog behavior from the tests I did. Please correct me if you have observed something different.

IOS AP

Config on Global config + AP Specific from WLC => AP specific takes precedence ( check in WLC ). Logs only to AP specific syslog server.
Config AP specific from WLC + AP specific from AP => Logs to both syslog servers as technically we can have 3 syslog servers.
Removing syslog server from the AP CLI works. (can be verified directly from AP CLI. But “sh capwap cli config” show only WLC data)

COS AP

Config on Global config + AP Specific from WLC => AP specific takes precedence ( check in WLC ). AP specific doesn’t get configured ( from WLC CLI ). Unable to verify that 100% because “sh logging” doesn’t show any server config from AP CLI. "sh capwap client config" doesnt show configured AP specific syslog.
Config AP specific from WLC + AP specific from AP => AP specific from AP CLI works.
Removal of the syslog server via the above Ap CLI command defaults it to 255.255.255.255. Not sure if its broadcast or just a display. Also disabling the syslog via AP CLI – not sure whether it works.

Checking with DEs about this behavior.