3 Replies Latest reply on Feb 6, 2014 2:38 PM by go.bucks

    Data Source Troubleshooting


      I'm looking for some additional troubleshooting steps I can take to solve an issue where I'm not seeing events for a defined client. Here are some details regarding the configuration:


      Data Source Vendor: Cisco

      Data Source Model: IOS (ASP)

      Data Format: Default

      Data Retrieval: Default

      Parsing and Logging: Enabled

      Name: COM-LOC-SYS-IOS

      IP Address: Blank

      Host Name: COM-LOC-SYS-IOS

      Syslog Relay: None

      Mask: 32

      Port: 514

      Support Generic Syslogs: Log “unknown syslog” event

      Time Zone: GMT -6:00 Central


      Client Data Source:

      Name: Cisco-Switch-3500

      Time Zone: None

      IP Address:

      Host Name: Cisco-Switch-3500


      I've taken the following steps:

      1) Verified that the receiver is getting logs over udp 514 from the client address (auth success and failure events)

      2) Reviewed the /etc/NitroGuard/thirdpart.conf and found the parentid (95)

      3) Looked at the date on the /var/log/data/inline/thirdparty.logs/95/in and it had today's date

      4) Stopped and started the nitro service NitroStop --nod NitroStart --nod

      5) Restarted the receiver

      This data source has received logs in the past but stopped at some point. You'll also note that I'm logging unknown events so even if it was not meeting a specific signature they should still show up as unknown.

      Any suggestions on where to go from here would be greatly appreciated.


      Thanks much,


        • 1. Re: Data Source Troubleshooting

          You need to add the IP Address of the device sending you the Syslog's to your Data Source configuration.

          If your switch is configured to use AAA through an ACS Server, most of the data about what happens on the switch will be logged through that device.

          Typically we get between 500-1000 events per day from all of our Cisco IOS devices, with a few spikes up in to 2-3,000 range - the majority of the events are unknown.

          • 2. Re: Data Source Troubleshooting

            Thanks rth67 appreciate your response.  We were trying to get away from using an actual device (IP) as our parent data source.  Our IP is defined on the client and we have received logs with this configuration in the past and this configuration currently works for other data sources.  We also have ACS logs coming in but in order to achieve compliance we really need authentication successes and failures to log directly from the device.


            Thanks again

            • 3. Re: Data Source Troubleshooting

              Just to provide an update we are seeing this issue with multiple data sources now.  I have tried as suggested above and created a parent data source with no children and we're still experiencing the issue (tcpdump, reviewed the in, same results).  I have a case opened so hoping support will help us in resolving the issue.