Wired Intelligent Edge


AOS-CX (10.03+) 8320: Missing ACL SYSLOG messages ???

  • 1.  AOS-CX (10.03+) 8320: Missing ACL SYSLOG messages ???

    Posted Oct 05, 2019 06:19 AM

    One syslog question at the end of POST......

     

    Current 8320 logging and debug settings:

    logging 10.10.10.55
    logging facility local6

    -----

    HPE-AOSCX8320# show debug
    ------------------------------------------------------------------------------------------
    module     sub_module      severity  vlan  port  ip    mac   instance vrf
    ------------------------------------------------------------------------------------------
    acl        acl_log         debug     ----- ----- ----- ----- -----    -----

    HPE-AOSCX8320# show debug dest
    ---------------------------------------------------------------------
    show debug destination
    ---------------------------------------------------------------------
    SYSLOG:debug

     

    ===

    HPE-AOSCX8320# show deb buf | incl "VLAN-111-ACL" | incl "1/1/48"

     

    2019-10-04:04:51:52.827703|ops-switchd|LOG_INFO|AMM|-|ACL|ACL_LOG|List VLAN-111-ACL, seq# 999 denied udp 10.111.100.222(67)..............

     

    >>> above is an excerpt of the debug buffer output that I expected to be sent to the syslog server <<<

    ------------------------------------------------------------------------

     

    QUESTION:

    What am I missing???  No DEBUG 8320 messages are being received by the SYSLOG (10.10.10.55) server.  Yes, I can ping the syslog server from the 8320 and many other hosts are successfully sending messages to the syslog (10.10.10.55) server.

     

    Thanks in advance.


    #8320


  • 2.  RE: AOS-CX (10.03+) 8320: Missing ACL SYSLOG messages ???

    MVP GURU
    Posted Oct 05, 2019 04:11 PM

    What is the configuration of the ACL?

    Is the log enabled?



  • 3.  RE: AOS-CX (10.03+) 8320: Missing ACL SYSLOG messages ???

    Posted Oct 05, 2019 07:30 PM

    Hence my question, what am I missing????

     

    I believe the LOGGING is enabled via:

     

    logging 10.10.10.55
    logging facility local6

    debug destination syslog

    debug acl log

     

    SAMPLE ACL:

    163 deny any 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0 log count

     

    where the hit count is over 800 but there are no syslog messages; only the debug BUFFER is reflecting the ACL messages, similar to:

    2019-10-04:09:06:35.707513|ops-switchd|LOG_INFO|AMM|-|ACL|ACL_LOG|List ACLv4-VLAN-222-IN, seq# 163 denied udp 0.0.0.0(68) -> 255.255.255.255(67)

     

    Thank you.



  • 4.  RE: AOS-CX (10.03+) 8320: Missing ACL SYSLOG messages ???

    MVP GURU
    Posted Oct 06, 2019 03:30 AM

    @../smb/air wrote: I believe the LOGGING is enabled via:

     

    logging 10.10.10.55
    logging facility local6

    debug destination syslog

    debug acl log


    Shouldn't instead syslog forwarding to a remote syslog server be enabled through the logging remote-syslog-server-ip-address severity debug command on ArubaOS-CX?

     

    Eventually you are permitted to also specify the VRF that should be used to reach the remote syslog server.

     



  • 5.  RE: AOS-CX (10.03+) 8320: Missing ACL SYSLOG messages ???

    Posted Oct 06, 2019 04:50 AM

    Thank you parnassus.

    Will try the "logging remote-syslog-server-ip-address severity debug" and report back as a post.



  • 6.  RE: AOS-CX (10.03+) 8320: Missing ACL SYSLOG messages ???

    Posted Oct 07, 2019 02:52 AM

    No syslog messages were generated using:

     

    • Shouldn't instead syslog forwarding to a remote syslog server be enabled through the logging remote-syslog-server-ip-address severity debug command on ArubaOS-CX?

    I am beginning to believe there is an AOS-CX 10.03 "logging" bug.



  • 7.  RE: AOS-CX (10.03+) 8320: Missing ACL SYSLOG messages ???

    MVP GURU
    Posted Oct 07, 2019 03:41 AM

    Is your remote syslog server available via mgmt vrf or what?



  • 8.  RE: AOS-CX (10.03+) 8320: Missing ACL SYSLOG messages ???

    Posted Oct 07, 2019 03:54 AM

     

    >>>> Is your remote syslog server available via mgmt vrf or what?

     

    Assuming I understand your question:

     

    Our syslog server is part of our standard server VLAN (subnet). I can ping the syslog server from the 8320. The whole 8320 uses the default vrf.



  • 9.  RE: AOS-CX (10.03+) 8320: Missing ACL SYSLOG messages ???
    Best Answer

    MVP GURU
    Posted Oct 07, 2019 01:43 PM

    Ask the TAC... (or wait for Vincent Giles!)



  • 10.  RE: AOS-CX (10.03+) 8320: Missing ACL SYSLOG messages ???
    Best Answer

    Posted Oct 08, 2019 04:10 AM

    IN REVIEW:

     

    I accepted alagoutte's total post interaction mainly because he was willing to dialogue about LOGGING. The interaction helped me think, look at the problem uniquely thanks to alagoutte, and prove my original LOGGING understanding was correct but the AOS-CX (10.03.0031) was buggy.

     

    Steps for my work-around:

    1. debug acl log sev info

    2. waited 12 hours

    3. debug acl log sev debug

    4. waited 12 hours

    5. debug acl log sev info

     

    NOTE:  waiting 12 hours was not planned nor is it necessarily part of the work-around....the WAIT is what happened due to "life happening."

     

    BOTTOM LINE: ACL LOG messages are now being sent to our SYSLOG.

     

    POST UPDATED (201910081339 CT) I upgraded the 8320 to ArubaOS-CX 10.03.0040 and did not need the previously mentioned "work-around" steps.
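
One way to check the outcome reported in this thread, as an added example that is not part of any post: it parses ACL_LOG lines in the debug-buffer format quoted above and reports ACL entries whose hits appear in the switch buffer but not at the syslog collector. The collector line format, the function names, and every sample line except the first buffer line are assumptions constructed for the example.

```python
import re
from collections import Counter

# Message body as it appears in the ACL_LOG lines quoted in the thread.
ACL_MSG = re.compile(
    r"List (?P<acl>\S+), seq# (?P<seq>\d+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\) -> (?P<dst>[\d.]+)\((?P<dport>\d+)\)")

def parse_acl_log(line):
    """Parse one pipe-delimited debug-buffer line; None if not a full ACL_LOG record."""
    parts = line.strip().split("|", 7)
    if len(parts) != 8 or parts[5:7] != ["ACL", "ACL_LOG"]:
        return None
    m = ACL_MSG.search(parts[7])
    if m is None:          # e.g. a line truncated before the destination
        return None
    return dict(m.groupdict(), timestamp=parts[0], daemon=parts[1], severity=parts[2])

def missing_at_collector(buffer_lines, collector_lines):
    """Per (acl, seq): hits logged in the switch buffer minus hits seen at the collector."""
    local, remote = Counter(), Counter()
    for line in buffer_lines:
        rec = parse_acl_log(line)
        if rec:
            local[(rec["acl"], rec["seq"])] += 1
    for line in collector_lines:
        m = ACL_MSG.search(line)  # assumption: collector stores the message text unchanged
        if m:
            remote[(m["acl"], m["seq"])] += 1
    return {key: n - remote[key] for key, n in local.items() if n > remote[key]}

# First line is quoted in the thread; the rest are constructed for this example.
BUFFER = [
    "2019-10-04:09:06:35.707513|ops-switchd|LOG_INFO|AMM|-|ACL|ACL_LOG|List ACLv4-VLAN-222-IN, seq# 163 denied udp 0.0.0.0(68) -> 255.255.255.255(67)",
    "2019-10-04:09:06:41.112004|ops-switchd|LOG_INFO|AMM|-|ACL|ACL_LOG|List ACLv4-VLAN-222-IN, seq# 163 denied udp 0.0.0.0(68) -> 255.255.255.255(67)",
    "2019-10-04:09:07:02.500310|ops-switchd|LOG_INFO|AMM|-|ACL|ACL_LOG|List VLAN-111-ACL, seq# 999 denied udp 10.111.100.222(67) -> 10.111.100.10(68)",
    "2019-10-04:09:07:03.000000|ops-switchd|LOG_INFO|AMM|-|ACL|ACL_LOG|List VLAN-111-ACL, seq# 999 denied udp 10.111.100.222(67)...",
]
# Constructed collector lines; the prefix format is an assumption, not AOS-CX output.
COLLECTOR = [
    "Oct  4 09:06:35 HPE-AOSCX8320 ops-switchd: List ACLv4-VLAN-222-IN, seq# 163 denied udp 0.0.0.0(68) -> 255.255.255.255(67)",
]

if __name__ == "__main__":
    for (acl, seq), gap in sorted(missing_at_collector(BUFFER, COLLECTOR).items()):
        print(f"{acl} seq {seq}: {gap} hit(s) in buffer but not at collector")
```

The comparison is by count per ACL entry only; a nonzero gap for an entry with the log keyword means the collector is not receiving everything the switch recorded locally.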