Cisco ACI Syslog Configuration [Step by Step Example]

I- Configure SYSLOG Destination

• Navigate to: Admin > External Data Collectors > Monitoring Destinations > Syslog.

• Right-click “Create Syslog Monitoring Destination Group”:

– Make sure the admin state is “Enabled”

– The severity of the event, alert, or issue that caused the Syslog entry to be generated. It can be:

• Emergencies
• Alerts
• Critical
• Errors
• Warnings
• Notifications
• Information
• Debugging

The default severity is Information.

– In the Remote Destination, fill:

• The Syslog server Ip or FQDN
• Name (Optional)
• Admin State: Enabled
• The severity of the the event or fault to be sent to the Remote location , default is warnings
• Remote Syslog Destination Service port: 514
• The facility with which to send the log entries to the remote server. All messages will be sent with the specified facility code.
  A facility code is used to specify the type of system that is logging the message. Messages with different facilities may be handled differently.
• Management EPG: Inband or OOB, make sure the contract will allow 514 UDP port.

II- Configuring ACI SYSLOG Sources:

The SYSLOG sources can be:

• Fabric Monitoring Sources: Fabric ports, chassis, fans, and line cards.
• Access Monitoring Sources: Access ports, VMM-related alerts.
• Tenant Monitoring Sources: VRF, BD, and EPG-related events, application profiles, etc.

Next, We will go through the configuration of each source type.

The information generated from the ACI system falls into one of these categories:

• Faults: Faults that are generated by the system fall into one of several categories:
  – Generic System issues
  – Equipment is inoperable or has a functional issue
  – Configuration-related faults (the system cannot push the config)
  – Environmental issues (power, thermal, voltage)
  – Network (Link down, etc)
• Events: Holds records of system-related events (link state transitions, Logged Contract hits etc)
• Audit Logs: Records user-initiated events (logins, configuration changes etc)
• Session Logs: Records session events (REST-client authentication updates for API sessions etc)

1- Configure Fabric SYSLOG Sources:

There are mainly 2 types of Fabric Syslog policy:

–  Common Policy is a basic monitoring policy that applies to all faults and events and is automatically deployed to all nodes and controllers in the fabric.

Alternatively, you can specify an existing policy with a more limited scope.

– Default: It includes all objects as sources by default: ALL (server the same as common), unlike the Common which includes all Fabric objects, the default policy source objects can be modified:

Note: If you don’t want to use the default policy (maybe because it’s used for other destinations for some specific source objects, you can create a new policy and select the desired source objects and destination group.

• Common Policy:

Navigate to: Fabric > Fabric Policies > Policies > Monitoring > Common Policy > Callhome/Smart Callhome/SNMP/Syslog/TACACs > SYSLOG:

In the action pane, select: Create Syslog Source

• Default:

Navigate to: Fabric > Fabric Policies > Policies > Monitoring > default > Callhome/Smart Callhome/SNMP/Syslog/TACACs > SYSLOG:

2- Configure Access SYSLOG Sources:

• Navigate to: Fabric > Access Policies > Policies > Monitoring > default > Callhome/Smart Callhome/SNMP/Syslog/TACACs
• Under Syslog Source, click (+) sign and create Syslog Source, select the appropriate Destination group:

3- Configure Tenant SYSLOG Sources:

In order to Syslog on the Tenant level, it can be achieved in 2 ways:

• Configure the SYSLOG source from the Common Tenant, and then select that default configuration from each of your used-defined Tenants.
• Configure a separate SYSLOG source in each, respective tenant.

a- Define SYSLOG source in the Common Tenant:

• Create a Syslog source in the Common Tenant:

Navigate to: Tenant > common > Policies > Monitoring > default > Callhome/Smart Callhome/SNMP/Syslog/TACACs

The previous created Tenant Syslog source can be applied in Common tenant or in user defined Tenants:

• Apply the default Common Tenant Monitoring policy in Common Tenant:

Navigate to Tenant > PROD > Policy > Monitoring Policy , select default

• Apply the default Common Tenant Monitoring policy in the User-defined Tenant PROD:

Navigate to Tenant > PROD > Policy > Monitoring Policy and select the policy created in the Common Tenant: default

b- Define SYSLOG source in user Tenant:

• Create a Tenant Monitoring Policy

Navigate to: Tenant > PROD > Policies > Monitoring >right click and create monitoring if you don’t have an existing one:

• Create Syslog Source under the monitoring Policy

Navigate to: Tenant > PROD > Policies > Monitoring > LD_MonPol > Callhome/Smart Callhome/SNMP/Syslog/TACACs:

• Apply the monitoring Policy:

Navigate to Tenant > PROD > Policy > Monitoring Policy and select the policy created in the PROD Tenant:

III- Send Contract Log entries to the Syslog

In order to allow ACI to send the logging of the contracts to the Syslog server, under the System Messages Policy, we need to change the value of the “default” facility filter to “informational.