What to look in the syslog messages

[Papoulos]

Hi, i'm not really using a cisco switch but i'm sending all my switch logs to a splunk server and I use it for postmortem analyses.

But i was wondering if i could get usefull info for supervision from there logs.

By now i only check three things :
- All notifications there are not link up/down, ssh sessions, FIB refresh and NTP.
- Nb of linkup/down for every switch by time
- The nb of MSTP modification by switch by time


I was wondering what other thing it might be interesting to watch.


Thank you.

 

[VinceWhirlwind]

Get Splunk to listen for SNMP traps and make SNMP queries - then you can use it to generate performance statistics.

 

[Papoulos]

Yes, thanks but i was wondering what queries i can make...

 

[VinceWhirlwind]

Syslog doesn't really get stuff that's incredibly interesting.

Ports up/down.
Some errors, but how can you predict which ones? Maybe you can devise a query that looks generically for log entries that contain an error code?

Really, the thing you want is information about congested links and errors on interfaces, and SNMP queries are what you need there.

 

[burtsbees]

ACL and IPS atomic sig filtered blocks, etc. too though...but yeah, other than that I agree w/Vince

ip access-list extended IP-Options-and-Powerball
deny ip any any winning-powerball-ticket
permit ip any any option any-options
!
class-map ACL-Options-and-Powerball
match access-group name IP-Options-and-Powerball
!
policy-map CoPP-POLICY
class ACL-Options-and-Powerball
drop
!
control-plane
service-policy input CoPP-POLICY