DoIT Network Services - Daily Noontime Syslog Correlation Report

This report provides targeted syslog correlation for UW Madison campus LAN administrators.
  • Why am I receiving this report?

    There have been multiple instances of syslog events for network switch interfaces that are currently in one of your VLANs/subnets (WiscNIC details).  There is a default threshold of 50 for most event types before they will appear on the report.  The report runs at noon, so this threshold is for the number of occurrences in roughly half a day.
  • What should I do now?

    Investigate to determine the root cause of the problem based on the type of summarized event.  This will likely include physically checking on the device connected to the switch port.  A review of switch logs may also provide clues.  If you are unable to resolve the issue after tracking down the physical connection, please open a Wiscit ticket at https://kb.wisc.edu/helpdesk using the "Help Online" option or contact the DoIT Help Desk at 608-264-4357 (264-HELP) for assistance opening a ticket. These tickets should be escalated to NS-OpEng for further assistance.
  • How do I view the device logs?

    • Use EdgeConf.  Navigate to the desired switch.  Click on "Log" under the Status Info Queries.
    • Use GetDeviceStatus.  Select the desired switch and click "Check Status".  The last 75 log messages will be shown at the bottom of the resulting page.
    • Use Looking Glass.  Select the desired switch.  Select "show log" from the Query section.  Click Submit.
    • Use LogOutput.  Select the desired switch.  Click View Logs.
  • Examples of summarized events

    • [updown] link up-down:  The port link state has changed.
    • [portsec] port security violation: MAC address locking has been turned on for this port.  Packets with unknown source addresses are dropped.
    • [stormcontrol] traffic dropped due to stormcontrol: The traffic storm control feature prevents LAN ports from being disrupted by a broadcast, multicast, or unicast traffic storm on physical interfaces.
    • [macflap]:  A MAC Flap is caused when a switch receives packets from two different interfaces with the same source MAC address. If you are getting the behavior for a lot of other MACs, that most likely is a layer 2 loop.
    • [nativevlan] native vlan mismatch:  A switch or device connected to the port is using a different vlan number.
    • [bpduguard] bpduguard event:  The port has received a BPDU from a connected device.  This can be caused by a bridge loop or a misconfigured device.
    • [duplex] duplex mismatch:  The switch port and the connected device are operating in different duplex modes.
    • [stp] spanning tree state change:  Topology Changes in Spanning Tree Protocol (STP) can happen in a network due to different reasons like a link failure, a switch (bridge) failure, or a port transitioning to forwarding state.  Excessive state changes may indicate an underlying problem.
    • [poe]:  PoE events may indicate an issue with the connected device.  Review the device log for more detailed information.

How do I opt out of this email report?

We strongly encourage you to resolve the issues that are appearing on your email report in order to have a better functioning network.  If there are no issues that rise above the thresholds on your networks, you will not receive an email.  If you decide that you no longer want to receive this report you can opt out.



Keywords:
syslog noontime correlation daily report 
Doc ID:
92392
Owned by:
Mark K. in Network Services
Created:
2019-06-12
Updated:
2021-07-06
Sites:
DoIT Help Desk, Network Services