Cisco Bug: CSCvt88007 - Syslog port usage in Cisco Emergency Responder

Last Modified

Aug 26, 2020

Products (1)

  • Cisco Emergency Responder

Known Affected Releases

12.5(1.19000.38)

Description (partial)

Symptom:
After version 11.5 of CER, syslog serves two purposes:
a.      Event syslog, which is configured under Cisco ER administration page -> system -> Cisco ER group settings.
b.      Audit syslog, which is configured under Cisco ER Serviceability page -> Tools -> Audit log configuration.

The first handles logging of all CER application event information and uses port 514 to communicate.
The second audits all user-related operations (login, logout, edit settings, accessing the info) and always uses port 601 to communicate with the remote syslog server.

- The Audit logs in CER are expected to show port 601 being used to communicate with the syslog server. If a failure occurs, it is reported in the same log.

0: Apr 11 11:18:50.322 EDT %CER-CER_AUDITAGENT-6-INFO:********************************************************************************
1: Apr 11 11:18:50.322 EDT %CER-CER_AUDITAGENT-6-INFO:*                                                                              *
2: Apr 11 11:18:50.322 EDT %CER-CER_AUDITAGENT-6-INFO:*                    Starting Audit Log Agent                                  *
3: Apr 11 11:18:50.322 EDT %CER-CER_AUDITAGENT-6-INFO:*                                                                              *
4: Apr 11 11:18:50.322 EDT %CER-CER_AUDITAGENT-6-INFO:********************************************************************************
5: Apr 11 11:18:50.322 EDT %CER-CER_AUDITAGENT-6-INFO:
6: Apr 11 11:18:50.464 EDT %CER-CER_AUDITAGENT-6-INFO:Starting the socket server at port 8155
7: Apr 11 11:18:50.465 EDT %CER-CER_AUDITAGENT-6-INFO:Starting the Consumer thread
20: Apr 11 11:18:59.171 EDT %CER-CER_AUDITAGENT-7-DEBUG:Connecting to server on port 601                                  <------------------------- Port 601
[output omitted]
34: Apr 11 11:21:06.416 EDT %CER-CER_AUDITAGENT-7-DEBUG:In sendMail method of AuditLogMessageWriter
35: Apr 11 11:21:06.416 EDT %CER-CER_AUDITAGENT-7-DEBUG:RMI invocation start :
36: Apr 11 11:21:06.419 EDT %CER-CER_AUDITAGENT-7-DEBUG:RMI invocation end:
37: Apr 11 11:21:06.421 EDT %CER-CER_AUDITAGENT-7-DEBUG:Event syslop IP to send audit failure message is: 20.20.20.1      <------------------- Failure 

From the event viewer logs:

Line 102: 2020-04-11 11:51:53,401 | ERROR | AUDITDETAILS | Failed to send audit data to Remote syslog server(20.20.20.1) configured under Audit Log Configuration page.  Event Viewer Message   Could not send audit data to Remote syslog server. IO exception occurred.

- Retransmissions are observed in a packet capture if CER is not able to communicate with the remote syslog server on port 601.

479	15:40:14.326332	10.10.10.1	20.20.20.1	TCP	74	38874 → 601 [SYN] Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1 TSval=79050009 TSecr=0 WS=128
484	15:40:15.328793	10.10.10.1	20.20.20.1	TCP	74	[TCP Retransmission] 38874 → 601 [SYN] Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1 TSval=79051012 TSecr=0 WS=128
496	15:40:17.332792	10.10.10.1	20.20.20.1	TCP	74	[TCP Retransmission] 38874 → 601 [SYN] Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1 TSval=79053016 TSecr=0 WS=128
513	15:40:21.340784	10.10.10.1	20.20.20.1	TCP	74	[TCP Retransmission] 38874 → 601 [SYN] Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1 TSval=79057024 TSecr=0 WS=128
544	15:40:29.356807	10.10.10.1	20.20.20.1	TCP	74	[TCP Retransmission] 38874 → 601 [SYN] Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1 TSval=79065040 TSecr=0 WS=128
661	15:40:45.404784	10.10.10.1	20.20.20.1	TCP	74	[TCP Retransmission] 38874 → 601 [SYN] Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1 TSval=79081088 TSecr=0 WS=128

- Event syslog alerts use port 514, according to the level of the alert.

74	15:39:44.814614	10.10.10.1	20.20.20.1	Syslog	161	LOCAL7.WARNING:  Apr 12 11:39:44 EDT cer-lab.cisco.com CER_TELEPHONY-4:Cannot register media terminal for port:  CER911
User Datagram Protocol, Src Port: 8888, Dst Port: 514
    Source Port: 8888
    Destination Port: 514

478	15:40:14.315557	10.10.10.1	20.20.20.1	Syslog	321	LOCAL7.ERR:  Apr 12 11:40:14 EDT cer-lab.cisco.com AUDITDETAILS-3:Failed to send audit data to Remote syslog server(20.20.20.1) configured under Audit Log Configuration page.\n\nEvent Viewer Message\n\n Could not send audit data to Remote syslog server. IO exception occurred.
User Datagram Protocol, Src Port: 8888, Dst Port: 514
    Source Port: 8888
    Destination Port: 514

Conditions:
CER 11.5 or above.
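
The two failure signals shown above (the AUDITDETAILS failure message and the unanswered SYNs to TCP 601) can be correlated with a short script. This is an added example, not Cisco's code; it assumes a Wireshark packet-list text export in the column layout shown on this page, and the function names and the 20.20.20.2 flow are constructed for illustration.

```python
import re
from collections import defaultdict

# AUDITDETAILS failure text as it appears in the CER event viewer log on this page.
AUDIT_FAIL = re.compile(r"Failed to send audit data to Remote syslog server\(([\d.]+)\)")
# Wireshark packet-list text export row: no., time, source, destination, protocol, length, info.
TCP_ROW = re.compile(r"^\d+\s+[\d:.]+\s+([\d.]+)\s+([\d.]+)\s+TCP\s+\d+\s+(.*)$")
FLOW = re.compile(r"(\d+)\s+→\s+(\d+)\s+\[([A-Z, ]+)\]")

def audit_failures(log_lines):
    """Remote syslog server IPs that CER reported it could not send audit data to."""
    return {m.group(1) for m in map(AUDIT_FAIL.search, log_lines) if m}

def unanswered_syns(capture_rows, port=601):
    """Map (client, server) -> number of SYNs to `port` that never got a SYN, ACK."""
    syns, answered = defaultdict(int), set()
    for row in capture_rows:
        m = TCP_ROW.match(row.strip())
        f = FLOW.search(m.group(3)) if m else None
        if not f:
            continue  # not a TCP row (e.g. the UDP 514 Syslog rows) or no flow info
        sport, dport = int(f.group(1)), int(f.group(2))
        flags = f.group(3).replace(" ", "").split(",")
        if flags == ["SYN"] and dport == port:
            syns[(m.group(1), m.group(2))] += 1
        elif flags == ["SYN", "ACK"] and sport == port:
            answered.add((m.group(2), m.group(1)))  # re-key as (client, server)
    return {pair: n for pair, n in syns.items() if pair not in answered}

def blocked_audit_servers(log_lines, capture_rows):
    """Servers with both a logged audit failure and unanswered SYNs to TCP 601."""
    silent = {server for _, server in unanswered_syns(capture_rows)}
    return audit_failures(log_lines) & silent

# Sample input: the log line and the 20.20.20.1 rows come from this page; the 20.20.20.2 flow is constructed.
SAMPLE_LOG = [
    "2020-04-11 11:51:53,401 | ERROR | AUDITDETAILS | Failed to send audit data to Remote syslog server(20.20.20.1) configured under Audit Log Configuration page.",
]
SAMPLE_CAPTURE = [
    "479\t15:40:14.326332\t10.10.10.1\t20.20.20.1\tTCP\t74\t38874 → 601 [SYN] Seq=0 Win=29200 Len=0",
    "484\t15:40:15.328793\t10.10.10.1\t20.20.20.1\tTCP\t74\t[TCP Retransmission] 38874 → 601 [SYN] Seq=0 Win=29200 Len=0",
    "900\t15:41:00.000000\t10.10.10.1\t20.20.20.2\tTCP\t74\t40000 → 601 [SYN] Seq=0 Win=29200 Len=0",
    "901\t15:41:00.000400\t20.20.20.2\t10.10.10.1\tTCP\t74\t601 → 40000 [SYN, ACK] Seq=0 Ack=1 Win=28960 Len=0",
]

if __name__ == "__main__":
    print(unanswered_syns(SAMPLE_CAPTURE))
    print(blocked_audit_servers(SAMPLE_LOG, SAMPLE_CAPTURE))
```

A server that appears in the result is logging the audit failure while never answering on TCP 601, which points at a filtered or closed port 601 between CER and the syslog server rather than at the UDP 514 event path.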