This document outlines the recommended configuration for enabling Syslog on a Cisco Nexus 9000 Series switch running NX-OS so logs can be forwarded to the Auvik collector or external syslog server.
Cisco Nexus switches support remote syslog forwarding over UDP, TCP, and secure TLS (depending on NX-OS version). Auvik commonly uses standard UDP/514 syslog ingestion.
Prerequisites
Before configuring syslog, ensure the following:
- The Auvik collector or syslog server IP address is reachable
- DNS and routing are configured correctly
- Management VRF is configured if using the mgmt interface
- UDP/514 (or your configured syslog port) is allowed through firewalls
- Device time/NTP is configured correctly for accurate timestamps
Recommended Auvik Syslog Configuration
Example Environment
| Setting | Example |
| Syslog Server | 10.100.10.50 |
| VRF | management |
| Severity Level | informational (6) |
| Source Interface | mgmt0 |
Configuration Steps
1. Enter Configuration Mode
configure terminal
2. Configure the Syslog Server
Standard UDP Syslog
logging server 10.100.10.50 6 use-vrf management
Optional TCP Syslog
logging server 10.100.10.50 6 port 514 use-vrf management
Severity level 6 (informational) is recommended for Auvik monitoring environments.
Cisco severity levels:
| Level | Description |
| 0 | Emergency |
| 1 | Alert |
| 2 | Critical |
| 3 | Error |
| 4 | Warning |
| 5 | Notification |
| 6 | Informational |
| 7 | Debugging |
When a severity level is configured, NX-OS sends messages at that level and higher priority.
3. Configure Source Interface
Cisco recommends defining a consistent source interface for syslog traffic.
logging source-interface mgmt0
If using an in-band VLAN interface instead:
logging source-interface vlan10
4. Enable Timestamps
logging timestamp milliseconds
Millisecond timestamps improve event correlation within Auvik and external SIEM platforms.
5. Configure Facility (Optional)
logging facility local7
Common facilities include:
- local0–local7
- daemon
- syslog
local7 is commonly used for network infrastructure devices.
6. Verify Configuration
Show Logging Configuration
show logging info
Verify Remote Server
show logging server
Test Connectivity
ping 10.100.10.50 vrf management
Generate a Test Log
send log 6 TEST-SYSLOG-MESSAGE
Example Complete Configuration
configure terminal
logging server 10.100.10.50 6 use-vrf management
logging source-interface mgmt0
logging facility local7
logging timestamp milliseconds
copy running-config startup-config
Secure Syslog (TLS) — Optional
Beginning with NX-OS 9.2(1), Cisco Nexus 9000 supports secure syslog using TLS.
Example:
logging server 10.100.10.50 6 secure use-vrf management
Additional PKI and certificate configuration is required for TLS-based syslog.
Recommended Auvik Best Practices
Use the Management VRF
Cisco recommends using the management VRF for syslog traffic whenever possible.
Avoid Debug Logging in Production
Severity level 7 (debugging) can generate excessive log volume and unnecessary alerts.
Recommended levels:
- 5 — Notification
- 6 — Informational
Configure NTP
Accurate timestamps are critical for:
- Alert correlation
- Root cause analysis
- Audit investigations
- Auvik event timelines
Verify Firewall Rules
Ensure the following are allowed between the switch and collector:
| Protocol | Port |
| UDP | 514 |
| TCP | 514 |
| TLS Syslog | 6514 |
Troubleshooting
Logs Not Reaching Auvik
Verify:
show logging server
Check:
- Correct VRF
- Routing to collector
- Firewall policies
- Source interface configuration
Verify Active Logging
show logging logfile
Check Management VRF Connectivity
ping <collector-ip> vrf management
References
Cisco Nexus 9000 Series NX-OS System Management Configuration Guide:
Cisco Syslog Configuration Guide