Duplicate Syslog messages

I have syslog logging running on most of my Cisco network equipment but I have started to have a peculiar event begin recently. Most certainly it was due to a configuration change but I am stumped thus far. I have several switches and routers connected to a Cisco 4507 switch and whenever one of them generates a syslog event (gets sent to my Kiwi Syslog server), the 4507 chimes in with its own syslog entry for the same event. For example I have a fan going out in one of my routers and each time the router senses the fan not turning, it generates a syslog message. Then the switch immediately sends me the same message about the router. So I end up with twice the notifications as I should and my email fills up even faster! Any thoughts?? What have I got configured wrong? I can provide config excerpts as needed.
mwaters31 Asked:
harbor235 Commented:

That sounds weird, can you post the log that includes some of the originals and the duplicates?

habor235 ;}
0
eeRoot Commented:
It sounds like the 4507 is trying to forward network traffic, perhaps to a different VLAN or subnet. Is there anything in the 4507's config that would try to route traffic between 2 different networks?
0
mwaters31 Author Commented:
That particular 4507 (I'll call it SW1) has a default route back to another 4507 (SW2) that is acting as our core router in that it holds all the layer 3 VLANs and default routes out of our network. SW1 and SW2 are on the same subnet as the 2821 router that is generating the original syslog events.
0
harbor235 Commented:

Do you have this switch set up to receive syslogs? Does the switch that generates the original message have the 4507 configured as a syslog server?

Perhaps the real issue is that you have duplicate packets in your network somewhere, span tree issues etc. Cisco devices do not run a syslog server on them, so unless the syslog UDP packet is destined to the 4507 I do not see how this can happen. Something else is going on.

harbor235 ;}
0
mwaters31 Author Commented:
The original device is a Cisco 2821 router which is connected to SW1. Neither of the switches has the syslog server running. I run a Windows server with Kiwi as my Syslog server.
0
harbor235 Commented:
What does the syslog configuration on the device look like? Can you post the applicable syslog configuration statements?

harbor235 ;}
0
eeRoot Commented:
Can you check your older configs and see if there was anything blocking or filtering traffic prior to the change you mentioned in your original post? Also, if SW1 and SW2 are on the same subnet, why the default route? Can you post configs and a network diagram?
0
mwaters31 Author Commented:
Well, I figured it out and it had nothing to do with the switches or router. It was the way the Kiwi Syslog server was processing its filters for IP addresses. The router and SW2 have IP addresses that are very close (x.x.x.1 vs x.x.x.11). The Kiwi filters were configured to use a substring search and because the rule for SW1 was above the Router, it saw x.x.x.1 as a valid address to fire its rule upon (the router is at x.x.x.11). The packet worked its way down the rule set until it got to the Router filter where it also fired its rule. Both are set to email me should something trigger their rule.

Once I unselected the option to perform a sub-string search on each rule, I stopped getting duplicate emails. Now I just have to replace the bad fan.
0
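The rule behaviour described in the accepted solution, modelled as an added example (not Kiwi Syslog's own code and not part of the original thread): a substring IP filter fires the switch rule for a message from the router, while comparing parsed addresses does not. The rule names, the 192.0.2.x documentation addresses and all function names are constructed for illustration.

```python
import ipaddress

# Constructed rule set, evaluated top to bottom; every matching rule sends an alert.
RULES = [
    ("Switch", "192.0.2.1"),   # switch rule, listed first
    ("Router", "192.0.2.11"),  # router rule
]

def substring_match(rule_ip, source_ip):
    """Substring search: fires if the rule text occurs anywhere in the source field."""
    return rule_ip in source_ip

def exact_match(rule_ip, source_ip):
    """Compare parsed addresses, so 192.0.2.1 never matches 192.0.2.11."""
    try:
        return ipaddress.ip_address(rule_ip) == ipaddress.ip_address(source_ip)
    except ValueError:
        return False  # malformed source field: do not fire

def fired_rules(source_ip, matcher):
    """Return the names of all rules that fire for one message source."""
    return [name for name, rule_ip in RULES if matcher(rule_ip, source_ip)]

def overlapping_rules(rules):
    """Audit helper: rule pairs where one filter address is a substring of another."""
    return [(a, b) for a, ip_a in rules for b, ip_b in rules
            if a != b and ip_a in ip_b]

if __name__ == "__main__":
    src = "192.0.2.11"  # constructed: a fan-failure message sent by the router
    print("substring:", fired_rules(src, substring_match))  # both rules fire
    print("exact:    ", fired_rules(src, exact_match))      # only the router rule
    print("overlaps: ", overlapping_rules(RULES))
```

Running `overlapping_rules` over an exported list of filter addresses shows which existing rules can double-fire before the matching mode is changed.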