Dell N Series

LogZilla App Store application: Dell N Series

Overview

LogZilla app for Dell EMC Networking N-Series switches running DNOS 6.x firmware. Covers N1100-ON, N1500, N2000, N2200, N3000, N3200, and N4000 series. Parses both the DNOS native (FASTPATH) log format and the Cisco IOS-compatible format that Dell N-Series switches emit for link, STP, LLDP, and port events.

App Function

Parses Dell N-Series switch logs and extracts:

  • Interface state changes (link up/down, line protocol up/down)
  • Spanning Tree topology changes and BPDU errors
  • LLDP neighbor discovery events
  • FDB MAC address movement events
  • Port error frame notifications
  • OSPF routing protocol errors
  • SupportAssist connection events

Provides per-Event-Class dashboards for network and system monitoring, plus triggers for interface flapping, STP storms, MAC move storms, and OSPF failures.

Vendor Documentation

Prerequisites

LogZilla Dedicated Port

Dell N-Series switches emit Cisco IOS-format syslog messages (%LINK-3-UPDOWN, %SPANTREE-5-TOPOTRAP, etc.) that are indistinguishable from those sent by actual Cisco devices. A dedicated port is required to route these events to the Dell parser instead of the Cisco parser.

  1. Navigate to Settings > System > Application Ports
  2. Set Dell N-Series syslog port to a dedicated port (e.g., 5523)
  3. Click Save

Both TCP and UDP listeners are enabled on the configured port.

Dell Switch Configuration

Configure each Dell N-Series switch to send syslog to the dedicated port:

  1. Access the switch CLI via console or SSH
  2. Enter configuration mode:

     enable
     configure

  3. Configure syslog server with the dedicated port:

     logging host <LogZilla-IP> port 5523
     logging buffered informational

  4. Save configuration:

     write memory

Verification

Generate a link event by toggling an interface, then verify that events appear in LogZilla with the Vendor tag set to Dell.

Incoming Log Format

Dell N-Series switches generate syslog in two formats.

DNOS Native Format (FASTPATH)

taskName]: source_file.c(line) seqnum %% SEVERITY MESSAGE_TYPE: details

Cisco IOS-Compatible Format

 *Mon DD HH:MM:SS: %FACILITY-SEV-MNEMONIC: message

Parsed Metadata Fields

| Tag Name | Type | Description | Example |
|---|---|---|---|
| Vendor | Constant | Device vendor | Dell |
| Product | Constant | Product line | N-Series Switch |
| Event Class | Taxonomy | Event classification | Network, System |
| Event Type | Taxonomy | Event type | Interface, Topology, Routing, Service |
| Interface | Cross-vendor | Network interface name | GigabitEthernet 1/0 |
| VLAN | Cross-vendor | VLAN identifier | Vlan200 |
| Action | Cross-vendor | Event action | Up, Down, MAC Move, Topology Change |
| SrcMAC | Cross-vendor | Source MAC address | 0A:5A:45:21:82:DA |
| MitreId | Cross-vendor | MITRE ATT&CK technique | T1557 |
| Dell Mnemonic | Dell-specific | Facility-severity-mnemonic | LINK-3-UPDOWN |
| Dell MAC Move | Dell-specific | MAC move port path | Te2/0/27 -> Te2/0/28 |
| Dell STP Error | Dell-specific | STP error description | Invalid Forward Delay |

High-Cardinality Tags

The following tags are excluded from indexing due to high cardinality:

  • SrcMAC - MAC addresses from FDB events
  • Interface - Network interface names across switch ports
  • Dell MAC Move - Port path combinations from MAC move events

Log Examples

FDB MAC Move (DNOS)

dtlAddrTask]: fdb.c(685) 981153 %% INFO MAC_MOVE: Mac 0A:5A:45:21:82:DA in VLAN: 200 is overwritten from entryType 1 to 1 and port Te2/0/27 to Te2/0/28

STP BPDU Error (DNOS)

hapiRxTask]: dot1s_txrx.c(1236) 54878005 %% NOTE dot1sBpduReceive(): Invalid Forward Delay.

Interface Down (Cisco IOS)

 *Mar  6 14:22:50: %LINK-3-UPDOWN: Interface GigabitEthernet 1/0, changed state to down.

Topology Change (Cisco IOS)

 *Mar  6 15:01:22: %SPANTREE-5-TOPOTRAP: Topology Change Trap.

LLDP Neighbor (Cisco IOS)

 *Mar  6 15:10:05: %LLDP-5-CREATEREM: Port GigabitEthernet 1/28 created one new neighbor, Chassis ID is MikroTik1, Port ID is ether1.

OSPF Error (DNOS Short)

OSPF4-3: % [_ospf_snmp_ext_process_entry_read] Get ospf proc failed
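
The following added example (not LogZilla's own parsing rules) shows how the DNOS native and Cisco IOS-compatible formats above can be told apart and mapped to the tag names in the Parsed Metadata Fields table. The regular expressions and the `parse` function are assumptions derived only from the formats and sample lines on this page; the short OSPF form is deliberately left unhandled.

```python
import re

# Patterns written for this example from the formats and samples on this page;
# they are assumptions, not LogZilla's actual parsing rules.
DNOS = re.compile(r"^(?P<task>\w+)\]: (?P<file>[\w.]+)\((?P<line>\d+)\) (?P<seq>\d+) %% "
                  r"(?P<sev>[A-Z]+) (?P<body>.*)$")
IOS = re.compile(r"^\s*\*?[A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d: "
                 r"%(?P<mnemonic>[A-Z0-9_]+-\d-[A-Z0-9_]+): (?P<body>.*)$")
MAC_MOVE = re.compile(r"^MAC_MOVE: Mac (?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}) "
                      r"in VLAN: (?P<vlan>\d+) .*port (?P<src>\S+) to (?P<dst>\S+)$")
LINK = re.compile(r"^Interface (?P<ifname>.+?), changed state to (?P<state>up|down)\.?$")

def parse(msg):
    """Map one message body to tags named after the Parsed Metadata Fields table."""
    tags = {"Vendor": "Dell", "Product": "N-Series Switch"}
    m = IOS.match(msg)
    if m:  # Cisco IOS-compatible format
        tags["Dell Mnemonic"] = m["mnemonic"]
        link = LINK.match(m["body"])
        if link:
            tags["Interface"] = link["ifname"]
            tags["Action"] = link["state"].capitalize()
        elif m["mnemonic"] == "SPANTREE-5-TOPOTRAP":
            tags["Action"] = "Topology Change"
        return tags
    m = DNOS.match(msg)
    if m:  # DNOS native (FASTPATH) format
        move = MAC_MOVE.match(m["body"])
        if move:
            tags["Action"] = "MAC Move"
            tags["SrcMAC"] = move["mac"]
            tags["VLAN"] = "Vlan" + move["vlan"]
            tags["Dell MAC Move"] = f"{move['src']} -> {move['dst']}"
        elif m["body"].startswith("dot1sBpduReceive(): "):
            tags["Dell STP Error"] = m["body"].split(": ", 1)[1].rstrip(".")
        return tags
    return None  # neither format: not claimed by this parser

# The two samples below are copied from the Log Examples on this page.
SAMPLES = [
    "dtlAddrTask]: fdb.c(685) 981153 %% INFO MAC_MOVE: Mac 0A:5A:45:21:82:DA in VLAN: 200 "
    "is overwritten from entryType 1 to 1 and port Te2/0/27 to Te2/0/28",
    " *Mar  6 14:22:50: %LINK-3-UPDOWN: Interface GigabitEthernet 1/0, changed state to down.",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(parse(line))
```

Because the IOS-compatible branch matches any `%FACILITY-SEV-MNEMONIC` message, the Vendor tag it sets is only trustworthy when the input arrives on the dedicated port described under Prerequisites.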

Dashboards

Dell N-Series Network

  • Interface up/down event tracking
  • STP topology change monitoring
  • MAC move path distribution
  • OSPF routing error tracking
  • VLAN activity distribution
  • Top switches by event volume

Dell N-Series System

  • SupportAssist connection monitoring
  • System event timeline
  • Top switches by system event volume

Triggers

Dell N-Series Interface Down

Alerts when switch interfaces go down. Throttled per interface.

Dell N-Series STP Topology Storm

Alerts on excessive STP events indicating a potential network loop.

Dell N-Series MAC Move Storm

Alerts on excessive MAC moves indicating a potential AiTM attack or misconfiguration. Maps to MITRE T1557.

Dell N-Series OSPF Error

Alerts on OSPF routing protocol failures. Throttled per switch.
