LMS 2.6 & Syslog

Unanswered Question
Feb 13th, 2007

Our Ciscoworks LMS2.6 is not logging syslog messages. I have followed all the various "redme's" etc with no success .

What could I be doing wrong ??.

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
frankzehrer Tue, 02/13/2007 - 02:54

Hi Scott,

is the syslog service started and working? Have a "netstat -na" take a look for UDP and TCP port 514.

For normal the syslog is listening to UDP only, but some systems have the ability to get messages on TCP 514, too.

In Common Services -> Server -> Admin -> Processes have a look for the status of the Syslog Analyser and Syslog Collector Services.

Best regards,

Frank

sdawson35 Tue, 02/13/2007 - 03:24

Hi,

Both services are shown as started and running, displaying "no messages received".

netstat -na shows

TCP 0.0.0.0:514 0.0.0.0 LISTENING

UDP 0.0.0.0:514 *:*

To my mind that seems to be correct ?.

frankzehrer Tue, 02/13/2007 - 04:09

Hi Scott,

just forgotten to ask:

Do you have any other syslog program on the server installed?

What OS do you have installed?

On Windows 2003 try netstat -nabv

This shows you the executed programs to the corresponding port.

On Windows 2000 try tcpview from www.systernals.com (it now leads to a microsoft Webpage)

Can you see the "CWCS Syslog Service" in the windows services list? And what status does it have?

Do you have a syslog.log file in the path PROGRAMDIR\CSCOpx\log ?

Best regards,

Frank

sdawson35 Tue, 02/13/2007 - 04:51

No other syslog program , Win2K box.

Yes there is a "syslog.log" file its 6GB in size !!

CWCS Service is "Started & Automatic"

frankzehrer Tue, 02/13/2007 - 05:08

Hi Scott,

6 GB large!! Gigabyte??

Just stop the LMS with "net stop crmdmgtd" command from the dos box.

rename the syslog.log to e.g. syslog.log.sav

restart LMS with net start crmdmgtd

Try the Setup of Backup und Purge Policies in RME -> Admin -> Syslog.

Good Luck

Frank

sdawson35 Tue, 02/13/2007 - 05:40

It says theres a sharing violation when I try to rename the file.

Going to stop all running services to see what happens

sdawson35 Tue, 02/13/2007 - 05:56

syslog file size = 6,507,566 !!!

Had to manually stop the CWCS syslog collector service before I could rename the log file.

but now I cannot amend the default purge job, I get an error message , it is

"SLCA0119: Syslog default purge job could not be edited. Check the log for details."

Me thhinks our LMS is a sick puppy :-(

frankzehrer Tue, 02/13/2007 - 06:19

Hi Scott,

just do me the favour:

Stop and Start the whole LMS App.

Or reboot the server.

Do you have a syslog.log file in the log dir now.

I guess not. Thats why the Purge Job may fail.

Best reagrds,

Frank

sdawson35 Tue, 02/13/2007 - 06:32

Rebooted . Log file exists Purge job set.

Log file has device entries in it , but thats as far as it goes, the dont show in Device Centre or any "syslog" Report Jobs.

I am going to give up on this, its burning too many cycles for no result.

Will have to use a seperate syslog" application on a seperate box, it means another application but I dont think i have a choice.

Very many thanks for your help !!!

frankzehrer Tue, 02/13/2007 - 07:12

Hi Scott,

since i do not know how you send the syslog messages from your devices to the LMS i may assume a little chance of a misconfiguration.

Maybe we can resolve it here. The Syslog Report only use the real syslog messages not the syslog traps from the devices!

Setup the "logging host" command on the devices.

Have in mind that the following syslog messages are filtered by default and have to be ebabled: Link Up/Down, PIX, Severity 7, and IOS Firewall Audit Trail.

Do not be sick about LMS 2.6 it is running fine now. The initial release of 2.5 was sometimes getting me nuts. But now the product is optimized and syslog should not be a problem.

Of course the Documentation for the LMS is sometimes a bit abstract and / or dry stuff.

;-))

Best regards,

Frank

sdawson35 Tue, 02/13/2007 - 11:52

Thanks for the encouragement !!!.

Here is a sample "logging" config fromone of our switches

CHASW37#sh logging

Syslog logging: enabled (0 messages dropped, 0 messages rate-limited, 0 flushes, 0 overruns)

Console logging: disabled

Monitor logging: disabled

Buffer logging: level informational, 378 messages logged

Exception Logging: size (4096 bytes)

File logging: disabled

Trap logging: level informational, 382 message lines logged

Logging to 172.26.1.254, 3 message lines logged

Logging to 172.26.2.21, 3 message lines logged

The syslog file on the LMS server is being populated. (see attachment), but this is the big but thats where it stops "device manager" shows no syslog entries and nor does "report generator".

So the process of LMS reading the log file and associating to device manager/report generator is not working.

I am stumped, but have a work around with a syslog app on another box, this works fine.

Scott.

Attachment: 
frankzehrer Tue, 02/13/2007 - 17:14

Hi Scott,

it seems to me that the logging level is misconfigured.

Have a look into

RME -> Admin -> System Preferences -> Log Level Settings

Choose syslog Analyser and have a look to its value. Could it be set to 3 or 4?

Change to 7 again for a test.

Do you have setup the LMS as Syslog Collector?? This means you end the syslogs generated from the LMS to istself!! This should not be neccessary.

I have seen things like this:

Feb 13 13:53:11 127.0.0.1 100: <30> dmgt[143028]: 3007(I):Started application(jrm) "D:\PROGRA~1\CSCOpx\bin\cwjava.exe -Xms64m -Xmx128m -Dvbroker.se.iiop_tp.scm.iiop_tp.dispatcher.threadMax=128 -Dvbroker.se.default.socket.manager.connectionMax=300 -cp:p MDC\tomcat\shared\lib\MICE.jar;MDC\tomcat\shared\lib\NATIVE.jar;MDC\tomcat\shared\lib\jdom.jar;MDC\tomcat\shared\lib\xalan.jar;MDC\tomcat\shared\lib\xerces.jar;MDC\tomcat\common\lib\servlet.jar com.cisco.nm.cmf.jrm.Server" pid=33044.

I guess it was setup in the RME -> Admin -> Tools -> Syslog. Delete the Syslog Collector entry!

I am not at work so i have no access to my installation.

But dont be afraid if you change the setings and the reports are still empty! The syslog Analyzer starts analyzing from the moment he is correctly configured not into the past!!

I have seen this in LMS 2.5.1 and maybe this behaviour is still valid!

Good Luck

Frank

Actions

This Discussion