Enhancing syslog filters

May 1st, 2007

I have set up LMS2.5.1 to send emails upon reception of certain syslog messages.

For every message received, an email is triggered. If there is a faulty device, thousands of emails are triggered for the same message.

Is Cisco by any chance going to implement message correlation in a future CiscoWorks release, so that syslog message filters manage the received messages more intelligently, and that one's mailbox will not be flooded by thousands of emails for the same message?

Thanks

Joe Clarke Tue, 05/01/2007 - 09:09

This is not currently planned. However, by using the script Automated Action instead of the email, you could code your own correlation engine to reduce the flood of messages. Newer versions of IOS also offer the ability to manipulate syslog messages directly on the device using rate limiting and the Embedded Syslog Manager.

See http://www.cisco.com/en/US/products/sw/iosswrel/ps5207/products_feature_guide09186a00801a8516.html for more on the Embedded Syslog Manager.

ngholmieh Tue, 05/01/2007 - 14:33

Has anyone already coded a correlation engine you can recommend as a starting point?

Joe Clarke Tue, 05/01/2007 - 14:41

I have not heard of any AA scripts to do message correlation. Hopefully, if anyone has written such a script, they would participate in this forum, and be willing to share.

As a basic starting point, you could do simple message counting. Keep a cache file of devices, messages, the message count, and the start time of your "roll-up" window. That way, you would only get one of each message from each device in the desired window.

Joe Clarke Tue, 05/01/2007 - 16:39

I went ahead and coded my simple counting example. Attached is the AA script and the .sh and .bat wrappers for Solaris and Windows. You will need to modify some of the values in msg_rollup.pl as well as install the sampleEmailScript.pl into NMSROOT/bin (note: this is the same sampleEmailScript.pl that shipped with LMS 2.2).

This should give you a good starting point. Of course, these files are distributed as is with no support. The msg_rollup.pl script is BSD-licensed.
