Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
979
Views
0
Helpful
4
Replies

Enhancing syslog filters

ngholmieh
Level 1
Level 1

‎05-01-2007 08:47 AM

I have setup LMS2.5.1 to send emails upon reception of certain syslog messages.

For every message received, an email is triggered. If there is a faulty device, thousands of emails are triggered for the same message.

Is Cisco by any chance going to implement message correlation in a future CiscoWorks release, so that syslog message filters manage the received messages more intelligently, and that one's mailbox will not be flooded by thousands of emails for the same message?

Thanks

Labels:
0 Helpful
4 Replies 4

Joe Clarke
Cisco Employee
Cisco Employee

‎05-01-2007 09:09 AM

This is not currently planned. However, by using the script Automated Action instead of the email, you could code your own correlation engine to reduce the flood of messages. Newer versions of IOS also offer the ability to manipulate syslog messages directly on the device using rate limiting and the Embedded Syslog Manager.

See http://www.cisco.com/en/US/products/sw/iosswrel/ps5207/products_feature_guide09186a00801a8516.html for more on the Embedded Syslog Manager.

0 Helpful

ngholmieh
Level 1
Level 1
In response to Joe Clarke

‎05-01-2007 02:33 PM

has anyone coded already a correlation engine you can recommend as a starting point?

0 Helpful

Joe Clarke
Cisco Employee
Cisco Employee
In response to ngholmieh

‎05-01-2007 02:41 PM

I have not heard of any AA scripts to do message correlation. Hopefully, if any one has written such a script, they would participate in this forum, and be willing to share.

As a basic starting point, you could do simple message counting. Keep a cache file of devices, messages, the message count, and the start time of your "roll-up" window. That way, you would only get one of each message from each device in the desired window.

0 Helpful

Joe Clarke
Cisco Employee
Cisco Employee
In response to Joe Clarke

‎05-01-2007 04:39 PM

I went ahead and coded my simply counting example. Attached is the AA script and the .sh and .bat wrappers for Solaris and Windows. You will need to modify some of the values in msg_rollup.pl as well as install the sampleEmailScript.pl into NMSROOT/bin (note: this is the same sampleEmailScript.pl that shipped with LMS 2.2).

This should give you a good starting point. Of course, these files are distributed as is with no support. The msg_rollup.pl script is BSD-licensed.

11917-msg_rollup.zip
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents