duplicate ip address cannot receive from LMS server

Answered Question
Aug 30th, 2007

hi,

I am aware that duplicate IP address is inside syslog as well as inside DFM. Which one sends out the alert to the user if a duplicate IP address problem occurs? I configured the duplicate IP address trap inside DFM and also configured the syslog level to debugging, but I still don't receive any trap sent out to the user or any syslog about the duplicate IP address. On the switch, I can see duplicate IP address logging, and when I use Kiwi Syslog Daemon, I also see the duplicate IP address syslog. Actually, in the syslog collector status, the received syslog number is increasing and the filtered syslog number is also increasing. Forwarded syslog is not much. Why are messages filtered by LMS, since I configured the syslog analyzer log level to debugging? Any idea what is happening? Please help me find the solution, as there is a critical virus outbreak on one switch. Thanks in advance.

Joe Clarke Thu, 08/30/2007 - 18:55

Please provide a screenshot or screenshots showing all of your configured filters. Also, provide a sample syslog message, and the configuration from your automated action that you configured to match on it.

thetnaing00 Thu, 08/30/2007 - 19:41

hi

Thanks for the reply. Unfortunately, I cannot provide the screenshot as I am away from the system, but I didn't filter anything, and I am sure of that because other devices are sending syslog messages to the server and I can see the syslog from other devices. The sample log message is 'duplicate ip address sending from "mac address of the interface"' and I didn't configure the automated action for the syslog. I only want to see that in the report generator. I hope this could help. Sorry for not providing the information. Thanks again.

Joe Clarke Thu, 08/30/2007 - 20:13

Without a complete sample of the message and your filter configuration, I cannot offer any clue as to why these messages are not showing up in the report.

thetnaing00 Thu, 08/30/2007 - 22:39

hi.

I am now on site and able to give you the information. Hope this will help. Furthermore, what is a filtered message, and what criteria is it based on? I've got a lot of filtered messages though I configured it to keep everything. Please check. Thanks.

Joe Clarke Thu, 08/30/2007 - 23:04

Based on your filters, you are only keeping the following messages:

Link up/down

IOS Firewall Audit Trail

PIX Firewall Audit Trail

Sev 7

So every other message will be dropped. Change the type from Keep to Drop, and I think you will start seeing what you want.

thetnaing00 Thu, 08/30/2007 - 23:28

hi

Thanks. I am now trying to set the filter to drop. How can I keep ALL messages from devices? Shall I delete or disable all filters and set the mode to keep? Is that correct? I tried that before and I don't see the result. Please point this out for me too, and can you also tell me where I can learn more about the logrot.pl command and logrot_trun.exe? Thanks again.

Correct Answer
Joe Clarke Fri, 08/31/2007 - 09:43

If you want to accept all messages, you should disable or delete all filters and set the mode to Keep.

More information on logrot can be found in the LMS online help in the "Maintaining Log Files" chapter. logrot_trunc is merely a supporting tool that logrot uses to do truncation of large files.
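A simplified model of the Keep/Drop filter behaviour discussed in this thread, as an added example that is not part of the original posts and is not LMS code. The filter match rules and the sample syslog lines are constructed assumptions; the actual LMS filter definitions are not shown on the page.

```python
import re

# Cisco IOS syslog tag: %FACILITY-SEVERITY-MNEMONIC
TAG = re.compile(r"%([A-Z0-9_]+)-([0-7])-([A-Z0-9_]+)")

# Assumed approximations of the four filters named in the thread.
FILTERS = {
    "Link up/down": lambda f, s, m: f in ("LINK", "LINEPROTO") and m == "UPDOWN",
    "IOS Firewall Audit Trail": lambda f, s, m: f == "FW" and m == "SESS_AUDIT_TRAIL",
    "PIX Firewall Audit Trail": lambda f, s, m: f == "PIX",
    "Sev 7": lambda f, s, m: s == 7,
}

# Constructed sample messages (documentation IP and MAC ranges).
SAMPLE = [
    "%IP-4-DUPADDR: Duplicate address 192.0.2.10 on Vlan10, sourced by 0000.5e00.5301",
    "%LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down",
    "%SYS-5-CONFIG_I: Configured from console by admin on vty0",
]


def parse(line):
    """Return (facility, severity, mnemonic), or None if the line has no tag."""
    mt = TAG.search(line)
    return (mt.group(1), int(mt.group(2)), mt.group(3)) if mt else None


def forwarded(lines, mode, enabled):
    """Return the lines that survive filtering.

    mode    -- "keep": only messages matching an enabled filter pass
               "drop": messages matching an enabled filter are discarded
    enabled -- names of enabled filters; with none enabled, everything passes
    """
    out = []
    for line in lines:
        tag = parse(line)
        hit = tag is not None and any(FILTERS[name](*tag) for name in enabled)
        if not enabled or (hit if mode == "keep" else not hit):
            out.append(line)
    return out


if __name__ == "__main__":
    for mode, enabled in (("keep", list(FILTERS)), ("drop", list(FILTERS)), ("keep", [])):
        print(mode, len(enabled), "filters ->", forwarded(SAMPLE, mode, enabled))
```

In this model the severity-4 duplicate-address message is discarded in Keep mode with the four filters enabled, because it matches none of them, and it passes once the mode is Drop or no filters are enabled.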
