imported Syslog filters ignored

Unanswered Question
Sep 20th, 2007

To recover from the RME reinit quickly, I imported the Syslog filters from another LMS 2.6 box. Of the eight custom filters imported, none appears to be taking effect. I even went as far as editing each custom filter and resaving it. It didn't seem to work. Unsubscribing from the SyslogCollector, which I assume is as good as restarting it, has made no difference either.

Joe Clarke Thu, 09/20/2007 - 07:40

Please post the /opt/CSCOpx/MDC/tomcat/webapps/rme/WEB-INF/classes/com/cisco/nm/rmeng/csc/data/filters.dat file.

yjdabear Thu, 09/20/2007 - 10:16

I gave in and restarted SyslogCollector and SyslogAnalyzer. That got the imported filters working. As a result, the filters.dat file has the last modified timestamp of the restart time:

-rw-r----- 1 casuser casusers 1170 Sep 20 10:28 /opt/CSCOpx/MDC/tomcat/webapps/rme/WEB-INF/classes/com/cisco/nm/rmeng/csc/data/filters.dat

Process= SyslogCollector
State = Program started - No mgt msgs received
Pid = 18752
RC = 0
Signo = 0
Start = 09/20/07 10:28:43
Stop = Not applicable
Core = Not applicable
Info = Application started by administrator request.

Process= SyslogAnalyzer
State = Program started - No mgt msgs received
Pid = 18749
RC = 0
Signo = 0
Start = 09/20/07 10:28:43
Stop = Not applicable
Core = Not applicable
Info = Application started by administrator request.

If filters.dat is backed up, I can go dig it out from this morning's db backup. The filters were imported yesterday during daytime, so that should show what filters.dat looked like before the restart.

Joe Clarke Thu, 09/20/2007 - 10:20

I wanted to see the contents of this file. But, no, filters.dat is not backed up. It is regenerated from the RME database.

yjdabear Thu, 09/20/2007 - 10:27

Filters for the server: nms.fqdn.com

Mode: DROP

Filter expressions:

^((\S+);;;(ACL)(-(\S+))?-(5)-(ARPINSPECTPKTDENIED.*\s*)\s*:\s*.*)$
^((\S+);;;(PIX)(-(\S+))?-(6)-(302002\s*)\s*:\s*.*)$
^((\S+);;;(PIX)(-(\S+))?-(6)-(304001\s*)\s*:\s*.*)$
^((\S+);;;(PIX)(-(\S+))?-(6)-(302001\s*)\s*:\s*.*)$
^((\S+);;;(SNMP)(-(\S+))?-(3)-(AUTHFAIL\s*)\s*:\s*Authentication failure.*)$
^((\S+);;;(ETHC)(-(\S+))?-(5)-(PORT.*STP\s*)\s*:\s*Port.*bridge port.*)$
^((\S+);;;(FW)(-(\S+))?-(6)-(SESS_AUDIT_TRAIL\s*)\s*:\s*.*)$
^((\S+);;;(IP)(-(\S+))?-(4)-(PERMITFAIL\s*)\s*:\s*Unauthorized.*from.*)$
^((\S+);;;(\S+)(-(\S+))?-(7)-(.*\s*)\s*:\s*.*)$
^((\S+);;;(SYS)(-(\S+))?-(5)-(SPAN_CFGSTATECHG\s*)\s*:\s*local span session.*)$
^((\S+);;;(LINK)(-(\S+))?-(3)-(UPDOWN\s*)\s*:\s*.*)$
^((\S+);;;(LINEPROTO)(-(\S+))?-(5)-(UPDOWN\s*)\s*:\s*.*)$
^((\S+);;;(LINK)(-(\S+))?-(5)-(CHANGED\s*)\s*:\s*.*)$
^((\S+);;;(LINK)(-(\S+))?-(5)-(UPDOWN\s*)\s*:\s*.*)$
^((\S+);;;(SEC)(-(\S+))?-(6)-(IPACCESSLO.*\s*)\s*:\s*.*)$
^((\S+);;;(SYS)(-(\S+))?-(5)-(AUTOSAVE\s*)\s*:\s*Autosaving.*NVRAM)$
...................

Joe Clarke Thu, 09/20/2007 - 10:45

All of these look good. The Collector should be dropping all matching messages. If this is not the case, enable SyslogCollector debugging, send a message that should be dropped, then post the SyslogCollector.log.
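To see what a DROP filter set like the one posted above actually swallows before trusting it, it helps to replay a handful of messages through the same expressions offline. The script below is an added example, not part of this thread or of LMS itself: it takes a subset of the posted expressions verbatim, assumes (from the shape of the expressions) that the collector feeds them a string of the form `<device>;;;<FACILITY>[-<SUBFACILITY>]-<SEVERITY>-<MNEMONIC>: <text>`, and runs constructed sample messages through them in order, reporting which filter dropped each one and which facilities lose messages. The hostnames and message texts are made up for the example; the real internal format LMS hands to the filter engine may differ.

```python
import re

# Filter expressions copied from the posted DROP-mode filter list. A message
# matching any expression is discarded by the collector; first match wins.
DROP_FILTERS = [
    r"^((\S+);;;(ACL)(-(\S+))?-(5)-(ARPINSPECTPKTDENIED.*\s*)\s*:\s*.*)$",
    r"^((\S+);;;(PIX)(-(\S+))?-(6)-(302002\s*)\s*:\s*.*)$",
    r"^((\S+);;;(SNMP)(-(\S+))?-(3)-(AUTHFAIL\s*)\s*:\s*Authentication failure.*)$",
    r"^((\S+);;;(\S+)(-(\S+))?-(7)-(.*\s*)\s*:\s*.*)$",   # any facility, severity 7
    r"^((\S+);;;(LINK)(-(\S+))?-(3)-(UPDOWN\s*)\s*:\s*.*)$",
    r"^((\S+);;;(SEC)(-(\S+))?-(6)-(IPACCESSLO.*\s*)\s*:\s*.*)$",
    r"^((\S+);;;(SYS)(-(\S+))?-(5)-(AUTOSAVE\s*)\s*:\s*Autosaving.*NVRAM)$",
]
COMPILED = [re.compile(p) for p in DROP_FILTERS]

# Constructed sample messages (hypothetical devices and text) in the assumed
# "<device>;;;<FACILITY>-<SEVERITY>-<MNEMONIC>: <text>" shape.
SAMPLE_MESSAGES = [
    "sw1.example.net;;;LINK-3-UPDOWN: Interface GigabitEthernet1/1, changed state to down",
    "fw1.example.net;;;PIX-6-302002: Teardown TCP connection 12345 for outside:203.0.113.9/443 to inside:192.0.2.8/51234",
    "rtr1.example.net;;;SNMP-3-AUTHFAIL: Authentication failure for SNMP req from host 192.0.2.10",
    "rtr1.example.net;;;SEC-6-IPACCESSLOGP: list 101 denied tcp 192.0.2.5(1234) -> 198.51.100.7(22), 1 packet",
    "rtr1.example.net;;;SYS-5-CONFIG_I: Configured from console by admin on vty0 (192.0.2.20)",
    "sw1.example.net;;;SYS-5-AUTOSAVE: Autosaving configuration to NVRAM",
    "sw2.example.net;;;IP-7-ARPTRACE: ARP debug trace output",
]


def classify(messages, patterns=COMPILED):
    """Return [(message, index_of_first_matching_filter_or_None), ...].

    None means no DROP expression matched, so the collector would keep it.
    """
    result = []
    for msg in messages:
        hit = next((i for i, rx in enumerate(patterns) if rx.match(msg)), None)
        result.append((msg, hit))
    return result


def kept_messages(messages, patterns=COMPILED):
    """Messages that survive the DROP filter set."""
    return [m for m, hit in classify(messages, patterns) if hit is None]


def dropped_by_facility(messages, patterns=COMPILED):
    """Count dropped messages per facility (the token right after ';;;').

    Useful for spotting when a DROP set silently discards whole classes of
    security-relevant events (e.g. SEC ACL-deny logs or SNMP auth failures).
    """
    counts = {}
    for msg, hit in classify(messages, patterns):
        if hit is None:
            continue
        facility = msg.split(";;;", 1)[1].split("-", 1)[0]
        counts[facility] = counts.get(facility, 0) + 1
    return counts


if __name__ == "__main__":
    for msg, hit in classify(SAMPLE_MESSAGES):
        verdict = "KEEP" if hit is None else f"DROP (filter #{hit})"
        print(f"{verdict:18s} {msg}")
    print("dropped per facility:", dropped_by_facility(SAMPLE_MESSAGES))
    print("kept:", kept_messages(SAMPLE_MESSAGES))
```

Two things the run makes visible that the raw list does not: the `(\S+)...-(7)-` expression is a catch-all that discards every severity-7 (debug) message from any facility, and the SEC-6-IPACCESSLO* and SNMP-3-AUTHFAIL entries drop ACL-deny and SNMP authentication-failure events, so those should be collected somewhere else before the DROP set goes live. Only the SYS-5-CONFIG_I sample reaches the collector unfiltered.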

yjdabear Thu, 09/20/2007 - 12:29

This is the picture when it's working now, after I bounced SyslogCollector and SyslogAnalyzer. I suspect it's not so before the bounce, even though the GUI showed all the imported filters. Or, maybe something else was awry if filters.dat has been this way since the import yesterday.
