09-20-2007 06:22 AM
To recover from the RME reinit quickly, I imported the Syslog filters from another LMS 2.6 box. Of the eight custom filters imported, none appears to be taking effect. I even went as far as editing each custom filter and resaving it. It didn't seem to work. Unsubscribing from the SyslogCollector, which I assume is as good as restarting it, has made no difference either.
09-20-2007 07:40 AM
Please post the /opt/CSCOpx/MDC/tomcat/webapps/rme/WEB-INF/classes/com/cisco/nm/rmeng/csc/data/filters.dat file.
09-20-2007 10:16 AM
I gave in and restarted SyslogCollector and SyslogAnalyzer. That got the imported filters working. As a result, the filters.dat file has the last modified timestamp of the restart time:
-rw-r----- 1 casuser casusers 1170 Sep 20 10:28 /opt/CSCOpx/MDC/tomcat/webapps/rme/WEB-INF/classes/com/cisco/nm/rmeng/csc/data/filters.dat
Process= SyslogCollector
State = Program started - No mgt msgs received
Pid = 18752
RC = 0
Signo = 0
Start = 09/20/07 10:28:43
Stop = Not applicable
Core = Not applicable
Info = Application started by administrator request.
Process= SyslogAnalyzer
State = Program started - No mgt msgs received
Pid = 18749
RC = 0
Signo = 0
Start = 09/20/07 10:28:43
Stop = Not applicable
Core = Not applicable
Info = Application started by administrator request.
If filters.dat is backed up, I can go dig it out from this morning's db backup. The filters were imported yesterday during daytime, so that should show what filters.dat looked like before the restart.
09-20-2007 10:20 AM
I wanted to see the contents of this file. But, no, filters.dat is not backed up. It is regenerated from the RME database.
09-20-2007 10:27 AM
Filters for the server: nms.fqdn.com
Mode: DROP
Filter expressions:
^((\S+);;;(ACL)(-(\S+))?-(5)-(ARPINSPECTPKTDENIED.*\s*)\s*:\s*.*)$
^((\S+);;;(PIX)(-(\S+))?-(6)-(302002\s*)\s*:\s*.*)$
^((\S+);;;(PIX)(-(\S+))?-(6)-(304001\s*)\s*:\s*.*)$
^((\S+);;;(PIX)(-(\S+))?-(6)-(302001\s*)\s*:\s*.*)$
^((\S+);;;(SNMP)(-(\S+))?-(3)-(AUTHFAIL\s*)\s*:\s*Authentication failure.*)$
^((\S+);;;(ETHC)(-(\S+))?-(5)-(PORT.*STP\s*)\s*:\s*Port.*bridge port.*)$
^((\S+);;;(FW)(-(\S+))?-(6)-(SESS_AUDIT_TRAIL\s*)\s*:\s*.*)$
^((\S+);;;(IP)(-(\S+))?-(4)-(PERMITFAIL\s*)\s*:\s*Unauthorized.*from.*)$
^((\S+);;;(\S+)(-(\S+))?-(7)-(.*\s*)\s*:\s*.*)$
^((\S+);;;(SYS)(-(\S+))?-(5)-(SPAN_CFGSTATECHG\s*)\s*:\s*local span session.*)$
^((\S+);;;(LINK)(-(\S+))?-(3)-(UPDOWN\s*)\s*:\s*.*)$
^((\S+);;;(LINEPROTO)(-(\S+))?-(5)-(UPDOWN\s*)\s*:\s*.*)$
^((\S+);;;(LINK)(-(\S+))?-(5)-(CHANGED\s*)\s*:\s*.*)$
^((\S+);;;(LINK)(-(\S+))?-(5)-(UPDOWN\s*)\s*:\s*.*)$
^((\S+);;;(SEC)(-(\S+))?-(6)-(IPACCESSLO.*\s*)\s*:\s*.*)$
^((\S+);;;(SYS)(-(\S+))?-(5)-(AUTOSAVE\s*)\s*:\s*Autosaving.*NVRAM)$
...................
09-20-2007 10:45 AM
All of these look good. The Collector should be dropping all matching messages. If this is not the case, enable SyslogCollector debugging, send a message that should be dropped, then post the SyslogCollector.log.
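An added example, not code from this thread or from LMS, that parses a filters.dat-style dump like the one posted above and checks constructed messages against it offline. The "host;;;FACILITY[-SUB]-SEV-MNEMONIC: text" record shape and the DROP semantics (a match means the message is discarded) are assumptions read from the expressions themselves:

```python
import re

# Constructed subset of the DROP-mode filters.dat dump posted in this thread.
FILTERS_DAT = r"""Filters for the server: nms.fqdn.com
Mode: DROP
Filter expressions:
^((\S+);;;(PIX)(-(\S+))?-(6)-(302001\s*)\s*:\s*.*)$
^((\S+);;;(SNMP)(-(\S+))?-(3)-(AUTHFAIL\s*)\s*:\s*Authentication failure.*)$
^((\S+);;;(\S+)(-(\S+))?-(7)-(.*\s*)\s*:\s*.*)$
^((\S+);;;(LINK)(-(\S+))?-(3)-(UPDOWN\s*)\s*:\s*.*)$
"""

# Constructed messages in the "host;;;FACILITY[-SUB]-SEV-MNEMONIC: text" shape
# the expressions above are written against (assumed Collector record format).
SAMPLES = [
    "fw1;;;PIX-6-302001: Built inbound TCP connection 12 for outside:10.1.1.5",
    "r1;;;SNMP-3-AUTHFAIL: Authentication failure for SNMP req from host 10.0.0.9",
    "r1;;;SNMP-3-AUTHFAIL: bad community string",   # mnemonic hits, text does not
    "sw1;;;LINK-3-UPDOWN: Interface GigabitEthernet1/1, changed state to down",
    "r1;;;MLS-IPX-7-TRACE: trace output",            # any facility at severity 7
    "r1;;;SYS-5-CONFIG_I: Configured from console by vty0",
]


def parse_filters(text):
    """Return (server, mode, [compiled regex]) from a filters.dat-style dump."""
    server, mode, patterns = None, None, []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Filters for the server:"):
            server = line.split(":", 1)[1].strip()
        elif line.startswith("Mode:"):
            mode = line.split(":", 1)[1].strip().upper()
        elif line.startswith("^"):
            patterns.append(re.compile(line))
    return server, mode, patterns


def dropped(record, mode, patterns):
    """True if a DROP-mode filter set would discard this record."""
    if mode != "DROP":  # only the mode shown in the thread is modelled here
        raise ValueError(f"unsupported filter mode: {mode}")
    return any(p.match(record) for p in patterns)


def audit(text=FILTERS_DAT, records=SAMPLES):
    """Map each record to whether the filter set drops it."""
    _, mode, patterns = parse_filters(text)
    return {r: dropped(r, mode, patterns) for r in records}


if __name__ == "__main__":
    for record, is_dropped in audit().items():
        print("DROP" if is_dropped else "KEEP", record)
```

Running it against the full expression list from the post shows which of your test messages should never reach the Analyzer, so a message that still appears after the Collector bounce points at the filter text rather than at the process.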
09-20-2007 12:29 PM
This is the picture when it's working now, after I bounced SyslogCollector and SyslogAnalyzer. I suspect it was not so before the bounce, even though the GUI showed all the imported filters. Or, maybe something else was awry if filters.dat has been this way since the import yesterday.