935 Views | 0 Helpful | 6 Replies

imported Syslog filters ignored

yjdabear
VIP Alumni

To recover from the RME reinit quickly, I imported the Syslog filters from another LMS 2.6 box. Of the eight custom filters imported, none appears to be taking effect. I even went as far as editing each custom filter and resaving it. It didn't seem to work. Unsubscribing from the SyslogCollector, which I assume is as good as restarting it, has made no difference either.

6 Replies

Joe Clarke
Cisco Employee

Please post the /opt/CSCOpx/MDC/tomcat/webapps/rme/WEB-INF/classes/com/cisco/nm/rmeng/csc/data/filters.dat file.

I gave in and restarted SyslogCollector and SyslogAnalyzer. That got the imported filters working. As a result, the filters.dat file has the last modified timestamp of the restart time:

-rw-r----- 1 casuser casusers 1170 Sep 20 10:28 /opt/CSCOpx/MDC/tomcat/webapps/rme/WEB-INF/classes/com/cisco/nm/rmeng/csc/data/filters.dat

Process= SyslogCollector
State = Program started - No mgt msgs received
Pid = 18752
RC = 0
Signo = 0
Start = 09/20/07 10:28:43
Stop = Not applicable
Core = Not applicable
Info = Application started by administrator request.

Process= SyslogAnalyzer
State = Program started - No mgt msgs received
Pid = 18749
RC = 0
Signo = 0
Start = 09/20/07 10:28:43
Stop = Not applicable
Core = Not applicable
Info = Application started by administrator request.

If filters.dat is backed up, I can go dig it out from this morning's db backup. The filters were imported yesterday during daytime, so that should show what filters.dat looked like before the restart.

I wanted to see the contents of this file. But, no, filters.dat is not backed up. It is regenerated from the RME database.

Filters for the server: nms.fqdn.com
Mode: DROP
Filter expressions:
^((\S+);;;(ACL)(-(\S+))?-(5)-(ARPINSPECTPKTDENIED.*\s*)\s*:\s*.*)$
^((\S+);;;(PIX)(-(\S+))?-(6)-(302002\s*)\s*:\s*.*)$
^((\S+);;;(PIX)(-(\S+))?-(6)-(304001\s*)\s*:\s*.*)$
^((\S+);;;(PIX)(-(\S+))?-(6)-(302001\s*)\s*:\s*.*)$
^((\S+);;;(SNMP)(-(\S+))?-(3)-(AUTHFAIL\s*)\s*:\s*Authentication failure.*)$
^((\S+);;;(ETHC)(-(\S+))?-(5)-(PORT.*STP\s*)\s*:\s*Port.*bridge port.*)$
^((\S+);;;(FW)(-(\S+))?-(6)-(SESS_AUDIT_TRAIL\s*)\s*:\s*.*)$
^((\S+);;;(IP)(-(\S+))?-(4)-(PERMITFAIL\s*)\s*:\s*Unauthorized.*from.*)$
^((\S+);;;(\S+)(-(\S+))?-(7)-(.*\s*)\s*:\s*.*)$
^((\S+);;;(SYS)(-(\S+))?-(5)-(SPAN_CFGSTATECHG\s*)\s*:\s*local span session.*)$
^((\S+);;;(LINK)(-(\S+))?-(3)-(UPDOWN\s*)\s*:\s*.*)$
^((\S+);;;(LINEPROTO)(-(\S+))?-(5)-(UPDOWN\s*)\s*:\s*.*)$
^((\S+);;;(LINK)(-(\S+))?-(5)-(CHANGED\s*)\s*:\s*.*)$
^((\S+);;;(LINK)(-(\S+))?-(5)-(UPDOWN\s*)\s*:\s*.*)$
^((\S+);;;(SEC)(-(\S+))?-(6)-(IPACCESSLO.*\s*)\s*:\s*.*)$
^((\S+);;;(SYS)(-(\S+))?-(5)-(AUTOSAVE\s*)\s*:\s*Autosaving.*NVRAM)$
...................

All of these look good. The Collector should be dropping all matching messages. If this is not the case, enable SyslogCollector debugging, send a message that should be dropped, then post the SyslogCollector.log.
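To make "the Collector should be dropping all matching messages" concrete for the expressions posted above, here is an added example that is not LMS code and not from anyone in this thread. It applies a subset of the posted DROP-mode filter expressions to constructed syslog lines. It assumes the string the Collector tests has the shape `<device>;;;FACILITY-SEVERITY-MNEMONIC: text`, which is what the `(\S+);;;` prefix in the expressions suggests; the sample messages, the first-match reporting and the KEEP-mode inverse are assumptions made for illustration.

```python
import re

# Six of the filter expressions posted in this thread (Mode: DROP), verbatim.
FILTER_EXPRESSIONS = [
    r"^((\S+);;;(ACL)(-(\S+))?-(5)-(ARPINSPECTPKTDENIED.*\s*)\s*:\s*.*)$",
    r"^((\S+);;;(PIX)(-(\S+))?-(6)-(302002\s*)\s*:\s*.*)$",
    r"^((\S+);;;(SNMP)(-(\S+))?-(3)-(AUTHFAIL\s*)\s*:\s*Authentication failure.*)$",
    r"^((\S+);;;(\S+)(-(\S+))?-(7)-(.*\s*)\s*:\s*.*)$",
    r"^((\S+);;;(LINK)(-(\S+))?-(3)-(UPDOWN\s*)\s*:\s*.*)$",
    r"^((\S+);;;(SYS)(-(\S+))?-(5)-(AUTOSAVE\s*)\s*:\s*Autosaving.*NVRAM)$",
]
COMPILED = [re.compile(expr) for expr in FILTER_EXPRESSIONS]

# Constructed sample messages in the assumed "<device>;;;FAC-SEV-MNEMONIC: text" shape.
# The device field and message bodies are made up for this example.
SAMPLE_MESSAGES = [
    "10.1.1.1;;;PIX-6-302002: Teardown TCP connection 12345 for outside:10.9.9.9/443 "
    "to inside:10.1.2.3/51000 duration 0:00:05 bytes 1234",
    "10.1.1.2;;;SNMP-3-AUTHFAIL: Authentication failure for SNMP req from host 10.9.9.9",
    "10.1.1.3;;;SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.1.2.3)",
    "10.1.1.4;;;LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down",
    "10.1.1.5;;;OSPF-7-DEBUG: OSPF: Rcv hello from 10.1.2.1 area 0",
    # Same facility/severity/mnemonic as the AUTHFAIL filter, but the filter also
    # requires the body to start with "Authentication failure", so this one is kept.
    "10.1.1.6;;;SNMP-3-AUTHFAIL: Community string mismatch",
]


def first_matching_filter(message, patterns=COMPILED):
    """Return the index of the first expression that matches the whole message, or None."""
    for index, pattern in enumerate(patterns):
        if pattern.match(message):  # every expression is ^...$ anchored
            return index
    return None


def apply_filters(messages, patterns=COMPILED, mode="DROP"):
    """Split messages into (kept, dropped) the way a DROP- or KEEP-mode filter would.

    DROP mode discards every message that matches any expression; KEEP mode (assumed
    inverse for this example) discards every message that matches none.
    dropped is a list of (message, matched_index) so the reason is visible.
    """
    if mode not in ("DROP", "KEEP"):
        raise ValueError("mode must be DROP or KEEP")
    kept, dropped = [], []
    for message in messages:
        index = first_matching_filter(message, patterns)
        matched = index is not None
        if (mode == "DROP") == matched:
            dropped.append((message, index))
        else:
            kept.append(message)
    return kept, dropped


def report(messages=SAMPLE_MESSAGES, mode="DROP"):
    """Print which sample messages survive the filter set and why the rest were dropped."""
    kept, dropped = apply_filters(messages, mode=mode)
    print(f"Mode: {mode}")
    for message, index in dropped:
        reason = "no expression matched" if index is None else f"matched expression {index}"
        print(f"  DROP ({reason}): {message[:60]}")
    for message in kept:
        print(f"  KEEP: {message[:60]}")
    return len(kept), len(dropped)


if __name__ == "__main__":
    report()
```

Two points in the run are worth noticing when a filter "appears to be ignored": the severity-7 expression drops every debug-level message regardless of facility, while the AUTHFAIL expression only drops messages whose body starts with the literal text "Authentication failure", so a platform that words the message differently sails through. Testing the exact message string against the expression, as above, tells you whether the filter is wrong or the daemon simply has not loaded it, before you bounce SyslogCollector.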

This is the picture when it's working now, after I bounced SyslogCollector and SyslogAnalyzer. I suspect it's not so before the bounce, even though the GUI showed all the imported filters. Or, maybe something else was awry if filters.dat has been this way since the import yesterday.
