syslog automated actions & filters

Answered Question
Nov 16th, 2007

I am trying to set up email notifications with syslog in RME, when syslog messages of severity 0-3 are sent to the syslog collector.

I want to filter the messages LINK-3-UPDOWN, so I set up a Drop message filter with that message. The filter is enabled, but it is not taking effect. I am still receiving LINK-3-UPDOWN email notifications.

Am I missing a step? Or is there a bug?

This is happening with LMS 2.5.1 under Windows 2003.

Thanks

Joe Clarke Fri, 11/16/2007 - 11:38

Please post your NMSROOT/MDC/tomcat/webapps/rme/WEB-INF/classes/com/cisco/nm/rmeng/csc/data/filters.dat file.

ngholmieh Fri, 11/16/2007 - 13:42

Filters for the server: ACT-CISCOWORKS

Mode: DROP

Filter expressions:

^((\S+);;;(C6KERRDETECT)(-(SP))-(2)-(FIFOCRITLEVEL\s*)\s*:\s*.*)$

^((\S+);;;(AT)(-(\S+))?-(6)-(NODEWRONG\s*)\s*:\s*.*)$

^((\S+);;;(PM)(-(\S+))?-(4)-(ERR DISABLE\s*)\s*:\s*.*)$

^((\S+);;;(\S+)(-(\S+))?-(7)-(.*\s*)\s*:\s*.*)$

^((\S+);;;(LINK)(-(\S+))?-(3)-(UPDOWN\s*)\s*:\s*.*GigabitEthernet.*)$

^((\S+);;;(LINK)(-(\S+))?-(3)-(UPDOWN\s*)\s*:\s*.*FastEthernet.*)$

^((\S+);;;(SYS)(-(\S+))?-(2)-(PS_FAIL\s*)\s*:\s*.*)$

^((|localhost);;;(FILESYS)(-(SP))-(5)-(DEV\s*)\s*:\s*.*)$

^((\S+);;;(PM)(-(\S+))?-(4)-(ERR RECOVER\s*)\s*:\s*.*)$

^((\S+);;;(MLS)(-(\S+))?-(4)-(MOVEOVERFLOW\s*)\s*:\s*.*)$

^((\S+);;;(MCAST)(-(\S+))?-(2)-(.*\s*)\s*:\s*.*)$

^((\S+);;;(PORT_SECURITY)(-(\S+))?-(2)-(PSECURE_VIOPLATION\s*)\s*:\s*.*)$

^((\S+);;;(RTD)(-(\S+))?-(1)-(ADDR_FLAP\s*)\s*:\s*.*)$

^((\S+);;;(RTD)(-(\S+))?-(1)-(LINK_FLAP\s*)\s*:\s*.*)$

^((\S+);;;(SEC)(-(\S+))?-(6)-(IPACCESSLOGNP\s*)\s*:\s*.*)$

^((\S+);;;(SEC)(-(\S+))?-(6)-(IPACCESSLOGP\s*)\s*:\s*.*)$

^((\S+);;;(SEC)(-(\S+))?-(6)-(IPACCESSLOGS\s*)\s*:\s*.*)$

^((\S+);;;(SEC)(-(\S+))?-(6)-(IPACCESSLOGRP\s*)\s*:\s*.*)$

^((\S+);;;(SEC)(-(\S+))?-(6)-(IPACCESSLOGDP\s*)\s*:\s*.*)$

^((\S+);;;(FW)(-(\S+))?-(6)-(SESS_AUDIT_TRAIL\s*)\s*:\s*.*)$

^((\S+);;;(SYS)(-(\S+))?-(4)-(SNMP_WRITENET\s*)\s*:\s*.*)$

^((|localhost);;;(SNMP)(-(\S+))?-(\S+)-(AUTHFAIL\s*)\s*:\s*.*)$

^((|localhost);;;(SNMP)(-(\S+))?-(3)-(AUTHFAIL\s*)\s*:\s*.*)$

^((\S+);;;(IP)(-(\S+))?-(3)-(UPD_SOCKOVFL\s*)\s*:\s*.*)$

^((\S+);;;(LINEPROTO)(-(\S+))?-(5)-(UPDOWN\s*)\s*:\s*.*)$

^((\S+);;;(UBR7200)(-(\S+))?-(.*)-(.*\s*)\s*:\s*.*)$

...................

Filters for the server: act-ciscoworks

Mode: KEEP

Filter expressions:

^((\S+);;;(\S+)(-(\S+))?-(.*)-(.*\s*)\s*:\s*.*)$

...................

Correct Answer
Joe Clarke Fri, 11/16/2007 - 14:36

Two things. First, it looks like you've subscribed the same analyzer to this collector twice. The second subscription is set to keep all messages. I would shut down SyslogCollector, then remove the filters.dat file, then restart SyslogCollector. Assuming you only have one subscription showing up on the Collector Status page, that should resolve this first problem.

Second, your filters will only suppress LINK-3-UPDOWN messages for GigabitEthernet and FastEthernet interfaces. If you want to match on all interfaces, you will need to adjust your filters.
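As an added illustration (not code from this thread or from RME itself), the script below runs the two posted LINK-3-UPDOWN DROP expressions, a broadened all-interfaces variant, and the catch-all KEEP expression from the duplicate subscription against a few constructed records. The record layout `<device>;;;<facility>-<sev>-<mnemonic>: <text>` is inferred from the posted expressions and is an assumption; the all-interfaces expression is what the "adjust your filters" advice would look like, not something from the page.

```python
import re

# Two DROP expressions copied from the filters.dat posted in this thread: they
# only catch LINK-3-UPDOWN when the text names a GigabitEthernet/FastEthernet port.
POSTED_DROP_FILTERS = [
    r"^((\S+);;;(LINK)(-(\S+))?-(3)-(UPDOWN\s*)\s*:\s*.*GigabitEthernet.*)$",
    r"^((\S+);;;(LINK)(-(\S+))?-(3)-(UPDOWN\s*)\s*:\s*.*FastEthernet.*)$",
]

# A single DROP expression for LINK-3-UPDOWN on any interface (assumption: this
# is the shape the "adjust your filters" advice implies; it is not from the page).
ALL_INTERFACES_DROP_FILTER = [
    r"^((\S+);;;(LINK)(-(\S+))?-(3)-(UPDOWN\s*)\s*:\s*.*)$",
]

# The KEEP expression of the duplicate subscription in the posted file: it
# matches every well-formed record, so that subscription forwards everything.
CATCH_ALL_KEEP_FILTER = [
    r"^((\S+);;;(\S+)(-(\S+))?-(.*)-(.*\s*)\s*:\s*.*)$",
]

# Constructed sample records in the "<device>;;;<facility>-<sev>-<mnemonic>: text"
# layout the posted expressions expect. The ';;;' separator comes from those
# expressions; everything else about the record format is an assumption.
SAMPLE_RECORDS = [
    "sw1.example;;;LINK-3-UPDOWN: Interface GigabitEthernet1/0/1, changed state to down",
    "sw1.example;;;LINK-3-UPDOWN: Interface FastEthernet0/2, changed state to up",
    "rtr1.example;;;LINK-3-UPDOWN: Interface Serial0/0/0, changed state to down",
    "sw1.example;;;LINK-3-UPDOWN: Interface Vlan10, changed state to down",
    "sw1.example;;;LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan10, changed state to down",
    "rtr1.example;;;SYS-5-CONFIG_I: Configured from console by admin on vty0",
]


def matches_any(record, filters):
    """True if at least one expression matches the record (re.match anchors at ^)."""
    return any(re.match(expr, record) for expr in filters)


def apply_drop_filters(records, drop_filters):
    """Split records into (dropped, forwarded) the way a DROP-mode subscription would."""
    dropped = [r for r in records if matches_any(r, drop_filters)]
    forwarded = [r for r in records if not matches_any(r, drop_filters)]
    return dropped, forwarded


if __name__ == "__main__":
    for label, filters in (("posted", POSTED_DROP_FILTERS),
                           ("all interfaces", ALL_INTERFACES_DROP_FILTER)):
        dropped, forwarded = apply_drop_filters(SAMPLE_RECORDS, filters)
        print(f"{label}: dropped {len(dropped)}, forwarded {len(forwarded)}")
        for r in forwarded:
            print("  still notified:", r)
```

With the posted expressions the Serial and Vlan LINK-3-UPDOWN records are still forwarded, so they still trigger the e-mail action; the broadened expression drops all four LINK-3-UPDOWN records while leaving the other facilities alone.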

ngholmieh Mon, 11/19/2007 - 18:16

I shut down the syslog collector and removed the filter.dat file. I restarted the syslog collector, but I have not received any notification since.

I have checked the Collector status page, no collector was defined, and I got this message:

SLCA0132: Collector status is currently not available. check whether SyslogAnalyzer process is running normally.

I checked the SyslogAnalyzer. It said program started. I stopped it and started it again, but the syslog collector status page kept giving me this message.

What can I do now to get the syslog collector running again?

Thanks

Joe Clarke Mon, 11/19/2007 - 18:21

This could be a known bug where SyslogAnalyzer takes a long time to startup on Windows if there are a lot of devices and a lot of automated actions configured. To confirm this, you need to enable Syslog Analyzer debugging under RME > Admin > System Preferences > Loglevel Settings, then restart SyslogAnalyzer. Then post the AnalyzerDebug.log.

ngholmieh Tue, 11/27/2007 - 16:10

It seems that the syslog collector was indeed too late to come up. When it started running again, my mailbox was flooded with messages that are not being filtered.

I checked the filter.dat file that I previously removed after you asked me; it was back and the same as the one I sent you earlier:

>>>>>>>>>>>>>>

Filters for the server: ACT-CISCOWORKS

Mode: DROP

Filter expressions:

^((\S+);;;(C6KERRDETECT)(-(SP))-(2)-(FIFOCRITLEVEL\s*)\s*:\s*.*)$

^((\S+);;;(AT)(-(\S+))?-(6)-(NODEWRONG\s*)\s*:\s*.*)$

^((\S+);;;(PM)(-(\S+))?-(4)-(ERR DISABLE\s*)\s*:\s*.*)$

^((\S+);;;(\S+)(-(\S+))?-(7)-(.*\s*)\s*:\s*.*)$

^((\S+);;;(LINK)(-(\S+))?-(3)-(UPDOWN\s*)\s*:\s*.*GigabitEthernet.*)$

^((\S+);;;(LINK)(-(\S+))?-(3)-(UPDOWN\s*)\s*:\s*.*FastEthernet.*)$

^((|localhost);;;(FILESYS)(-(SP))-(5)-(DEV\s*)\s*:\s*.*)$

^((\S+);;;(PM)(-(\S+))?-(4)-(ERR RECOVER\s*)\s*:\s*.*)$

^((\S+);;;(MLS)(-(\S+))?-(4)-(MOVEOVERFLOW\s*)\s*:\s*.*)$

^((\S+);;;(MCAST)(-(\S+))?-(2)-(.*\s*)\s*:\s*.*)$

^((\S+);;;(RTD)(-(\S+))?-(1)-(ADDR_FLAP\s*)\s*:\s*.*)$

^((\S+);;;(RTD)(-(\S+))?-(1)-(LINK_FLAP\s*)\s*:\s*.*)$

^((\S+);;;(PORT_SECURITY)(-(\S+))?-(2)-(PSECURE_VIOPLATION\s*)\s*:\s*.*)$

^((\S+);;;(FW)(-(\S+))?-(6)-(SESS_AUDIT_TRAIL\s*)\s*:\s*.*)$

^((\S+);;;(SEC)(-(\S+))?-(6)-(IPACCESSLOGNP\s*)\s*:\s*.*)$

^((\S+);;;(SEC)(-(\S+))?-(6)-(IPACCESSLOGP\s*)\s*:\s*.*)$

^((\S+);;;(SEC)(-(\S+))?-(6)-(IPACCESSLOGS\s*)\s*:\s*.*)$

^((\S+);;;(SEC)(-(\S+))?-(6)-(IPACCESSLOGRP\s*)\s*:\s*.*)$

^((\S+);;;(SEC)(-(\S+))?-(6)-(IPACCESSLOGDP\s*)\s*:\s*.*)$

^((\S+);;;(SYS)(-(\S+))?-(4)-(SNMP_WRITENET\s*)\s*:\s*.*)$

^((|localhost);;;(SNMP)(-(\S+))?-(\S+)-(AUTHFAIL\s*)\s*:\s*.*)$

^((|localhost);;;(SNMP)(-(\S+))?-(3)-(AUTHFAIL\s*)\s*:\s*.*)$

^((\S+);;;(IP)(-(\S+))?-(3)-(UPD_SOCKOVFL\s*)\s*:\s*.*)$

^((\S+);;;(LINEPROTO)(-(\S+))?-(5)-(UPDOWN\s*)\s*:\s*.*)$

^((\S+);;;(UBR7200)(-(\S+))?-(.*)-(.*\s*)\s*:\s*.*)$

...................

Filters for the server: act-ciscoworks

Mode: KEEP

Filter expressions:

^((\S+);;;(\S+)(-(\S+))?-(.*)-(.*\s*)\s*:\s*.*)$

...................

<<<<<<<<<<<<<<<<<<<<<<<

It seems the file was recreated as it was, and the filters are not taking any effect.

So I am back to square one. Any other ideas?

Thanks

Joe Clarke Tue, 11/27/2007 - 23:08

I have not seen this problem before. What does your syslog collector status screen look like?

ngholmieh Wed, 11/28/2007 - 15:02

The syslog collector status screen contains the following syslog collector defined:

Name=ciscoworks

forwarded=495081

invalid=636

filtered=0

dropped=7164

received=502881

Uptime= Nov 19 2007...

Update time=Nov 28 2007...

Joe Clarke Wed, 11/28/2007 - 15:14

Where is act-ciscoworks coming from? Did you change the hostname on this server?

ngholmieh Thu, 11/29/2007 - 10:48

No, actually in the syslog collector page the name is act-ciscoworks. I must have mistyped it. I double checked it now.

I did not rename the server at all.

Sorry about that.

Joe Clarke Thu, 11/29/2007 - 11:00

Okay, do this. From that page, unsubscribe your Collector. Then, shut down SyslogCollector and SyslogAnalyzer. Delete filters.dat and NMSROOT/MDC/tomcat/webapps/rme/WEB-INF/classes/com/cisco/nm/rmeng/sa/data/collectors.dat. Then restart SyslogCollector and SyslogAnalyzer. If the Analyzer does not automatically resubscribe to the Collector, do that (note: you may need to wait for the Analyzer to fully initialize).
