Filters for the server: ACT-CISCOWORKS

Mode: DROP

Filter expressions:

^((\S+);;;(C6KERRDETECT)(-(SP))-(2)-(FIFOCRITLEVEL\s*)\s*:\s*.*)$

^((\S+);;;(AT)(-(\S+))?-(6)-(NODEWRONG\s*)\s*:\s*.*)$

^((\S+);;;(PM)(-(\S+))?-(4)-(ERR DISABLE\s*)\s*:\s*.*)$

^((\S+);;;(\S+)(-(\S+))?-(7)-(.*\s*)\s*:\s*.*)$

^((\S+);;;(LINK)(-(\S+))?-(3)-(UPDOWN\s*)\s*:\s*.*GigabitEthernet.*)$

^((\S+);;;(LINK)(-(\S+))?-(3)-(UPDOWN\s*)\s*:\s*.*FastEthernet.*)$

^((\S+);;;(SYS)(-(\S+))?-(2)-(PS_FAIL\s*)\s*:\s*.*)$

^((|localhost);;;(FILESYS)(-(SP))-(5)-(DEV\s*)\s*:\s*.*)$

^((\S+);;;(PM)(-(\S+))?-(4)-(ERR RECOVER\s*)\s*:\s*.*)$

^((\S+);;;(MLS)(-(\S+))?-(4)-(MOVEOVERFLOW\s*)\s*:\s*.*)$

^((\S+);;;(MCAST)(-(\S+))?-(2)-(.*\s*)\s*:\s*.*)$

^((\S+);;;(PORT_SECURITY)(-(\S+))?-(2)-(PSECURE_VIOPLATION\s*)\s*:\s*.*)$

^((\S+);;;(RTD)(-(\S+))?-(1)-(ADDR_FLAP\s*)\s*:\s*.*)$

^((\S+);;;(RTD)(-(\S+))?-(1)-(LINK_FLAP\s*)\s*:\s*.*)$

^((\S+);;;(SEC)(-(\S+))?-(6)-(IPACCESSLOGNP\s*)\s*:\s*.*)$

^((\S+);;;(SEC)(-(\S+))?-(6)-(IPACCESSLOGP\s*)\s*:\s*.*)$

^((\S+);;;(SEC)(-(\S+))?-(6)-(IPACCESSLOGS\s*)\s*:\s*.*)$

^((\S+);;;(SEC)(-(\S+))?-(6)-(IPACCESSLOGRP\s*)\s*:\s*.*)$

^((\S+);;;(SEC)(-(\S+))?-(6)-(IPACCESSLOGDP\s*)\s*:\s*.*)$

^((\S+);;;(FW)(-(\S+))?-(6)-(SESS_AUDIT_TRAIL\s*)\s*:\s*.*)$

^((\S+);;;(SYS)(-(\S+))?-(4)-(SNMP_WRITENET\s*)\s*:\s*.*)$

^((|localhost);;;(SNMP)(-(\S+))?-(\S+)-(AUTHFAIL\s*)\s*:\s*.*)$

^((|localhost);;;(SNMP)(-(\S+))?-(3)-(AUTHFAIL\s*)\s*:\s*.*)$

^((\S+);;;(IP)(-(\S+))?-(3)-(UPD_SOCKOVFL\s*)\s*:\s*.*)$

^((\S+);;;(LINEPROTO)(-(\S+))?-(5)-(UPDOWN\s*)\s*:\s*.*)$

^((\S+);;;(UBR7200)(-(\S+))?-(.*)-(.*\s*)\s*:\s*.*)$

...................

Filters for the server: act-ciscoworks

Mode: KEEP

Filter expressions:

^((\S+);;;(\S+)(-(\S+))?-(.*)-(.*\s*)\s*:\s*.*)$

...................

I shutdown the syslog collector and removed the filter.dat file. I restarted the syslog collector, but i have not received any notification since.

I have checked the Collector status page, no collector was defined, and i got this message:

SLCA0132: Collector status is currently not available. check whether SyslogAnalyzer process is running normally.

I checked the SyslogAnalyzer. it said program started. I stopped it and started it again, the syslog collector status page kept giving me this message.

What can i do now to get the syslog collector running again?

Thanks

This could be a known bug where SyslogAnalyzer takes a long time to startup on Windows if there are a lot of devices and a lot of automated actions configured. To confirm this, you need to enable Syslog Analyzer debugging under RME > Admin > System Preferences > Loglevel Settings, then restart SyslogAnalyzer. Then post the AnalyzerDebug.log.

It seems that the syslog collector was indeed too late to come up. When it started running again, my mailbox was flooded with messages that are not being filtered.

I checked the filter.dat file that i previously removed after you asked me, it was back and same as the one I sent you earlier:

>>>>>>>>>>>>>>

Filters for the server: ACT-CISCOWORKS

Mode: DROP

Filter expressions:

^((\S+);;;(C6KERRDETECT)(-(SP))-(2)-(FIFOCRITLEVEL\s*)\s*:\s*.*)$

^((\S+);;;(AT)(-(\S+))?-(6)-(NODEWRONG\s*)\s*:\s*.*)$

^((\S+);;;(PM)(-(\S+))?-(4)-(ERR DISABLE\s*)\s*:\s*.*)$

^((\S+);;;(\S+)(-(\S+))?-(7)-(.*\s*)\s*:\s*.*)$

^((\S+);;;(LINK)(-(\S+))?-(3)-(UPDOWN\s*)\s*:\s*.*GigabitEthernet.*)$

^((\S+);;;(LINK)(-(\S+))?-(3)-(UPDOWN\s*)\s*:\s*.*FastEthernet.*)$

^((|localhost);;;(FILESYS)(-(SP))-(5)-(DEV\s*)\s*:\s*.*)$

^((\S+);;;(PM)(-(\S+))?-(4)-(ERR RECOVER\s*)\s*:\s*.*)$

^((\S+);;;(MLS)(-(\S+))?-(4)-(MOVEOVERFLOW\s*)\s*:\s*.*)$

^((\S+);;;(MCAST)(-(\S+))?-(2)-(.*\s*)\s*:\s*.*)$

^((\S+);;;(RTD)(-(\S+))?-(1)-(ADDR_FLAP\s*)\s*:\s*.*)$

^((\S+);;;(RTD)(-(\S+))?-(1)-(LINK_FLAP\s*)\s*:\s*.*)$

^((\S+);;;(PORT_SECURITY)(-(\S+))?-(2)-(PSECURE_VIOPLATION\s*)\s*:\s*.*)$

^((\S+);;;(FW)(-(\S+))?-(6)-(SESS_AUDIT_TRAIL\s*)\s*:\s*.*)$

^((\S+);;;(SEC)(-(\S+))?-(6)-(IPACCESSLOGNP\s*)\s*:\s*.*)$

^((\S+);;;(SEC)(-(\S+))?-(6)-(IPACCESSLOGP\s*)\s*:\s*.*)$

^((\S+);;;(SEC)(-(\S+))?-(6)-(IPACCESSLOGS\s*)\s*:\s*.*)$

^((\S+);;;(SEC)(-(\S+))?-(6)-(IPACCESSLOGRP\s*)\s*:\s*.*)$

^((\S+);;;(SEC)(-(\S+))?-(6)-(IPACCESSLOGDP\s*)\s*:\s*.*)$

^((\S+);;;(SYS)(-(\S+))?-(4)-(SNMP_WRITENET\s*)\s*:\s*.*)$

^((|localhost);;;(SNMP)(-(\S+))?-(\S+)-(AUTHFAIL\s*)\s*:\s*.*)$

^((|localhost);;;(SNMP)(-(\S+))?-(3)-(AUTHFAIL\s*)\s*:\s*.*)$

^((\S+);;;(IP)(-(\S+))?-(3)-(UPD_SOCKOVFL\s*)\s*:\s*.*)$

^((\S+);;;(LINEPROTO)(-(\S+))?-(5)-(UPDOWN\s*)\s*:\s*.*)$

^((\S+);;;(UBR7200)(-(\S+))?-(.*)-(.*\s*)\s*:\s*.*)$

...................

Filters for the server: act-ciscoworks

Mode: KEEP

Filter expressions:

^((\S+);;;(\S+)(-(\S+))?-(.*)-(.*\s*)\s*:\s*.*)$

...................

<<<<<<<<<<<<<<<<<<<<<<<

It seems the file was recreated as it was, and the filters are not taking any effect.

So i am back to square one. Any other ideas?

Thanks

I have not seen this problem before. What does your syslog collector status screen look like?

The syslog collector status screen contains the follwing syslog collector defined:

Name=ciscoworks

forwarded=495081

invalid=636

filtered=0

dropped=7164

received=502881

Uptime= Nov 19 2007...

Update time=Nov 28 2007...

Where is act-ciscoworks coming from? Did you change the hostname on this server?

non actually in the syslog collector page the name is act-ciscoworks. I must have mistyped it. I double checked it now.

I did not rename the server at all.

Sorry about that.

Okay, do this. From that page, unsubscribe your Collector. Then, shutdown SyslogCollector and SyslogAnalyzer. Delete filters.dat and NMSROOT/MDC/tomcat/webapps/rme/WEB-INF/classes/com/cisco/nm/rmeng/sa/data/collectors.dat. Then restart SyslogCollector and SyslogAnalyzer. If the Analyzer does not automatically resubscribe to the Collector, do that (note: you may need to wait for the Analyzer to fully initialize).