Forwarding SYSLOG from CW

Unanswered Question
Jan 21st, 2008

I am using an automated action to forward SYSLOG to another server. I am getting this message (Not a valid action) in the AnalyzerDeBug.log:

I am using the perl script and bat from a previous post.




[ Mon Jan 21 10:06:55 EST 2008 ],DEBUG,[Thread-2],Attempting to process new syslogs from the collector

[ Mon Jan 21 10:06:55 EST 2008 ],DEBUG,[Thread-2],Attempting to find the device id

[ Mon Jan 21 10:06:55 EST 2008 ],DEBUG,[Thread-2],Preparing to find device id by assuming 10.116.11.131 as address

[ Mon Jan 21 10:06:55 EST 2008 ],DEBUG,[Thread-2],Finding device id in the cache

[ Mon Jan 21 10:06:55 EST 2008 ],DEBUG,[Thread-2],Device id found in the cache itself as 4837

[ Mon Jan 21 10:06:55 EST 2008 ],DEBUG,[Thread-2],Found the device id as 4837

[ Mon Jan 21 10:06:55 EST 2008 ],DEBUG,[Thread-2],Attempting to insert the syslog into database

[ Mon Jan 21 10:06:55 EST 2008 ],DEBUG,[Thread-2],Preparing to hand of syslog to the database handler

[ Mon Jan 21 10:06:55 EST 2008 ],DEBUG,[Thread-2], Time stamp of the syslog received is : Mon Jan 21 10:06:54 EST 2008 GMT 21 Jan 2008 15:06:54 GMT

[ Mon Jan 21 10:06:55 EST 2008 ],DEBUG,[Thread-2],Insert into SYSLOG_20080021(Syslog_Device_Id,Syslog_Device_Name,Syslog_TimeStamp,Syslog_Facility,Syslog_SubFacility,Syslog_Severity, Syslog_Mnemonic,Syslog_Description )values ( '4837','10.116.11.131','2008-01-21 15:06:54','DOT11',null,'6','DISASSOC','Interface Dot11Radio0, Deauthenticating Station 0015.7024.a215 Reason: Sending station has left the BSS' )

[ Mon Jan 21 10:06:55 EST 2008 ],DEBUG,[Thread-2],Recreated the statement object

[ Mon Jan 21 10:06:55 EST 2008 ],DEBUG,[Thread-2],Added syslog to the database handler

[ Mon Jan 21 10:06:55 EST 2008 ],DEBUG,[Thread-2],Insertion of syslog into database is done

[ Mon Jan 21 10:06:55 EST 2008 ],DEBUG,[Thread-2],Attempting to find interested actions, bypassing

[ Mon Jan 21 10:06:55 EST 2008 ],DEBUG,[Thread-2],Found 3 actions on the syslog

[ Mon Jan 21 10:06:55 EST 2008 ],DEBUG,[Thread-2],Preparing to check with DM to invoke action on the device 4837

[ Mon Jan 21 10:06:55 EST 2008 ],DEBUG,[Thread-2],The device already granted by DM

[ Mon Jan 21 10:06:55 EST 2008 ],DEBUG,[Thread-2],Statemanagement allowed actions on the syslog

[ Mon Jan 21 10:06:55 EST 2008 ],DEBUG,[Thread-2],Attempting to hand off the syslog to action handlers

[ Mon Jan 21 10:06:55 EST 2008 ],DEBUG,[Thread-2],Preparing to hand of syslog to the action processor

[ Mon Jan 21 10:06:55 EST 2008 ],DEBUG,[Thread-2],Valid action: Script

[ Mon Jan 21 10:06:55 EST 2008 ],DEBUG,[Thread-2],Parameters: D:/apps/CSCOpx/files/scripts/syslog/log.bat

[ Mon Jan 21 10:06:55 EST 2008 ],DEBUG,[Thread-2],Not a valid action

[ Mon Jan 21 10:06:55 EST 2008 ],DEBUG,[Thread-2],Not a valid action

[ Mon Jan 21 10:06:55 EST 2008 ],DEBUG,[Thread-2],Syslog has at least one action, passing it to action handling processer

[ Mon Jan 21 10:06:55 EST 2008 ],DEBUG,[Thread-2],Handed off syslog to the action processor

[ Mon Jan 21 10:06:55 EST 2008 ],DEBUG,[Thread-2],Syslog handed off to action handlers

[ Mon Jan 21 10:06:55 EST 2008 ],DEBUG,[Thread-2],Syslog Action Processor thread attempts to get next syslog from queue

[ Mon Jan 21 10:06:55 EST 2008 ],DEBUG,[Thread-2],Attempting to read from the queue for new syslogs from collector

[ Mon Jan 21 10:06:55 EST 2008 ],DEBUG,[Thread-2],Attempting to process new syslogs from the collector

[ Mon Jan 21 10:06:55 EST 2008 ],DEBUG,[Thread-2],Attempting to find the device id


David Stanford Mon, 01/21/2008 - 09:22
User Badges: Cisco Employee

Which version of RME is this?


Was log.bat created or modified?

rice.randy Mon, 01/21/2008 - 10:09

Here is log.bat


@ECHO OFF

D:\apps\cscopx\bin\perl.exe d:\apps\CSCOpx\files\scripts\syslog\log.pl "%~2"


RME is 4.0.5

Joe Clarke Mon, 01/21/2008 - 11:06
User Badges: Cisco Employee, Hall of Fame, Founding Member

You need to provide the log.pl as well. Note, this message is typical, and does not necessarily indicate a problem. Are the messages not actually being forwarded?

rice.randy Mon, 01/21/2008 - 11:32

log.pl


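#!/opt/CSCOpx/bin/perl

use strict;
use Sys::Syslog qw(:DEFAULT setlogsock);

# Syslog text handed over by log.bat as the first argument
my $msg = $ARGV[0];

# Send over the network to the remote server rather than the local log socket
setlogsock('inet');
$Sys::Syslog::host = '10.129.20.236';

# Pass the text as an argument to a fixed '%s' format so that any '%'
# characters in the device message are not interpreted as format directives
syslog('info|local7', '%s', $msg);
closelog;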


I can live with the error if it's normal....

Also, is there a way to direct the syslog to a particular directory and a name? i.e. /backup/ftpusr/cisco and the file needs to be named syslog.log.

Joe Clarke Mon, 01/21/2008 - 11:43
User Badges: Cisco Employee, Hall of Fame, Founding Member

In order for the messages to go to a certain file, you need to configure the receiving side to handle local7.info messages in the way desired. On UNIX systems, this will typically be done in /etc/syslog.conf.
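
The receiver-side routing described in the reply above, as an added example that is not part of the original thread. It assumes a traditional syslogd that reads /etc/syslog.conf; the function name add_syslog_route is hypothetical, and the pid file path in the closing comment varies by system.

```shell
#!/bin/sh
# Added example: route the forwarder's local7.info messages into one file.
# The config path is a parameter so the function can be tried on a copy first.

# add_syslog_route CONF SELECTOR LOGFILE
# Appends "SELECTOR<TAB>LOGFILE" to CONF unless an active (uncommented)
# line for that selector and file already exists. Creates LOGFILE first,
# since many traditional syslogd builds will not create it themselves.
add_syslog_route() {
    conf=$1 selector=$2 logfile=$3

    # A file action in syslog.conf must be an absolute path
    case $logfile in
        /*) ;;
        *) echo "log file must be an absolute path" >&2; return 2 ;;
    esac

    mkdir -p "$(dirname "$logfile")" || return 1
    if [ ! -e "$logfile" ]; then
        # Not world-readable: device messages expose MAC addresses and topology
        (umask 027; : > "$logfile") || return 1
    fi

    # Already routed? Compare the selector field and the action field exactly.
    if awk -v s="$selector" -v f="$logfile" \
        '$1 == s && $2 == f { found = 1 } END { exit !found }' "$conf"; then
        return 0
    fi

    # Traditional syslogd expects tabs between selector and action
    printf '%s\t%s\n' "$selector" "$logfile" >> "$conf"
}

# Typical use on the receiver (as root), then have syslogd re-read its config:
#   add_syslog_route /etc/syslog.conf local7.info /backup/ftpusr/cisco/syslog.log
#   kill -HUP "$(cat /var/run/syslogd.pid)"   # pid file location is an assumption
```

The receiving syslogd must also be accepting messages from the network (for example, the `-r` option on Linux sysklogd), otherwise the forwarded packets are dropped before this rule is consulted.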
