Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
833
Views
0
Helpful
5
Replies

Forwarding SYSLOG fro CW

rice.randy
Level 1
Level 1

‎01-21-2008 07:17 AM

I am using an automated action to froward SYSLOG to another server. I am getting this message (Not a validaction) in the AnalyzerDeBug.log:

I am using the perl script and bat from a previous post.

[ Mon Jan 21 10:06:55 EST 2008 ],DEBUG,[Thread-2],Attempting to process new syslogs from the collector

[ Mon Jan 21 10:06:55 EST 2008 ],DEBUG,[Thread-2],Attempting to find the device id

[ Mon Jan 21 10:06:55 EST 2008 ],DEBUG,[Thread-2],Preparing to find device id by assuming 10.116.11.131 as address

[ Mon Jan 21 10:06:55 EST 2008 ],DEBUG,[Thread-2],Finding device id in the cache

[ Mon Jan 21 10:06:55 EST 2008 ],DEBUG,[Thread-2],Device id found in the cache itself as 4837

[ Mon Jan 21 10:06:55 EST 2008 ],DEBUG,[Thread-2],Found the device id as 4837

[ Mon Jan 21 10:06:55 EST 2008 ],DEBUG,[Thread-2],Attempting to insert the syslog into database

[ Mon Jan 21 10:06:55 EST 2008 ],DEBUG,[Thread-2],Preparing to hand of syslog to the database handler

[ Mon Jan 21 10:06:55 EST 2008 ],DEBUG,[Thread-2], Time stamp of the syslog received is : Mon Jan 21 10:06:54 EST 2008 GMT 21 Jan 2008 15:06:54 GMT

[ Mon Jan 21 10:06:55 EST 2008 ],DEBUG,[Thread-2],Insert into SYSLOG_20080021(Syslog_Device_Id,Syslog_Device_Name,Syslog_TimeStamp,Syslog_Facility,Syslog_SubFacility,Syslog_Severity, Syslog_Mnemonic,Syslog_Description )values ( '4837','10.116.11.131','2008-01-21 15:06:54','DOT11',null,'6','DISASSOC','Interface Dot11Radio0, Deauthenticating Station 0015.7024.a215 Reason: Sending station has left the BSS' )

[ Mon Jan 21 10:06:55 EST 2008 ],DEBUG,[Thread-2],Recreated the statement object

[ Mon Jan 21 10:06:55 EST 2008 ],DEBUG,[Thread-2],Added syslog to the database handler

[ Mon Jan 21 10:06:55 EST 2008 ],DEBUG,[Thread-2],Insertion of syslog into database is done

[ Mon Jan 21 10:06:55 EST 2008 ],DEBUG,[Thread-2],Attempting to find interested actions, bypassing

[ Mon Jan 21 10:06:55 EST 2008 ],DEBUG,[Thread-2],Found 3 actions on the syslog

[ Mon Jan 21 10:06:55 EST 2008 ],DEBUG,[Thread-2],Preparing to check with DM to invoke action on the device 4837

[ Mon Jan 21 10:06:55 EST 2008 ],DEBUG,[Thread-2],The device already granted by DM

[ Mon Jan 21 10:06:55 EST 2008 ],DEBUG,[Thread-2],Statemanagement allowed actions on the syslog

[ Mon Jan 21 10:06:55 EST 2008 ],DEBUG,[Thread-2],Attempting to hand off the syslog to action handlers

[ Mon Jan 21 10:06:55 EST 2008 ],DEBUG,[Thread-2],Preparing to hand of syslog to the action processor

[ Mon Jan 21 10:06:55 EST 2008 ],DEBUG,[Thread-2],Valid action: Script

[ Mon Jan 21 10:06:55 EST 2008 ],DEBUG,[Thread-2],Parameters: D:/apps/CSCOpx/files/scripts/syslog/log.bat

[ Mon Jan 21 10:06:55 EST 2008 ],DEBUG,[Thread-2],Not a valid action

[ Mon Jan 21 10:06:55 EST 2008 ],DEBUG,[Thread-2],Not a valid action

[ Mon Jan 21 10:06:55 EST 2008 ],DEBUG,[Thread-2],Syslog has at least one action, passing it to action handling processer

[ Mon Jan 21 10:06:55 EST 2008 ],DEBUG,[Thread-2],Handed off syslog to the action processor

[ Mon Jan 21 10:06:55 EST 2008 ],DEBUG,[Thread-2],Syslog handed off to action handlers

[ Mon Jan 21 10:06:55 EST 2008 ],DEBUG,[Thread-2],Syslog Action Processor thread attempts to get next syslog from queue

[ Mon Jan 21 10:06:55 EST 2008 ],DEBUG,[Thread-2],Attempting to read from the queue for new syslogs from collector

[ Mon Jan 21 10:06:55 EST 2008 ],DEBUG,[Thread-2],Attempting to process new syslogs from the collector

[ Mon Jan 21 10:06:55 EST 2008 ],DEBUG,[Thread-2],Attempting to find the device id

Labels:
0 Helpful
5 Replies 5

David Stanford
Cisco Employee
Cisco Employee

‎01-21-2008 09:22 AM

Which version of RME is this?

Was log.bat created or modified?

0 Helpful

rice.randy
Level 1
Level 1
In response to David Stanford

‎01-21-2008 10:09 AM

Here is log.bat

@ECHO OFF

D:\apps\cscopx\bin\perl.exe d:\apps\CSCOpx\files\scripts\syslog\log.pl "%~2"

RME is 4.0.5

0 Helpful

Joe Clarke
Cisco Employee
Cisco Employee
In response to rice.randy

‎01-21-2008 11:06 AM

You need to provide the log.pl as well. Note, this message is typical, and does not necessarily indicate a problem. Are the messages not actually being forwarded?

0 Helpful

rice.randy
Level 1
Level 1
In response to Joe Clarke

‎01-21-2008 11:32 AM

log.pl

#!/opt/CSCOpx/bin/perl

use strict;

use Sys::Syslog qw(:DEFAULT setlogsock);

my $msg = $ARGV[0];

setlogsock('inet');

$Sys::Syslog::host = '10.129.20.236';

syslog('info|local7', $msg);

closelog;

I can live with the error if its normal....

Also, is there a way to direct the syslog to a particular directory and a name? ie /backup/ftpusr/cisco and the file needs to be named syslog.log.

0 Helpful

Joe Clarke
Cisco Employee
Cisco Employee
In response to rice.randy

‎01-21-2008 11:43 AM

In order for the messages to go to a certain file, you need to configure the receiving side to handle local7.info messages in the way desired. On UNIX systems, this will typically be done in /etc/syslog.conf.

0 Helpful
Customers Also Viewed These Support Documents