LMS RME - Syslog Alert


Why can't I see any alerts in the Syslog Alert on the RME main home page or LMS Portal "System" view?

I did a shut/unshut on an interface and the syslog was sent to the CW server. I can view it by issuing the "logview.exe" command, but it does not show in the Syslog Alert window.



C:\Documents and Settings\hpadmin>logview


ar 03 21:48:25 122.255.98.14 156: *Mar 3 05:41:18: %SEC-6-IPACCESSLOGS: list MANAGEMENT denied 124.82.8.136 1 packet

Mar 03 21:50:22 122.255.97.4 24: *Mar 3 13:49:30.737: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (122.255.99.74)

Mar 03 21:53:56 122.255.97.5 52: *Mar 3 13:54:45: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (122.255.99.74)

Mar 03 21:57:33 122.255.98.14 157: *Mar 3 05:50:27: %SEC-6-IPACCESSLOGS: list MANAGEMENT denied 124.82.8.136 3 packets

Mar 03 22:01:53 122.255.97.6 518: Mar 3 22:02:21.780: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (122.255.99.74)

Mar 03 22:02:19 122.255.97.6 519: Mar 3 22:02:47.448: %LINK-5-CHANGED: Interface GigabitEthernet0/0, changed state to reset

Mar 03 22:02:25 122.255.97.6 520: Mar 3 22:02:52.984: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (122.255.99.74)

Mar 03 22:02:25 122.255.97.6 521: Mar 3 22:02:53.168: %LINK-5-CHANGED: Interface GigabitEthernet0/0, changed state to administratively down


Regards




Joe Clarke Mon, 03/03/2008 - 10:40
User Badges:
  • Cisco Employee,
  • Hall of Fame,

    Founding Member

Once the syslog messages make it to syslog.log, they are read by the SyslogCollector daemon which then performs filtering on those messages. Please post the output of the pdshow command as well as the NMSROOT/MDC/tomcat/webapps/rme/WEB-INF/classes/com/cisco/nm/rmeng/csc/data/filters.dat file.

Joe Clarke Mon, 03/03/2008 - 16:49

Your filters are wrong. According to this, the only messages you will process are PIX and firewall audit trail messages, and sev 7 messages. Change your filter mode from KEEP to DROP under RME > Tools > Syslog > Message Filters, then you should start seeing new messages get processed.

Joe Clarke Tue, 03/04/2008 - 10:11

It looks like you also changed the include interfaces option as well. You should not have done this. Set "Include interfaces of selected devices:" back to Yes.

Joe Clarke Tue, 03/04/2008 - 20:55

Assuming you haven't enabled the Link Up/Down Message filter, you should be seeing these messages in your syslog reports. You are getting forwarded messages. Try running a Syslog Standard Report under RME > Reports > Report Generator to see what messages are being written to the RME database.

Joe Clarke Wed, 03/05/2008 - 07:38

Good. So syslog analysis is now working. Now, as mermel said, the syslog alerts portlet only shows the messages in the past 24 hours that are of severity 0, 1, and 2 (emerg, alert, crit). Now that you have syslog analysis working, you should start to see that count increase when a message of a high enough severity comes in.

That means it was working all the while. It's just that the Syslog Alert portlet only shows severity 0/1/2.


BTW, can we change the setting so it can also display up to severity 5 or 6? The reason is that sometimes a BGP peering or OSPF neighbor goes down, and it is also important for that to be shown on the portlet. Otherwise, we only know about it when we manually generate the report.


Severity 0/1/2 rarely occurs, unless a CPU/memory or system failure happens.


Thanks



Regards


Joe Clarke Wed, 03/05/2008 - 08:45

The severities displayed cannot be changed. However, you can create Automated Actions for the syslog messages that you care about, and have RME email you when those important messages are processed. This is done under RME > Tools > Syslog > Automated Actions.
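Added example (not part of the original thread, and not Cisco code): a Python sketch that parses logview lines like those posted in the question, counts how many meet the portlet's severity 0/1/2 threshold described in the replies, and lists the message types that fall below it and would need an Automated Action instead. The function names are hypothetical, and the severity 2 line is constructed for contrast.

```python
import re
from collections import Counter

# Lines copied from the logview output posted in the question.
SAMPLE = """\
Mar 03 21:57:33 122.255.98.14 157: *Mar 3 05:50:27: %SEC-6-IPACCESSLOGS: list MANAGEMENT denied 124.82.8.136 3 packets
Mar 03 22:01:53 122.255.97.6 518: Mar 3 22:02:21.780: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (122.255.99.74)
Mar 03 22:02:19 122.255.97.6 519: Mar 3 22:02:47.448: %LINK-5-CHANGED: Interface GigabitEthernet0/0, changed state to reset
Mar 03 22:02:25 122.255.97.6 521: Mar 3 22:02:53.168: %LINK-5-CHANGED: Interface GigabitEthernet0/0, changed state to administratively down
"""
# Constructed line (not from the thread): a severity 2 message for contrast.
CONSTRUCTED_CRIT = "Mar 03 22:10:00 192.0.2.1 7: Mar 3 22:10:01: %SYS-2-MALLOCFAIL: Memory allocation failed\n"

PORTLET_MAX_SEVERITY = 2  # per the thread: the portlet shows severity 0, 1 and 2 only

# <receive timestamp> <source IP> ... %FACILITY-SEVERITY-MNEMONIC: text
LINE_RE = re.compile(
    r"^\w{3} \d{2} [\d:]{8} (?P<src>\d{1,3}(?:\.\d{1,3}){3}) .*?"
    r"%(?P<facility>[A-Z0-9_-]+?)-(?P<sev>[0-7])-(?P<mnemonic>[A-Z0-9_]+): (?P<text>.*)$"
)

def parse(line):
    """Return a dict for one logview line, or None if it is not an IOS-style message."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sev"] = int(rec["sev"])
    rec["portlet"] = rec["sev"] <= PORTLET_MAX_SEVERITY
    return rec

def summarize(text):
    """Count parsed messages per severity and how many would reach the portlet."""
    records = [r for r in map(parse, text.splitlines()) if r]
    return {
        "parsed": len(records),
        "by_severity": dict(Counter(r["sev"] for r in records)),
        "portlet_count": sum(r["portlet"] for r in records),
    }

def below_portlet(text):
    """Distinct message types the portlet will never show (Automated Action candidates)."""
    records = [r for r in map(parse, text.splitlines()) if r]
    return sorted({f'{r["facility"]}-{r["sev"]}-{r["mnemonic"]}' for r in records if not r["portlet"]})

if __name__ == "__main__":
    print(summarize(SAMPLE))
    print(below_portlet(SAMPLE))
```

Run against the posted lines, every message is severity 5 or 6, so the portlet count stays at zero even though syslog collection is working.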
