03-03-2008 06:15 AM
Why can't I see any alerts in the Syslog Alert on the RME main home page or LMS Portal "System" view?
I did a shut/unshut on an interface and the syslog was sent to the CW server. I can view it by issuing the "logview.exe" command, but it does not show in the Syslog Alert window.
C:\Documents and Settings\hpadmin>logview
ar 03 21:48:25 122.255.98.14 156: *Mar 3 05:41:18: %SEC-6-IPACCESSLOGS: list MANAGEMENT denied 124.82.8.136 1 packet
Mar 03 21:50:22 122.255.97.4 24: *Mar 3 13:49:30.737: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (122.255.99.74)
Mar 03 21:53:56 122.255.97.5 52: *Mar 3 13:54:45: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (122.255.99.74)
Mar 03 21:57:33 122.255.98.14 157: *Mar 3 05:50:27: %SEC-6-IPACCESSLOGS: list MANAGEMENT denied 124.82.8.136 3 packets
Mar 03 22:01:53 122.255.97.6 518: Mar 3 22:02:21.780: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (122.255.99.74)
Mar 03 22:02:19 122.255.97.6 519: Mar 3 22:02:47.448: %LINK-5-CHANGED: Interface GigabitEthernet0/0, changed state to reset
Mar 03 22:02:25 122.255.97.6 520: Mar 3 22:02:52.984: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (122.255.99.74)
Mar 03 22:02:25 122.255.97.6 521: Mar 3 22:02:53.168: %LINK-5-CHANGED: Interface GigabitEthernet0/0, changed state to administratively down
Regards
03-03-2008 10:40 AM
Once the syslog messages make it to syslog.log, they are read by the SyslogCollector daemon which then performs filtering on those messages. Please post the output of the pdshow command as well as the NMSROOT/MDC/tomcat/webapps/rme/WEB-INF/classes/com/cisco/nm/rmeng/csc/data/filters.dat file.
03-03-2008 04:38 PM
03-03-2008 04:49 PM
Your filters are wrong. According to this, the only messages you will process are PIX and firewall audit trail messages, and sev 7 messages. Change your filter mode from KEEP to DROP under RME > Tools > Syslog > Message Filters, then you should start seeing new messages get processed.
03-04-2008 04:55 AM
03-04-2008 10:11 AM
It looks like you also changed the include interfaces option as well. You should not have done this. Set "Include interfaces of selected devices:" back to Yes.
03-04-2008 05:13 PM
Done that, but still no syslog message on the "Syslog Alert" panel.
Logview showed the log message when I shut/no shut one of the device interfaces.
thanks
03-04-2008 08:55 PM
Assuming you haven't enabled the Link Up/Down Message filter, you should be seeing these messages in your syslog reports. You are getting forwarded messages. Try running a Syslog Standard Report under RME > Reports > Report Generator to see what messages are being written to the RME database.
03-05-2008 02:38 AM
03-05-2008 03:35 AM
What are your settings for the portlet? Check the options for the refresh cycle as described here:
Also, I think only severity 0 - 3 messages are displayed.
03-05-2008 07:38 AM
Good. So syslog analysis is now working. Now, as mermel said, the syslog alerts portlet only shows the messages in the past 24 hours that are of severity 0, 1, and 2 (emerg, alert, crit). Now that you have syslog analysis working, you should start to see that count increase when a message of a high enough severity comes in.
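The severity cut-off described in the post above, as an added example (not part of any post in this thread and not Cisco's code): the sketch reads the severity digit from the IOS `%FACILITY-SEVERITY-MNEMONIC:` tag and applies the 0-2 threshold, which shows why the shut/no shut test never reached the portlet. The first three sample lines come from the logview output in this thread; the last two lines and all function names are constructed for illustration.

```python
import re

# Cisco IOS message tag: %FACILITY-SEVERITY-MNEMONIC:
TAG = re.compile(r"%([A-Z0-9_]+(?:-[A-Z0-9_]+)*)-([0-7])-([A-Z0-9_]+):")
SEVERITY = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
PORTLET_MAX = 2  # per the thread: the portlet shows severities 0, 1 and 2 only

SAMPLE = [
    # From the logview output posted in this thread
    "Mar 03 21:57:33 122.255.98.14 157: *Mar 3 05:50:27: %SEC-6-IPACCESSLOGS: list MANAGEMENT denied 124.82.8.136 3 packets",
    "Mar 03 22:02:25 122.255.97.6 520: Mar 3 22:02:52.984: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (122.255.99.74)",
    "Mar 03 22:02:25 122.255.97.6 521: Mar 3 22:02:53.168: %LINK-5-CHANGED: Interface GigabitEthernet0/0, changed state to administratively down",
    # Constructed lines (documentation addresses), not from the thread
    "Mar 03 22:10:00 192.0.2.1 10: Mar 3 22:10:00.000: %BGP-5-ADJCHANGE: neighbor 192.0.2.2 Down",
    "Mar 03 22:11:00 192.0.2.1 11: Mar 3 22:11:00.000: %SYS-2-MALLOCFAIL: Memory allocation failed",
]

def parse(line):
    """Return (facility, severity, mnemonic), or None if the line has no IOS tag."""
    m = TAG.search(line)
    return (m.group(1), int(m.group(2)), m.group(3)) if m else None

def triage(lines, max_sev=PORTLET_MAX):
    """Split parsed messages into those at or above the cut-off and the rest."""
    shown, hidden = [], []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue  # not an IOS-tagged message
        (shown if rec[1] <= max_sev else hidden).append(rec)
    return shown, hidden

def describe(rec):
    """Render one parsed record with its severity name."""
    facility, sev, mnemonic = rec
    return f"{facility}-{sev}-{mnemonic} ({SEVERITY[sev]})"

if __name__ == "__main__":
    shown, hidden = triage(SAMPLE)
    print("counted by portlet:", [describe(r) for r in shown])
    print("report only:       ", [describe(r) for r in hidden])
```

Everything in the second list still lands in the Syslog Standard Report; only the portlet count ignores it.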
03-05-2008 07:56 AM
That means it was working all the while. It is just that the Syslog Alert portlet only shows severity 0/1/2.
BTW, can we change the setting so it can also display up to severity 5 or 6? The reason is that sometimes a BGP peering or OSPF neighbor goes down, and it is also important for that to be shown on the portlet. Otherwise, we only know about it when we manually generate the report.
Severity 0/1/2 rarely occurs, unless the CPU/memory or system fails.
Thanks
Regards
03-05-2008 08:45 AM
The severities displayed cannot be changed. However, you can create Automated Actions for the syslog messages that you care about, and have RME email you when those important messages are processed. This is done under RME > Tools > Syslog > Automated Actions.