Ciscoworks syslog not archiving

wilson_1234_2 · ‎03-19-2008

Joe,

looking at the syslog, I find that there is no archive information.

I can only go back and look at the past 24 hours.

All devices are pointing to the CW server as a syslog server and it has worked in the past.

I changed the purge settings a while back to purge only after 365 days. I can see past files with the name "purge" in the file, prior to me getting here, in the syslog directory and they have data.

The purge files after that are 0 file size, but they are also being deposited in the directory every 30 days as well.

Does the purge just remove the data from the active file and archive it in the syslog directory, or delete it for good?

What can I check to make sure syslog is configured correctly?

Joe Clarke · ‎03-19-2008

The syslog purge policy removes messages from the RME database. The messages are permanently deleted. The syslog backup policy takes the messages from the database that are going to be purged and archives them to flat files. These syslog files will be written to /var/adm/CSCOpx/files/rme/syslog on Solaris and NMSROOT\files\rme\syslog on Windows. You must make sure casuser can write to these locations, and that there is enough disk space to hold the backup files. By default each file is limited to 100 MB.

The purge policy is configured under RME > Admin > Syslog > Set Purge Policy. The backup polci is configured under RME > Admin > Syslog > Set Backup Policy.

wilson_1234_2 · ‎03-19-2008

That is where I am seeing the files, so the thing to do is configure the purge policy to work with the backup policy and make sure the purge doesn;t happen before the backup, correct?

What would be a reason (casuser should be able to write as it always has, with plenty of space) that I see nothing but for 24 hours in the syslog?

And the archive files are 0 bytes?

Joe Clarke · ‎03-19-2008

Please post a screenshot of the report parameters you're using for your syslog report.

As for the archive files, they will be zero bytes if no messages are purged from the database when the purge job runs (which would be the case if there are no messages older than 365 days).

wilson_1234_2 · ‎03-20-2008

Thanks for the help Joe,

I must not have had the parameters set properly when running the job yesterday, because I can see syslog information now, thanks.

What are your thoughts on the backup/purge settings?

It seems the file will be huge (greater that 100M) if I leave it not to purge for a year.

If the purged file is a flat file, then that suggests that you cannot run reports within the RME Module.

Is that the case?

Where can I check the size of the existing syslog file that is active in RME and not purged yet?

Joe Clarke · ‎03-20-2008

You want the purge files to be large enough to hold all of the messages being aged out of the database. This size will depend on how many messages you get in a day. You can figure an average size of 100 bytes per message.

Once the messages are purged from the database, you will no longer be able to run RME reports against them. You will need to search through the archive files using other tools.

The messages that have not been purged are stored in the syslog data spaces linked to the rmeng database. These files are in NMSROOT/databases/rmeng, but looking at their size is not an accurate indication of the size of the syslogs. There is really no way to tell what that may be exactly.

wilson_1234_2 · ‎03-20-2008

Dang are you a robot or something?

You must never sleep, every time I have a question no matter what time of day, you almost immidiately answer.

Thanks for the information.

I have a question about upgrading the IOS using RME on the other thread.