2 message IDs in syslog messages

Aug 11th, 2008

Some of my devices are logging syslog messages with 2 message IDs, for example:

Aug 11 00:04:59 router1 973182: 886901: Aug 11 00:04:58.249 EDT: %CDP-4-DUPLEX_MISMATCH: duplex mismatch discovered on FastEthernet3/4 (not half duplex), with switch1 Ethernet0 (half duplex)

Of the ~800 IOS devices in my network I would say that 5% are exhibiting this behaviour (different platforms & code). All messages from a given device either have or do not have this problem.

I am assuming that this is something config related on these devices, but I can't track it down. Can anyone help? I'm just trying to standardize the syslog format to make analysis easier.

Joe Clarke Mon, 08/11/2008 - 08:53

One ID is most likely coming from the syslog server. The other could be from the logging origin-id command. It would be helpful to see a running config from one such device.

mcdougalla Mon, 08/11/2008 - 08:57

Note that all devices are logging to the same syslog server, but some entries only have one message ID while others have 2.

What in the server config could do this?

Joe Clarke Mon, 08/11/2008 - 09:21

The server is probably adding one to ALL messages. I'm thinking the second is because the affected devices have "logging origin-id" configured. This is why I wanted to see a show run from one such device.

mcdougalla Mon, 08/11/2008 - 10:06

I have done a scan of all my configs via Opsware, and no devices have "logging origin-id".

Sorry - I'm not too crazy about posting my full device config here for security reasons. I can post sections of the config and reliably answer questions about what is or isn't configured by using our Opsware config management system.

More info (important!):

I just discovered that not all messages from a given device have this problem:

From the log buffer on the device, here are 2 log messages:

Aug 11 13:53:23.066 EDT: %PM_SCP-SP-3-LCP_FW_ABLC: Late collision message from module 3, port:07

887729: Aug 11 13:53:42.314 EDT: %CDP-4-DUPLEX_MISMATCH: duplex mismatch discovered on FastEthernet3/4 (not half duplex), with ts1-sema-13.network.acml.com Ethernet0 (half duplex).

Here's the same 2 messages once they make it to my syslog server:

Aug 11 13:53:25 router1 974080: Aug 11 13:53:23.066 EDT: %PM_SCP-SP-3-LCP_FW_ABLC: Late collision message from module 3, port:07

Aug 11 13:53:43 router1 974081: 887729: Aug 11 13:53:42.314 EDT: %CDP-4-DUPLEX_MISMATCH: duplex mismatch discovered on FastEthernet3/4 (not half duplex), with switch1 Ethernet0 (half duplex).

So, not all messages from a given device have the same issue (sorry for the bad info earlier). I think we can rule out the syslog server as the local log on the router has a message ID at the start of some messages and not others. Why is this???

Joe Clarke Mon, 08/11/2008 - 10:10

Do you have "logging message-counter" configured? If you can't show all of your config, what about the logging * commands?

Joe Clarke Mon, 08/11/2008 - 10:13

Or rather, I should say, do you have "no logging message-counter syslog" configured on the unaffected devices?

mcdougalla Mon, 08/11/2008 - 10:14

I do not have "logging message-counter" configured, but I think I've found the culprit. I do have:

service sequence-numbers

configured on several of my devices. I am still puzzled as to why this applies to some messages and not others from a device.

Any ideas?

Joe Clarke Mon, 08/11/2008 - 10:24

logging message-counter syslog is enabled by default. Check the devices without the two numbers.

The service sequence numbers would account for one of the fields, but not both. The syslog count could account for the second. Without knowing the device type and IOS version, I cannot say for certain why the first message was only tagged with the sequence number. My guess is that this is a buginf message and not a syslog message.

mcdougalla Mon, 08/11/2008 - 10:31

I think that one message ID is always added by the server, and that "service sequence-numbers" is adding another one in some cases. I need to do more research to find out if all the devices are inconsistent, or if it is just this one.

The one device in question is a 6509 + Sup2 running IOS 12.2(18)SXF7.
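
Added example, not part of the thread or any poster's code: a parser for the server-side line shape quoted above that accepts zero, one or two numeric ID prefixes, rebuilds each line without them, and lists hosts that send a mix of formats. The function names and the router2 sample line are constructed for illustration; the IDs are kept in order and left unnamed because the thread does not settle which feature emits which number.

```python
import re
from collections import defaultdict

# Line shape seen at the syslog server in the thread:
# <receive time> <host> [<id>: [<id>: ]]<device time>: %FAC-SEV-MNEMONIC: <text>
LINE_RE = re.compile(
    r"^(?P<received>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<ids>(?:\d+: ){0,2})"
    r"(?P<device_time>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}(?:\.\d+)?(?: [A-Z]{2,5})?): "
    r"%(?P<facility>[A-Z0-9_]+(?:-[A-Z0-9_]+)*?)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+): "
    r"(?P<text>.*)$"
)

def parse(line):
    """Return a dict of fields, or None if the line does not match the shape."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    # IDs stay in the order they appear on the wire and are not attributed
    # to a specific IOS or server feature.
    rec["ids"] = tuple(int(n) for n in re.findall(r"\d+", rec["ids"]))
    rec["severity"] = int(rec["severity"])
    return rec

def canonical(rec):
    """Rebuild the line with the ID prefixes dropped, for uniform analysis."""
    fmt = "{received} {host} {device_time}: %{facility}-{severity}-{mnemonic}: {text}"
    return fmt.format(**rec)

def mixed_format_hosts(lines):
    """Map each host that sends differing numbers of ID prefixes to those counts."""
    counts = defaultdict(set)
    for line in lines:
        rec = parse(line)
        if rec:
            counts[rec["host"]].add(len(rec["ids"]))
    return {h: sorted(c) for h, c in counts.items() if len(c) > 1}

# Sample input: the two router1 lines are the server-side lines quoted in the
# thread; the router2 line is constructed for this example.
SAMPLE = [
    "Aug 11 13:53:25 router1 974080: Aug 11 13:53:23.066 EDT: %PM_SCP-SP-3-LCP_FW_ABLC: Late collision message from module 3, port:07",
    "Aug 11 13:53:43 router1 974081: 887729: Aug 11 13:53:42.314 EDT: %CDP-4-DUPLEX_MISMATCH: duplex mismatch discovered on FastEthernet3/4 (not half duplex), with switch1 Ethernet0 (half duplex).",
    "Aug 11 13:54:02 router2 120455: Aug 11 13:54:01.100 EDT: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to up",
]

if __name__ == "__main__":
    print(mixed_format_hosts(SAMPLE))
```

Lines that return None from parse() should be counted and reviewed rather than dropped, since an unexpected prefix is exactly the kind of drift this thread is about.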
