Figuring out RME, Syslog filters and AA

Unanswered Question
Sep 29th, 2008


I'm trying to determine why my EIGRP neighbor change logged locally on a router but never made it to the RME logs, but other syslog msgs are present. None of the message filters in Syslog appear to be affecting these so am not sure where this could be dropped.

Also, in filters, you can select Keep or Drop and nothing changes on the filter list. Is that normal? I'm not sure what the two buttons are there for.

I have an AA set up for any DUAL factility message to email me, is that the right facility? Everything else is *.

thanks much

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
yjdabear Mon, 09/29/2008 - 14:04

It's not implausible that some syslogs could fail to make it out of the router due to connectivity loss(es) during a network reconvergence. By "never made it to the RME logs", do you mean you don't see it the GUI or the syslog_info (by default) flat file that RME reads?

js88888888 Mon, 09/29/2008 - 14:11

thanks for the reply.

What i do see are other logs in RME from the same device with the same severity over the same time frame. Just no DUAL logs in RME, even though there are DUAL logs present on the device.

I'm only running reports in RME to see what syslogs are present on that particular device.

yjdabear Mon, 09/29/2008 - 14:25

If "DUAL-5-NBRCHANGE: IP-EIGRP(0) blah" is the message you are looking for, do you see any other *-5-* (or higher) messages from this router from the same time period? Can you post a chunk of the logging buffer from the router itself, ideally including a mix of "DUAL-5-NBRCHANGE" and other syslogs you do see in RME. Also, a snippet of the running-config on the logging parameters would help narrow it down:

logging buffered ###### ???

logging trap ???

logging source-interface ???

logging xx.xx.xx.xx

js88888888 Tue, 09/30/2008 - 08:32

Well, it started working for some reason. We had a router restarted this morning and the ensuing DUAL events were registered with RME and sent on via AA/email. Not sure why, can't think of anything that could have run overnight for this to start working.

thanks for your time yjdabear.


This Discussion