LMS 3.1 Automated actions trouble

Answered Question
Sep 30th, 2008

I have LMS 3.1 with all updates. I have set up RME>Tools>Syslog>Automated actions to email specific alerts. This was working fine for several weeks until about 5 days ago LMS stopped sending email alerts. Has anyone encountered problems with the automated actions? All appeared well and then it stopped working for no apparent reason. Thank you for any assistance you can provide.

Joe Clarke Tue, 09/30/2008 - 13:05

Please post the output of the pdshow command. What platform is this?

agivens02 Wed, 10/01/2008 - 05:07

My apologies for not mentioning the platform. I am using the Windows version on a Windows 2003 server with SP2. Please advise how I can use the pdshow command for this version and I will post it. Thank you.

Joe Clarke Wed, 10/01/2008 - 09:04

Run the command "pdshow" from a DOS prompt. Capture the output.

Joe Clarke Wed, 10/01/2008 - 09:50

SyslogAnalyzer is running properly, and was started yesterday. Is the problem occurring now?

Joe Clarke Wed, 10/01/2008 - 09:56

I'm confused. This has nothing to do with Data Collection. The problem is Automated Actions are not being triggered. Is that problem happening right now?

agivens02 Wed, 10/01/2008 - 10:09

Sorry, I am working a couple different issues. It was me that was confused. Yes this problem is still happening. It began about 6 days ago. In fact, the last email alert I received was on Sept 25 at 6:48am. After that point there were no more alerts being sent to my email.

Joe Clarke Wed, 10/01/2008 - 10:11

You will need to enable SyslogAnalyzer debugging under RME > Admin > System Preferences > Application Loglevel Settings, then generate a new message which matches one of our defined AAs. Then post the AnalyzerDebug.log along with the definition of the AA that should have been triggered.

agivens02 Wed, 10/01/2008 - 10:42

Here is what I have done. I have two 3750 switches and I built a fiber etherchannel between the two. I created an AA named LMS-AA-Test. The canned AA that I chose to trigger is: Facility-LINK, Subfacility *, Severity 3, Mnemonic UPDOWN. Both switches have been added in LMS device management and show up in the CM just as they should. I removed gig1/0/1 on the chosen switch (10.21.4.253) and triggered an UPDOWN which I verified in the logging buffer on the switch. I then collected the AnalyzerDebug.log from the server (I had already made the necessary changes to the sysloganalyzer before performing this test). Attached is the requested file for your viewing pleasure. Thanks for your time with this.



Joe Clarke Wed, 10/01/2008 - 10:45

I don't see the message coming into the SyslogAnalyzer. Does the message make it to the LMS server? Do you see it in the syslog.log?

agivens02 Wed, 10/01/2008 - 11:17

No, it is not in the Syslog, but the sniffer shows it being sent to the LMS. The SNMP packet contains all the information. That is a weird one in itself. However, I do see all kinds of config changes in the syslog file after Sept 25 (last email alert I received) which are also set up as an automated action throughout the whole network. This is also a canned AA under: SYS, Subfacility *, Severity 5, Mnemonic CONFIG_I. Those appear in the syslog but the email action is not being triggered. I suppose one thing at a time. I would like to concentrate on why the traps in the syslog are not being mailed out.

Joe Clarke Wed, 10/01/2008 - 11:21

If the messages are not making it to the syslog.log file, then they have no chance of triggering an automated action. Please post your sniffer trace.

agivens02 Wed, 10/01/2008 - 11:53

I believe I have muddied the waters a little bit here. Right now I do not want to concentrate on the sniffer trace. That was just more of a comment. Please let's concentrate on the hundreds of config change traps that are making it to the syslog. Here is one example from the syslog (today).


Oct 01 14:33:14 10.21.4.254 903: Oct 1 14:33:05: %SYS-5-CONFIG_I: Configured from console by ggoebel on vty0


As stated in my previous post, there is an AA action set up for config changes. This worked up until Sept 25 at 6:48am. The syslog file does not stop at this date. It is still logging all of these config change traps, it just isn't mailing them out anymore. Your assistance and patience is greatly appreciated with this.

Joe Clarke Wed, 10/01/2008 - 11:55

Please post a screenshot showing the configuration of the config change AA. Also, do these messages make it into the RME database? That is, can you run a syslog report, and see the messages that were generated today?

agivens02 Wed, 10/01/2008 - 12:15

These messages do not appear to be making it into the RME database. As you requested I ran a 24 hour report and came up with nothing. However as I stated before they are making it to the syslog file. I have attached the AA screen shots and also screen shots of the 24 hour report which comes up blank. Any ideas why this is happening?



Joe Clarke Wed, 10/01/2008 - 12:16

Please post the NMSROOT/MDC/tomcat/webapps/rme/WEB-INF/classes/com/cisco/nm/rmeng/csc/data/filters.dat file.

Correct Answer
Joe Clarke Wed, 10/01/2008 - 12:35

This is your problem. Your filter mode is set to KEEP, but you do not have filters defined for the interesting message types. Right now, the only messages that will be added to the database, or trigger AAs will be:


PIX-6-302002

PIX-6-302001

PIX-6-304001

FW-6-SESS_AUDIT_TRAIL

LINEPROTO-5-UPDOWN from 10.21.4.253

*-7-*

LINK-3-UPDOWN from 206.77.151.254

LINEPROTO-5-UPDOWN from 206.77.151.254

LINK-5-CHANGED from 206.77.151.254

LINK-5-UPDOWN from 206.77.151.254


If you want other messages, you will either need to change your mode to DROP, or define new filters to match those messages.

agivens02 Thu, 10/02/2008 - 06:15

I deleted all AA that I had and also any filters associated with these actions. I used one of our 6500's as a test. I used the config change Mnemonic under SYS CONFIG_I and created a filter mirroring this AA and it worked. This makes me very happy and I appreciate your persistence in helping me. I am still unsure why I have to set up a filter when I have already created an AA that is very specific in what I want reported. Is the filter actually necessary? It appears to be because when I run a test without the filter it does not work. In other words, LMS will not send me an alert via email when the filter is not in place.

Joe Clarke Thu, 10/02/2008 - 06:20

No, the filter is not necessary. As I said, if you change the filter mode to DROP under RME > Tools > Syslog > Message Filters, then you only need to create filters for messages you do NOT want to keep. In that case, the majority of the messages can be processed.

agivens02 Thu, 10/02/2008 - 08:38

Ok I got it. Thanks for all your help. Greatly appreciated.
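
The KEEP/DROP filter behaviour described in the answers above, modelled as an added example that is not part of the original thread and is not LMS code. The filter tuples, the line regex and the function names are assumptions made for illustration (the filters.dat format is not shown in the thread); the first sample line is the one quoted in the thread and the second is constructed.

```python
import re
from fnmatch import fnmatchcase

# Constructed model of the filters listed in the answer:
# (FACILITY-SEVERITY-MNEMONIC pattern, source host; "*" = any host).
FILTERS = [
    ("PIX-6-302002", "*"), ("PIX-6-302001", "*"), ("PIX-6-304001", "*"),
    ("FW-6-SESS_AUDIT_TRAIL", "*"), ("*-7-*", "*"),
    ("LINEPROTO-5-UPDOWN", "10.21.4.253"),
    ("LINK-3-UPDOWN", "206.77.151.254"),
    ("LINEPROTO-5-UPDOWN", "206.77.151.254"),
    ("LINK-5-CHANGED", "206.77.151.254"),
    ("LINK-5-UPDOWN", "206.77.151.254"),
]

# "<date> <time> <host> ... %FACILITY-SEVERITY-MNEMONIC: text"
LINE_RE = re.compile(
    r"^\w{3}\s+\d+\s+[\d:]+\s+(?P<host>\S+)\s.*?"
    r"%(?P<fac>[A-Z0-9_]+)-(?P<sev>[0-7])-(?P<mnem>[A-Z0-9_]+):")

def parse(line):
    """Return (host, facility, severity, mnemonic), or None if unparseable."""
    m = LINE_RE.search(line)
    return (m["host"], m["fac"], m["sev"], m["mnem"]) if m else None

def matches_filter(msg, filters):
    host, *fields = msg
    for pattern, source in filters:
        parts = pattern.split("-", 2)
        if fnmatchcase(host, source) and all(
                fnmatchcase(f, p) for f, p in zip(fields, parts)):
            return True
    return False

def is_processed(line, mode, filters=FILTERS):
    """True if the message would reach the database and the AAs."""
    if mode not in ("KEEP", "DROP"):
        raise ValueError("mode must be KEEP or DROP")
    msg = parse(line)
    if msg is None:
        return False
    hit = matches_filter(msg, filters)
    # KEEP: only filter matches are processed. DROP: filter matches are discarded.
    return hit if mode == "KEEP" else not hit

# Quoted in the thread.
CONFIG_LINE = ("Oct 01 14:33:14 10.21.4.254 903: Oct 1 14:33:05: "
               "%SYS-5-CONFIG_I: Configured from console by ggoebel on vty0")
# Constructed sample: LINK-3-UPDOWN from a host other than the filtered one.
LINK_LINE = ("Oct 01 13:20:41 10.21.4.253 412: Oct 1 13:20:40: "
             "%LINK-3-UPDOWN: Interface GigabitEthernet1/0/1, changed state to down")
```

Under KEEP with these filters neither sample line is processed, which matches the empty 24-hour report; adding a `("SYS-5-CONFIG_I", "*")` filter or switching the mode to DROP lets the config-change message through.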
