09-30-2008 12:32 PM
I have LMS 3.1 with all updates. I have setup RME>Tools>Syslog>Automated actions to email specific alerts. This was working fine for several weeks until about 5 days ago LMS stopped sending email alerts. Has anyone encountered problems with the automated actions. All appeared well and then it stopped working for no apparent reason. Thank you for any assistance you can provide.
Solved! Go to Solution.
10-01-2008 12:35 PM
This is your problem. Your filter mode is set to KEEP, but you do not have filters defined for the interesting message types. Right now, the only messages that will be added to the database, or trigger AAs will be:
PIX-6-302002
PIX-6-302001
PIX-6-304001
FW-6-SESS_AUDIT_TRAIL
LINEPROTO-5-UPDOWN from 10.21.4.253
*-7-*
LINK-3-UPDOWN from 206.77.151.254
LINEPROTO-5-UPDOWN from 206.77.151.254
LINK-5-CHANGED from 206.77.151.254
LINK-5-UPDOWN from 206.77.151.254
If you want other messages, you will either need to change your mode to DROP, or define new filters to match those messages.
09-30-2008 01:05 PM
Please post the output of the pdshow command. What platform is this?
10-01-2008 05:07 AM
My apologies for not mentioning the platform. I am using the Windows version on a Windows 2003 server with SP2. Please advise how I can use the pdshow command for this version and I will post it. Thank you.
10-01-2008 09:04 AM
Run the command "pdshow" from a DOS prompt. Capture the output.
10-01-2008 09:31 AM
10-01-2008 09:50 AM
SyslogAnalyzer is running properly, and was started yesterday. Is the problem occurring now?
10-01-2008 09:55 AM
Yes. I have left Data collection in it's running state.
10-01-2008 09:56 AM
I'm confused. This has nothing to do with Data Collection. The problem is Automated Actions are not being triggered. Is that problem happening right now?
10-01-2008 10:09 AM
Sorry, I am working a couple different issues. It was me that was confused. Yes this problem is still happening. It began about 6 days ago. In fact, the last email alert I received was on Sept 25 at 6:48am. After that point there were no more alerts being sent to my email.
10-01-2008 10:11 AM
You will need to enable SyslogAnalyzer debugging under RME > Admin > System Preferences > Application Loglevel Settings, then generate a new message which matches one of our defined AAs. Then post the AnalyzerDebug.log along with the definition of the AA that should have been triggered.
10-01-2008 10:42 AM
Here is what I have done. I have two 3750 switches and I built a fiber etherchannel between the two. I created an AA named LMS-AA-Test. The canned AA that I chose to trigger is: Facility-LINK, Subfacility *, Severity 3, Mnemonic UPDOWN. Both switches have been added in LMS device management and show up in the CM just as they should. I removed gig1/0/1 on the chosen switch (10.21.4.253) and triggered an UPDOWN which I verified in the logging buffer on the switch. I then collected the AnalyzerDebug.log from the server (I had already made the necessary changes to the sysloganalyzer before performing this test). Attached is the requested file for your viewing pleasure. Thanks for your time with this.
10-01-2008 10:45 AM
I don't see the message coming into the SyslogAnalyzer. Does the message make it to the LMS server? Do you see it in the syslog.log?
10-01-2008 11:17 AM
No it is not in the Syslog but the sniffer shows it being sent to the LMS. The SNMP packet contains all the information. That is a weird one in itself. However I do see all kinds of config changes in the syslog file after Sept 25 (last email alert I received) which are also setup as an automated action throughout the whole network. This is also a canned AA under: SYS, Subfacility *, Severity 5, Mnemonic CONFIG_I. Those appear in the syslog but the email action is not being triggered. I suppose one thing at a time. I would like to concentrate on why the traps in the syslog are not being mailed out.
10-01-2008 11:21 AM
If the messages are not making it to the syslog.log file, then they have no chance of triggering an automated action. Please post your sniffer trace.
10-01-2008 11:53 AM
I believe I have muddied the waters a little bit here. Right now I do not want to concentrate on the sniffer trace. That was just more of a comment. Please lets concentrate on the hundreds of config change traps that are making it to the syslog. Here is one example from the syslog (today).
Oct 01 14:33:14 10.21.4.254 903: Oct 1 14:33:05: %SYS-5-CONFIG_I: Configured from console by ggoebel on vty0
As stated in my previous post there is an AA action setup for config changes. This worked up until Sept 25 at 6:48am. The syslog file does not stop at this date. It is still logging all of these config change traps, it just isn't mailing them out anymore. Your assistance and patience is greatly appreciated with this.
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: