cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1068
Views
0
Helpful
22
Replies

LMS 3.1 Automated actions trouble

agivens02
Level 1
Level 1

I have LMS 3.1 with all updates. I have setup RME>Tools>Syslog>Automated actions to email specific alerts. This was working fine for several weeks until about 5 days ago LMS stopped sending email alerts. Has anyone encountered problems with the automated actions. All appeared well and then it stopped working for no apparent reason. Thank you for any assistance you can provide.

1 Accepted Solution

Accepted Solutions

This is your problem. Your filter mode is set to KEEP, but you do not have filters defined for the interesting message types. Right now, the only messages that will be added to the database, or trigger AAs will be:

PIX-6-302002

PIX-6-302001

PIX-6-304001

FW-6-SESS_AUDIT_TRAIL

LINEPROTO-5-UPDOWN from 10.21.4.253

*-7-*

LINK-3-UPDOWN from 206.77.151.254

LINEPROTO-5-UPDOWN from 206.77.151.254

LINK-5-CHANGED from 206.77.151.254

LINK-5-UPDOWN from 206.77.151.254

If you want other messages, you will either need to change your mode to DROP, or define new filters to match those messages.

View solution in original post

22 Replies 22

Joe Clarke
Cisco Employee
Cisco Employee

Please post the output of the pdshow command. What platform is this?

My apologies for not mentioning the platform. I am using the Windows version on a Windows 2003 server with SP2. Please advise how I can use the pdshow command for this version and I will post it. Thank you.

Run the command "pdshow" from a DOS prompt. Capture the output.

Ok, Please see attached. Thank you

SyslogAnalyzer is running properly, and was started yesterday. Is the problem occurring now?

Yes. I have left Data collection in it's running state.

I'm confused. This has nothing to do with Data Collection. The problem is Automated Actions are not being triggered. Is that problem happening right now?

Sorry, I am working a couple different issues. It was me that was confused. Yes this problem is still happening. It began about 6 days ago. In fact, the last email alert I received was on Sept 25 at 6:48am. After that point there were no more alerts being sent to my email.

You will need to enable SyslogAnalyzer debugging under RME > Admin > System Preferences > Application Loglevel Settings, then generate a new message which matches one of our defined AAs. Then post the AnalyzerDebug.log along with the definition of the AA that should have been triggered.

Here is what I have done. I have two 3750 switches and I built a fiber etherchannel between the two. I created an AA named LMS-AA-Test. The canned AA that I chose to trigger is: Facility-LINK, Subfacility *, Severity 3, Mnemonic UPDOWN. Both switches have been added in LMS device management and show up in the CM just as they should. I removed gig1/0/1 on the chosen switch (10.21.4.253) and triggered an UPDOWN which I verified in the logging buffer on the switch. I then collected the AnalyzerDebug.log from the server (I had already made the necessary changes to the sysloganalyzer before performing this test). Attached is the requested file for your viewing pleasure. Thanks for your time with this.

I don't see the message coming into the SyslogAnalyzer. Does the message make it to the LMS server? Do you see it in the syslog.log?

No it is not in the Syslog but the sniffer shows it being sent to the LMS. The SNMP packet contains all the information. That is a weird one in itself. However I do see all kinds of config changes in the syslog file after Sept 25 (last email alert I received) which are also setup as an automated action throughout the whole network. This is also a canned AA under: SYS, Subfacility *, Severity 5, Mnemonic CONFIG_I. Those appear in the syslog but the email action is not being triggered. I suppose one thing at a time. I would like to concentrate on why the traps in the syslog are not being mailed out.

If the messages are not making it to the syslog.log file, then they have no chance of triggering an automated action. Please post your sniffer trace.

I believe I have muddied the waters a little bit here. Right now I do not want to concentrate on the sniffer trace. That was just more of a comment. Please lets concentrate on the hundreds of config change traps that are making it to the syslog. Here is one example from the syslog (today).

Oct 01 14:33:14 10.21.4.254 903: Oct 1 14:33:05: %SYS-5-CONFIG_I: Configured from console by ggoebel on vty0

As stated in my previous post there is an AA action setup for config changes. This worked up until Sept 25 at 6:48am. The syslog file does not stop at this date. It is still logging all of these config change traps, it just isn't mailing them out anymore. Your assistance and patience is greatly appreciated with this.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: