LMS 3.1 syslog stopped working

Jan 9th, 2009

I am no longer seeing any entries when I run a syslog severity level summary report. This appears to have stopped working on 11/25/08. I am attaching all logs I could find with syslog in the name. Let me know if I can provide anything else to help me troubleshoot. Thanks.



Joe Clarke Fri, 01/09/2009 - 11:39
User Badges: Cisco Employee, Hall of Fame, Founding Member

Please post the output of the pdshow command. Also, verify the messages are still making it to the server, and showing up in the syslog.log file. What do you see if you go to RME > Tools > Syslog > Collector Status?

chris.mcgarrah@... Fri, 01/09/2009 - 12:16

The last entry in syslog.log is 12/5/2008. Looking through the event log, I noticed that these Microsoft patches were applied on 12/5:

KB957097

KB890830

KB954430

KB955069

KB958644

Are any of these known to cause problems?

The file size is also very large (13,410,370); could that be a problem too? I am attaching pdshow output and a screenshot of the collector status. Thanks.




Joe Clarke Fri, 01/09/2009 - 16:40

This tells me the syslog.log file is not receiving new messages. Please post the output of:


netstat -a -n -o -b


You might also run:


logview E:\PROGRA~1\CSCOpx\log\syslog.log


And watch to make sure syslog messages are arriving in this file.


A syslog.log of 13 MB is not too bad. However, you can configure logrot to manage this file. Go to Common Services > Server > Admin > Log Rotation to configure it.

chris.mcgarrah@... Sat, 01/10/2009 - 11:30

I am attaching output from netstat command. I left off "KB" in my previous post, so the file size is really 13GB. I don't see any new messages arriving in the file, but I do see them arriving at the interface with a sniffer.



Joe Clarke Sun, 01/11/2009 - 09:01

This indicates our syslog daemon is bound to udp/514. So if you don't see new messages in the syslog.log file, I wonder if there is a host-based firewall blocking them (e.g. Windows Firewall, CSA, etc.).
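
The situation described in this thread (packets visible on the wire, daemon bound to udp/514, nothing new in syslog.log) can be checked end to end with a marked test message. The script below is an added example, not code from the thread or from Cisco; it assumes the daemon writes the message text verbatim into the log file, and the script name and message wording are hypothetical.

```python
import os
import socket
import sys
import time
import uuid


def build_test_message(marker: str) -> bytes:
    # <134> = facility local0 (16*8) + severity informational (6), BSD syslog style.
    return f"<134>syslog-probe: delivery test {marker}".encode("ascii")


def marker_appeared(log_path: str, offset: int, marker: bytes) -> bool:
    """Look for the marker only in bytes appended after `offset`.

    A multi-gigabyte syslog.log must not be read from the start.
    Assumption: the daemon logs the message text unchanged.
    """
    size = os.path.getsize(log_path)
    if size < offset:          # file was rotated or truncated meanwhile
        offset = 0
    with open(log_path, "rb") as fh:
        fh.seek(offset)
        return marker in fh.read()


def probe(host: str, port: int, log_path: str, wait: float = 5.0) -> bool:
    """Send one marked datagram; True if it shows up in the log within `wait` s."""
    marker = uuid.uuid4().hex
    start = os.path.getsize(log_path)   # remember where the log ended before sending
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.sendto(build_test_message(marker), (host, port))
    deadline = time.monotonic() + wait
    while time.monotonic() < deadline:
        if marker_appeared(log_path, start, marker.encode("ascii")):
            return True
        time.sleep(0.25)
    return False


if __name__ == "__main__":
    # Usage: probe.py <server-ip> <path-to-syslog.log>   (hypothetical script name)
    ok = probe(sys.argv[1], 514, sys.argv[2])
    print("message reached the log" if ok else "sent, but never written to the log")
    sys.exit(0 if ok else 1)
```

Run it on the server with the log path local, then send the same kind of marked message from a remote device and look for it in the file. A marker that is written when sent locally but not when sent from another host points toward filtering between the interface and the daemon's socket rather than a problem in the daemon itself.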
