LMS 3.1 syslog stopped working

chris.mcgarrah · ‎01-09-2009

I am no longer seeing any entries when I run a syslog severity level summary report. This appears to have stopped working on 11/25/08. I am attaching all logs I could find with syslog in the name. Let me know if I can provide anything else to help me troubleshoot. Thanks.

Joe Clarke · ‎01-09-2009

Please post the output of the pdshow command. Also, verify the messages are still making it to the server, and showing up in the syslog.log file. What do you see if you go to RME > Tools > Syslog > Collector Status?

chris.mcgarrah · ‎01-09-2009

The last entry in syslog.log is 12/5/2008. Looking through the event log, I noticed that these Microsoft patches were applied on 12/5:

KB957097

KB890830

KB954430

KB955069

KB958644

Are any of these know to cause problems?

The file size is also very large (13,410,370 could that be a problem too?) I am attaching pdshow output and screenshot of collector status. Thanks

Joe Clarke · ‎01-09-2009

This tells me the syslog.log file is not receiving new messages. Please post the output of:

netstat -a -n -o -b

You might also run:

logview E:\PROGRA~1\CSCOpx\log\syslog.log

And watch to make sure syslog messages are arriving in this file.

A syslog.log of 13 MB is not too bad. However, you can configure logrot to manage this file. Go to Common Services > Server > Admin > Log Rotation to configure it.

chris.mcgarrah · ‎01-10-2009

I am attaching output from netstat command. I left off "KB" in my previous post, so the file size is really 13GB. I don't see any new messages arriving in the file, but I do see them arriving at the interface with a sniffer.

Joe Clarke · ‎01-11-2009

This indicates our syslog daemon is bound to udp/514. So if you don't see new messages in the syslog.log file, I wonder if there is a host-based firewall blocking them (e.g. Windows Firewall, CSA, etc.).