Hi,

Which is the correct one?

SYSLOG_FILES=$NMSROOT/log/syslog.log

- if this is the one, I don't see any relevant syslog messages from the device which I configured to send syslog.

- Most of the log entries are about CW LMS server applications.

DEBUG_FILE=$NMSROOT/log/SyslogCollector.log

DOWNTIME_DIR=$NMSROOT/MDC/tomcat/webapps/rme/WEB-INF/classes/com/cisco/nm/rmeng/csc/data

FILTER_DUMP_FILE=$NMSROOT/MDC/tomcat/webapps/rme/WEB-INF/classes/com/cisco/nm/rmeng/csc/data/filters.dat

This one:

SYSLOG_FILES=$NMSROOT/log/syslog.log

If you don't see any syslog message, then check:

- is the Ciscoworks Syslog service running? - If you have other syslog server software running, shut it down.

- do a sniffer trace on udp port 514 and check if the syslog packet reaches your syslog server.

- if you don't see any packet, check if any firewall blocking the packets.

Hi jclarke,

I have checked the log file and found the logs seem like firewall blocking the packets. I have posted a few strings in the text file attached with this post. Please advise.

Thanks & Regards,

Yi Shyuan

Ok, so now you see your syslog messages in syslog.log?

If so, check your Syslog Collector status from Ciscoworks RME page. You need to see the number of forwarded message increasing.

If the number of forwarded message is increasing, and you don't see any messages under syslog report, check the unexpected device report.

Hi jclarke,

I have checked the forwarded messages number, it has remained the same for the past few days. Please advise.

Besides this, I also would like to clarify if Syslog collector must be remotely installed on another appliance? Or could it be running as one of the RME applications on LMS server?

No, syslog collector can be running locally on the LMS server.

Re-generate the certificate:

- Common Services > Server > Security > Single-Server Management > Certificate Setup

Re-Subscribe the Collector

- Select Resource Manager Essentials > Tools > Syslog > Syslog Collector Status

- Select the current collector and click on unsubscribe

- Subscribe again the collector filling the appropriate information

Restart daemon manager

-Stop CiscoWorks daemon: net stop crmdmgtd

-wait 15 min than:

-Restart CiscoWorks daemon: net start crmdmgtd

If the number of forwarded message is still not increasing, enable debug:

- RME=>Admin=> System Preferences=> Loglevel Settings

- Select for "Syslog Analyzer" and "Syslog Analyzer User

Interface" "Logging level" = debug

Post the following files:

- \log\SyslogAnalyzer.log

- \log\SyslogAnalyzerUI.log

- \log\SyslogAnalyzerUI.log.1

- \log\SyslogAnalyzerUI.log.2

- \log\SyslogCollector.log

- \log\syslog_debug.log

Hi Dany,

Sorry for the delay to response. I have tried to unsubscribe the syslog collector which LMS has after installation. When I subscribed again the collector, it seems like the newly subscribed collector doesn't function at all.

The columns to display number of syslog messages are displaying Not Applicable. Even after I have left it for a few hours.

Is this normal? or should I try to stop and restart daemon manager after I have subscribed again the collector?

Hi Dany,

What job should I run after I have set the logging level to debug? Or should I re-subscribe the collector again?

As posted in my previous reply, I did not get a successful re-subscribe as the number of syslog messages forwarded is displayed as Not Applicable after re-subscribe. Currently, the collector is running as I did a restore from the latest backup.

What I am suspecting here is that,

Aft re-subscribe, name of Collector: LMS Server IP Address

Bef re-subscribe, name of Collector: LMS Server Name

Currently, the LMS server IP address is not resolvable with the LMS server name. Could this be the problem?