cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1292
Views
0
Helpful
25
Replies

Syslog Collector: Unable to resurrect connection to a subscriber

jeeyishyuan
Level 1
Level 1

Hi Experts,

I found this logs in SyslogCollector.log.

NMSROOT is C:/PROGRA~2/CSCOpx

propFileC:/PROGRA~2/CSCOpx\MDC\tomcat\webapps\rme\WEB-INF\classes\C:\PROGRA~2\CSCOpx\MDC\tomcat\webapps\rme\WEB-INF\classes\com\cisco\nm\rmeng\csc\data\Collector.properties

Unable to find the file C:/PROGRA~2/CSCOpx\MDC\tomcat\webapps\rme\WEB-INF\classes\C:\PROGRA~2\CSCOpx\MDC\tomcat\webapps\rme\WEB-INF\classes\com\cisco\nm\rmeng\csc\data\Collector.properties

NMSROOT is C:/PROGRA~2/CSCOpx

propFileC:/PROGRA~2/CSCOpx\MDC\tomcat\webapps\rme\WEB-INF\classes\com\cisco\nm\rmeng\csc\data\Collector.properties

SyslogCollector - [Thread: main] INFO , 19 Jan 2009 17:31:31,500, Logging System Initialized.

SyslogCollector - [Thread: main] INFO , 19 Jan 2009 17:31:31,500, System Initialized.

SyslogCollector - [Thread: main] WARN , 19 Jan 2009 17:31:37,203, Unable to get the filters for subscriber ciscoworkProd. Default value will be used.

NMSROOT is C:/PROGRA~2/CSCOpx

propFileC:/PROGRA~2/CSCOpx\MDC\tomcat\webapps\rme\WEB-INF\classes\C:\PROGRA~2\CSCOpx\MDC\tomcat\webapps\rme\WEB-INF\classes\com\cisco\nm\rmeng\csc\data\Collector.properties

Unable to find the file C:/PROGRA~2/CSCOpx\MDC\tomcat\webapps\rme\WEB-INF\classes\C:\PROGRA~2\CSCOpx\MDC\tomcat\webapps\rme\WEB-INF\classes\com\cisco\nm\rmeng\csc\data\Collector.properties

NMSROOT is C:/PROGRA~2/CSCOpx

propFileC:/PROGRA~2/CSCOpx\MDC\tomcat\webapps\rme\WEB-INF\classes\com\cisco\nm\rmeng\csc\data\Collector.properties

SyslogCollector - [Thread: main] INFO , 19 Jan 2009 17:41:22,093, Logging System Initialized.

SyslogCollector - [Thread: main] INFO , 19 Jan 2009 17:41:22,093, System Initialized.

SyslogCollector - [Thread: main] INFO , 19 Jan 2009 17:41:22,171, Subscriber list is empty!

Can the Experts advise me why is the collector properties file is not found? I have checked the NMS root directory, the file is there.

Secondly, how can I re-subscribe the collector? Unsubscribe the collector for troubleshooting purpose.

I really appreciate it greatly if the Experts can show me some light. Thanks a billion!!!

Regards,

Yi Shyuan

1 Accepted Solution

Accepted Solutions

Your syslog problem probably has to do with your filter settings. Please post a screenshot of your syslog filter settings.

The LMS packet capture tool should capture the syslog messages provided you started it on the correct interface, and your filter was correct (udp port 514).

View solution in original post

25 Replies 25

Joe Clarke
Cisco Employee
Cisco Employee

There are no problems here. If you need to resubscribe the Analyzer to the Collector go to RME > Tools > Syslog > Syslog Collector Status, and unsubscribe the current Collector, then click the Subscribe button to resubscribe.

Hi jclarke,

Is it normal for the SyslogCollector.log to show unable to find collector.properties file?

I have tried to unsubscribe and re-subscribe the collector but the SyslogCollector.log shows that the subscriber list is empty. Due to this error, I have to restore Ciscoworks LMS.

Isn't the path directory is strange to show "C:/PROGRA~2/CSCOpx\MDC\tomcat\webapps\rme\WEB-INF\classes\C:\PROGRA~2\CSCOpx\MDC\tomcat\webapps\rme\WEB-INF\classes\com\cisco\nm\rmeng\csc\data

\Collector.properties"

where the string seems to "restart" the whole string again when it shows up to "classes" folder?

Please advise.

Thanks & Regards,

Yi Shyuan

Yes, this error is common, and it means nothing. Don't look at the log files. What do you see in the GUI when you try to unsubscribe and resubscribe the Collector? It would be helpful to see a set of screenshots illustrating what you're doing, and what you see.

Hi jclarke,

I had a successful re-subscribe this time. However, I can only receive syslog messages from ASA devices but not from other switches that I intended to receive.

I have installed a sniff packet software on the LMS server and received syslog packets from other switches. However, packet capture in Device Centre did not capture any syslog packets from the targeted switch. I wonder why is it so?

Thanks & Regards,

YS

Your syslog problem probably has to do with your filter settings. Please post a screenshot of your syslog filter settings.

The LMS packet capture tool should capture the syslog messages provided you started it on the correct interface, and your filter was correct (udp port 514).

Hi jclarke,

I have posted the filter screen shot. Pls advise.

Thanks & Regards,

YS

This is your problem. You have your filter mode set to KEEP, but you only have filters defined for firewall, debugging, and link up/down messages. Either set your mode to DROP, or add additional filters for other messages in which you are interested.

Hi jclarke,

So I have configured the filter mode drop and disabled the firewall filters.

I restarted the crmlog aft the I made the changes. But i still dun see any syslog messages from the switches and the update of the syslog.log is not up to the real time. (as compared to kiwi syslog server)

Currently the syslog.log file size is 2947KB while the recommended file size which I found from the log file status report is 1048576KB. So it's not likely that syslog.log has exceeded the file size.

Please advise as I am really running out ideas to troubleshoot.

Thanks & Regards

YS

If you set the mode to drop, and disabled all the filters, then all of the messages will be dropped. I said to EITHER set the mode to drop, OR add more filters. If all your filters are disabled, set the mode to KEEP. If you have filters enabled, and those filters define messages you do NOT want to see, then set the mode to DROP. If you have filters enabled, and those filters define messages you DO want to see, set the mode to KEEP.

You can control the size of syslog.log by configuring logrot.pl. Consult the online help for Common Services on how to configure this. Search for "logrot".

Hi jclarke,

I have configured a message filter to have all * to receive any syslog messages from the switches. I tried to restart the CWCS syslog service but it the service seems to hang aft it tried to stop for 1 hour.

Can you advise from here?

Thanks & Regards

YS

What exactly is hanging?

Hi jclarke,

CWCS Syslog Service is currently hanging. I can only force the service to rerun by restarting the server.

I have attached a screen shot to show the error if a second time of net stop crmlog is run while the service is hanging.

Thanks & Regards

YS

Check the Windows Event View and syslog_debug.log for any errors. But at this point, you will probably need to reboot to continue receiving syslog messages.

Hi jclarke,

So I have my server rebooted.

Set a new message filter (shown in the attached screen shot) with asterisk for all columns.

Possible to advise if this filter going to work in order to receive all syslog messages from any switches configured to log to the LMS server?

FYI, I only receive syslog messages from ASA devices at this point of time

Thanks & Regards

YS

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Innovations in Cisco Full Stack Observability - A new webinar from Cisco