RME 4.1.1 Syslog Collector NOT receiving Syslog Messages

Mar 5th, 2009

Hi Experts,

Please advise why the Syslog Collector is not receiving any Syslog Messages for more than 1 day while the filter is set to Keep and some facility codes are specified.

Syslog.log file is currently at 79MB where the limit is 1GB.

I have tried to unsubscribe and re-subscribe the syslog collector but the problem persists.

Hope to hear some advice.

Thanks and Regards

Yi Shyuan

Joe Clarke Thu, 03/05/2009 - 23:10

Please post a screenshot of your filter configuration screen, as well as a screenshot of the syslog collector status screen.

Joe Clarke Thu, 03/05/2009 - 23:23

All of your messages are being filtered. What messages are you receiving in the syslog.log file? You only care about a small subset of message types.

jeeyishyuan Thu, 03/05/2009 - 23:55

Hi Joe,

The number of messages being received has remained at 1060, with 945 filtered, for more than 1 day. Isn't this weird if the collector is properly receiving the Syslog Messages?

Since the syslog.log is more than 5MB, only the latest portion of the syslog messages is posted. All are ASA entries.

Thanks & Regards,


Joe Clarke Fri, 03/06/2009 - 00:08

RME is working as designed. All of the messages have the facility ASA, but you are not matching that facility in your message filters. You need to add ASA to your message filters, or change your filter mode to Drop.

jeeyishyuan Fri, 03/06/2009 - 00:17

Hi Joe,

In fact, I don't wish to receive Syslog Messages from ASA devices. The messages that I'm interested in are listed in facility codes.jpg.

I am wondering how over 600 switches could not have sent any syslog messages matching the configured facility codes in the past 24 hours.

However, if I change the filter mode to Drop, all the syslog messages received will be dropped, which actually defeats the purpose of setting all the facility codes to receive the required syslog messages.



Joe Clarke Fri, 03/06/2009 - 08:17

The ASA messages were the only ones you showed me. Go through your syslog.log. What messages do you see that match your desired facility filters?

jeeyishyuan Fri, 03/06/2009 - 09:43

Hi Joe,

Actually the whole syslog.log is only ASA entries; the file is really too big (about 75MB) for me to post here. If you really want to see it, I will separate it into a few text files and post them here.

Thanks & Regards,


Joe Clarke Fri, 03/06/2009 - 10:08

Then what you're seeing is expected. If you find that you are receiving messages which match the filter you have configured, then we can analyze that. It is entirely possible that your devices are not sending such messages. Those are not the most prevalent syslog message types.

jeeyishyuan Fri, 03/06/2009 - 10:30

Hi Joe,

Then I will be very surprised, since my message filter has already disabled IOS Firewall audit trail messages and PIX firewall audit messages: why are ASA syslog messages still being received? Doesn't ASA belong to both of them?



Joe Clarke Fri, 03/06/2009 - 11:39

The filters do not control what messages are written to the syslog.log. ALL messages sent by devices will be written to that file. The filters control what messages are written to the database.

The IOS Firewall audit trail message filter only matches FW-*-6-SESS_AUDIT_TRAIL:*.
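
The keep/drop semantics Joe describes above, as an added toy model written for this page (not RME code and not the project's filter implementation): it parses Cisco-style message tags out of a few constructed syslog.log lines and shows that every line counts as received, while the filter only decides which ones would go on to the database. The pattern form `FACILITY-SEVERITY-MNEMONIC` with shell-style globs is my simplification for the illustration, not RME's own filter syntax.

```python
"""Toy model of a keep/drop syslog message filter (added illustration, not RME code)."""
import re
from collections import Counter
from fnmatch import fnmatch

# Cisco-style message tag "%FACILITY-SEVERITY-MNEMONIC:"; the facility may carry a
# sub-facility such as SEC_LOGIN, and severity is a single digit 0-7.
TAG_RE = re.compile(r"%(?P<fac>[A-Z][A-Z0-9_]*)-(?P<sev>[0-7])-(?P<mnem>[A-Z0-9_]+):")

# Constructed sample syslog.log content; addresses are documentation ranges.
SAMPLE_LOG = """\
Mar  6 09:41:02 10.0.0.1 %ASA-6-302013: Built outbound TCP connection 12345 for outside:198.51.100.7/443 (198.51.100.7/443) to inside:192.0.2.10/52044 (203.0.113.5/52044)
Mar  6 09:41:03 10.0.0.1 %ASA-6-302014: Teardown TCP connection 12345 for outside:198.51.100.7/443 to inside:192.0.2.10/52044 duration 0:00:01 bytes 2313 TCP FINs
Mar  6 09:41:05 10.0.0.20 %FW-6-SESS_AUDIT_TRAIL: Start tcp session: initiator (192.0.2.11:50100) -- responder (198.51.100.8:80)
Mar  6 09:41:09 10.0.0.31 %SYS-5-CONFIG_I: Configured from console by admin on vty0 (192.0.2.99)
Mar  6 09:41:10 10.0.0.31 %LINK-3-UPDOWN: Interface GigabitEthernet1/0/12, changed state to down
Mar  6 09:41:11 10.0.0.31 this line carries no Cisco message tag
"""
LINES = SAMPLE_LOG.splitlines()


def parse_tag(line):
    """Return 'FACILITY-SEV-MNEMONIC' for a syslog.log line, or None if it has no tag."""
    m = TAG_RE.search(line)
    return f"{m.group('fac')}-{m.group('sev')}-{m.group('mnem')}" if m else None


def apply_filter(lines, mode, patterns):
    """Split received lines into (stored, filtered).

    mode     -- 'keep' stores only messages matching some pattern; 'drop' stores
                only messages matching none (the two modes the thread discusses).
    patterns -- glob patterns over the tag, e.g. 'FW-6-SESS_AUDIT_TRAIL' or 'ASA-*-*'.
    Every line is in the input regardless of outcome, mirroring the point that
    syslog.log holds everything and the filter only governs the database.
    """
    if mode not in ("keep", "drop"):
        raise ValueError("mode must be 'keep' or 'drop'")
    stored, filtered = [], []
    for line in lines:
        tag = parse_tag(line)
        hit = tag is not None and any(fnmatch(tag, p) for p in patterns)
        # keep: store on hit; drop: store on miss (untagged lines never hit)
        (stored if hit == (mode == "keep") else filtered).append(line)
    return stored, filtered


def facility_counts(lines):
    """Histogram of messages per facility; a quick way to see a file that is all ASA."""
    counts = Counter()
    for line in lines:
        tag = parse_tag(line)
        counts[tag.split("-")[0] if tag else "(untagged)"] += 1
    return counts


def demo():
    """Reproduce the thread's situation: Keep mode with filters that never name ASA."""
    patterns = ["FW-6-SESS_AUDIT_TRAIL", "SYS-5-CONFIG_I", "LINK-*-UPDOWN"]
    stored, filtered = apply_filter(LINES, "keep", patterns)
    return {
        "received": len(LINES),
        "stored": len(stored),
        "filtered": len(filtered),
        "by_facility": dict(facility_counts(LINES)),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running `demo()` shows the symptom in miniature: the ASA lines are received but filtered under Keep mode because no pattern names ASA, and the received and filtered counters move together whenever the devices send nothing else. Before touching the filter, the `facility_counts` histogram over the real syslog.log is the cheapest way to confirm whether the switches are sending anything at all, which is the question the rest of the thread turns on.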

jeeyishyuan Fri, 03/06/2009 - 18:42

Hi Joe,

Thanks for the reply. A last question: why isn't syslog.log being updated in real time? Currently, I can only see logs in the file that are a few hours old.

Thanks & Regards


Joe Clarke Sat, 03/07/2009 - 12:16

The syslog daemon on Windows is tuned to allow for 200 messages per second by default. If you are getting less than this, you may notice some lag in when messages get written to the syslog.log.

You can tune some of the parameters under HKLM\SYSTEM\CurrentControlSet\Services\crmlog\Parameters in the Registry. In particular, try decreasing CrmMsgCount from 256 to 30, and see if messages start to show up quicker. After changing anything here, restart the crmlog service:

net stop crmlog

net start crmlog

Note: lowering these tunables will help messages show up quicker in the syslog.log, but will reduce the scalability of the syslog daemon.

jeeyishyuan Mon, 03/09/2009 - 00:58

Hi Joe,

Thanks for the reply. I have changed it to 30 (Decimal) and restarted crmlog. But it seems the syslog collector is still not receiving as many messages as you have mentioned.

Is it normal to receive only 2000 messages for the past 4 hours, for about 685 devices?

Joe Clarke Mon, 03/09/2009 - 09:07

Maybe. You need to cross reference the local logs on these devices to what you're seeing in the syslog.log to see if you're missing any messages based on your logging trap level.
