RME 4.1.1 Syslog Collector NOT receiving Syslog Messages

jeeyishyuan
Level 1

Hi Experts,

Please advise why the Syslog Collector is not receiving any Syslog Messages for more than 1 day while the filter is set to Keep and some facility codes are specified.

Syslog.log file is currently at 79MB where the limit is 1GB.

I have tried to unsubscribe and re-subscribe the syslog collector but the problem persists.

Hope to hear some advice.

Thanks and Regards

Yi Shyuan

19 Replies

Joe Clarke
Cisco Employee

Please post a screenshot of your filter configuration screen, as well as a screenshot of the syslog collector status screen.

Hi Joe,

Here are the screen shots. Thanks!

Regards

YS

All of your messages are being filtered. What messages are you receiving in the syslog.log file? You only care about a small subset of message types.

Hi Joe,

The number of messages being received has remained at 1060 received and 945 filtered for more than 1 day. Isn't this weird if the collector is properly receiving the Syslog Messages?

Since the syslog.log is more than 5MB, only the latest portion of the syslog messages is posted. All are ASA entries.

Thanks & Regards,

YS

RME is working as designed. All of the messages have the facility ASA, but you are not matching that facility in your message filters. You need to add ASA to your message filters, or change your filter mode to Drop.

Hi Joe,

In fact, I don't wish to receive Syslog Messages from ASA devices. The messages that I am interested in are listed in the facility codes.jpg.

I am wondering how over 600 switches could not have sent any syslog messages matching the configured facility codes in the past 24 hours.

However, if I change the filter mode to Drop, all the syslog messages received will be dropped; this actually defeats the purpose of setting all the facility codes to receive the required syslog messages.

Regards,

YS

The ASA messages were the only ones you showed me. Go through your syslog.log. What messages do you see that match your desired facility filters?

Hi Joe,

Actually the whole syslog.log contains only ASA entries; the file is really too big (about 75MB) for me to post here. If you really want to see it, I will separate it into a few text files and post them here.

Thanks & Regards,

YS

Then what you're seeing is expected. If you find that you are receiving messages which match the filter you have configured, then we can analyze that. It is entirely possible that your devices are not sending such messages. Those are not the most prevalent syslog message types.

Hi Joe,

Then I am very surprised that, since my message filter has already disabled IOS Firewall audit trail messages and PIX firewall audit messages, ASA syslog is still being received. Doesn't ASA belong to either of them?

Regards

YS

The filters do not control what messages are written to the syslog.log. ALL messages sent by devices will be written to that file. The filters control what messages are written to the database.

The IOS Firewall audit trail message filter only matches FW-*-6-SESS_AUDIT_TRAIL:*.
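
The keep/drop semantics described above (everything the daemon receives is written to syslog.log, while the filter only decides what reaches the database) as an added Python simulation; this is example code and not part of the thread or of RME itself. The parser, the per-field glob rule format and the sample messages are constructed assumptions, and RME's own `FW-*-6-SESS_AUDIT_TRAIL:*` definition is approximated here by a rule on facility, severity and mnemonic.

```python
import fnmatch
import re
from typing import Dict, List, Optional

# Matches the %FACILITY-SEVERITY-MNEMONIC: prefix of a Cisco syslog message.
# Subfacilities are folded into the facility group (an assumption of this example).
CISCO_PREFIX = re.compile(
    r"%(?P<facility>[A-Z0-9_]+(?:-[A-Z0-9_]+)*?)"
    r"-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s*(?P<text>.*)"
)

# Constructed sample lines (not taken from the poster's syslog.log).
SAMPLE_LINES = [
    "Mar 10 08:01:02 10.1.1.1 %ASA-6-302013: Built inbound TCP connection 4711 for outside:10.0.0.1/4000 to inside:10.0.0.2/80",
    "Mar 10 08:01:03 10.1.1.1 %ASA-6-302014: Teardown TCP connection 4711 duration 0:00:01 bytes 1234 TCP FINs",
    "Mar 10 08:01:04 10.1.1.1 %ASA-6-106100: access-list inside permitted tcp inside/10.0.0.2(80) -> outside/10.0.0.1(4000)",
    "Mar 10 08:01:05 10.2.2.2 %FW-6-SESS_AUDIT_TRAIL: Start tcp session: initiator (10.0.0.5:1234) -- responder (10.0.0.6:80)",
    "Mar 10 08:01:06 10.3.3.3 %LINK-3-UPDOWN: Interface GigabitEthernet1/0/1, changed state to down",
    "Mar 10 08:01:07 10.3.3.3 %SYS-5-CONFIG_I: Configured from console by admin on vty0",
]

# A filter rule is a dict of glob patterns; a missing field means "*" (match anything).
Rule = Dict[str, str]


def parse_cisco_syslog(line: str) -> Optional[Dict[str, str]]:
    """Return facility/severity/mnemonic/text for a Cisco-style line, or None."""
    m = CISCO_PREFIX.search(line)
    return m.groupdict() if m else None


def matches_rule(msg: Dict[str, str], rule: Rule) -> bool:
    """Every field named in the rule must glob-match the parsed message."""
    return all(
        fnmatch.fnmatchcase(msg[field], rule.get(field, "*"))
        for field in ("facility", "severity", "mnemonic")
    )


def run_collector(lines: List[str], rules: List[Rule], mode: str) -> Dict[str, object]:
    """Simulate the collector: log everything, then apply the filter in keep or drop mode.

    keep: only messages matching at least one rule are stored in the database.
    drop: messages matching at least one rule are discarded; everything else is stored.
    """
    if mode not in ("keep", "drop"):
        raise ValueError("mode must be 'keep' or 'drop'")
    syslog_log: List[str] = []   # every received line, regardless of the filter
    stored: List[str] = []       # what would be written to the database
    filtered: List[str] = []     # counted as "filtered" on the collector status screen
    for line in lines:
        syslog_log.append(line)
        msg = parse_cisco_syslog(line)
        matched = msg is not None and any(matches_rule(msg, r) for r in rules)
        store = matched if mode == "keep" else not matched
        (stored if store else filtered).append(line)
    return {
        "received": len(syslog_log),
        "stored": len(stored),
        "filtered": len(filtered),
        "stored_lines": stored,
    }


if __name__ == "__main__":
    wanted = [{"facility": "LINK"}, {"facility": "SYS"}]
    for mode in ("keep", "drop"):
        r = run_collector(SAMPLE_LINES, wanted, mode)
        print(f"{mode}: received={r['received']} stored={r['stored']} filtered={r['filtered']}")
```

With the facility list in keep mode, the ASA traffic still fills syslog.log (received counts all six lines) but is counted as filtered, which is exactly the "received vs. filtered" picture from the status screen; switching the same rules to drop mode inverts the decision and the ASA messages would reach the database instead.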

Hi Joe,

Thanks for the reply. A last question: why isn't syslog.log being updated in real time? Currently, I can only see logs in the file that are a few hours old.

Thanks & Regards

YS

The syslog daemon on Windows is tuned to allow for 200 messages per second by default. If you are getting less than this, you may notice some lag in when messages get written to the syslog.log.

You can tune some of the parameters under HKLM\SYSTEM\CurrentControlSet\Services\crmlog\Parameters in the Registry. In particular, try decreasing CrmMsgCount from 256 to 30, and see if messages start to show up quicker. After changing anything here, restart the crmlog service:

net stop crmlog

net start crmlog

Note: lowering these tunables will help messages show up quicker in the syslog.log, but will reduce the scalability of the syslog daemon.

Hi Joe,

Where can I get the registry?
