Ciscoworks Syslog not showing any logs

Answered Question
Mar 20th, 2009
User Badges:

Facing problem with the syslog collector. No message counters are displaying or increasing in the forward of syslog collector. Able to receive the traps sent from all the devices within the KIWI syslog software which i had temparory installed on LMS server. Kiwi was just used to verify if the traps are reaching the ciscoworks server.I had even done the unsubscribe & subscribing the server in the syslog collector. User casusers has full rights to execute.Recently there was problem with the files of Syslogfirst.log,SyslogSecond.log & Syslogthird.log. I had used the DBSpaceReclaimer utility. The logs are not there for last 6 months.

Can anybody guide me for this problem faced.



Correct Answer by Joe Clarke about 8 years 4 months ago

That's TCP port 514. There is nothing bound to UDP port 514. Run the following:


net start crmlog


You should then start to see syslog messages being written to syslog.log.

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 4.3 (3 ratings)
Loading.
Joe Clarke Fri, 03/20/2009 - 12:15
User Badges:
  • Cisco Employee,
  • Hall of Fame,

    Founding Member

What is the All Events filter specifically? What messages are you receiving in syslog.log that you think should be logged?

dominic.colson@... Sat, 03/21/2009 - 13:55
User Badges:

All events filter specify that it should get any traps(*) from any devices(*).

The syslog.log file is empty. not a single trap is present in it.

Joe Clarke Sat, 03/21/2009 - 14:00
User Badges:
  • Cisco Employee,
  • Hall of Fame,

    Founding Member

First, syslog messages are NOT traps. Traps are SNMP messages sent to udp/162. Syslog messages are textual messages sent to udp/514. The crmlog service binds to UDP port 514, and receives syslog messages only.


If you are sending syslog messages from your devices to the LMS server, make sure that Kiwi is shutdown, and make sure the CWCS syslog services (i.e. crmlog) is running. If you run netstat -a -n -o -b, you should see the crmlog.exe process bound to UDP port 514.


Once this has been verified, you should start seeing messages in syslog.log. Once that happens, SyslogCollector will read them, filter them, then pass them up to SyslogAnalyzer. SyslogAnalyzer will write the messages into the RME database.

dominic.colson@... Mon, 03/23/2009 - 01:01
User Badges:

After entering the netstat -a -n -o -b command , 514 port was assigned to crmrsh.exe. I had attached the output of the command



Attachment: 
Correct Answer
Joe Clarke Mon, 03/23/2009 - 09:23
User Badges:
  • Cisco Employee,
  • Hall of Fame,

    Founding Member

That's TCP port 514. There is nothing bound to UDP port 514. Run the following:


net start crmlog


You should then start to see syslog messages being written to syslog.log.

Actions

This Discussion