RME Syslog Questions

Unanswered Question
Jul 16th, 2009

Syslog is collecting information, but I have some general questions about the config:

The Syslog Collector Status is showing up and the name of the CiscoWorks Server itself.

Accoring to the Help screen this is where you configure the common syslog collector.

This has to be configured even though the CiscoWorks server is doing the collection to itself?

And the idea is that CiscoWorks could be pointed to a third party collector to create reports from off box syslog files?

Backup/Purge

Currently the purge is set up for once a month and the backup file size is 200M, but I am not sure this is the best configuration.

My understanding is that once the file is backed up, it is no longer viewed and no reports pulled in CiscoWorks, correct?

So with my current config, I am able to view/report a month back as long as the month of data is not bigger than 200M, is this correct?

Also, on the purge, does it delete files?

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (4 ratings)
Loading.
Joe Clarke Thu, 07/16/2009 - 08:19

You can point the SyslogAnalyzer in RME to remote SyslogCollectors. They are not third party collectors, but either remote RME servers, or installations of the Remote Syslog Collector. Yes, the Analyzer needs to be registered to at least the local Collector in order to be able to process anything.

Correct, purged syslog messages will be backed up to a flat text file, and will not be viewable in the RME reports. You must comb through the backup file. The purge is from the database. RME purges old syslog messages, and will then write them to the specified backup file (if configured). You will be able to view reports in RME for syslog messages which are less than a month old.

wilson_1234_2 Thu, 07/16/2009 - 10:01

Thanks Joe,

You have been busy today.

On the Message Filters,

If the Message Filter Type is set to "Drop" and the filters are created,

does "Enabled" mean that filter is active to drop those messages?

For example:

Drop (Message Filter Type)

+

Enabled (Message Filter) =

------------------------

Anything matching enabled filter is dropped

Drop (Message Filter Type)

+

Disabled (Message Filter) =

------------------------

Anything matching disabled filter is allowed

Joe Clarke Thu, 07/16/2009 - 10:44

If the filter mode is set to drop, all enable filters will drop matching messages. So your first example is correct.

wilson_1234_2 Fri, 07/17/2009 - 07:41

Joe,

Is there an implicit deny after a "keep" + "Enabled" rule?

For example if I configure:

Keep

+

Enabled (allow Severity 7)=

-------------------------

Only Severity 7 messages

Is there a baseline or samples of filter configs that would be typically used?

Joe Clarke Fri, 07/17/2009 - 09:45

Yes. If you want to set the mode to Keep, then be aware that only the messages which match enabled filters will be forwarded to the SyslogAnalyzer.

No, there is really no baseline. It really depends on the technologies deployed in your network, and what you are interested in. Personally, I prefer to be notified about config changes, all S0, 1, and 2 messages, and anything generated by EEM (%HA_EM...).

wilson_1234_2 Fri, 07/17/2009 - 10:05

Joe,

Here is how I have the ASA appliances configured to collect severity 7 messages for the ASAs:

Facility Sub-Facility Severity Mnemonic Description

ASA * 7 * *

I can see how you would possibly configure the 0, 1 and 2:

Facility Sub-Facility Severity Mnemonic Description

* * 0 * *

* * 1 * *

* * 2 * *

How would the EEM messages be allowed?

wilson_1234_2 Fri, 07/17/2009 - 10:19

Thanks Joe,

I can see the collector status is showing that it was updated when I made a filter change,

Does it need to be re subscribed, or these changes can be made on the fly?

Actions

This Discussion