Syslog messages

Unanswered Question
Aug 6th, 2009

I have configured our switches with syslog traps and syslog server as LMS server, but I don't see any messages under "syslog Alerts" in RME module. The messages are collected fine on another linux box. I don't see much configuration of syslog server on LMS.

In RME, Syslog collector Status under Tools, shows 1855, 12, 1867 under Invalid,Filtered and Received respectively, but when I tried to run syslog report it doesn't show anything. I would like to collect all switches syslog messages on LMS box. Any help will be appreciated.


I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Joe Clarke Thu, 08/06/2009 - 11:37

The Syslog Alerts module only shows sev 0, 1, and 2 messages. You may not have received any of these. Go to RME > Reports > Report Generator, and run a Syslog Standard Report for all your devices. Do you see anything?

msalim Thu, 08/06/2009 - 12:43

I don't see any records. I did disconnect and reconnect one of the switch port to generate a message, but still didn't get anything. I did get that on another linux box.


Joe Clarke Thu, 08/06/2009 - 13:00

Post a screenshot of RME > Tools > Syslog > Message Filters. Verify that the messages being sent by your devices are appearing in NMSROOT/log/syslog.log.

msalim Thu, 08/06/2009 - 13:31

We are running LMS 3.1 on windows. What do you mean by verifing the messages being sent by your devices are appearing in NMSROOT/logs/syslog.log? I couldn't attach the screen shot file. Cut and paste of screen text is given below.

Message Filters Type: Drop Keep

Include interfaces of selected devices: Yes No

Showing 5 records

Name Status

1. Link Up/Down Message Filter Enabled

2. IOS Firewall Audit Trail Messages Enabled

3. PIX Firewall Audit Messages Disabled

4. Severity 7 Message Filter Enabled

5. Otsa switches message filter Enabled

msalim Thu, 08/06/2009 - 13:37

Screen shot is attached with following thread message.

Joe Clarke Thu, 08/06/2009 - 13:41

What is the configuration for your Otsa switches filter? I know you're on Windows. The NMSROOT directory is the path into which you installed LMS. Within that directory there will be a log subdirectory. And in that subdirectory will be a file called syslog.log. Make sure your device messages are showing up in that file.

msalim Fri, 08/07/2009 - 11:02

11:05:17 294: Aug 7 11:05:12: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/16, changed state to down

Aug 07 11:05:17 295: Aug 7 11:05:13: %LINK-3-UPDOWN: Interface GigabitEthernet0/16, changed state to down

Aug 07 11:05:21 296: Aug 7 11:05:17: %LINK-3-UPDOWN: Interface GigabitEthernet0/16, changed state to up

Aug 07 11:05:21 297: Aug 7 11:05:18: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/16, changed state to up

Joe Clarke Fri, 08/07/2009 - 11:07

You have enabled the linkup/down filter which means those messages will be dropped. Disable this filter, generate some new messages, then run your syslog report. They should show up.

msalim Tue, 08/11/2009 - 10:19

I have disabled all filters. Messages do show when I run report, but they still don't show on RME main screen under Syslog Alerts. It still shows "No Records Found".

Joe Clarke Tue, 08/11/2009 - 10:21

As I said, the Syslog Alerts portlet only shows the most severe alerts (Severity 0, 1, and 2). If you are not receiving any of these, then nothing will show up in the portlet. This is actually a good thing as it means your network isn't experiencing any high-severity issues.

Joe Clarke Tue, 08/11/2009 - 10:30

No, the severity levels for the portlet are hardcoded. However, LMS 3.2 offers a new portlet called Syslog Summary which displays the 24-hour syslog event distribution as a pie graph along with the specific syslog counts.

msalim Tue, 08/11/2009 - 12:58

We bought LMS 3.1 this year, do you know if we can upgrade to 3.2 without any additional cost.


msalim Wed, 08/12/2009 - 09:38

So my understanding is that after installing the LMS3.1 license it will remain 3.2. I hope LMS3.2 will accept 3.1 license key.

I will try and let you know. Thanks for your help.

msalim Wed, 08/12/2009 - 09:44

I hope installing 3.2 eval would not mess up any current configuration or data collection.


Joe Clarke Wed, 08/12/2009 - 09:47

Not at all. If you install the eval on a licensed copy of LMS 3.1, it will simply upgrade your copy to a licensed install of 3.2. There won't be any eval involved in that case.

msalim Mon, 08/17/2009 - 10:24

Thanks for that info. I couldn't download 3.2 eval, but I have contacted our sales rep for assistance. This matter can be considered resolved.



This Discussion