zero record syslog reports

Joe Clarke Thu, 08/27/2009 - 12:18
User Badges:
  • Cisco Employee,
  • Hall of Fame,

    Founding Member

Disabling all message filters is probably the problem. If you disable all filters, make sure the mode is set to KEEP instead of the default DROP.

Joe Clarke Thu, 08/27/2009 - 12:28

Post the output of the pdshow command as well as some of the sample messages not appearing in your syslog reports.

Joe Clarke Fri, 08/28/2009 - 09:31

This looks okay. Post the SyslogCollector.log and AnalyzerDebug.log.

Joe Clarke Fri, 08/28/2009 - 09:51

This all looks healthy. In fact, I'm seeing evidence that syslogs are being processed. Exactly what reports are you running, and how are you running them? Post a screenshot of RME > Tools > Syslog > Syslog Collector Status.

I'm trying to run 24-hour reports on the devices in question. But even standard reports return zero records. A show logging from the devices via telnet shows plenty of SNMP authentication failures within the past 24 hours, but all reports return zero records. The messages are in the syslog.log file... I just checked again. The only difference being that I run the report based on host name while the log file shows the IP address for the device. The server is getting the data but RME won't show it in a report. The messages I posted earlier should show up in a 24-hour report, correct?



Joe Clarke Fri, 08/28/2009 - 10:16

Yes, they should. Try running an Unexpected Devices Report to see if the syslog messages show up there. Also, post the NMSROOT/MDC/tomcat/webapps/rme/WEB-INF/classes/com/cisco/nm/rmeng/csc/data/filters.dat file.

Joe Clarke Fri, 08/28/2009 - 10:32

Enable SyslogAnalyzer debugging under RME > Admin > System Preferences > Loglevel Settings, regenerate some new messages, then re-post the AnalyzerDebug.log along with the messages that were generated.

Joe Clarke Mon, 08/31/2009 - 08:44

According to this, the device generating the SEC-6-IPACCESSLOGP message is not properly managed by RME. It is either in a suspended state or a conflicting state. You need to fix that problem by either resuming management of the device, or correcting the device type.


The same is true for the CONFIG_I message and the AUTHFAIL message.

Joe Clarke Mon, 08/31/2009 - 09:44

There must be a failure getting the current device state, then. Post the EssentialsDM_Server.log and EssentialsDM.log.

Joe Clarke Mon, 08/31/2009 - 10:04

There is no error, but something is wrong with getting the information from the database. I suggest you open a TAC service request so the database contents can be analyzed.
