Syslog messages are not getting into RME

Unanswered Question
Feb 15th, 2010

Dear All,

we are using CW LMS 3.2.

If I go to Device Center I can't see any syslog message in 24-hour Syslog Message Summary. Everything shows zero. First I checked syslog file in Log folder and I could see syslog messages in this file. Then I checked Collector Status. I can see number of received and forwarded numbers increase.  I Even unsubscribed and subscribed back and then restarted  SyslogAnalyzer and SyslogCollector processes, but it didn't help

Dear Experts, any ideas? my change audit doesn't work because of this problem.

Thanks a lot.

UPD. Just checked unexpexted device syslog report. Took one of the devce from this list and added it to Common Services. Made sure that device is fully discovered: inventory collected and configuration is synched. and again can't see anything in 24-hour Syslog Message Summary for any device.

All syslog filters are default. attached syslog files to give more information.

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (2 ratings)
Loading.
Joe Clarke Mon, 02/15/2010 - 17:46

If the number of forwarded messages is increasing, then the messages should be getting written to the RME database.  Post a sample of messages not making it into the database.  Recheck the unexpected devices report to make sure the new messages are not still showing up there.  Also post the AnalyzerDebug.log.

agipkcolon Tue, 02/16/2010 - 01:01

Looks like I found the reason. I imported all 400 devices yesterday and then I discovered that I could see some of the syslogs in RME.

I compared configs of the devices and found out that devices that has 4 characters TIMEZONE in syslog message (eg. KZAT) don't get into RME and with 2 or 3 characters characters are successfully logged into RME.

I am going to play a little bit more about it today, but can I change this RME behaviour so it can accept 4 characters timezone? I am not very happy about adjusting configuration for all our devices. and these timezones were working fine with CW LMS 3.0.1.

attached AnalyzerDebug.log as you requested.

Thanks a lot for your help.

Joe Clarke Tue, 02/16/2010 - 10:43

RME has no problem with four -letter timezones.  KZAT is just not a supported timezone.  Modify NMSROOT/MDC/tomcat/webapps/rme/WEB-INF/classes/com/cisco/nm/rmeng/fcss/data/TimeZone.lst, and add the timezone with the appropriate offset from GMT.  Then restart SyslogCollector and SyslogAnalyzer.  New messages should appear properly.

agipkcolon Tue, 02/16/2010 - 11:14

Thanks a lot again, Joe.

Just one note - I can see syslog from switches that have KZ Timezone configured. I checked Timezone.lst file and didn't find this zone. I also tried other non standard timezone abbreviations and they all work if they are not more than 3 letters.

But anyway, thanks for a good hint.

Joe Clarke Tue, 02/16/2010 - 13:30

The messages are most likely making it into the database.  It's just that the timestamp being used may not be correct.  RME may be obtaining a timestamp in the future, which is causing your searches to fail.  It's best to make sure the device is sending syslog messages with a timestamp which RME understands.  This includes a supported timezone.

Actions

This Discussion