LMS 3.2 - Syslog Issue - Missing Syslog Data in Reports

Unanswered Question
Feb 25th, 2010
User Badges:

I recently installed LMS 3.2 on a virtual machine running Windows 2003 R2 Standard on VMware ESX 3.5 cluster to replace our current installation of LMS, which is 2.5 running on Solaris.  This is a brand new installation and not an upgrade.  For the most part, everything seems to be functioning properly with the exception of Syslog.  After importing all of our network devices (about 200) into LMS 3.2, I started noticing issues with Syslog.  When I run Syslog reports in RME, such as a 24 hour report for all devices, there are large and small time frames where there is no syslog data in the report.  For example, when I ran a 24 hour report the other day there were the following time frames where there was no syslog data in the report for any of my devices:


Feb 08 2010 18:19:04 - Feb 08 2010 18:28:33
Feb 08 2010 23:05:39 - Feb 08 2010 23:10:15
Feb 09 2010 01:07:47 - Feb 09 2010 01:41:56
Feb 09 2010 05:03:46 - Feb 09 2010 06:38:00


During those times, there was syslog data being written to the syslog.log file on the server and we do not have any special syslog filters configured.  Furthermore, since I still have my old LMS 2.5 server running, I can also verify on it that there should be syslog data in the report for those time frames.  Both servers are pretty configured the same.


I have had a TAC case open since the beginning of February but they have made no progress on this issue.  Furthermore, since this issue surfaced it has gotten worse.


Please assist.  Thanks.

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
Joe Clarke Thu, 02/25/2010 - 21:35
User Badges:
  • Cisco Employee,
  • Hall of Fame,

    Founding Member

If the syslog messages are making it into the log, the next step would be to enable SyslogCollector and SyslogAnalyzer debugging, then reproduce the problem, and check the SyslogCollector.log and AnalyzerDebug.log for a reason as to why the messages are not making it into the DB.  If you have a TAC service request open, they can walk you through these steps.


There could be another problem as well.  The messages might be getting into the RME database (and this will be seen in the logs, and can be determined by running SQL queries against the database), but perhaps they are being added with the wrong timestamps.  I have seen this in the recent past with CSS syslog messages.


Again, get TAC to walk you through the debugging steps.  The logs should reveal what is going on.

Actions

This Discussion

Related Content