How to view router/switch logs using LMS 3.2?

Unanswered Question
Mar 23rd, 2010
User Badges:

Of course I can log into each of my 100 routers and switches and peforms "sh loggin" to look for problems, but how do I use LMS 3.2 to consolidate all those logs into one location?  Can I set up something so I can see those logs in more or less real time?


Thanks in advance.

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
Loading.
yjdabear Tue, 03/23/2010 - 09:11
User Badges:
  • Gold, 750 points or more

RME provides the Syslog Analysis tool for centralized reporting. Here's a guide written for RME 3.x, but the same applies to RME 4.x of LMS 3.2:

http://www.cisco.com/en/US/products/sw/cscowork/ps2073/products_tech_note09186a00800a7275.shtml


Of course, the reports need to be either scheduled or run manually, so I don't consider it "real-time". OTOH, "interesting" syslogs can be acted upon in real-time via the Automated Actions feature of RME (email or triggering a custom script).

Tod Larson Tue, 03/23/2010 - 20:46
User Badges:

The terminology is confusing me.


Does LMS go get syslog messages periodically or does the device send a copy to LMS whenever it generates a new message?


What's the benefit of scheduling a report to run automatically?  Is it saved somewhere that is easier/quicker to get to?


Can new syslog messages from devices be posted to an RSS feed?

yjdabear Wed, 03/24/2010 - 20:26
User Badges:
  • Gold, 750 points or more

>> Does LMS go get syslog messages periodically or does the device send a copy to LMS whenever it generates a new message?


The latter.


If for some reason, the devices cannot log directly to LMS, there're a few options: 1) Devices log to a central syslog server, which in turn exposes the syslogs to LMS' Syslog Analyzer, either via the Cisco-supplied Remote Syslog Collector or some unsupported methods such as NFS mount, or 2) Install Syslog-ng on the central syslog server, relay the logs to LMS, as described in this whitepaper: http://www.cisco.com/en/US/prod/collateral/netmgtsw/ps6504/ps6528/ps2425/white_paper_c11-571038.html


>> What's the benefit of scheduling a report to run automatically?  Is it saved somewhere that is easier/quicker to get to?


It's the usual benefits of automation. Scheduled syslog reports apparently write outputs to /var/adm/CSCOpx/files/rme/cri/archives/syslog/reports/output/[jobID_runID], on Solaris, for example. The structure inside is rather muddy. So it might be easier to have something like a VBscript to screen-scrape the LMS web GUI for the report outputs instead.


>> Can new syslog messages from devices be posted to an RSS feed?


That's a novel idea. Though obviously not from the devices directly, it most likely coud be done through some "syslog2rss" relay residing on the syslog server. I think the potential volumes of logs could be too much for RSS, unless careful filtering/deduplication takes place on the relay before posting to a feed.

Actions

This Discussion