Solved: LMS 3.2 - Syslog Config fetch not working

Sven Hruza · ‎06-07-2010

Hello,

the syslog config fetch on my LMS 3.2 with RME 4.3.0 is not working.

I get syslog messages from devices and the count in the syslog collector status is okay.

But in the syslog message summary in device center the count is not getting higher with every message.

And the config fetch is not working.

I changed the logging level in the collector-properties to "debug" and got the following messages for a device which I want to fetch:

SyslogCollector - [Thread: EvaluatorThread-0] DEBUG, 07 Jun 2010 14:40:24,546, FcssEmblemProcessor - About to process the syslog string : Jun 07 14:40:23 10.155.224.102 53: Jun 7 14:39:57: %SYS-5-CONFIG_I: Configured from console by shru1307 on vty0 (4.26.16.20)
SyslogCollector - [Thread: EvaluatorThread-0] DEBUG, 07 Jun 2010 14:40:24,546, Parser : com.cisco.nm.rmeng.fcss.common.FcssEmblemAFormatParser@13bd574
SyslogCollector - [Thread: EvaluatorThread-0] DEBUG, 07 Jun 2010 14:40:24,546, Parser : com.cisco.nm.rmeng.fcss.common.FcssEmblemBFormatParser@13adc56
SyslogCollector - [Thread: EvaluatorThread-0] DEBUG, 07 Jun 2010 14:40:24,546, Parser : com.cisco.nm.rmeng.fcss.common.FcssGenericFormatParser@157aa53
SyslogCollector - [Thread: EvaluatorThread-0] DEBUG, 07 Jun 2010 14:40:24,546, Parser : com.cisco.nm.rmeng.fcss.common.CSSSyslogFormatParser@6f50a8
SyslogCollector - [Thread: EvaluatorThread-0] DEBUG, 07 Jun 2010 14:40:24,546, EmblemA not valid.
SyslogCollector - [Thread: EvaluatorThread-0] DEBUG, 07 Jun 2010 14:40:24,546, EmblemB not valid.
SyslogCollector - [Thread: EvaluatorThread-0] DEBUG, 07 Jun 2010 14:40:24,546, EmblemA valid.
SyslogCollector - [Thread: EvaluatorThread-0] DEBUG, 07 Jun 2010 14:40:24,546, Setting daemon date
SyslogCollector - [Thread: EvaluatorThread-0] DEBUG, 07 Jun 2010 14:40:24,546, After adjusting the offset Mon Jun 07 14:40:23 CEST 2010 GMT 7 Jun 2010 12:40:23 GMT
SyslogCollector - [Thread: EvaluatorThread-0] DEBUG, 07 Jun 2010 14:40:24,546, Parsed using the parser : com.cisco.nm.rmeng.fcss.common.FcssGenericFormatParser@157aa53
SyslogCollector - [Thread: EvaluatorThread-0] DEBUG, 07 Jun 2010 14:40:24,546, FcssEmblemProcessor - Valid EMBLEM format. Passing on...
SyslogCollector - [Thread: FilterThread-0] DEBUG, 07 Jun 2010 14:40:24,546, Converted syslog to filter string. Filter string is 10.155.224.102;;;SYS-5-CONFIG_I: Configured from console by shru1307 on vty0 (4.26.16.20)
SyslogCollector - [Thread: FilterThread-0] DEBUG, 07 Jun 2010 14:40:24,546, ^((10\.161\.1\.45);;;(\S+)(-(\S+))?-(.*)(-(.*\s*))?\s*:\s*.*)$
SyslogCollector - [Thread: FilterThread-0] DEBUG, 07 Jun 2010 14:40:24,546, FcssFilterPatternSet- inside 6
SyslogCollector - [Thread: FilterThread-0] DEBUG, 07 Jun 2010 14:40:24,546, getInterestedSubscribers() - Incrementing filtered count for HNW2K3CISCO03
SyslogCollector - [Thread: FilterThread-0] DEBUG, 07 Jun 2010 14:40:24,546, getInterestedSubscribers() - No interested subscribers. Returning null.
SyslogCollector - [Thread: FilterThread-0] DEBUG, 07 Jun 2010 14:40:24,546, Entered zero size

I attached the AnalyzerDebug.log, syslog_debug.log, SyslogAnalyzer.log and SyslogCollector.log for further informations.

Thanks for any advice!

Sven

Joe Clarke · ‎06-14-2010

The SyslogCollector.log looks good. Post the AnalyzerDebug.log along with a raw message which came in and should be shown in the log.

View solution in original post

Joe Clarke · ‎06-07-2010

Post a screenshot of RME > Tools > Syslog > Message Filters.

Sven Hruza · ‎06-07-2010

Hi Joe,

thanks for your reply.

I read something about faulty filter settings in another thread and I checked the filters once again.

The only filter I enabled is a filter for all syslog messages from one device which has a problem we can't fix at the moment.

Please have a look on the screenshots.

Is there a possibility to see which syslog messages are forwarded, invalid, filtered, dropped and received?

There is a gap between the received and forwarded, invalid, filtered and dropped.

I thought that forwarded + invalid + filtered + dropped = received.

The strange thing is, that I see the SYS-5-CONFIG_I message in the device center view of my test device, but the config fetch will not be started.

Thanks!

Sven

Joe Clarke · ‎06-08-2010

This has all the visible symptoms of CSCtc18888. However, the logs aren't jiving. Can you post new SyslogCollector.log, AnalyzerDebug.log, and syslog.log over the same time period showing one specific CONFIG_I message?

Sven Hruza · ‎06-08-2010

Hello,

I will check this.

I created an email allert for SYS-5-CONFIG_I messages and sometimes last night I got this emails.

Is it possible that syslog messages from wireless controllers make this trouble to LMS?

Thanks!

Joe Clarke · ‎06-09-2010

Yes. The bug states that if an unexecpted message arrives in the buffer at the same time as a message to be processed, the automated action engine will skip both messages. A patch is available from TAC to correct this behavior.

Sven Hruza · ‎06-10-2010

Thanks a lot, Joe!

I opened a case to get the patch.

One more question to the Collector Status.

Is it possible to get informations about which devices are responsible for the "Invalid messages"?

This would be very useful to figure out which devices are wrong configured or something like that.

Joe Clarke · ‎06-10-2010

Chances are these messages are not coming from devices, but from Daemon Manager. On Windows, the syslog.log is shared by device messages and dmgtd messages. The latter are all considered invalid by SyslogCollector. But, if you do get invalid device messages, you'd have to comb through the SyslogCollector.log to find the device generating them.

Sven Hruza · ‎06-14-2010

Hello,

I got the patch, but the situation is the same.

I attached the the syslogCollector.log starting with the restart of the process syslog Collector.

Before I disabled all syslog filters and set the filter type to "keep".

Debug level is DEBUG.

I saw that the collector in collector status was not working. I did unsubscribe and a subscribe once again. Now I see new messages.

Thanks!

Joe Clarke · ‎06-14-2010

The SyslogCollector.log looks good. Post the AnalyzerDebug.log along with a raw message which came in and should be shown in the log.

Sven Hruza · ‎06-14-2010

Hello,

I did the test and all I can find in the AnalyzerDebug.log is the following message:

[ Tue Jun 15 08:40:23 CEST 2010 ],INFO ,[Thread-18],newsyslogqueue Dropping the syslog as queue is full 100000

I found another thread here in the community with that message, but now solution for it.

Thanks!

Sven Hruza · ‎06-15-2010

After I restarted the processes the syslog queue is empty and the config fetch works :-)

Output from syslog.log:

Jun 15 09:37:51 4.72.80.13 3131: Jun 15 09:36:59.881: %SYS-5-CONFIG_I: Configured from console by shru1307 on vty0 (4.26.16.20)

Output from AnalyzerDebug.log:

[ Tue Jun 15 09:37:52 CEST 2010 ],INFO ,[Thread-2],com.cisco.nm.rmeng.dcma.client.RmeSaDcmaActionHandler,act,74,Invoking Config collection for syslog message
[ Tue Jun 15 09:37:52 CEST 2010 ],INFO ,[Thread-2],com.cisco.nm.rmeng.dcma.client.RmeSaDcmaActionHandler,act,81,Before triggering syslog config fetch
[ Tue Jun 15 09:37:52 CEST 2010 ],INFO ,[Thread-2],com.cisco.nm.rmeng.dcma.client.RmeSaDcmaActionHandler,act,83,Syslog Timestamp Tue Jun 15 09:37:51 CEST 2010
[ Tue Jun 15 09:37:52 CEST 2010 ],INFO ,[Thread-2],com.cisco.nm.rmeng.dcma.client.RmeSaDcmaActionHandler,act,85,DCMA Endtime String 2010-06-10 00:51:02.94
[ Tue Jun 15 09:37:52 CEST 2010 ],INFO ,[Thread-2],com.cisco.nm.rmeng.dcma.client.RmeSaDcmaActionHandler,act,90,DCMA Endtime String after formatting Thu Jun 10 00:51:02 CEST 2010
[ Tue Jun 15 09:37:52 CEST 2010 ],INFO ,[Thread-2],com.cisco.nm.rmeng.dcma.client.RmeSaDcmaActionHandler,act,98,Buffer Time after adding 5 minutes Thu Jun 10 00:56:02 CEST 2010
[ Tue Jun 15 09:37:52 CEST 2010 ],INFO ,[Thread-2],com.cisco.nm.rmeng.dcma.client.RmeSaDcmaActionHandler,act,101,Triggering fetch on syslog since Timestamp > bufferTime

My last question is now, what can I do that the syslog queue will not getting full one more time?

Is logrot a solution? My syslog.log will be rotated at 128 MB.

Thanks a lot!

Sven