Syslog triggered fetch config

Aug 1st, 2010

Hi,


I have an issue with syslog triggered fetch config feature. The problem is that LMS expects Sub-facility to be a part of the syslog message.


I have set the Facility to be SYS and severity 5. Result? Nothing is happening, because none of our devices send Sub-facility and therefore the automated action will never take place.



Name:  mail notif

Devices:  *

State:  Enabled

Parameters:  [email protected], SUB=CW RME Syslog AA, TEXT=TEST !

Action Type:  Email

Messages:  SYS-*-5-*:*



The devices send *-*-*:*  messages and not *-*-*-*:*
If you have any solutions for this silly problem I am all yours
Martin
Sven Hruza Sun, 08/01/2010 - 10:14

Hi,


I don't understand what you want to do.

You want to get an email when a config is fetched triggered by syslog?


You can compare the system defined config for config check to see how the syslog message is configured with facility and so on.



Sven

Martin Smid Sun, 08/01/2010 - 10:37

No No. All I want is LMS to fetch the config when a syslog message about config change is sent


The devices send "SYS-5-CONFIG_I: Configuration changed" message.


And because LMS expects *-*-*-*:* format, the automated fetch procedure is not executed.


See the difference ? LMS expects 5 variables in the message and the devices send only 4.


Message was edited by: Martin Smid

Martin Smid Sun, 08/01/2010 - 14:54

The filter posted in first post is customized. That does not change the fact that even the default filters do not work.


I mentioned the reason for the failures is that LMS expects something from the devices it will not get.


It looks like my explanation is not being understood.


"SYS-5-CONFIG_I: Configuration ..."


SYS = facility

5 = severity

CONFIG_I = mnemonic

Configuration ... = Description



and this is how it is going through the LMS filter


SYS = facility

5 = sub-facility

CONFIG_I = severity

Configuration ... = mnemonic

no description


LMS needs to skip the check for sub-facility.


The only way how I could get an automated action is to create filter *-*-*-*:*  That is the only filter, which resulted with successfully sent email to the recipient.


Maybe I am doing something terribly wrong, but the bottom line is that even the default filters do not work.

Sven Hruza Sun, 08/01/2010 - 22:09

Do you have this problem with all your devices or only with one device type?


I checked my default auto action for config fetch:


Facility: SYS

Sub-Facility: *

Severity: 5

Mnemonic: CONFIG_I

Description: *


But there are a lot of other syslog-entries for that action!


What do you mean with "and this is how it is going through the LMS filter"? Where did you see this?

You have the word "configuration" in your syslog message?


Did you try to check the syslog messages from the devices with wireshark on the server?



Sven

Martin Smid Sun, 08/01/2010 - 23:44

Hi,


Here is the syslog message from the device


1045204: Aug  2 07:33:20.021: %SYS-5-CONFIG_I: Configured from console by martin.smid onvty2 (x.x.x.x)


(that's where the "Configured" is from. I just didn't want to write down the whole description and the IP was replaced)


About the LMS filter. I thought if LMS awaits 5 variables it will look for 5 variables. And as you can see in the syslog message, the devices send only 4. (No Sub-Facility)


The syslog messages do arrive to LMS. You can see it in the screenshot.


And yes, none of the devices trigger automated action.


Martin

Sven Hruza Sun, 08/01/2010 - 23:58

Hi Martin,


okay....now I understand :-)


Maybe it is a little bit bad description of syslog messages....but the allocation of the variables is as I wrote before.


%SYS-5-CONFIG_I: Configure....


means:

Facility: SYS

Sub-Facility: not present -> so it will be a * in the filter

Severity: 5

Mnemonic: CONFIG_I

Description: Configuration..... -> so it will be a * in the filter because I am not sure if there are different descriptions between device types.


I never saw a syslog message with sub-facility, so I can't tell you how this would look like.


Is the default auto action for config fetch enabled?


Do the messages arrive at the LMS server?



I had the same problem with config fetch some times ago.

https://supportforums.cisco.com/thread/2026181?tstart=0


Please check if the auto action for another syslog message is working? If you have a test device you can create a filter for that single device and filter for a special syslog message and send an email to you.

If this is not working, too, it is possible that you have the same analyser problem than me.



Sven
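
The field allocation described in the post above, as an added example that is not part of the original thread and is not LMS code: a parser for the `%FACILITY[-SUBFACILITY]-SEVERITY-MNEMONIC: description` header that treats the sub-facility as optional, plus a matcher for filters written in the thread's `SYS-*-5-*:*` notation. The function names and the five-field sample line are constructed for illustration; the four-field line is the one quoted earlier in the thread.

```python
import re
from fnmatch import fnmatchcase

# %FACILITY[-SUBFACILITY]-SEVERITY-MNEMONIC: description
# Severity is a single digit 0-7, which lets the parser tell a 4-field
# header from a 5-field one instead of assigning fields by position.
IOS_MSG = re.compile(
    r"%(?P<facility>[A-Z0-9_]+)"
    r"(?:-(?P<subfacility>[A-Z0-9_]+))?"
    r"-(?P<severity>[0-7])"
    r"-(?P<mnemonic>[A-Z0-9_]+):\s*(?P<description>.*)"
)

# Line quoted in the thread (IP already masked by the poster).
DEVICE_LINE = ("1045204: Aug  2 07:33:20.021: %SYS-5-CONFIG_I: "
               "Configured from console by martin.smid onvty2 (x.x.x.x)")
# Constructed sample with a sub-facility, for comparison only.
FIVE_FIELD_LINE = "%FAC-SUB-3-EVENT: constructed five-field sample"


def parse_ios_syslog(line):
    """Return the five header fields as a dict, or None if no header found."""
    m = IOS_MSG.search(line)
    if m is None:
        return None
    fields = m.groupdict()
    # An absent sub-facility becomes "", which a "*" filter still matches.
    fields["subfacility"] = fields["subfacility"] or ""
    return fields


def matches_filter(line, pattern):
    """Match a line against FACILITY-SUBFACILITY-SEVERITY-MNEMONIC:DESCRIPTION."""
    msg = parse_ios_syslog(line)
    if msg is None:
        return False
    head, _, desc = pattern.partition(":")
    fac, sub, sev, mnem = head.split("-", 3)
    wanted = {"facility": fac, "subfacility": sub, "severity": sev,
              "mnemonic": mnem, "description": desc or "*"}
    return all(fnmatchcase(msg[k], v) for k, v in wanted.items())


if __name__ == "__main__":
    print(parse_ios_syslog(DEVICE_LINE))
    print(matches_filter(DEVICE_LINE, "SYS-*-5-CONFIG_I:*"))
```
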

Martin Smid Mon, 08/02/2010 - 00:19

Hehe, yeah. Sorry for the little confusion.


Here are the screenshots of the configured actions and message filters. (In the previous posts I was referring to message filters and in fact I meant message types, sorry for that :-) )

Sven Hruza Mon, 08/02/2010 - 00:57

Please check if another auto action is working as I wrote in my last post.


If no, it could be a problem with the queue of SyslogAnalyser.

Please restart the services with "net stop crmdmgtd" and "net start crmdmgtd" so the queue should be empty and the action should work.



Sven

Martin Smid Mon, 08/02/2010 - 01:08

This does not work for a long time (3 months roughly) and I found enough time just now. The server was restarted several times and also upgraded. I will wait for Joe to show up or anyone else from Cisco and I will probably have to raise a TAC request.


Thanks for the help though. I will post the solution when we get it


Cheers,


Martin

Martin Smid Tue, 08/31/2010 - 13:14

This was fixed by a patch. The bug caused NON-RME devices to affect the response to the RME devices. In other words if you have non-RME devices it could cause troubles with automated syslog actions.
