cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1065
Views
0
Helpful
2
Replies

LMS4 Syslog automated action anomaly

jedavis
Level 4
Level 4

LMS 4.2.1 on W2K8 R2

I just want to send an email for any sev 1 or 2 syslog messages received.  I set up an automated action that looks like this:

Automated Action Summary
Name: Critical Events Email
Devices: *
State: Enabled
Parameters: TO=John.Doe@example.com, SUB=LMS4 Syslog AA, TEXT=
Action Type: Email
Messages: *-*-1-*:* *-*-2-*:*

Yet I seem to be getting emails triggered by messages from ASA devices that are not severity 1 or 2, like:

%ASA-session-4-106023

%ASA-auth-3-109023

%ASA-auth-6-109001

Am I doing something wrong, or is there some sort of bug I am hitting?  I can't believe that I am the first person to try this.

Thanks,

-Jeff

2 Replies 2

Martin Ermel
VIP Alumni
VIP Alumni

I do not know what exactly you have done so far but in your situation I would enable the following debugs:

open that file in a text editor

NMSROOT\MDC\tomcat\webapps\rme\WEB-INF\classes\com\cisco\nm\rmeng\csc\data\Collector.properties

and change the debug level from Info to Debug:

    DEBUG_LEVEL=DEBUG

also enable SyslogAnalyzer debugging here:

Admin > System > Debug Settings > Config and Image Management Debugging Settings

    Set Application Logging Levels >> SyslogAnalyzer (scroll down)

        set Syslog Analyzer and Syslog Analyzer User Interface from INFO to DEBUG

in a DOS box check the status of the following processes (the should be started) and restart them:

    pdshow SyslogAnalyzer SyslogCollector

    pdterm SyslogAnalyzer SyslogCollector

    pdexec SyslogAnalyzer SyslogCollector

    pdshow SyslogAnalyzer SyslogCollector

When the issue happens again check the following log files and post them on the forum:

    NMSROOT\log\SyslogCollector.log

    NMSROOT\log\AnalyzerDebug.log

I have a case open with TAC and I have supplied them with the debug logs.  Apparently I am not the only one to report this.  The case has been escalated and I am waiting for a solution.  I expect that a patch will be required.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: