Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1469
Views
5
Helpful
3
Replies

ARGGHHHHHHH, Syslog problem again!

yjdabear
VIP Alumni
VIP Alumni

‎10-21-2005 12:37 PM

I got these results this afternoon (10/21) with RME 3.5 IDU 11.0.

1. In Severity Level Summary, with all devices and 10/21 chosen, I get No records found.

2. In Severity Level Summary, with all devices and 10/16 through 10/21 chosen, I get No records found.

3. In Severity Level Summary, with all devices and 10/16 through 10/20 chosen, I get the regular report with syslogs up to 23:5x from 10/20.

4. In Standard Reports, with all devices and 10/20 through 10/21 chosen, I get "Invalid records received from server."

5. In Standard Reports, picking top half of the devices (alphabetically) and 10/20 through 10/21, I get the same "Invalid records received from server."

6. In Standard Reports, picking bottom half of the devices (alphabetically) and 10/20 through 10/21, I get a report back, with newest syslog messages from 00:58 today (10/21/2005) for only one device (a cat6k IOS). That means no other devices have any syslog messages for 10/21.

Based on these observations, I think either there's something wonky with the RME database that stores the syslog analysis or RME is falling terribly behind analyzing the messages. RME appears to have no problem reading syslog messages, as Syslog Collector Status "Last Activity" is only 5-7 mins behind real-time.

Labels:
0 Helpful
3 Replies 3

b.hsu
Level 5
Level 5

‎10-28-2005 06:10 AM

I think you are hitting a known issue. Try this

1. Edit /etc/syslog.conf and remove all local7 lines except the local7.info line

2. Change Storage Options

3. Add the deleted local7 lines to /etc/syslog.conf.

This should resolve the problem.

yjdabear
VIP Alumni
VIP Alumni
In response to b.hsu

‎10-28-2005 08:04 AM

Thanks! I'll give this a try.

0 Helpful

yjdabear
VIP Alumni
VIP Alumni
In response to b.hsu

‎10-28-2005 11:45 AM

It seems to have worked! I think I tried the same steps a few weeks ago that cured it for a while until this last instance. Now I recall I had seen somewhere in the CiscoWorks admin guide that it could support with local7.info. I guess local7.debug is too much for it to handle after a few weeks.

Can I have the following in syslog.conf, 1) to get more detailed logs to nmslog, and 2) to satisfy CiscoWorks?

local7.debug /var/log/syslog_info

local7.info /dev/null

0 Helpful
Customers Also Viewed These Support Documents