
Cisco works 2.6 syslog problem

paul2_uk
Level 1

Hi

I have a problem with LMS 2.6 with syslog: whenever a device sends a syslog message to the LMS server, it does not register with the server for about 30 mins, yet if I get the switch to send to another device it is pretty much instant. Is there something I can change to get LMS to update quicker?

Cheers


David Stanford
Cisco Employee

How many syslog messages are you sending to the server per minute?

Also, does it take 30 minutes for it to reach the syslog.log or syslog_info or to get into the RME reports?

Couldn't tell you how many per minute.

It seems like the syslog.log file gets updated once every 30 mins with all the information, so all my traps within that 30 mins are logged as all happening at the same time.

example:

Jan 17 2007 15:50:38 PORT_SECURITY 2 SECURITYREJECT Security violation occurred on module 0 port 14 caused by MAC address xxxx.xxxx.xxxx

Jan 17 2007 15:50:38 ILPOWER 3 CONTROLLER_PORT_ERR Controller port error, Interface Fa0/5: Power given, but link is not up

These traps are from different switches; I have used RME reporting to get the info.

Try monitoring the syslog_info file (/var/log/syslog_info on Solaris) and see if syslogs are received there in real time or not.

If they're delayed in this file, then it's an operating system issue.

I have implemented the Windows version, which uses the syslog.log file. Has anyone come across any OS problems with LMS on Windows Server 2003?

dcwalker
Level 1

I have just installed LMS 2.6 and noticed that messages don't instantly appear.

It looks like there is a process running that periodically kicks in and processes the new messages in bulk.

We get a few hundred messages an hour and I notice that the syslog won't change for at least 10 minutes and then dozens of messages appear.

I suspect they have tried to reduce the load of processing messages by batching them up a bit.

The delay is usually due to a few variables including a socket time of 30 seconds and other variables including CrmMsgCount, MaxFlushCount, and FlushIntervalInMillis.

crmlog listens for syslogs on 514/udp. It will block on the UDP socket for no more than 30 seconds PER MESSAGE. This timeout is hard-coded. It will not return the total messages read until either the 30 second timeout expires for at least one message or CrmMsgCount messages have been read.

Once it does return, it passes the messages off to be written to the syslog.log file. Those messages will not be flushed to the file, however, until either the message count reaches MaxFlushCount or the FlushIntervalInMillis timer expires.

30 sec delay is acceptable, but we get usually 5-10 minutes delay which is not.

We upgraded our system from LMS 2.1 which worked well, but now LMS 2.6 syslogs are delayed. There was no change on the transport network. I'm sure this is LMS specific.

What could cause this behaviour?

As Dave said, the new syslog daemon on Windows was optimized to support more messages per second. The downside of this is that installations with fewer messages per second will see big delays. The solution is to re-tune the crmlog daemon. By tuning this daemon to provide more real-time syslog updates, you will reduce its scalability factor.

Try setting CrmMsgCount to 30 in the Windows Registry under HKLM\SYSTEM\CurrentControlSet\Services\crmlog\Parameters, then restart the crmlog service (net stop crmlog / net start crmlog). This will reduce the number of messages needed to fill the flush buffer. The lower you make this number, the more real-time syslog becomes, but the fewer messages per second you can handle.
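
The read-stage behaviour described in the two posts above, as an added sketch that is not part of the original thread and is not Cisco's code. It models only the 30-second per-message timeout and CrmMsgCount, and shows why a steady trickle with gaps under 30 seconds waits longest and how lowering CrmMsgCount shortens that wait. The arrival times and the starting CrmMsgCount of 100 are constructed assumptions; the thread does not state the default.

```python
# Added sketch (not Cisco code): models only the crmlog read stage as the thread
# describes it. The later MaxFlushCount / FlushIntervalInMillis stage is not modelled.
SOCKET_TIMEOUT_S = 30  # per-message UDP read timeout, hard-coded per the thread


def read_batches(arrivals, crm_msg_count):
    """Return [(time_batch_is_handed_off, [arrival_times]), ...].

    A read returns once crm_msg_count messages are collected, or once 30 s
    pass with no new message while at least one message is already held.
    """
    batches, batch, last = [], [], None
    for t in sorted(arrivals):
        # The wait for this message timed out first: hand off what was held.
        if batch and t - last > SOCKET_TIMEOUT_S:
            batches.append((last + SOCKET_TIMEOUT_S, batch))
            batch = []
        batch.append(t)
        last = t
        if len(batch) >= crm_msg_count:  # buffer full: hand off immediately
            batches.append((t, batch))
            batch = []
    if batch:  # tail of the stream leaves on the final timeout
        batches.append((last + SOCKET_TIMEOUT_S, batch))
    return batches


def worst_delay(arrivals, crm_msg_count):
    """Longest time (seconds) any message waits before leaving the read stage."""
    return max(done - t
               for done, batch in read_batches(arrivals, crm_msg_count)
               for t in batch)


# Constructed arrival times in seconds; 100 is a constructed starting value for
# CrmMsgCount (the thread does not state the default).
SPARSE = [i * 60 for i in range(10)]    # one message a minute
TRICKLE = [i * 20 for i in range(100)]  # one message every 20 s

if __name__ == "__main__":
    for name, arrivals in (("sparse", SPARSE), ("trickle", TRICKLE)):
        for count in (100, 30):
            print(f"{name:8} CrmMsgCount={count:3} "
                  f"worst delay {worst_delay(arrivals, count)} s")
```

For security-relevant events such as the PORT_SECURITY violation quoted earlier in the thread, the worst-case figure is the one to compare against your alerting requirements.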

Thanks, now I have changed that registry setting everything is coming through quicker.