Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3962
Views
0
Helpful
8
Replies

CiscoPrime LMS 4.1 Syslog Report Empty

ben
Level 1
Level 1

‎02-08-2012 03:22 PM

I have a new install of LMS 4.1 on a Windows server I'm trying out.  I have switches and firewalls syslogging to the system, but when I run any kind of Syslog report (Reports > Fault and Event > Syslog) it's always blank.  I ran a Wireshark capture on the server and it's definitely receiving a ton of syslog data from the systems.  What am I missing here? :-)

1 person had this problem
Labels:
0 Helpful
8 Replies 8

Marvin Rhoads
Hall of Fame
Hall of Fame

‎02-08-2012 06:40 PM

So packets are coming in - good. Is the syslog daemon process running and listening (on udp port 514) on the server?

For the first check from your Windows services control applet or on *nix "ps -ef > grep syslog" (or from within LMS - Admin > System > Server Monitoring > Processes.).

For the second, "netstat -a" from command line and look for a listener on udp 514.

0 Helpful

ben
Level 1
Level 1
In response to Marvin Rhoads

‎02-08-2012 09:23 PM

Hey Marvin,

Thanks for the reply, but it all looks like it's listening correctly:

58.SyslogAnalyzerRunning normally9944002/8/2012 6:32:10 PMNot applicable
59.SyslogCollectorRunning normally3160002/8/2012 6:30:44 PMNot applicable

  UDP    0.0.0.0:514            *:*

I got frustrated with it and blew out LMS and re-installed it, and it's doing the same thing. :-)

0 Helpful

jahamby
Level 1
Level 1
In response to ben

‎03-12-2012 07:25 AM

Ben,

I'm having exactly the same problem, and my results for the tests above are the same. The syslog.log file is being updated, but the syslog reports are empty. Did you ever get this resolved?

Thanks,

0 Helpful

MARK GRABER
Level 1
Level 1

‎03-13-2012 11:14 AM

I'm having this issue with a new LMS 4.2 on the LINUX virtual appliance.   I'm not seeing any syslog messages on the server, but they are definitely being sent to it.

0 Helpful

Dan Knight
Level 1
Level 1
In response to MARK GRABER

‎07-18-2012 01:26 PM

Hi Mark.  Did you ever get this resolved?  I'm getting syslog message but not all of them.

0 Helpful

Martin Ermel
VIP Alumni
VIP Alumni
In response to Dan Knight

‎08-10-2012 07:52 AM

perhaps this is of some help for anybody....

I just troublshoot a LMS 4.2.1 installation on windows where the syslog report did not show any syslog message ("no data available") nor did any syslog report had any data.

SyslogCollector and SyslogAnalyzer where running fine and the server itself was successfully subscribed to the SyslogCollector (Admin > Collection Settings > Syslog > Syslog Collector Status). What was really suprising was the fact, that the counter for "Forwarded" messages was rising when syslogs arrived in the syslog.log file.

In the end it turns out, that this was a fresh installation of LMS 4.2 (updated to LMS 4.2.1) and the effort to restore the database from the old LMS 3.2.1 system failed. To get the minimum data form the old LMS system, only the devices were exported form the old system and imported into the new system - a discovery was never done.

In the AnalyzerDebug.log I found that while the system was trying to insert the messages into the syslog db the process fails because it could not associate a DcrId to the IP which was sending the syslog message.

Also DNS was running in round-robin mode in the network. I finially added the devices to the hosts file, did run a discovery and the syslog messages started to show up in the report.

to see the relevant messages in the AnalyzerDebug.log, debugging for SyslogAnalyzer must be turned on.

these are the troubleshooting steps and this is what I saw in the AnalyzerDebug.log:

=======================================

enable debugging

Admin > System > Debug Settings > Config and Image Management Debugging Settings

    Set Application Logging Levels >> SyslogAnalyzer (scroll down)

        set Syslog Analyzer and Syslog Analyzer User Interface from INFO to DEBUG

(do not foret to reset debugging when finished!)

NMSROOT\log\AnalyzerDebug.log

[...]

[ Fri Aug 10  14:34:54 CEST 2012 ],DEBUG,[ActionThread3],com.cisco.nm.rmeng.util.DCRWrapperAPIs,getResultFromQuery,4008,Counter : 17

[ Fri Aug 10  14:34:54 CEST 2012 ],DEBUG,[ActionThread3],com.cisco.nm.rmeng.inventory.InvAPIs,getDeviceIdsFromIPAddresses,3038,For IP Address: 192.168.x.x Device id is:null

[ Fri Aug 10  14:34:54 CEST 2012 ],DEBUG,[ActionThread3],Device id not found even in the inventory

[ Fri Aug 10  14:34:54 CEST 2012 ],DEBUG,[ActionThread3],Found the device id as null

[ Fri Aug 10  14:34:54 CEST 2012 ],DEBUG,[ActionThread3],Attempting to insert the syslog into database

[ Fri Aug 10  14:34:54 CEST 2012 ],DEBUG,[ActionThread3],Preparing to hand of syslog to the database handler

[ Fri Aug 10  14:34:54 CEST 2012 ],DEBUG,[ActionThread3],Syslog length=1

[ Fri Aug 10  14:34:54 CEST 2012 ],DEBUG,[ActionThread3], Time stamp of the syslog received is : Fri Aug 10 14:34:02 CEST 2012 GMT 10 Aug 2012 12:34:02 GMT

[ Fri Aug 10  14:34:54 CEST 2012 ],DEBUG,[ActionThread3],Inside execute mothod

[ Fri Aug 10  14:34:54 CEST 2012 ],DEBUG,[ActionThread3],Insert into SYSLOG_20120710(Syslog_Device_Id,Syslog_Device_Name,Syslog_TimeStamp,Syslog_Facility,Syslog_SubFacility,Syslog_Severity, Syslog_Mnemonic,Syslog_Description )values(?,?,?,?,?,?,?,?)

[ Fri Aug 10  14:34:54 CEST 2012 ],DEBUG,[ActionThread3],Inside Retry count

[ Fri Aug 10  14:34:54 CEST 2012 ],DEBUG,[ActionThread3],Connection is now false

[ Fri Aug 10  14:34:54 CEST 2012 ],DEBUG,[ActionThread3],Recreated the statement object

[ Fri Aug 10  14:34:54 CEST 2012 ],DEBUG,[ActionThread3],Row count 1

[ Fri Aug 10  14:34:54 CEST 2012 ],DEBUG,[ActionThread3],Added syslog to the database handler

[ Fri Aug 10  14:34:54 CEST 2012 ],DEBUG,[ActionThread3],Insertion of syslog into database is done

[ Fri Aug 10  14:34:54 CEST 2012 ],DEBUG,[ActionThread3],Attempting to find interested actions, bypassing

[ Fri Aug 10  14:34:54 CEST 2012 ],DEBUG,[ActionThread3],Syslog is found to be unexpected. No actions will be taken, returing

[ Fri Aug 10  14:36:33 CEST 2012 ],DEBUG,[Thread-15],Preparing to get collector status

[ Fri Aug 10  14:36:33 CEST 2012 ],DEBUG,[Thread-15],Current no. of collectors is 1

[ Fri Aug 10  14:36:33 CEST 2012 ],DEBUG,[Thread-15],Processing for the subscription LMSServerNmeLMSServerName

[ Fri Aug 10  14:36:33 CEST 2012 ],DEBUG,[Thread-15],getCollector =192.168.y.y

[ Fri Aug 10  14:36:33 CEST 2012 ],DEBUG,[Thread-15],Port4444

[ Fri Aug 10  14:36:33 CEST 2012 ],DEBUG,[Thread-15],Connected to the collector 192.168.y.y@4444

[ Fri Aug 10  14:36:33 CEST 2012 ],DEBUG,[Thread-15],Gathered status from collector

[ Fri Aug 10  14:36:33 CEST 2012 ],DEBUG,[Thread-15],Captured the status from the collector

[ Fri Aug 10  14:36:33 CEST 2012 ],DEBUG,[Thread-15],Done with the status collection

[...]

==================================================

0 Helpful

jbhanderi671
Level 1
Level 1

‎06-24-2013 12:01 PM

I am having a same problem with linux base server. Any body know how to resolved it ??

0 Helpful

ayuditskiy
Level 1
Level 1

‎07-07-2013 11:35 PM

I have had same problem with LMS Prime 4.1 Linux.

it was decided by the correct record in  DNS

of the switch and server LMS

0 Helpful
Customers Also Viewed These Support Documents