I am having problems with our client's Ciscoworks LMS server losing so much disk space in just a short time. Their server's capacity is 83GB and was setup last June 2006. They started experiencing the problem 2 weeks ago. The database files: SyslogFirst, SyslogSecond, and SyslogThird under the folder C:\Program Files\CSCOpx\databases\rmeng are 16GB, 62GB, and 6GB respectively. The SyslogFirst was transferred to a different partition so that they can still have space on drive C:. We noticed that the file size of SyslogSecond is incrementing but not as fast as the syslog file under C:\Program Files\CSCOpx\log which is incrementing at a rate of 8-10 MB per minute. Whenever the server is experiencing low disk space, he transfers the syslog file to another partition to free up the C: drive.
Things that we did:
(1) We tried accessing the previous syslog file but it cannot be opened because it's about 16GB in size. The file might help us which device is frequently sending logs to the server.
(2) We just assumed that their Cisco PIX 535 is sending a lot of logs to the server so we deleted the device from the database under Common Services, but still the syslog file is incrementing. Tried ânet stop crmdmgtdâ but did not work. The only way that it stopped incrementing was to stop CWCS syslog service with a path C:\Program Files\CSCOpx\bin\crmlog.exe under Services on Computer Management of Windows 2003 Server.
(3) We have already setup a backup purge for syslog when it reaches 100MB.
(1) Is it ok if we delete/reduce the files SyslogFirst, SyslogSecond, and SyslogThird under C:\Program Files\CSCOpx\databases\rmeng?
(2) Is their any way on we can check what device sends the most logs to the server?
(3) Why is the Collection settings and Purge Settings window under RME\ Administration\Config Management\Archive Mgmt closes when we try to access it?
Your immediate response to this matter is highly appreciated. Thanks!
You cannot move these data spaces. You cannot read them, either, as they are binary.
1. You cannot simply delete them as you will corrupt the rmeng database. You can open a TAC service request, and a class file called DBSpaceReclaimer.class can be provided that will remove these files safely.
2. You can check NMSROOT\log\syslog.log to see the device sending the most messages. You can also run a syslog report in RME to get information as to what messages are currently in the database.
3. This sounds like a completely separate issue. I recommend you start a new thread on this issue with more details as to what you are seeing (with screenshots) as well as what browser you are using.
Thank you for your immediate response on my queries.
1. Is the file DBSpaceReclaimer.class be provided only when I open a TAC case?
2. I have ran a syslog report and have set it from July 3, 2007 upto January 3, 2008. I've noticed that their Cisco PIX 535 frequently sends logs to the server that it occupied all 500 pages of the report and the date of the logs were mostly December 26, 2007. What syslog report does is that it posts logs from the latest date up until the oldest date. This is the reason why I assumed that their PIX 535 eats up a lot of the syslog file, that I removed it from the server's list of devices.
3. Yes I will start a new thread on the Collection settings and Purge settings.
1. Yes, if you ask for the class to free up syslog-related disk space, TAC will provide it.
2. Removing a device from RME or DCR will not prevent its syslog messages from being added into the syslog data spaces. They will be added as unexpected device messages. If you want to stop the messages, you must remove the syslog destination from the device itself.
Is there a way that we can limit the log messages being received by Ciscoworks? Like having just critical or warning logs and not those of informational ones?
You can either do this filtering on the device, or using RME's Syslog message filter feature (RME > Tools > Syslog > Message Filters).
We are trying to setting up our CiscoWorks-Syslog, in order to separate the logs that comming from CISCO-ASA and CISCO-6500. Today ASA and 6500 send the logs to Syslog Server and the log file is too big (more then 15Gb). We'd like to separate those.
Someone here knows how can we set this up?
I'm not sure what you mean when you say separate. CiscoWorks doesn't separate syslog messages. It combines them into one database which allows you to run reports across all of them. By using the reporting feature, you can look at certain sets of messages, so I guess this could be considered separation. Since it already sounds like you're receiving syslog messages on the CiscoWorks server, you must likely have this analysis component working. The reports can be run by going to RME > Reports > Report Generate, and selecting one of the Syslog Reports.
If you want to filter out (i.e. drop) certain syslog messages, then as I said before, that can be done under RME > Tools > Syslog > Message Filters.
Once the syslog messages make it to the syslog log file, they will enter the syslog system. If a filter is in place, they will be dropped before making it to the database. If the message is allowed by filters, then it will be written to the database, but it will also remain in the syslog log file. It is up to you to maintain the size of this file. That can be done with the NMSROOT/bin/logrot.pl script. The steps to configure this script are documented in the Common Services online help.
Thanks Clarke, your explanation was very helpfull. Just one more question, is that possible to limit the syslog file size(syslog.log) and DB's (first, second and third)? We are using the feature PURGED to let only the last 20 days, but we would like to set this using SIZE and not DAYS. Thanks again.
The syslog dataspaces cannot be limited in size. The syslog.log can be limited by using the NMSROOT\bin\logrot.pl tool. This tool is documented in the online help.
Hi, I am attempting to move the syslog.db from it's current dir /opt/CSCOpx/databases/rme on a UNIX system as the file is too large and filling up a partition. We can't open a browser to use the GUI (compatability problems...), so I am trying to do it from a command prompt. I read somewhere that there is a script to run to move the dir of the syslog file in /opt/CSCOpx/bin/perl , however perl is not a dir & doesn't contain any scripts. Running ./perl it'self doesn't do anything either. Does anyone know of a command I can run from UNIX to move the dir / file location? I'm not familiar with Cisco Works, I'm just trying to free up space on the /opt/ partition.