How do I verify the Ciscoworks syslog configuration?
I can run and see the results of inventory reports and config archives, but I see nothing when running a report on syslog.
I see in the router and switches that syslog is pointing to the ciscoworks server, but when I run a report I get nothing.
How can I verify that Ciscoworks is configured to collect and hold these events properly?
Do i need to enter logging host command on devices and what IP address and port should i use to access syslog from CiscoWorks?
To help answer your first question, can you post:
"show running | include logging"
for each type of device you want CiscoWorks to do syslog analysis for?
I don't quite understand the second part of the question: "what IP address and port should i use to access syslog from CiscoWorks". Can you elaborate?
Great, since you have Kiwi syslog server listening on a non-standard port and through tcp no less, all you need is to configure "logging host 192.168.100.32" on the 2800. It's implicitly equivalent to "logging host 192.168.100.32 transport udp port 514", I think, but you don't need to configure the extra parts. Then check NMSROOT\log\syslog.log to make sure you're seeing the 2800's logs making into that file. If not, one thing to check is whether Windows' built-in software firewall is blocking incoming traffic on UDP port 514.
Do you actually see the syslogs from the 2800 in NMSROOT\log\syslog.log? Because the Windows OS also logs to syslog.log as "Invalids", so I'm not necessarily convinced the 2800 is logging to LMS yet. To verify, can you post a few lines from NMSROOT\log\syslog.log that indicate they're from the 2800?
I finally found what the problem was. Yes, it logged into syslog.log , and showed them as invalid. The problem was that i couldnt generate reports, because there were no data. Well, the problem was the source interface's IP address. I didn't configure which interface should the device use, so Ciscoworks put all the logs into " Unexpected devices" and marked them "invalid" . Anyway, now everithyng's just fine. Thanks again for the efforts!
I'm having the same issue, somewhat. All syslog messages are getting getting received and forwared except level 7, debugging. It seems like level 7 messages are getting invalidated by ciscoworks. Can you go into more detail about the part "I didn't configure which interface should the device use"? Thank you.
try "logging source ?" on your device
the interface with the IP you use to mangen the device with should send the syslog