I see in the syslog collector that there are many invalid syslog messages. I have not configured any filter in the syslog filter except for severity 7 messages. I found that our network changed the source VLAN of syslog. I checked the devices that changed the VLAN, and I have no syslog data for them. Do I need to rediscover those devices? Or is there any other area that I need to look into? Thanks.
On Windows, invalid messages are actually expected. On Windows, all of the dmgtd messages are written to the syslog.log file. Since these messages are not IOS-formatted device messages, RME counts them as invalid. This is perfectly normal.
As for why you're not seeing messages from certain devices, you need to find out where the messages are being dropped in the syslog system path. First, check the syslog.log to see if the messages are actually making it to the server, and being written to the log. If not, then you need to troubleshoot the devices to make sure they're sending the messages.
Given that other devices' messages are making it into RME (I'm assuming based on your description), I'm betting that the problem is the messages are missing from the syslog.log.
I had syslog messages from those devices before, but now, after changing the VLAN source of syslog, I found that there is no syslog from those devices. This is my problem. Any guidance?
If you changed the vlan in "logging source-interface vlan###", you need to correspondingly update either the DNS entries or the IP addr(es) by which CiscoWorks manages the device(s). RME does not report syslogs for devices it does not manage (or doesn't think it manages).
This may not be necessary if you use the default filter configuration, and process messages from all interfaces on all devices.
How does LMS/RME figure out the syslogs it receives from rtr1 sourced as Vlan999 (with interface IP addr of 10.x.x.x) should be reported under the lo0 addr (172.16.x.x) by which rtr1 is managed in DCR/RME? Does it get that correlation by deep-inspecting the device config?
That's a pleasant surprise. Wish RME had the similar level of sophistication when it comes to reporting device reloads/uptime though (sysUptime MIB vs syslog).
One more question on this....
A router is discovered and managed in DCR as rtr1 with the mgmt IP address of lo0;
given that DNS resolution for syslog messages is enabled.
The following is configured in DNS for rtr1:
IP of lo0 resolves to rtr1 and
IP of Vlan999 resolves to rtr1-vlan999
How would Syslog Analyzer behave in this situation when changing the syslog source interface from lo0 to Vlan999,
e.g. with regard to filter definitions for rtr1?
- rtr1 resolves to lo0 but the incoming IP is from Vlan999, which resolves to rtr1-vlan999 - I mean, when creating a filter, is the filter really bound to the deviceID and thus to all the interfaces, or just to the management IP defined in DCR?
BTW, can I exclude a specific _Interface_ of a device in a filter definition - if I understood Joe correctly ?
By default, the filter will apply to all interfaces on all selected devices. You can change that when defining the filter, but there is a bug with that, and it is not recommended.
No, you cannot exclude a particular interface when defining a filter.
With the contribution of you two, I get the clear picture and I also get the answer. Thanks to all.
Now I know why I was confused about what you said about 'the filter will apply to all interfaces on all selected devices'. I was looking at the syslog filter definition of RME 4.1.0 (LMS 3.1.0) and there is no such option when defining a filter. Will this option be removed constantly in RME 4.1.0 or will it be implemented again, and does RME 4.1.0 behave in the same way as you described for RME 4.0.5 (LMS 2.6)?
RME 4.1.0 has the same filter interface as 4.0.5. The "Include interfaces of selected devices" radio button is still there. Yes, the behavior in 4.1.0 is the same as in 4.0.5.
I am a little confused about my confusion - the option is now re-implemented in my installation of RME 4.1.0 as well :-) ...
I was looking at the interface when I started to configure a filter (Create button) and not at the very first page where all filter definitions are listed (thought it was a per-filter property and not a general setting - or just hadn't thought anything... ;-))