Solved: Re: duplicate ip address cannot receive from LMS server

thetnaing00 · ‎08-30-2007

hi,

i am aware that duplicate ip address is inside syslog as well as inside DFM. which one is sending out alert to user if there is any duplicate ip address problem occurs? i configure duplicate ip address trap inside DFM as well as configure syslog level to debugging.but i still don't receive any trap sending out to user as well as any syslog regarding about duplicate IP address.on the switch,i can see duplicate IP address logging and when i use kiwi syslog deamon, i also see duplicate ip address syslog.actually,in syslog collector status,receive syslog number increasing and filter syslog is also increasing.forward syslog is not much.why messages are filtered by LMS since i configured the syslog analyzer log level to debugging.any idea what is happening?please help me to find out the solution as there is ciritical virus outbreak on one switch.thanks in advance.

Joe Clarke · ‎08-31-2007

If you want to accept all messages, you should disable or delete all filters and set the mode to Keep.

More information on logrot can be found in the LMS online help in the "Maintaining Log Files" chapter. logrot_trunc is merely a supporting tool that logrot uses to do truncation of large files.

View solution in original post

Joe Clarke · ‎08-30-2007

Please provide a screenshot or screenshots showing all of your configured filters. also, provide a sample syslog message, and the configuration from your automated action that you configured to match on it.

thetnaing00 · ‎08-30-2007

hi

thanks for the reply.unfortunately,i cannot provide the screenshot as i am away from the system but i didn't filter anything and i am sure that because othere devices sending syslog messages to the server and i can see the syslog from other devices.the sample log message is 'duplicate ip address sending from "mac address of the interface"' and i didn't configure the automated action for the syslog.i only want to see that in report generator.i hope this could help.sorry for not to provide the information.thanks again.

Joe Clarke · ‎08-30-2007

Without a complete sample of the message and your filter configuration, I cannot offer any clue as to why these messages are not showing up in the report.

thetnaing00 · ‎08-30-2007

hi.

i am now on site and able to give your the information.hope this will help.furthermore,what is the filtered message and is it based on what criteria?i've got a lot of filter message though i configure to keep everything.please check.thanks.

Joe Clarke · ‎08-30-2007

Based on your filters, you are only keeping the following messages:

Link up/down

IOS Firewall Audit Trail

PIX Firewall Audit Trail

Sev 7

So every other message will be dropped. Change the type from Keep to Drop, and I think you will start seeing what you want.

thetnaing00 · ‎08-30-2007

hi

thanks.i am now trying to set the filter to drop and how can i keep ALL message from devices?shall i delete or disable all filters and mode set to keep?is it correct?i tried that before and i don't see the result.please point me out for this too and can you also tell me where i can learn more about logrot.pl command and logrot_trun.exe.thanks again

Joe Clarke · ‎08-31-2007

If you want to accept all messages, you should disable or delete all filters and set the mode to Keep.

More information on logrot can be found in the LMS online help in the "Maintaining Log Files" chapter. logrot_trunc is merely a supporting tool that logrot uses to do truncation of large files.

thetnaing00 · ‎08-31-2007

thank you very very much for your replies.