03-23-2010 07:19 AM
Of course I can log into each of my 100 routers and switches and peforms "sh loggin" to look for problems, but how do I use LMS 3.2 to consolidate all those logs into one location? Can I set up something so I can see those logs in more or less real time?
Thanks in advance.
03-23-2010 09:11 AM
RME provides the Syslog Analysis tool for centralized reporting. Here's a guide written for RME 3.x, but the same applies to RME 4.x of LMS 3.2:
http://www.cisco.com/en/US/products/sw/cscowork/ps2073/products_tech_note09186a00800a7275.shtml
Of course, the reports need to be either scheduled or run manually, so I don't consider it "real-time". OTOH, "interesting" syslogs can be acted upon in real-time via the Automated Actions feature of RME (email or triggering a custom script).
03-23-2010 08:46 PM
The terminology is confusing me.
Does LMS go get syslog messages periodically or does the device send a copy to LMS whenever it generates a new message?
What's the benefit of scheduling a report to run automatically? Is it saved somewhere that is easier/quicker to get to?
Can new syslog messages from devices be posted to an RSS feed?
03-24-2010 08:26 PM
>> Does LMS go get syslog messages periodically or does the device send a copy to LMS whenever it generates a new message?
The latter.
If for some reason, the devices cannot log directly to LMS, there're a few options: 1) Devices log to a central syslog server, which in turn exposes the syslogs to LMS' Syslog Analyzer, either via the Cisco-supplied Remote Syslog Collector or some unsupported methods such as NFS mount, or 2) Install Syslog-ng on the central syslog server, relay the logs to LMS, as described in this whitepaper: http://www.cisco.com/en/US/prod/collateral/netmgtsw/ps6504/ps6528/ps2425/white_paper_c11-571038.html
>> What's the benefit of scheduling a report to run automatically? Is it saved somewhere that is easier/quicker to get to?
It's the usual benefits of automation. Scheduled syslog reports apparently write outputs to /var/adm/CSCOpx/files/rme/cri/archives/syslog/reports/output/[jobID_runID], on Solaris, for example. The structure inside is rather muddy. So it might be easier to have something like a VBscript to screen-scrape the LMS web GUI for the report outputs instead.
>> Can new syslog messages from devices be posted to an RSS feed?
That's a novel idea. Though obviously not from the devices directly, it most likely coud be done through some "syslog2rss" relay residing on the syslog server. I think the potential volumes of logs could be too much for RSS, unless careful filtering/deduplication takes place on the relay before posting to a feed.
03-25-2010 08:41 AM
perhaps you can use this EEM script wich let your device tweet....
http://forums.cisco.com/eforum/servlet/EEM?page=eem&fn=script&scriptId=2121
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide