Cisco Support Community

Blue

imported Syslog filters ignored

To recover from the RME reinit quickly, I imported the Syslog filters from another LMS 2.6 box. Of the eight custom filters imported, none appears to be taking effect. I even went as far as editing each custom filter and resaving it. It didn't seem to work. Unsubscribing from the SyslogCollector, which I assume is as good as restarting it, has made no difference either.

6 REPLIES
Cisco Employee

Re: imported Syslog filters ignored

Please post the /opt/CSCOpx/MDC/tomcat/webapps/rme/WEB-INF/classes/com/cisco/nm/rmeng/csc/data/filters.dat file.

Blue

Re: imported Syslog filters ignored

I gave in and restarted SyslogCollector and SyslogAnalyzer. That got the imported filters working. As a result, the filters.dat file has the last modified timestamp of the restart time:

-rw-r----- 1 casuser casusers 1170 Sep 20 10:28 /opt/CSCOpx/MDC/tomcat/webapps/rme/WEB-INF/classes/com/cisco/nm/rmeng/csc/data/filters.dat

Process= SyslogCollector

State = Program started - No mgt msgs received

Pid = 18752

RC = 0

Signo = 0

Start = 09/20/07 10:28:43

Stop = Not applicable

Core = Not applicable

Info = Application started by administrator request.

Process= SyslogAnalyzer

State = Program started - No mgt msgs received

Pid = 18749

RC = 0

Signo = 0

Start = 09/20/07 10:28:43

Stop = Not applicable

Core = Not applicable

Info = Application started by administrator request.

If filters.dat is backed up, I can go dig it out from this morning's db backup. The filters were imported yesterday during daytime, so that should show what filters.dat looked like before the restart.

Cisco Employee

Re: imported Syslog filters ignored

I wanted to see the contents of this file. But, no, filters.dat is not backed up. It is regenerated from the RME database.

Blue

Re: imported Syslog filters ignored

Filters for the server: nms.fqdn.com

Mode: DROP

Filter expressions:

^((\S+);;;(ACL)(-(\S+))?-(5)-(ARPINSPECTPKTDENIED.*\s*)\s*:\s*.*)$

^((\S+);;;(PIX)(-(\S+))?-(6)-(302002\s*)\s*:\s*.*)$

^((\S+);;;(PIX)(-(\S+))?-(6)-(304001\s*)\s*:\s*.*)$

^((\S+);;;(PIX)(-(\S+))?-(6)-(302001\s*)\s*:\s*.*)$

^((\S+);;;(SNMP)(-(\S+))?-(3)-(AUTHFAIL\s*)\s*:\s*Authentication failure.*)$

^((\S+);;;(ETHC)(-(\S+))?-(5)-(PORT.*STP\s*)\s*:\s*Port.*bridge port.*)$

^((\S+);;;(FW)(-(\S+))?-(6)-(SESS_AUDIT_TRAIL\s*)\s*:\s*.*)$

^((\S+);;;(IP)(-(\S+))?-(4)-(PERMITFAIL\s*)\s*:\s*Unauthorized.*from.*)$

^((\S+);;;(\S+)(-(\S+))?-(7)-(.*\s*)\s*:\s*.*)$

^((\S+);;;(SYS)(-(\S+))?-(5)-(SPAN_CFGSTATECHG\s*)\s*:\s*local span session.*)$

^((\S+);;;(LINK)(-(\S+))?-(3)-(UPDOWN\s*)\s*:\s*.*)$

^((\S+);;;(LINEPROTO)(-(\S+))?-(5)-(UPDOWN\s*)\s*:\s*.*)$

^((\S+);;;(LINK)(-(\S+))?-(5)-(CHANGED\s*)\s*:\s*.*)$

^((\S+);;;(LINK)(-(\S+))?-(5)-(UPDOWN\s*)\s*:\s*.*)$

^((\S+);;;(SEC)(-(\S+))?-(6)-(IPACCESSLO.*\s*)\s*:\s*.*)$

^((\S+);;;(SYS)(-(\S+))?-(5)-(AUTOSAVE\s*)\s*:\s*Autosaving.*NVRAM)$

...................

Cisco Employee

Re: imported Syslog filters ignored

All of these look good. The Collector should be dropping all matching messages. If this is not the case, enable SyslogCollector debugging, send a message that should be dropped, then post the SyslogCollector.log.
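An offline check of which messages a DROP list suppresses, as an added example that is not part of the original thread and not Cisco's code: it runs a subset of the filter expressions posted above against constructed sample lines. The `host;;;FACILITY-SEVERITY-MNEMONIC: text` line layout is inferred from the expressions themselves and is an assumption, as are the function name `audit_drop_filters` and every sample message.

```python
import re

# Filter expressions copied verbatim from the filters.dat listing in this thread (subset).
FILTERS = [f for f in r"""
^((\S+);;;(PIX)(-(\S+))?-(6)-(302002\s*)\s*:\s*.*)$
^((\S+);;;(SNMP)(-(\S+))?-(3)-(AUTHFAIL\s*)\s*:\s*Authentication failure.*)$
^((\S+);;;(\S+)(-(\S+))?-(7)-(.*\s*)\s*:\s*.*)$
^((\S+);;;(LINK)(-(\S+))?-(3)-(UPDOWN\s*)\s*:\s*.*)$
^((\S+);;;(SYS)(-(\S+))?-(5)-(AUTOSAVE\s*)\s*:\s*Autosaving.*NVRAM)$
""".splitlines() if f]

# Constructed sample lines; the "host;;;FACILITY-SEV-MNEMONIC: text" layout is
# an assumption inferred from the expressions, not taken from a real log.
SAMPLES = [
    "fw1;;;PIX-6-302002: Teardown TCP connection 42",
    "sw2;;;SNMP-3-AUTHFAIL: Authentication failure for SNMP req from host 192.0.2.10",
    "sw2;;;DEMO-7-TRACE: constructed debug line",
    "rtr1;;;LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down",
    "rtr1;;;SYS-5-AUTOSAVE: Autosaving configuration to NVRAM",
    # Trailing text after NVRAM defeats the ')$' anchor of the AUTOSAVE filter.
    "rtr1;;;SYS-5-AUTOSAVE: Autosaving configuration to NVRAM failed",
    # No expression in the subset covers this facility/severity pair.
    "sw2;;;SEC_LOGIN-4-LOGIN_FAILED: Login failed",
]


def audit_drop_filters(lines, filters=FILTERS):
    """Return (line, first matching expression or None) for each line.

    In DROP mode a line with a matching expression is discarded, so every
    non-None entry is a message that would never reach the analyzer.
    """
    compiled = [re.compile(f) for f in filters]
    report = []
    for line in lines:
        hit = next((c.pattern for c in compiled if c.search(line)), None)
        report.append((line, hit))
    return report


if __name__ == "__main__":
    for line, hit in audit_drop_filters(SAMPLES):
        print(("DROP " if hit else "KEEP ") + line)
        if hit:
            print("     matched: " + hit)
```

Running a list like this before importing filters shows which messages, such as the SNMP authentication failures above, are being discarded by design.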

Blue

Re: imported Syslog filters ignored

This is the picture when it's working now, after I bounced SyslogCollector and SyslogAnalyzer. I suspect it was not so before the bounce, even though the GUI showed all the imported filters. Or, maybe something else was awry if filters.dat has been this way since the import yesterday.
