is the syslog service started and working? Have a "netstat -na" take a look for UDP and TCP port 514.
For normal the syslog is listening to UDP only, but some systems have the ability to get messages on TCP 514, too.
In Common Services -> Server -> Admin -> Processes have a look for the status of the Syslog Analyser and Syslog Collector Services.
Both services are shown as started and running, displaying "no messages received".
netstat -na shows
TCP 0.0.0.0:514 0.0.0.0 LISTENING
UDP 0.0.0.0:514 *:*
To my mind that seems to be correct ?.
just forgotten to ask:
Do you have any other syslog program on the server installed?
What OS do you have installed?
On Windows 2003 try netstat -nabv
This shows you the executed programs to the corresponding port.
On Windows 2000 try tcpview from www.systernals.com (it now leads to a microsoft Webpage)
Can you see the "CWCS Syslog Service" in the windows services list? And what status does it have?
Do you have a syslog.log file in the path PROGRAMDIR\CSCOpx\log ?
6 GB large!! Gigabyte??
Just stop the LMS with "net stop crmdmgtd" command from the dos box.
rename the syslog.log to e.g. syslog.log.sav
restart LMS with net start crmdmgtd
Try the Setup of Backup und Purge Policies in RME -> Admin -> Syslog.
syslog file size = 6,507,566 !!!
Had to manually stop the CWCS syslog collector service before I could rename the log file.
but now I cannot amend the default purge job, I get an error message , it is
"SLCA0119: Syslog default purge job could not be edited. Check the log for details."
Me thhinks our LMS is a sick puppy :-(
just do me the favour:
Stop and Start the whole LMS App.
Or reboot the server.
Do you have a syslog.log file in the log dir now.
I guess not. Thats why the Purge Job may fail.
Rebooted . Log file exists Purge job set.
Log file has device entries in it , but thats as far as it goes, the dont show in Device Centre or any "syslog" Report Jobs.
I am going to give up on this, its burning too many cycles for no result.
Will have to use a seperate syslog" application on a seperate box, it means another application but I dont think i have a choice.
Very many thanks for your help !!!
since i do not know how you send the syslog messages from your devices to the LMS i may assume a little chance of a misconfiguration.
Maybe we can resolve it here. The Syslog Report only use the real syslog messages not the syslog traps from the devices!
Setup the "logging host" command on the devices.
Have in mind that the following syslog messages are filtered by default and have to be ebabled: Link Up/Down, PIX, Severity 7, and IOS Firewall Audit Trail.
Do not be sick about LMS 2.6 it is running fine now. The initial release of 2.5 was sometimes getting me nuts. But now the product is optimized and syslog should not be a problem.
Of course the Documentation for the LMS is sometimes a bit abstract and / or dry stuff.
Thanks for the encouragement !!!.
Here is a sample "logging" config fromone of our switches
Syslog logging: enabled (0 messages dropped, 0 messages rate-limited, 0 flushes, 0 overruns)
Console logging: disabled
Monitor logging: disabled
Buffer logging: level informational, 378 messages logged
Exception Logging: size (4096 bytes)
File logging: disabled
Trap logging: level informational, 382 message lines logged
Logging to 172.26.1.254, 3 message lines logged
Logging to 172.26.2.21, 3 message lines logged
The syslog file on the LMS server is being populated. (see attachment), but this is the big but thats where it stops "device manager" shows no syslog entries and nor does "report generator".
So the process of LMS reading the log file and associating to device manager/report generator is not working.
I am stumped, but have a work around with a syslog app on another box, this works fine.
it seems to me that the logging level is misconfigured.
Have a look into
RME -> Admin -> System Preferences -> Log Level Settings
Choose syslog Analyser and have a look to its value. Could it be set to 3 or 4?
Change to 7 again for a test.
Do you have setup the LMS as Syslog Collector?? This means you end the syslogs generated from the LMS to istself!! This should not be neccessary.
I have seen things like this:
Feb 13 13:53:11 127.0.0.1 100: <30> dmgt: 3007(I):Started application(jrm) "D:\PROGRA~1\CSCOpx\bin\cwjava.exe -Xms64m -Xmx128m -Dvbroker.se.iiop_tp.scm.iiop_tp.dispatcher.threadMax=128 -Dvbroker.se.default.socket.manager.connectionMax=300 -cp:p MDC\tomcat\shared\lib\MICE.jar;MDC\tomcat\shared\lib\NATIVE.jar;MDC\tomcat\shared\lib\jdom.jar;MDC\tomcat\shared\lib\xalan.jar;MDC\tomcat\shared\lib\xerces.jar;MDC\tomcat\common\lib\servlet.jar com.cisco.nm.cmf.jrm.Server" pid=33044.
I guess it was setup in the RME -> Admin -> Tools -> Syslog. Delete the Syslog Collector entry!
I am not at work so i have no access to my installation.
But dont be afraid if you change the setings and the reports are still empty! The syslog Analyzer starts analyzing from the moment he is correctly configured not into the past!!
I have seen this in LMS 2.5.1 and maybe this behaviour is still valid!
I've seen the exact same symptoms and the fix is what I used also. No ex post facto analysis (after the fact) but as soon as you re-enrole the collector it'll start poulating.