We have several CSS devices that are configured to send logs to our CiscoWorks server. The CSSs are also configured to log to another syslog system. We can see log entries for the devices at the other syslog server, but not the CiscoWorks server. I've seen posts about CSS logs not being supported in earlier versions of RME, but from what I've read this should have been fixed by LMS 3.2. Is there anything I need to configure so that CiscoWorks can process the log entries from the CSS?
CSS 11503, ver 07.50.3.03
Do you see the CSS syslog messages in the RME server's syslog log (i.e. syslog.log on Windows and /var/log/syslog_info on Solaris)? If not, then there is most likely a configuration issue on the CSS, or some kind of network filter blocking udp/514 between the CSS and the RME server.
Well I think I may have answered my own question. I see the log entries in syslog.log, but they are not coming from the management adress on the CSS.
I'm guessing this would cause them to not show up in the application since CiscoWorks is using the management address. Is that correct?
If that's the case, how can the source address of the syslogs be changed on the CSS?
Are the messages showing up in the RME "Unexpected devices" syslog report? RME should be able to determine all of the addresses of the device when matching syslogs.
I'm having a difficult time finding the messages in the unexpected device report because there are a couple of unexpected devices that are generating tons of messages. I get the 10,000 message limit for any 24 hour period I select, but haven't been able to locate any from the device in question. I know a time frame that has some messages from the device because I can see it in syslog.log, but I can't narrow the window down close enough to see them in the unexpected device report. Any ideas?
Can you generate a new message, then immediately check for it in the log and in the unexpected devices report? Also, post a sample message which is not showing up in RME.
I tried your suggestion but did not see an entry in the Unexpected Device report.
Here are a couple of exmples of messages not showing up in RME:
Jan 21 09:58:16 10.69.166.25 JAN 21 09:58:09 1/1 55309 VRRP-4: Virtual router 12
on interface 10.69.146.25 entering into VRRP negotiation
Jan 21 09:58:16 10.69.166.26 JAN 21 09:58:10 1/1 78692 VRRP-4: Virtual router 12
: master on interface 10.69.166.26
I found a subtle bug in the CSS syslog processing code. The messages are correct, and are most likely being added to the database. The problem is they are being added with a timestamp six hours in the future. So, messages which are generated immediately will not be seen in the reports for six hours. I wrote a patch which allows me to add your messages to the RME database, and view them in reports in real time. This would certainly explain why your live test did not work, and may also explain the other problem. In any event, I would recommend you try my patch as I see no other reason why only CSS messages would not be visible in RME reports.
If you open a TAC service request, and have your engineer contact me directly, I can provide the patch.
The patch worked on my 3.2 system. (top window in screenshot), thanks.
Can the same patch be applied to my 3.1 system (bottom window in screenshot)?
I still have the issue with log entries not showing up in RME if the log message does not come from the management IP address of the CSS. How can I validate the addresses associated with a device? I do not see IP addresses in the detailed device report for the CSS.
No, the patch cannot be used with LMS 3.1. It requires 3.2.
If the message comes from a different CSS IP, does it now show up in the Unexpected Device Report? I don't have a CSS with which to test, but DDR should show all IPs on the device that show up in the ipAddrTable.