Why can't I see any alerts in the Syslog Alert on the RME main home page or the LMS Portal "System" view?
I did a shut/no shut on an interface, and the syslog was sent to the CW server. I can view it by issuing the "logview.exe" command, but it does not show in the Syslog Alert window.
C:\Documents and Settings\hpadmin>logview
ar 03 21:48:25 188.8.131.52 156: *Mar 3 05:41:18: %SEC-6-IPACCESSLOGS: list MANAGEMENT denied 184.108.40.206 1 packet
Mar 03 21:50:22 220.127.116.11 24: *Mar 3 13:49:30.737: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (18.104.22.168)
Mar 03 21:53:56 22.214.171.124 52: *Mar 3 13:54:45: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (126.96.36.199)
Mar 03 21:57:33 188.8.131.52 157: *Mar 3 05:50:27: %SEC-6-IPACCESSLOGS: list MANAGEMENT denied 184.108.40.206 3 packets
Mar 03 22:01:53 220.127.116.11 518: Mar 3 22:02:21.780: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (18.104.22.168)
Mar 03 22:02:19 22.214.171.124 519: Mar 3 22:02:47.448: %LINK-5-CHANGED: Interface GigabitEthernet0/0, changed state to reset
Mar 03 22:02:25 126.96.36.199 520: Mar 3 22:02:52.984: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (188.8.131.52)
Mar 03 22:02:25 184.108.40.206 521: Mar 3 22:02:53.168: %LINK-5-CHANGED: Interface GigabitEthernet0/0, changed state to administratively down
Once the syslog messages make it to syslog.log, they are read by the SyslogCollector daemon which then performs filtering on those messages. Please post the output of the pdshow command as well as the NMSROOT/MDC/tomcat/webapps/rme/WEB-INF/classes/com/cisco/nm/rmeng/csc/data/filters.dat
Your filters are wrong. According to this, the only messages you will process are PIX and firewall audit trail messages, and sev 7 messages. Change your filter mode from KEEP to DROP under RME > Tools > Syslog > Message Filters, then you should start seeing new messages get processed.
It looks like you also changed the include interfaces option as well. You should not have done this. Set "Include interfaces of selected devices:" back to Yes.
Done that, but still no syslog message on the "Syslog Alert" panel.
Logview showed the log message when I shut/no shut one of the device interfaces.
Assuming you haven't enabled the Link Up/Down Message filter, you should be seeing these messages in your syslog reports. You are getting forwarded messages. Try running a Syslog Standard Report under RME > Reports > Report Generator to see what messages are being written to the RME database.
What are your settings for the portlet? Check the options for the refresh cycle as described here:
Also, I think only severity 0 - 3 messages are displayed.
Good. So syslog analysis is now working. Now, as mermel said, the syslog alerts portlet only shows the messages in the past 24 hours that are of severity 0, 1, and 2 (emerg, alert, crit). Now that you have syslog analysis working, you should start to see that count increase when a message of a high enough severity comes in.
That means it was working all the while. It is just that the Syslog Alert portlet only shows severity 0/1/2.
BTW, can we change the setting so it can also display up to severity 5 or 6? The reason is that sometimes a BGP peering or OSPF neighbor goes down, and it is also important for that to be shown on the portlet. Otherwise, we only know about it when we manually generate the report.
Severity 0/1/2 rarely occurs, unless a CPU/memory or system failure happens.
The severities displayed cannot be changed. However, you can create Automated Actions for the syslog messages that you care about, and have RME email you when those important messages are processed. This is done under RME > Tools > Syslog > Automated Actions.
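Added example, not part of the thread and not CiscoWorks code: a small Python check that reads the severity digit out of each `%FACILITY-SEVERITY-MNEMONIC` tag and separates the messages the Syslog Alert portlet would count (severity 0 to 2, as stated in the thread) from those visible only in reports. The first three sample lines are copied from the logview output above; the last two, and all function names, are constructed for illustration, and the portlet's 24-hour window is not modelled.

```python
import re

# Cisco IOS message tag: %FACILITY-SEVERITY-MNEMONIC:
TAG = re.compile(r"%([A-Z0-9_-]+?)-([0-7])-([A-Z0-9_]+):")
SEVERITY_NAMES = ["emerg", "alert", "crit", "err",
                  "warning", "notice", "info", "debug"]
PORTLET_MAX_SEVERITY = 2  # per the thread: portlet shows severity 0, 1, 2 only

# Lines 1-3 come from the logview output in the thread; lines 4-5 are constructed.
SAMPLE = """\
Mar 03 22:02:19 22.214.171.124 519: Mar 3 22:02:47.448: %LINK-5-CHANGED: Interface GigabitEthernet0/0, changed state to reset
Mar 03 21:57:33 188.8.131.52 157: *Mar 3 05:50:27: %SEC-6-IPACCESSLOGS: list MANAGEMENT denied 184.108.40.206 3 packets
Mar 03 22:02:25 126.96.36.199 520: Mar 3 22:02:52.984: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (188.8.131.52)
Mar 03 22:10:00 192.0.2.10 600: Mar 3 22:10:01.000: %BGP-5-ADJCHANGE: neighbor 192.0.2.1 Down
Mar 03 22:11:00 192.0.2.10 601: Mar 3 22:11:01.000: %SYS-2-MALLOCFAIL: Memory allocation of 1024 bytes failed
"""

def parse_line(line):
    """Return the tag fields of one syslog line, or None if no tag is found."""
    m = TAG.search(line)
    if not m:
        return None
    sev = int(m.group(2))
    return {
        "tag": f"{m.group(1)}-{sev}-{m.group(3)}",
        "severity": sev,
        "name": SEVERITY_NAMES[sev],
        "portlet": sev <= PORTLET_MAX_SEVERITY,
    }

def split_by_portlet(lines):
    """Split lines into (portlet-visible, report-only, unparsed)."""
    shown, report_only, unparsed = [], [], []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            unparsed.append(line)
        elif rec["portlet"]:
            shown.append(rec)
        else:
            report_only.append(rec)
    return shown, report_only, unparsed

if __name__ == "__main__":
    shown, report_only, unparsed = split_by_portlet(SAMPLE.splitlines())
    for rec in shown:
        print(f"portlet     {rec['tag']} ({rec['name']})")
    for rec in report_only:
        print(f"report only {rec['tag']} ({rec['name']})")
```

Run against a saved copy of the logview output, the report-only list shows which messages (link changes, config events, BGP adjacency changes) need an Automated Action to be noticed without running a report.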