Cisco Support Community

New Member

LMS RME - Syslog Alert

Why can't I see any alerts shown in the Syslog Alert on the RME main home page or LMS Portal "System" view?

I did a shut/unshut on an interface and the syslog was sent to the CW server. I can view it by issuing the "logview.exe" command, but it does not show in the Syslog Alert window.

C:\Documents and Settings\hpadmin>logview

Mar 03 21:48:25 122.255.98.14 156: *Mar 3 05:41:18: %SEC-6-IPACCESSLOGS: list MANAGEMENT denied 124.82.8.136 1 packet

Mar 03 21:50:22 122.255.97.4 24: *Mar 3 13:49:30.737: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (122.255.99.74)

Mar 03 21:53:56 122.255.97.5 52: *Mar 3 13:54:45: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (122.255.99.74)

Mar 03 21:57:33 122.255.98.14 157: *Mar 3 05:50:27: %SEC-6-IPACCESSLOGS: list MANAGEMENT denied 124.82.8.136 3 packets

Mar 03 22:01:53 122.255.97.6 518: Mar 3 22:02:21.780: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (122.255.99.74)

Mar 03 22:02:19 122.255.97.6 519: Mar 3 22:02:47.448: %LINK-5-CHANGED: Interface GigabitEthernet0/0, changed state to reset

Mar 03 22:02:25 122.255.97.6 520: Mar 3 22:02:52.984: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (122.255.99.74)

Mar 03 22:02:25 122.255.97.6 521: Mar 3 22:02:53.168: %LINK-5-CHANGED: Interface GigabitEthernet0/0, changed state to administratively down

Regards

12 REPLIES
Cisco Employee

Re: LMS RME - Syslog Alert

Once the syslog messages make it to syslog.log, they are read by the SyslogCollector daemon which then performs filtering on those messages. Please post the output of the pdshow command as well as the NMSROOT/MDC/tomcat/webapps/rme/WEB-INF/classes/com/cisco/nm/rmeng/csc/data/filters.dat file.

New Member

Re: LMS RME - Syslog Alert

Hi Clarke,

Please refer to attached file.

Thanks.

Cisco Employee

Re: LMS RME - Syslog Alert

Your filters are wrong. According to this, the only messages you will process are PIX and firewall audit trail messages, and sev 7 messages. Change your filter mode from KEEP to DROP under RME > Tools > Syslog > Message Filters, then you should start seeing new messages get processed.

New Member

Re: LMS RME - Syslog Alert

Hi Clarke,

So far no luck. I made the change you recommended, but it did not help.

I can see log in logview but not in Syslog Alert.

Attached is screenshot of collector status and filter setting.

Not sure where I went wrong.

Thanks

Cisco Employee

Re: LMS RME - Syslog Alert

It looks like you also changed the include interfaces option as well. You should not have done this. Set "Include interfaces of selected devices:" back to Yes.

New Member

Re: LMS RME - Syslog Alert

Done that, but still no syslog message on the "Syslog Alert" panel.

Logview showed the log message when I shut/no shut one of the device interfaces.

thanks

Cisco Employee

Re: LMS RME - Syslog Alert

Assuming you haven't enabled the Link Up/Down Message filter, you should be seeing these messages in your syslog reports. You are getting forwarded messages. Try running a Syslog Standard Report under RME > Reports > Report Generator to see what messages are being written to the RME database.

New Member

Re: LMS RME - Syslog Alert

Please see attached; there were logs in the reports.

regards

Re: LMS RME - Syslog Alert

What are your settings for the portlet? Check the options for the refresh cycle as described here:

http://www.cisco.com/en/US/docs/net_mgmt/ciscoworks_lms_portal/1.0.1/user/guide_new/pcofe.html#wp1484686

Also, I think only severity 0 - 3 messages are displayed.

Cisco Employee

Re: LMS RME - Syslog Alert

Good. So syslog analysis is now working. Now, as mermel said, the syslog alerts portlet only shows the messages in the past 24 hours that are of severity 0, 1, and 2 (emerg, alert, crit). Now that you have syslog analysis working, you should start to see that count increase when a message of a high enough severity comes in.
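The two stages discussed in this thread (the KEEP/DROP message filter, then the portlet's severity 0-2 cutoff) can be traced over the posted log lines. This is an added example, not part of the original posts and not CiscoWorks code: it models a filter as a set of facility names, which is an assumption and not the filters.dat format, and the last sample line is constructed.

```python
import re

# Cisco IOS message tag: %FACILITY-SEVERITY-MNEMONIC: (0 = emerg ... 7 = debug)
TAG = re.compile(r"%([A-Z0-9_]+)-([0-7])-([A-Z0-9_]+):")
PORTLET_MAX_SEVERITY = 2  # per the reply above: the portlet shows 0, 1 and 2

# The first three lines are from the logview output in this thread;
# the last one is constructed for illustration.
SAMPLE = [
    "Mar 03 21:57:33 122.255.98.14 157: *Mar 3 05:50:27: %SEC-6-IPACCESSLOGS: list MANAGEMENT denied 124.82.8.136 3 packets",
    "Mar 03 22:02:25 122.255.97.6 520: Mar 3 22:02:52.984: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (122.255.99.74)",
    "Mar 03 22:02:25 122.255.97.6 521: Mar 3 22:02:53.168: %LINK-5-CHANGED: Interface GigabitEthernet0/0, changed state to administratively down",
    "Mar 03 22:05:00 192.0.2.1 522: Mar 3 22:05:00.000: %EXAMPLE-2-CONSTRUCTED: constructed critical message",
]

def parse(line):
    """Return (facility, severity, mnemonic), or None if the line has no tag."""
    m = TAG.search(line)
    return (m.group(1), int(m.group(2)), m.group(3)) if m else None

def passes_filter(facility, mode, filter_facilities):
    """KEEP processes only matching messages; DROP processes everything else."""
    matched = facility in filter_facilities
    return matched if mode == "KEEP" else not matched

def trace(lines, mode, filter_facilities):
    """Return (tags that reach reports, tags that reach the alert portlet)."""
    reports, portlet = [], []
    for line in lines:
        parsed = parse(line)
        if parsed is None or not passes_filter(parsed[0], mode, filter_facilities):
            continue
        facility, severity, mnemonic = parsed
        tag = f"{facility}-{severity}-{mnemonic}"
        reports.append(tag)
        if severity <= PORTLET_MAX_SEVERITY:
            portlet.append(tag)
    return reports, portlet

if __name__ == "__main__":
    for mode in ("KEEP", "DROP"):
        print(mode, trace(SAMPLE, mode, {"PIX"}))
```

With a KEEP filter that matches none of these facilities, nothing reaches the reports; with DROP, all four are reported but only the constructed severity 2 message would count toward the portlet.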

New Member

Re: LMS RME - Syslog Alert

That means it was working all the while. It's just that the Syslog Alert portlet only shows severity 0/1/2.

BTW, can we change the setting so it can also display up to severity 5 or 6? The reason is that sometimes a BGP peering or OSPF neighbor goes down, and it is also important for that to be shown on the portlet. Otherwise, we only know about it when we manually generate the report.

Severity 0/1/2 rarely occurs, unless a CPU/memory or system failure happens.

Thanks

Regards

Cisco Employee

Re: LMS RME - Syslog Alert

The severities displayed cannot be changed. However, you can create Automated Actions for the syslog messages that you care about, and have RME email you when those important messages are processed. This is done under RME > Tools > Syslog > Automated Actions.
