Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1370
Views
5
Helpful
12
Replies

LMS RME - Syslog Alert

tckoon
Level 1
Level 1

‎03-03-2008 06:15 AM

Why on the RME main home page or LMS Portal "System" view, I can't see any alert show on the Syslog Alert.

I did shut/unshut interface the syslog did send to CW server. I can view by issue " logview.exe" command , but it does not show on Syslog Alert windows.

C:\Documents and Settings\hpadmin>logview

ar 03 21:48:25 122.255.98.14 156: *Mar 3 05:41:18: %SEC-6-IPACCESSLOGS: list MANAGEMENT denied 124.82.8.136 1 packet

Mar 03 21:50:22 122.255.97.4 24: *Mar 3 13:49:30.737: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (122.255.99.74)

Mar 03 21:53:56 122.255.97.5 52: *Mar 3 13:54:45: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (122.255.99.74)

Mar 03 21:57:33 122.255.98.14 157: *Mar 3 05:50:27: %SEC-6-IPACCESSLOGS: list MANAGEMENT denied 124.82.8.136 3 packets

Mar 03 22:01:53 122.255.97.6 518: Mar 3 22:02:21.780: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (122.255.99.74)

Mar 03 22:02:19 122.255.97.6 519: Mar 3 22:02:47.448: %LINK-5-CHANGED: Interface GigabitEthernet0/0, changed state to reset

Mar 03 22:02:25 122.255.97.6 520: Mar 3 22:02:52.984: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (122.255.99.74)

Mar 03 22:02:25 122.255.97.6 521: Mar 3 22:02:53.168: %LINK-5-CHANGED: Interface GigabitEthernet0/0, changed state to administratively down

Regards

Labels:
Preview file
53 KB
0 Helpful
12 Replies 12

Joe Clarke
Cisco Employee
Cisco Employee

‎03-03-2008 10:40 AM

Once the syslog messages make it to syslog.log, they are read by the SyslogCollector daemon which then performs filtering on those messages. Please post the output of the pdshow command as well as the NMSROOT/MDC/tomcat/webapps/rme/WEB-INF/classes/com/cisco/nm/rmeng/csc/data/filters.dat

file.

0 Helpful

tckoon
Level 1
Level 1
In response to Joe Clarke

‎03-03-2008 04:38 PM

Hi Clarke,

Please refer to attached file.

Thanks.

Preview file
23 KB
0 Helpful

Joe Clarke
Cisco Employee
Cisco Employee
In response to tckoon

‎03-03-2008 04:49 PM

Your filters are wrong. According to this, the only messages you will process are PIX and firewall audit trail messages, and sev 7 messages. Change your filter mode from KEEP to DROP under RME > Tools > Syslog > Message Filters, then you should start seeing new messages get processed.

0 Helpful

tckoon
Level 1
Level 1
In response to Joe Clarke

‎03-04-2008 04:55 AM

Hi Clarke,

So far no luck. I had did the change you recommended but no help.

I can see log in logview but not in Syslog Alert.

Attached is screenshot of collector status and filter setting.

Not where I did wrong.

Thanks

Preview file
114 KB
0 Helpful

Joe Clarke
Cisco Employee
Cisco Employee
In response to tckoon

‎03-04-2008 10:11 AM

It looks like you also changed the include interfaces option as well. You should not have done this. Set "Include interfaces of selected devices:" back yo Yes.

0 Helpful

tckoon
Level 1
Level 1
In response to Joe Clarke

‎03-04-2008 05:13 PM

Done that, but still no syslog message on "Syalog Alert" panel.

Logview shown the log message , when I shut/ not shut one of device interface.

thanks

0 Helpful

Joe Clarke
Cisco Employee
Cisco Employee
In response to tckoon

‎03-04-2008 08:55 PM

Assuming you haven't enabled the Link Up/Down Message filter, you should be seeing these messages in your syslog reports. You are getting forwarded messages. Try running a Syslog Standard Report under RME > Reports > Report Generator to see what messages are being written to the RME database.

0 Helpful

tckoon
Level 1
Level 1
In response to Joe Clarke

‎03-05-2008 02:38 AM

Please see attached, there was log in the reports.

regards

Preview file
295 KB
0 Helpful

Martin Ermel
VIP Alumni
VIP Alumni
In response to tckoon

‎03-05-2008 03:35 AM

what are your settings for the portlet; check the options for the refresh cycle as descibed here:

http://www.cisco.com/en/US/docs/net_mgmt/ciscoworks_lms_portal/1.0.1/user/guide_new/pcofe.html#wp1484686

also I think only severity 0 - 3 messages are displayed.

Joe Clarke
Cisco Employee
Cisco Employee
In response to tckoon

‎03-05-2008 07:38 AM

Good. So syslog analysis is now working. Now, as mermel said, the syslog alerts portlet only shows the messages in the past 24 hours that are of severity 0, 1, and 2 (emerg, alert, crit). Now that you have syslog analysis working, you should start to see that count increase when a message of a high enough severity comes in.

0 Helpful

tckoon
Level 1
Level 1
In response to Joe Clarke

‎03-05-2008 07:56 AM

That mean all the while it is working. Just the Syslog Alert portlet only shown severity 0/1/2 only.

BTW can we change the setting so it can also display up to severity 5 or 6 ? The reason was sometime the bgp peering or OSPF neighbor was down, it also important to be shown on portlet. Otherwise, we only knew it when we manually generate the report.

Severity 0/1/2 is rarely occur, unless CPU/Memory or system failed happend.

Thanks

Regards

0 Helpful

Joe Clarke
Cisco Employee
Cisco Employee
In response to tckoon

‎03-05-2008 08:45 AM

The severities displayed cannot be changed. However, you can create Automated Actions for the syslog messages that you care about, and have RME email you when those important messages are processed. This is done under RME > Tools Syslog > Automated Actions.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents