Hello!

Thanks for your answer!

In the TIMEZONE file it's MET and in the Collector.properties file the configuration looks so:

*********************************************

# Timezone related properties

TIMEZONE=MEST

COUNTRY_CODE=CHE

TIMEZONE_FILE=/opt/CSCOpx/MDC/tomcat/webapps/rme/WEB-INF/classes/com/cisco/nm/rmeng/fcss/data/TimeZone.lst

# General properties

SYSLOG_FILES=/var/log/syslog_info

DEBUG_CATEGORY_NAME=SyslogCollector

DEBUG_FILE=/var/adm/CSCOpx/log/SyslogCollector.log

DEBUG_LEVEL=INFO

DEBUG_MAX_FILE_SIZE=5MB

DEBUG_MAX_BACKUPS=3

DOWNTIME_DIR=/opt/CSCOpx/MDC/tomcat/webapps/rme/WEB-INF/classes/com/cisco/nm/rmeng/csc/data

FILTER_DUMP_FILE=/opt/CSCOpx/MDC/tomcat/webapps/rme/WEB-INF/classes/com/cisco/nm/rmeng/csc/data/filters.dat

# Miscellaneous properties. These are not important to users.

READ_INTERVAL_IN_SECS=1

QUEUE_CAPACITY=100000

PARSER_FILE=/opt/CSCOpx/MDC/tomcat/webapps/rme/WEB-INF/classes/com/cisco/nm/rmeng/fcss/data/FormatParsers.lst

SUBSCRIPTION_DATA_FILE=/opt/CSCOpx/MDC/tomcat/webapps/rme/WEB-INF/classes/com/cisco/nm/rmeng/csc/data/Subscribers.dat

FILTER_THREADS=1

COLLECTOR_PORT=4444

*************************************

But the messages arrives with the correct timestamp. Do you now some Cisco Documentations about the way from the syslog_info to RME??

I configured all how it is written there: http://www.cisco.com/univercd/cc/td/doc/product/rtrmgmt/cw2000/cw2000e/e_4_x/rme405/405ug/syslog.htm

Please provide a sample syslog message as it appears in syslog_info.

Ok there is one!

Oct 4 11:42:50 zoer-cep-01.sbb.ch 193: Oct 4 11:42:49.544 MEST: %IP-4-DUPADDR: Duplicate address 172.23.5.2 on Vlan1355, sourced by 0017.0f48.8fc0

adn in the attachment is the RME report.

I wonder if the milliseconds are causing the problem here. Try this timestamp line in the config, and see if it helps:

service timestamps log datetime localtime show-timezone

Just copy this line in the Collector.properties file? or with a special format?

This is an IOS config command. You need to put this into the config of one of the problem devices, then see if it corrects the problem.

Ok I made it, but i still don't work!

I saw that in the syslog_info the timeformat has changed and the msec no longer displayed.

But in RME the messages arrives still with the rong time.

Strange is that today the RME displays the messages with 6 hour time offset but yesterday and the day before the messages had a 4 houre time offset.

Perhaps this is related to the following definitions:

timezone of

server: MET

syslog properties: MEST

if I check my TimeZone.lst file I see the following:

bash-2.05# more TimeZone.lst

# TIMEZONE LIST FOR SYSLOG COLLECTOR

# ----------------------------------

#

# This is the TimeZone list used by SyslogCollector.

# Each entry represents a timezone abbreviation, and its offset from GMT.

# Each offset given here is 10 multiplied by the actual offset;

# Example, the actual offset for IST is 5.5 hours, and the

# corresponding entry here is 55.

# Please use the same method while modifying it.

#

[...]

MEST=-20

MET=10

[...]

and with summertime in MET you will get a diff of 4 hours...

just an assumption, but what happens if you change MEST=-20 to MEST=20 (what I think it should be) and restart the syslogAnalyzer process

regards,

MArtin

Hmmm, good catch. This is either a bug, or there is another timezone, MEST, that has an offset of -2 hours from UTC. I highly suspect the former.

I changed the timzone and now it works correctly! Thanks a lot!!

Regards

Adrian Enkerli

I have filed CSCsg29573 to track this issue so that future releases will not have this problem. Again, good catch, mermel.