Please advise why the Syslog Collector is not receiving any Syslog Messages for more than 1 day while the filter is set to Keep and some facility codes are specified.
Syslog.log file is currently at 79MB where the limit is 1GB.
I have tried to unsubscribe and re-subscribe the syslog collector, but the problem persists.
Hope to hear some advice.
Thanks and Regards
Please post a screenshot of your filter configuration screen, as well as a screenshot of the syslog collector status screen.
All of your messages are being filtered. What messages are you receiving in the syslog.log file? You only care about a small subset of message types.
The number of messages being received has remained at 1060, with 945 filtered, for more than 1 day. Isn't this weird if the collector is properly receiving the Syslog Messages?
Since the syslog.log is more than 5MB, only the latest portion of the syslog messages is posted. All are ASA entries.
Thanks & Regards,
RME is working as designed. All of the messages have the facility ASA, but you are not matching that facility in your message filters. You need to add ASA to your message filters, or change your filter mode to Drop.
In fact, I don't wish to receive Syslog Messages from ASA devices. The messages I am interested in are listed in facility codes.jpg.
I am wondering how over 600 switches could not have sent any syslog messages matching the configured facility codes in the past 24 hours.
However, if I change the filter mode to Drop, all the syslog messages received will be dropped; this actually defeats the purpose of setting all the facility codes to receive the required syslog messages.
The ASA messages were the only ones you showed me. Go through your syslog.log. What messages do you see that match your desired facility filters?
Actually the whole syslog.log is only ASA entries; the file is really too big (about 75MB) for me to post here. If you really want to see it, I will separate it into a few text files and post them here.
Thanks & Regards,
Then what you're seeing is expected. If you find that you are receiving messages which match the filter you have configured, then we can analyze that. It is entirely possible that your devices are not sending such messages. Those are not the most prevalent syslog message types.
Then I will be very surprised, since my message filter has already disabled IOS Firewall audit trail messages and PIX firewall audit messages, so why is ASA syslog still being received? Doesn't ASA belong to both of them?
The filters do not control what messages are written to the syslog.log. ALL messages sent by devices will be written to that file. The filters control what messages are written to the database.
The IOS Firewall audit trail message filter only matches FW-*-6-SESS_AUDIT_TRAIL:*.
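As an added illustration (not code from this thread or from RME itself), the following Python check walks a syslog.log and reports what every message's facility is, and which entries a Keep-mode filter list in the FW-*-6-SESS_AUDIT_TRAIL:* style would pass to the database versus filter out. The sample log lines are constructed, and the normalisation of %FACILITY-SEVERITY-MNEMONIC into a FACILITY-SUBFACILITY-SEVERITY-MNEMONIC key is an assumption about how RME matches its patterns.

```python
import fnmatch
import re
from collections import Counter

# Constructed sample lines in the style of an RME syslog.log (not real captures).
SAMPLE_LOG = """\
Jan 10 08:01:12 10.1.1.5 %ASA-6-302013: Built outbound TCP connection 1234 for outside:203.0.113.7/443
Jan 10 08:01:13 10.1.1.5 %ASA-6-302014: Teardown TCP connection 1234 for outside:203.0.113.7/443
Jan 10 08:01:20 10.1.2.8 %LINK-3-UPDOWN: Interface GigabitEthernet1/0/7, changed state to down
Jan 10 08:01:21 10.1.2.8 %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/7, changed state to down
Jan 10 08:02:00 10.1.3.9 %FW-6-SESS_AUDIT_TRAIL: Stop tcp session: initiator (10.1.3.20:5123) sent 400 bytes
Jan 10 08:02:05 10.1.4.2 %SYS-5-CONFIG_I: Configured from console by admin on vty0
"""

# %FACILITY[-SUBFACILITY]-SEVERITY-MNEMONIC: text  (the subfacility is optional in IOS output)
MSG_RE = re.compile(r"%([A-Z0-9_]+)(?:-([A-Z0-9_]+))?-([0-7])-([A-Z0-9_]+):\s*(.*)$")

# Example Keep-mode patterns in the style the thread quotes (FW-*-6-SESS_AUDIT_TRAIL:*); assumed, not RME defaults.
KEEP_FILTERS = ["LINK-*-*-*:*", "LINEPROTO-*-*-*:*", "SYS-*-*-*:*"]

def parse_key(line):
    """Normalise one log line to FACILITY-SUBFACILITY-SEVERITY-MNEMONIC:text (assumed RME matching form)."""
    m = MSG_RE.search(line)
    if not m:
        return None
    fac, sub, sev, mnem, text = m.groups()
    return f"{fac}-{sub or ''}-{sev}-{mnem}:{text}"

def evaluate(log_text, filters, mode="keep"):
    """Count what syslog.log received versus what the filters would pass on to the database."""
    r = {"received": 0, "to_database": 0, "filtered": 0, "unparsed": 0, "by_facility": Counter()}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        r["received"] += 1            # every message lands in syslog.log regardless of filters
        key = parse_key(line)
        if key is None:
            r["unparsed"] += 1
            continue
        r["by_facility"][key.split("-", 1)[0]] += 1
        matched = any(fnmatch.fnmatchcase(key, pat) for pat in filters)
        stored = matched if mode == "keep" else not matched   # Keep stores matches, Drop discards them
        r["to_database" if stored else "filtered"] += 1
    return r

if __name__ == "__main__":
    summary = evaluate(SAMPLE_LOG, KEEP_FILTERS, "keep")
    print(summary)   # the ASA lines are counted as received but filtered, as described in the thread
```

Running it against the real syslog.log (read the file instead of SAMPLE_LOG) shows at a glance whether any facility other than ASA is arriving at all, which is the question the thread turns on.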
Thanks for the reply. A last question: why isn't syslog.log being updated in real time? Currently, I can only see logs in the file that are a few hours old.
Thanks & Regards
The syslog daemon on Windows is tuned to allow for 200 messages per second by default. If you are getting less than this, you may notice some lag in when messages get written to the syslog.log.
You can tune some of the parameters under HKLM\SYSTEM\CurrentControlSet\Services\crmlog\Parameters in the Registry. In particular, try decreasing CrmMsgCount from 256 to 30, and see if messages start to show up quicker. After changing anything here, restart the crmlog service:
net stop crmlog
net start crmlog
Note: lowering these tunables will help messages show up quicker in the syslog.log, but will reduce the scalability of the syslog daemon.
Thanks for the reply. I have changed it to 30 Decimal and restarted crmlog. But it seems the syslog collector is still not receiving as many messages as what you have mentioned.
Is it normal to receive only 2000 messages in the past 4 hours for about 685 devices?
Maybe. You need to cross reference the local logs on these devices to what you're seeing in the syslog.log to see if you're missing any messages based on your logging trap level.