07-16-2009 07:58 AM
Syslog is collecting information, but I have some general questions about the config:
The Syslog Collector Status is showing up with the name of the CiscoWorks Server itself.
According to the Help screen this is where you configure the common syslog collector.
This has to be configured even though the CiscoWorks server is doing the collection to itself?
And the idea is that CiscoWorks could be pointed to a third party collector to create reports from off box syslog files?
Backup/Purge
Currently the purge is set up for once a month and the backup file size is 200M, but I am not sure this is the best configuration.
My understanding is that once the file is backed up, it is no longer viewable and no reports can be pulled in CiscoWorks, correct?
So with my current config, I am able to view/report a month back as long as the month of data is not bigger than 200M, is this correct?
Also, on the purge, does it delete files?
07-16-2009 08:19 AM
You can point the SyslogAnalyzer in RME to remote SyslogCollectors. They are not third party collectors, but either remote RME servers, or installations of the Remote Syslog Collector. Yes, the Analyzer needs to be registered to at least the local Collector in order to be able to process anything.
Correct, purged syslog messages will be backed up to a flat text file, and will not be viewable in the RME reports. You must comb through the backup file. The purge is from the database. RME purges old syslog messages, and will then write them to the specified backup file (if configured). You will be able to view reports in RME for syslog messages which are less than a month old.
07-16-2009 10:01 AM
Thanks Joe,
You have been busy today.
On the Message Filters,
If the Message Filter Type is set to "Drop" and the filters are created,
does "Enabled" mean that filter is active to drop those messages?
For example:
Drop (Message Filter Type)
+
Enabled (Message Filter) =
------------------------
Anything matching enabled filter is dropped
Drop (Message Filter Type)
+
Disabled (Message Filter) =
------------------------
Anything matching disabled filter is allowed
07-16-2009 10:44 AM
If the filter mode is set to drop, all enabled filters will drop matching messages. So your first example is correct.
07-17-2009 07:41 AM
Joe,
Is there an implicit deny after a "keep" + "Enabled" rule?
For example if I configure:
Keep
+
Enabled (allow Severity 7) =
-------------------------
Only Severity 7 messages
Is there a baseline or samples of filter configs that would be typically used?
07-17-2009 09:45 AM
Yes. If you want to set the mode to Keep, then be aware that only the messages which match enabled filters will be forwarded to the SyslogAnalyzer.
No, there is really no baseline. It really depends on the technologies deployed in your network, and what you are interested in. Personally, I prefer to be notified about config changes, all S0, 1, and 2 messages, and anything generated by EEM (%HA_EM...).
07-17-2009 10:05 AM
Joe,
Here is how I have the ASA appliances configured to collect severity 7 messages for the ASAs:
Facility   Sub-Facility   Severity   Mnemonic   Description
ASA        *              7          *          *
I can see how you would possibly configure the 0, 1 and 2:
Facility   Sub-Facility   Severity   Mnemonic   Description
*          *              0          *          *
*          *              1          *          *
*          *              2          *          *
How would the EEM messages be allowed?
07-17-2009 10:07 AM
Facility : HA_EM
Sub-facility : *
Severity : *
Mnemonic : LOG
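Added example, not part of the thread and not RME's own code: a small Python model of the filter semantics described above (Drop mode discards anything that matches an enabled filter; Keep mode forwards only what matches an enabled filter, i.e. an implicit deny; disabled filters are ignored). The filter rows are the ones from this thread (ASA severity 7, all severity 0-2, HA_EM/LOG, plus a CONFIG_I row for config changes). The Cisco tag regex, the substring treatment of the Description column, and the sample log lines are my assumptions, constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Cisco syslog tag: %FACILITY[-SUBFACILITY]-SEVERITY-MNEMONIC: description
# (assumed format; the optional group only matches when a sub-facility such as SP is present)
TAG_RE = re.compile(r"%([A-Z0-9_]+)-(?:([A-Z0-9_]+)-)?([0-7])-([A-Z0-9_]+):\s*(.*)$")


@dataclass
class SyslogMessage:
    facility: str
    subfacility: Optional[str]
    severity: int
    mnemonic: str
    description: str


def parse_message(line: str) -> Optional[SyslogMessage]:
    """Pull the Cisco tag out of a raw syslog line; None if the line carries no tag."""
    m = TAG_RE.search(line)
    if not m:
        return None
    facility, sub, sev, mnemonic, desc = m.groups()
    return SyslogMessage(facility, sub, int(sev), mnemonic, desc)


@dataclass
class MessageFilter:
    """One row of the RME message-filter table; '*' matches anything.
    Description is treated as a case-insensitive substring (assumption)."""
    facility: str = "*"
    subfacility: str = "*"
    severity: str = "*"
    mnemonic: str = "*"
    description: str = "*"
    enabled: bool = True

    def matches(self, msg: SyslogMessage) -> bool:
        def ok(pattern: str, value: Optional[str]) -> bool:
            return pattern == "*" or (value is not None and pattern == value)
        return (ok(self.facility, msg.facility)
                and ok(self.subfacility, msg.subfacility)
                and ok(self.severity, str(msg.severity))
                and ok(self.mnemonic, msg.mnemonic)
                and (self.description == "*"
                     or self.description.lower() in msg.description.lower()))


def apply_filters(mode: str, filters: List[MessageFilter], lines: List[str]) -> List[str]:
    """Return the lines the collector would pass on to the SyslogAnalyzer.
    Drop: a message matching any enabled filter is dropped, the rest are forwarded.
    Keep: only messages matching an enabled filter are forwarded (implicit deny).
    Disabled filters never participate; untagged lines never match a filter."""
    if mode not in ("Drop", "Keep"):
        raise ValueError("mode must be 'Drop' or 'Keep'")
    forwarded = []
    for line in lines:
        msg = parse_message(line)
        hit = msg is not None and any(f.enabled and f.matches(msg) for f in filters)
        if (mode == "Drop" and not hit) or (mode == "Keep" and hit):
            forwarded.append(line)
    return forwarded


# Constructed sample lines for the example, not real device output.
SAMPLE_LINES = [
    "Jul 17 09:45:01 fw1 %ASA-7-609001: Built local-host inside:10.0.0.5",
    "Jul 17 09:45:02 fw1 %ASA-6-302013: Built inbound TCP connection 1234 for outside:198.51.100.7/443",
    "Jul 17 09:45:03 rtr1 %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.0.0.9)",
    "Jul 17 09:45:04 rtr1 %HA_EM-6-LOG: tracker: interface Gi0/1 went down",
    "Jul 17 09:45:05 sw1 %SYS-SP-2-MALLOCFAIL: Memory allocation of 4096 bytes failed",
    "Jul 17 09:45:06 sw1 %LINEPROTO-5-UPDOWN: Line protocol on Interface Gi0/1, changed state to down",
]

# Filter rows from the thread, plus a config-change row; the last row is present but disabled.
THREAD_FILTERS = [
    MessageFilter(facility="ASA", severity="7"),
    MessageFilter(severity="0"),
    MessageFilter(severity="1"),
    MessageFilter(severity="2"),
    MessageFilter(facility="HA_EM", mnemonic="LOG"),
    MessageFilter(facility="SYS", mnemonic="CONFIG_I"),
    MessageFilter(facility="LINEPROTO", enabled=False),
]


def keep_mode_result() -> List[str]:
    return apply_filters("Keep", THREAD_FILTERS, SAMPLE_LINES)


def drop_mode_result() -> List[str]:
    return apply_filters("Drop", THREAD_FILTERS, SAMPLE_LINES)


if __name__ == "__main__":
    for mode, result in (("Keep", keep_mode_result()), ("Drop", drop_mode_result())):
        print(f"{mode} mode forwards {len(result)} of {len(SAMPLE_LINES)} lines:")
        for line in result:
            print("  ", line)
```

Running it shows the same filter table giving complementary results in the two modes: in Keep mode only the ASA-7, CONFIG_I, HA_EM-LOG and severity-2 lines survive (the LINEPROTO row is disabled, so that line is not kept), while Drop mode forwards exactly the two lines Keep mode discarded.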
07-17-2009 10:19 AM
Thanks Joe,
I can see the collector status is showing that it was updated when I made a filter change.
Does it need to be re-subscribed, or can these changes be made on the fly?