cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
679
Views
20
Helpful
8
Replies

RME Syslog Questions

wilson_1234_2
Level 3
Level 3

Syslog is collecting information, but I have some general questions about the config:

The Syslog Collector Status is showing up and the name of the CiscoWorks Server itself.

Accoring to the Help screen this is where you configure the common syslog collector.

This has to be configured even though the CiscoWorks server is doing the collection to itself?

And the idea is that CiscoWorks could be pointed to a third party collector to create reports from off box syslog files?

Backup/Purge

Currently the purge is set up for once a month and the backup file size is 200M, but I am not sure this is the best configuration.

My understanding is that once the file is backed up, it is no longer viewed and no reports pulled in CiscoWorks, correct?

So with my current config, I am able to view/report a month back as long as the month of data is not bigger than 200M, is this correct?

Also, on the purge, does it delete files?

8 Replies 8

Joe Clarke
Cisco Employee
Cisco Employee

You can point the SyslogAnalyzer in RME to remote SyslogCollectors. They are not third party collectors, but either remote RME servers, or installations of the Remote Syslog Collector. Yes, the Analyzer needs to be registered to at least the local Collector in order to be able to process anything.

Correct, purged syslog messages will be backed up to a flat text file, and will not be viewable in the RME reports. You must comb through the backup file. The purge is from the database. RME purges old syslog messages, and will then write them to the specified backup file (if configured). You will be able to view reports in RME for syslog messages which are less than a month old.

Thanks Joe,

You have been busy today.

On the Message Filters,

If the Message Filter Type is set to "Drop" and the filters are created,

does "Enabled" mean that filter is active to drop those messages?

For example:

Drop (Message Filter Type)

+

Enabled (Message Filter) =

------------------------

Anything matching enabled filter is dropped

Drop (Message Filter Type)

+

Disabled (Message Filter) =

------------------------

Anything matching disabled filter is allowed

If the filter mode is set to drop, all enable filters will drop matching messages. So your first example is correct.

Joe,

Is there an implicit deny after a "keep" + "Enabled" rule?

For example if I configure:

Keep

+

Enabled (allow Severity 7)=

-------------------------

Only Severity 7 messages

Is there a baseline or samples of filter configs that would be typically used?

Yes. If you want to set the mode to Keep, then be aware that only the messages which match enabled filters will be forwarded to the SyslogAnalyzer.

No, there is really no baseline. It really depends on the technologies deployed in your network, and what you are interested in. Personally, I prefer to be notified about config changes, all S0, 1, and 2 messages, and anything generated by EEM (%HA_EM...).

Joe,

Here is how I have the ASA appliances configured to collect severity 7 messages for the ASAs:

Facility Sub-Facility Severity Mnemonic Description

ASA * 7 * *

I can see how you would possibly configure the 0, 1 and 2:

Facility Sub-Facility Severity Mnemonic Description

* * 0 * *

* * 1 * *

* * 2 * *

How would the EEM messages be allowed?

Facility : HA_EM

Sub-facility : *

Severity : *

Mnemonic : LOG

Thanks Joe,

I can see the collector status is showing that it was updated when I made a filter change,

Does it need to be re subscribed, or these changes can be made on the fly?

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: