Solved: Re: Syslog Collector: Unable to resurrect connection to a subscr - Page 2

jeeyishyuan · ‎01-19-2009

Hi Experts,

I found this logs in SyslogCollector.log.

NMSROOT is C:/PROGRA~2/CSCOpx

propFileC:/PROGRA~2/CSCOpx\MDC\tomcat\webapps\rme\WEB-INF\classes\C:\PROGRA~2\CSCOpx\MDC\tomcat\webapps\rme\WEB-INF\classes\com\cisco\nm\rmeng\csc\data\Collector.properties

Unable to find the file C:/PROGRA~2/CSCOpx\MDC\tomcat\webapps\rme\WEB-INF\classes\C:\PROGRA~2\CSCOpx\MDC\tomcat\webapps\rme\WEB-INF\classes\com\cisco\nm\rmeng\csc\data\Collector.properties

NMSROOT is C:/PROGRA~2/CSCOpx

propFileC:/PROGRA~2/CSCOpx\MDC\tomcat\webapps\rme\WEB-INF\classes\com\cisco\nm\rmeng\csc\data\Collector.properties

SyslogCollector - [Thread: main] INFO , 19 Jan 2009 17:31:31,500, Logging System Initialized.

SyslogCollector - [Thread: main] INFO , 19 Jan 2009 17:31:31,500, System Initialized.

SyslogCollector - [Thread: main] WARN , 19 Jan 2009 17:31:37,203, Unable to get the filters for subscriber ciscoworkProd. Default value will be used.

NMSROOT is C:/PROGRA~2/CSCOpx

propFileC:/PROGRA~2/CSCOpx\MDC\tomcat\webapps\rme\WEB-INF\classes\C:\PROGRA~2\CSCOpx\MDC\tomcat\webapps\rme\WEB-INF\classes\com\cisco\nm\rmeng\csc\data\Collector.properties

Unable to find the file C:/PROGRA~2/CSCOpx\MDC\tomcat\webapps\rme\WEB-INF\classes\C:\PROGRA~2\CSCOpx\MDC\tomcat\webapps\rme\WEB-INF\classes\com\cisco\nm\rmeng\csc\data\Collector.properties

NMSROOT is C:/PROGRA~2/CSCOpx

propFileC:/PROGRA~2/CSCOpx\MDC\tomcat\webapps\rme\WEB-INF\classes\com\cisco\nm\rmeng\csc\data\Collector.properties

SyslogCollector - [Thread: main] INFO , 19 Jan 2009 17:41:22,093, Logging System Initialized.

SyslogCollector - [Thread: main] INFO , 19 Jan 2009 17:41:22,093, System Initialized.

SyslogCollector - [Thread: main] INFO , 19 Jan 2009 17:41:22,171, Subscriber list is empty!

Can the Experts advise me why is the collector properties file is not found? I have checked the NMS root directory, the file is there.

Secondly, how can I re-subscribe the collector? Unsubscribe the collector for troubleshooting purpose.

I really appreciate it greatly if the Experts can show me some light. Thanks a billion!!!

Regards,

Yi Shyuan

Joe Clarke · ‎01-20-2009

This filter will match any message. If you enable this filter, you will need to set your mode to KEEP to receive any messages. That said, you could also disable or remove all filters, set the mode to KEEP, and achieve the same result.

jeeyishyuan · ‎01-20-2009

Hi jclarke,

This is my current filter setting (attached screen shot).

Based on your last reply, I should be able to receive any syslog messages from switches that configured to log to LMS server. However, I still don't receive any log for that.

Thanks & Regards

YS

Joe Clarke · ‎01-20-2009

Are new messages being written to the syslog.log file? What does the Syslog Collector Status page look like?

jeeyishyuan · ‎01-20-2009

New messages are not being written in the syslog log file.

I have attached the Syslog Collector Status screen shot.

Joe Clarke · ‎01-20-2009

According to this, new messages are being written to syslog.log. The Collector has forwarded 483 messages to the Analyzer for database insertion since the server was rebooted. Why exactly do you think it's not working?

jeeyishyuan · ‎01-20-2009

As I don't see any syslog messages from other devices beside the ASA devices in syslog.log

However, I am able to view records for switches in the recent generated 24 hour report.

As I need to achieve all the received syslog messages for audit purpose, I need to make sure that all the syslog messages are received in the log file (if I'm not wrong, syslog.log should be the one).

If possible, you can advise me on the archive portion too?

Thank you very much!!!

Joe Clarke · ‎01-20-2009

The messages must be making it to syslog.log, then. There is no other log file. Messages are first written to syslog.log by crmlog. Then, the SyslogCollector reads the messages from that file, and applies filters. If the messages pass the filters, then they are forwarded to the Analyzer which inserts the messages into the database.

Since you can run reports, and see the desired messages, they must be in syslog.log. You can use the logview command to tail syslog.log in real-time to look at incoming messages. For example:

C:\> logview C:\PROGRA~1\CSCOpx\log\syslog.log

jeeyishyuan · ‎01-20-2009

Yes, the logview command does show me the log from syslog.log but the logs shown are not real time as well. I have refreshed the syslog collector status a few times, where the number of the received message doesn't seem to increase in short duration as well.

I find this strange as more syslog messages are received by Kiwi Syslog Server.

Joe Clarke · ‎01-21-2009

In order to scale, the crmlog daemon doesn't immediately write the syslog messages it receives to syslog.log. It buffers then, then does periodic flushes, or writes when the buffer becomes full. It depends on the amount of syslog messages being received as to how often it writes out the messages. There are ways to increase this flush period. If you open a TAC service request, those techniques can be explained to you.

jeeyishyuan · ‎01-21-2009

Thanks jclarke for the info!

I would like to ask for question in archiving Syslog 24 hour report. Should I start a new conversation or continue here?

My question is how can I view the report once it is archived? As I realized that the output file format is not readable using notepad.

Thanks & Regards

YS

Joe Clarke · ‎01-21-2009

Syslog messages that are purged from the database, and written to a flat file can be viewed simply by opening the archive files in a text editor/browser. The syslog messages are stored in a format similar to that of syslog.log.

Syslog Collector: Unable to resurrect connection to a subscriber