Cisco Support Community
New Member

Syslog Collector

I have LMS 2.5. I have been trying to get the syslog portion set up. I get an error in the syslogcollector log that says unable to add monitor. I know next to nothing about syslog. I have tried to find info on the web, and it always talks about a Remote Syslog Collector. Can the syslog collector and the syslog analyzer be the same box? Because that is all I have, one box.

Thanks,

Kari

1 ACCEPTED SOLUTION

Accepted Solutions
Cisco Employee

Re: Syslog Collector

This is exactly what I thought. You have bad filter settings. When you disable or delete all of your filters, but keep the mode set to DROP, all messages will be dropped (hence the Forwarded count of 0). If you just want to verify syslog is working, disable all your filters, and set the mode to KEEP. Send some test messages, and the Forwarded count should start increasing. Once that happens, syslog messages should be written to the database.

12 REPLIES
Cisco Employee

Re: Syslog Collector

Absolutely they can be on the same machine. If you cannot subscribe the Analyzer to the Collector, there could be quite a few problems. The most obvious is that TCP ports 3333 and 4444 may be occupied by other services. Shut down dmgtd, then look at netstat -a -n to see if either of those ports is still in use.
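An added example, not part of the reply above or of any Cisco tool: a small Python filter for `netstat -a -n` output that reports only sockets whose local TCP port is 3333 or 4444, so a foreign port 4444 or a local port 33333 is not mistaken for a conflict. The sample output is constructed, and the Windows and Linux column layouts are assumed (Solaris prints addresses as `*.3333` and is not handled).

```python
import re
import sys

# Ports named in the reply above for the Collector/Analyzer subscription.
PORTS = {3333, 4444}

# Constructed sample of Windows `netstat -a -n` output (not from the thread).
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3333           0.0.0.0:0              LISTENING
  TCP    10.0.0.5:49152         10.0.0.9:4444          ESTABLISHED
  TCP    10.0.0.5:33333         10.0.0.9:80            TIME_WAIT
  TCP    [::]:3333              [::]:0                 LISTENING
  UDP    0.0.0.0:514            *:*
"""

# TCP rows only; the optional group skips Linux's Recv-Q/Send-Q columns.
ROW = re.compile(
    r"^\s*tcp6?\s+(?:\d+\s+\d+\s+)?(\S+)\s+(\S+)\s+(\S+)\s*$", re.IGNORECASE
)


def local_port(addr):
    """Port number from '0.0.0.0:3333', '[::]:3333' or ':::3333'."""
    return int(addr.rsplit(":", 1)[1])


def ports_in_use(netstat_text, ports=PORTS):
    """Map each watched port to the (local address, state) rows holding it."""
    found = {}
    for line in netstat_text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # header, blank line or UDP row
        local, _foreign, state = m.groups()
        port = local_port(local)  # compare the LOCAL side only
        if port in ports:
            found.setdefault(port, []).append((local, state))
    return found


if __name__ == "__main__":
    # Pipe real output in (netstat -a -n | python this_file.py) or run bare
    # to see the constructed sample.
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    for port in sorted(PORTS):
        print(port, ports_in_use(text).get(port, "free"))
```
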

New Member

Re: Syslog Collector

Okay, I looked and they are not in use. I tried again to subscribe, and again the log told me "unable to add monitor". When I go to subscribe, it gives me a box that talks about the certificate, and making sure it is on the peer server, but if it is the same server, do I need to do anything special? And when I look at Server-Security, it says that the self-signed certificate is found and valid, but whenever I log in with IE it says there is a problem with the certificate. I always ignore it and carry on, but I thought that information might be helpful.

Thank you,

Kari

Cisco Employee

Re: Syslog Collector

Please post your SyslogCollector.log, SyslogAnalyzer.log, SyslogAnalyzerUI.log, and AnalyzerDebug.log.

New Member

Re: Syslog Collector

The sysloganalyzer.log was completely empty.

And if there is a glaringly obvious error, I apologize. I know very little about syslog. That is why I am trying to get this configured, so I can learn.

Cisco Employee

Re: Syslog Collector

There is nothing obvious here which means that SyslogCollector debugging needs to be enabled. This is done in the Collector.properties file which can be found by searching under NMSROOT. After enabling debug, pdterm/pdexec SyslogCollector, reproduce the problem, then post the new SyslogCollector.log.

New Member

Re: Syslog Collector

At first I set it to debug. Then I stopped the service, set it to warning. Both times when I went into syslog status collector, it had the ip of the server and a bunch of NAs in the other fields. I clicked on subscribe, it asks for the ip. I have been giving it its ip. Clicked okay, it changed from the address to the name of the server.

Cisco Employee

Re: Syslog Collector

Looks like it's working now. However, you may have a problem with your filters. Please include a screenshot of your syslog filters screen.

New Member

Re: Syslog Collector

Honestly, I haven't done anything to the filters page. I thought that if I left it alone, all messages would be sent to the Analyzer. But when I run a report, I don't see anything. And after I change the debug back to info and go back into Collector and try to subscribe and go look at the log, it still says unable to add monitor. Is there some sort of delay in when the collector collects and the analyzer grabs it and analyzes?

Thanks for all the time you've spent posting.

Kari

Cisco Employee

Re: Syslog Collector

There is a delay on Windows depending on the number of messages coming in per second. As soon as the message is written to the syslog.log file, SyslogCollector should process it, though. There is no delay in the Cisco pieces on Solaris.

I would still like to see screenshots from your filter page and from the Syslog Collector Status page.

New Member

Re: Syslog Collector

I was hoping that if I left it alone, it would magically be working when I came back in today, but no. When I run a syslog report, there are no records. I can see from the syslog collector page that the devices are sending messages, it just isn't getting to the syslog analyzer.

The screenshot of the message filter is how it was configured originally. I did try clicking on Keep and enabling some of the filters (and on the syslog collector page, it shows that a lot of the messages were filtered), but that didn't seem to help either.

Cisco Employee

Re: Syslog Collector

This is exactly what I thought. You have bad filter settings. When you disable or delete all of your filters, but keep the mode set to DROP, all messages will be dropped (hence the Forwarded count of 0). If you just want to verify syslog is working, disable all your filters, and set the mode to KEEP. Send some test messages, and the Forwarded count should start increasing. Once that happens, syslog messages should be written to the database.

New Member

Re: Syslog Collector

Alright, I'm an idiot, you're a genius. Thank you so much for your help. I can see it forwarding, and I can run reports.
