Post the SyslogCollector.log.

Here's the file.

Run the pdterm command again. Then, clear out the contents of NMSROOT/MDC/tomcat/webapps/rme/WEB-INF/classes/com/cisco/nm/rmeng/csc/data/filters.dat

. Then delete NMSROOT/MDC/tomcat/webapps/rme/WEB-INF/classes/com/cisco/nm/rmeng/sa/data/collectors.dat and NMSROOT/MDC/tomcat/webapps/rme/WEB-INF/classes/com/cisco/nm/rmeng/csc/data/Subscribers.dat. Then run the pdexec command to restart SyslogCollector and SyslogAnalyzer. See if the numbers go back to 0.

Hi Joe,

Thanks for the solution. I have get the syslog collector status back to with number 0 by restoring with previous backup. I will try again the solution if the same problem appeared.

Regards

YS

Hi Joe,

One last question here is can I still retrieve the compressed syslog messages (currently stored in .gz file) from LMS GUI? If not, can I simply use winzip to extract the information?

Thanks and Regards,

YS

As long as the syslog messages have not been purged from the RME database, then you can still look at them within LMS. However, there is no UI to look at purged syslog messages, or those found in logrot archives. If you unzip the logrot archives, you will have the original syslog.log back in its original format.

Hi Joe,

Thanks for the reply.

I have managed to get the syslog collector status back to 0 but it doesn't seem to be running as the number still remain 0 for more than a day. what could you advise here?

Regards

YS

Make sure messages are still coming into your syslog.log file, and that those messages are allowed by your filters.

Yes, syslog.log file size is increasing every minute and message filter is set to keep.

Another question is why the scheduled rotation job is not running as i realized the syslog.log file size is still the same and the content is not saved to the compressed file (.gz).

What messages are coming into syslog.log, and what exactly does your filter configuration look like?

How often are you running logrot? What does your AT config look like? What is the output of NMSROOT\bin\perl NMSROOT\bin\logrot.pl -v?

The syslog.log is currently too huge to be posted here. It is is now more than 500MB.

A few messages that I have captured are

Mar 30 10:01:20 172.24.207.9 Mar 30 2009 10:01:18: %ASA-6-302015: Built inbound UDP connection 1778348 for Outside:172.17.21.40/67 (172.17.21.40/67) to Inside:10.71.13.14/68 (10.71.13.14/68)

Mar 30 10:01:20 172.26.207.9 Mar 30 2009 10:01:18: %ASA-6-302020: Built inbound ICMP connection for faddr 192.168.216.139/63311 gaddr 10.71.209.251/0 laddr 10.71.209.251/0

Mar 30 10:01:20 172.24.207.9 Mar 30 2009 10:01:18: %ASA-6-302013: Built outbound TCP connection 1778349 for Outside:172.17.16.93/139 (172.17.16.93/139) to Inside:10.71.192.39/1374 (10.71.192.39/1374)

Mar 30 10:01:20 172.24.207.9 Mar 30 2009 10:01:18: %ASA-6-302020: Built inbound ICMP connection for faddr 172.17.16.93/768 gaddr 10.71.192.39/0 laddr 10.71.192.39/0

Mar 30 10:01:20 172.24.207.9 Mar 30 2009 10:01:18: %ASA-6-302020: Built outbound ICMP connection for faddr 172.17.16.93/768 gaddr 10.71.192.39/0 laddr 10.71.192.39/0

Filter config is in the screen shot.

As for the schedule logrot job query, I just figured out the running directory path is wrong. Thanks for the help.

Are all of the numbers on the status page 0, or is it just the forwarded count?

The number is all 0 now.

Post NMSROOT/MDC/tomcat/webapps/rme/WEB-INF/classes/com/cisco/nm/rmeng/csc/data/Collector.properties. What is the path of your syslog.log?