Attention: The Community will be in read-only mode on 12/14/2017 from 12:00 am pacific to 11:30 am.
During this time you will only be able to see content. Other interactions such as posting, replying to questions, or marking content as helpful will be disabled for few hours.
We apologize for the inconvenience while we perform important updates to the Community.
My syslog.log file size is getting too large (about 9GB) within a month. Is there a way for me to run any job for me to archive syslog.log and compress it in a smaller file size?
Thanks and Regards,
Solved! Go to Solution.
Your Collector.properties is till pointing to NMSROOT\log\syslog.log. If your active syslog message file is a different file, you need to update the SYSLOG_FILES property in Collector.properties, then restart SyslogCollector and SyslogAnalyzer.
The backup directory is wherever you want it to be. This is where archives will be stored, so it needs to have enough space to hold them all. The number of revision is again, left up to you. How many old revisions do you want?
Thanks for the reply. I get what you mean now. But is it possible for me to automate or schedule this job to be run?
Thanks & Regards,
From the Common Services User Guide
Chapter 4 Configuring the Server
Administering Common Services
(pages 4-102 and 103), logrot works as follows:
Running Logrot Script
To run the Logrot Script enter:
â¢ On Windows:
Enter NMSROOT\bin\perl NMSROOT\bin\logrot.pl
â¢ On Solaris:
You can schedule log rotation so that the utility works on a specified time and day.
Hope this helps. Please rate this post if it does.
If you have LMS 3.1, you can schedule logrot from the Log Rotation screen. Else, here are the instructions:
logrot is typically run from UNIX cron or Windows AT. However, before
automating logrot, you should verify it runs on-demand. For example, to
run logrot on UNIX:
and on Windows:
Once you've verified things work on-demand, you can setup cron on UNIX:
0 1 * * * /opt/CSCOpx/bin/logrot.pl 2>&1 | /usr/lib/sendmail root
or AT on Windows:
at 01:00 /every:M,T,W,Th,F,S,Su C:\progra~1\CSCOpx\bin\perl.exe C:\progra~1\CSCOpx\bin\logrot.pl
(This assumes CiscoWorks is installed in the default location on Windows.)
Those commands will run logrot every day at 1:00 AM. The UNIX cron line will
also send all output of the command to root via email.
logrot accepts some command-line flags as well. If you pass -v to logrot,
logrot will output verbose messages as it runs. The -s option tells logrot
to shutdown dmgtd before rotating the logs. This can be a safer way of
doing log rotations (see the BUGS section below). The -c option can be
specified at any time to re-run the configurator.
Just would like to check with you, how can I view the scheduled job status in LMS login page (GUI)? When logrot job is started to run, will the syslog service and daemon manager being shutdown automatically?
Or is there such a need to stop syslog service for every logrot job to be done? As I realized the syslog collector status will be reset each time I shut down the crmlog service.
A crmlog error 1067 also encountered recently. Any way to correct it?
If you have schedule logrot to run using AT or cron, then there is no way to see its progress in LMS.
If you configure logrot to do an offline rotation (logrot.pl -s) then Daemon Manager will be shutdown. For some log files, it is necessary to do an offline rotation in order to properly rotate them.
I do not know what a 1067 error is. What other details did you get? When did you get this error? What were you doing?
I am running logrot for syslog.log, will offline rotation be necessary? How can I configure the scheduled logrot job to run offline rotation? How can I cancel logrot schedule job?
The error 1067 is encountered each time when I stop and start crmlog. Is stopping crmlog necessary when I am running logrot on syslog.log?
No, restarting crmlog is not necessary. However, this error could point to some other process binding to udp/514.
Just run logrot.pl -s to run an offline rotation. Logrot will handle automatically restarting Daemon Manager.
To cancel an AT job, just run:
AT ID /delete
Where ID is the ID of the schedule AT job. To cancel a cron job, just remove the entry from the crontab file.
How would advise me for the error I encountered when I stop and start CWCS Syslog service as my syslog collector status is not reset and number of syslog messages are now read as NA and the up time is not reachable. Please refer to the screen shot attached for more info.
Thanks n Regards,
These numbers have nothing to do with crmlog. These point to a problem with SyslogCollector and/or SyslogAnalyzer. Try:
pdterm SyslogCollector SyslogAnalyzer
pdexec SyslogCollector SyslogAnalyzer
Run the pdterm command again. Then, clear out the contents of NMSROOT/MDC/tomcat/webapps/rme/WEB-INF/classes/com/cisco/nm/rmeng/csc/data/filters.dat
. Then delete NMSROOT/MDC/tomcat/webapps/rme/WEB-INF/classes/com/cisco/nm/rmeng/sa/data/collectors.dat and NMSROOT/MDC/tomcat/webapps/rme/WEB-INF/classes/com/cisco/nm/rmeng/csc/data/Subscribers.dat. Then run the pdexec command to restart SyslogCollector and SyslogAnalyzer. See if the numbers go back to 0.
Thanks for the solution. I have get the syslog collector status back to with number 0 by restoring with previous backup. I will try again the solution if the same problem appeared.
One last question here is can I still retrieve the compressed syslog messages (currently stored in .gz file) from LMS GUI? If not, can I simply use winzip to extract the information?
Thanks and Regards,
As long as the syslog messages have not been purged from the RME database, then you can still look at them within LMS. However, there is no UI to look at purged syslog messages, or those found in logrot archives. If you unzip the logrot archives, you will have the original syslog.log back in its original format.
Thanks for the reply.
I have managed to get the syslog collector status back to 0 but it doesn't seem to be running as the number still remain 0 for more than a day. what could you advise here?
Yes, syslog.log file size is increasing every minute and message filter is set to keep.
Another question is why the scheduled rotation job is not running as i realized the syslog.log file size is still the same and the content is not saved to the compressed file (.gz).
What messages are coming into syslog.log, and what exactly does your filter configuration look like?
How often are you running logrot? What does your AT config look like? What is the output of NMSROOT\bin\perl NMSROOT\bin\logrot.pl -v?
The syslog.log is currently too huge to be posted here. It is is now more than 500MB.
A few messages that I have captured are
Mar 30 10:01:20 172.24.207.9 Mar 30 2009 10:01:18: %ASA-6-302015: Built inbound UDP connection 1778348 for Outside:172.17.21.40/67 (172.17.21.40/67) to Inside:10.71.13.14/68 (10.71.13.14/68)
Mar 30 10:01:20 172.26.207.9 Mar 30 2009 10:01:18: %ASA-6-302020: Built inbound ICMP connection for faddr 192.168.216.139/63311 gaddr 10.71.209.251/0 laddr 10.71.209.251/0
Mar 30 10:01:20 172.24.207.9 Mar 30 2009 10:01:18: %ASA-6-302013: Built outbound TCP connection 1778349 for Outside:172.17.16.93/139 (172.17.16.93/139) to Inside:10.71.192.39/1374 (10.71.192.39/1374)
Mar 30 10:01:20 172.24.207.9 Mar 30 2009 10:01:18: %ASA-6-302020: Built inbound ICMP connection for faddr 172.17.16.93/768 gaddr 10.71.192.39/0 laddr 10.71.192.39/0
Mar 30 10:01:20 172.24.207.9 Mar 30 2009 10:01:18: %ASA-6-302020: Built outbound ICMP connection for faddr 172.17.16.93/768 gaddr 10.71.192.39/0 laddr 10.71.192.39/0
Filter config is in the screen shot.
As for the schedule logrot job query, I just figured out the running directory path is wrong. Thanks for the help.
Post NMSROOT/MDC/tomcat/webapps/rme/WEB-INF/classes/com/cisco/nm/rmeng/csc/data/Collector.properties. What is the path of your syslog.log?