
Syslog messages not able to find in reports

ravirepaka
Level 1

Hi

I am facing the following problem with syslog messages:

I am using Cisco IOS nodes in my environment. On an IOS node I did the following configuration:

Sys logging on

Syslogging host 10.60.165.67 (IP address of CiscoWorks)

I am able to find the messages processed in RME -> Syslog Collector Status: messages processed: 12563, messages filtered: 0, invalid: 0.

I am not able to see them in any kind of report [custom/standard/custom summary report]. Do I need to make any changes to find the syslog messages in reports?

Any kind of help is appreciated

Thanks

Ravi

13 Replies

nhabib
Level 9

Which version of Resource Manager Essentials are you running? Is it on Windows or Solaris?

dany.datacraft
Level 1

Ravi,

Check the following file: C:\Program Files\CSCPpx\log\syslog.log (if running on a Windows box)

See if you can find syslogs coming from your device here.

If yes, you can follow the steps in the following link to troubleshoot syslog:

http://www.cisco.com/en/US/partner/products/sw/cscowork/ps2073/products_user_guide_chapter09186a0080357718.html#wp1037688

mapones
Level 1

Ravi, you also need to tell the router which interface's IP address to use as the source. Usually you use a loopback interface. Use the following command:

logging source-interface loopback0 (or whatever interface you want)

You also need to make sure that the source IP address that you use for the syslog resolves to the same name as the IP address that you added the device into CiscoWorks as. So if you add "Router1" and it resolves to 1.1.1.1, you need to make sure that the reverse lookup for 1.1.1.1 resolves to "Router1"; otherwise it will not know what device to associate the syslog msg with.

I just went through this for the past few days. I hope this makes sense.

Mike

If you don't configure logging source-interface loopback0, or whatever interface, what other kind of issues did or could you see?

I'm in the process of configuring a few thousand devices of many different models to log to a syslog server. I think the messages are coming in but I can't be 100% sure they are...

The RME servers we have are getting messages from a remote syslog server which is using the Remote Syslog Analyzer Collector (RSAC) software to do this. I just found out today from nhabib that the messages don't get written to a file on the RME server but in turn get written directly to the DB.

It would really be a drag if I have to go back through all of those devices and add the source-interface statement.

Hi Mapones,

I did enter logging source-interface vlan XX, but could not find the messages in reports. When I give sh logging on the routers I can see messages getting forwarded to my CiscoWorks!!!, but I cannot see them in the RME-Syslog messages->standard/custom reports.

And I discovered the devices/entered the devices into RME inventory by IP address, so name to IP address resolution does not come into the picture!!!!

Does anyone have any other solution??

Please help

Do the messages show up in the Unexpected Device Report under RME > Syslog Analysis > Unexpected Device Report?

Perhaps the messages are getting filtered out by the message filter....

Well, this is a new installation and I have not applied any filter till now.

I can see the syslog messages in unexpected messages, but those messages are from the devices that are not being monitored by LMS, like firewalls and undiscovered devices.

I am having a problem with the devices that are being monitored [CISCO IOS 6509 and 7206 with IOS 12.2(17d)sxb8] nodes.

On an IOS device, I'm using:

logging on

logging 1.1.1.1

logging trap information (logs level 6,5,4,3,2,1 and 0)

I noticed you were missing the last statement.

Also, check through the link the guy posted earlier:

http://www.cisco.com/en/US/partner/products/sw/cscowork/ps2073/products_user_guide_chapter09186a0080357718.html#wp1037688

Good luck.

Just to clarify. If one configures the IOS device using:

logging trap informational

then the command will not show up in the running configuration.

In this case, the messages seem to be making it to the CiscoWorks server (based on the first post in the thread, number of processed messages is non-zero), but are not getting displayed.

A couple of reasons for this:

- the messages are not getting mapped properly to the device (incorrect source IP address might be the reason)

- RME database is corrupt

Ravi, nhabib is correct. My experience has been the first reason he gives: it is not getting mapped to the device properly.

Regarding your question about not using the source-interface command, if you don't use that command the source of the syslog packet could be any interface (mostly the interface the packet leaves the device on). If you use the command the packet will ALWAYS be sourced from the same interface. And that IP is what you need entered into CiscoWorks.

Did you ever tell us what version of CiscoWorks you are using and on what platform (Solaris or Windows)? This will help in the troubleshooting.

You NEED to make sure that the IP address (you said you were not using DNS) you added the device into CiscoWorks with is the same IP that the syslog packet comes from. So that IP needs to be in the source-interface statement.

Mike

Hi Mike,

Let me clear up a few things.

1. With the help of previous replies, I configured the following on the Cisco IOS nodes:

i) Logging on

ii) Logging host 192.168.0.1 [IP address of CiscoWorks/RME]

iii) Logging source-host vlan191 (This is the management VLAN; this VLAN has only one interface and the IP 10.60.191.0X under vlan 191. The discovery was made on the same IP address and found the discovery)

iv) Logging trap informational

2. I don't suspect any problem with the RME database, as I am able to see the syslogs getting logged into CiscoWorks from firewalls and other undiscovered nodes.

3. I am using CiscoWorks LMS 2.2 with RME 3.5 with IDU 13.0 on a WINDOWS box.

4. The syslog service is running under start->access->services

Please let me know if you need any information on this.

Thanks

RR

ravirepaka, sorry I was unable to reply for a while. I was out of town.

Is this still an issue? If so, look in the "install directory"/log/syslog.txt (I think it is .txt, but it will be called syslog). See if you can create a syslog entry from the device you are having issues with. Usually I just do a config t and then exit. That will generate a config change message in syslog. Look in the syslog to make sure you see it going out. Then open the syslog.txt file on the server and you should see the syslog message come in. Note the IP address and make sure it is what you think it is (10.60.191.0X).

Let me know if you get that far and then we can check some other things.

Mike
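
The check described in the post above (note the sender address on each incoming message and confirm it is the address the device was added with), as an added example that is not part of the original thread. It assumes BSD-style log lines with the sender in the fourth field; the sample lines, the inventory addresses and the function name are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Assumed layout: "Mon DD HH:MM:SS <sender> <message>"; adjust for your collector.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+(?P<sender>\S+)\s+(?P<msg>.*)$"
)

def unmapped_senders(lines, inventory):
    """Count messages per sender that does not match a managed device address."""
    managed = {ipaddress.ip_address(a) for a in inventory}
    misses = Counter()
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a message line in the assumed layout
        try:
            sender = ipaddress.ip_address(m.group("sender"))
        except ValueError:
            # Sender was logged as a hostname, so it cannot be matched by address.
            misses[m.group("sender")] += 1
            continue
        if sender not in managed:
            misses[str(sender)] += 1
    return dict(misses)

# Constructed sample: 192.0.2.129 is a second interface of a managed device,
# i.e. the message left the router from an address the inventory does not know.
SAMPLE_LOG = """\
Mar  3 10:15:01 192.0.2.10 %SYS-5-CONFIG_I: Configured from console by vty0 (198.51.100.7)
Mar  3 10:15:09 192.0.2.129 %SYS-5-CONFIG_I: Configured from console by vty0 (198.51.100.7)
Mar  3 10:15:30 192.0.2.129 %LINK-3-UPDOWN: Interface GigabitEthernet1/1, changed state to up
Mar  3 10:16:02 192.0.2.11 %SYS-5-CONFIG_I: Configured from console by vty0 (198.51.100.7)
Mar  3 10:16:40 edge-fw1 %SYS-5-CONFIG_I: Configured from console by vty0 (198.51.100.7)
""".splitlines()

# Constructed inventory: the addresses the devices were added to the server with.
INVENTORY = ["192.0.2.10", "192.0.2.11"]

if __name__ == "__main__":
    for sender, count in sorted(unmapped_senders(SAMPLE_LOG, INVENTORY).items()):
        print(f"{sender}: {count} message(s) from an address not in inventory")
```
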
