I am facing the following problem with syslog messages:
I am using Cisco IOS nodes in my environment. In the IOS node I did the following configuration:
Sys logging on
Syslogging host 10.60.165.67 (IP address of CiscoWorks)
I am able to find the messages processed in RME->Syslog collector status: messages processed: 12563, messages filtered: 0, invalid: 0.
I am not able to see them in any kind of reports [custom/standard/custom summary report]. Do I need to make any changes to find the syslog messages in reports?
Any kind of help is appreciated.
Check the following file: C:\Program Files\CSCPpx\log\syslog.log (if running on a Windows box)
See if you can find syslogs coming from your device here.
If yes, you can follow the steps in the following link to troubleshoot syslog:
Ravi, you also need to tell the router which interface's IP address to use as the source. Usually you use a loopback interface. Use the following command:
logging source-interface loopback0 (or whatever interface you want)
You also need to make sure that the source IP address that you use for the syslog resolves to the same name as the IP address that you added the device into CiscoWorks as. So if you add "Router1" and it resolves to 18.104.22.168, you need to make sure that the reverse lookup for 22.214.171.124 resolves to "Router1", otherwise it will not know what device to associate the syslog msg with.
I just went through this for the past few days. I hope this makes sense.
If you don't configure logging source-interface loopback0, or whatever interface, what other kind of issues did or could you see?
I'm in the process of configuring a few thousand devices of many different models to log to a syslog server. I think the messages are coming in but I can't be 100% sure they are...
The RME servers we have are getting messages from a remote syslog server which is using the Remote Syslog Analyzer Collector (RSAC) software to do this. I just found out today from nhabib that the messages don't get written to a file on the RME server but in turn get written directly to the DB.
It would really be a drag if I have to go back through all of those devices and add the source-interface statement.
I did enter the logging source-interface vlan XX, but could not find the messages in reports. When I give sh logging in the routers I can see messages getting forwarded to my CiscoWorks!!! But I cannot see them in the RME-Syslog messages->standard/custom reports.
And I discovered the devices/entered the devices into RME inventory by IP address, so name to IP address resolution does not come into the picture!!!!
Does anyone have any other solution??
Well, this is a new installation and I have not applied any filter till now.
I can see the syslog messages in unexpected messages, but those messages are from the devices that are not being monitored by LMS, like firewall and undiscovered devices.
I am having a problem with the devices that are being monitored [Cisco IOS 6509 and 7206 with IOS 12.2(17d)sxb8] nodes.
On an IOS device, I'm using:
logging trap information (logs level 6,5,4,3,2,1 and 0)
I noticed you were missing the last statement.
Also, check through the link the guy posted earlier:
Just to clarify. If one configures the IOS device using:
logging trap informational
then the command will not show up in the running configuration
In this case, the messages seem to be making it to the CiscoWorks server (based on the first post in the thread, number of processed messages is non-zero), but are not getting displayed.
A couple of reasons for this:
- the messages are not getting mapped properly to the device (incorrect source IP address might be the reason)
- RME database is corrupt
Ravi, nhabib is correct. My experience has been that it is the first reason he gives: it is not getting mapped to the device properly.
Regarding your question about not using the source-interface command: if you don't use that command, the source of the syslog packet could be any interface (mostly the interface the packet leaves the device on). If you use the command, the packet will ALWAYS be sourced from the same interface. And that IP is what you need entered into CiscoWorks.
Did you ever tell us what version of Ciscoworks you are using and on what platform (Solaris or Windows)? This will help in the troubleshooting.
You NEED to make sure that the IP address (you said you were not using dns) you added the device into Ciscoworks with is the same IP that the syslog packet comes from. So that IP needs to be in the source-interface statement.
Let me clear up a few things.
With the help of previous replies, I configured on Cisco IOS nodes the following configuration:
ii) Logging host 192.168.0.1 (IP address of CiscoWorks/RME)
iii) Logging source-host vlan191 (This is the management VLAN; this VLAN has only one interface and the IP 10.60.191.0X under vlan 191. The discovery was made on the same IP address and found the discovery)
iii) Logging trap informational
2. I don't suspect any problem with the RME database, as I am able to see the syslogs getting logged into CiscoWorks from firewalls and other undiscovered nodes.
3. I am using CiscoWorks LMS 2.2 with RME 3.5 with IDU 13.0 on a Windows box.
4) syslog service is running under start->access-
Please let me know if you need any information on this.
ravirepaka, sorry I was unable to reply for a while. I was out of town.
Is this still an issue? If so, look in the "install directory"/log/syslog.txt (I think it is .txt, but it will be called syslog). See if you can create a syslog entry from the device you are having issues with. Usually I just do a config t and then exit. That will generate a config change message in syslog. Look in the syslog to make sure you see it going out. Then open the syslog.txt file on the server and you should see the syslog message come in. Note the IP address and make sure it is what you think it is (10.60.191.0X).
Let me know if you get that far and then we can check some other things.
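
The check the replies above keep coming back to (does the address a syslog message arrives from match the address the device was added under?), as an added example that is not part of the original thread. The line layout, the sample log lines and the inventory are constructed assumptions, not the CiscoWorks file format or anyone's real data.

```python
import re
from collections import Counter

# Assumed layout of a collector log line: "Mon DD HH:MM:SS <source> <message>".
LINE_RE = re.compile(
    r"^[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}\s+(\S+)\s+(.*)$"
)

def count_by_source(lines):
    """Count messages per source field; lines that do not parse are skipped."""
    counts = Counter()
    for line in lines:
        match = LINE_RE.match(line.strip())
        if match:
            counts[match.group(1)] += 1
    return counts

def compare_with_inventory(lines, inventory):
    """inventory maps the address a device was added under to a label.

    Returns (unmapped, silent):
      unmapped - sources seen in the log that match no inventory address
      silent   - inventory addresses that never appear as a source
    A device whose packets leave from a different interface than the one
    it was added under shows up in both lists at once.
    """
    counts = count_by_source(lines)
    unmapped = {src: n for src, n in counts.items() if src not in inventory}
    silent = sorted(addr for addr in inventory if addr not in counts)
    return unmapped, silent

# Constructed sample: the 6509 was added as 192.0.2.10 but sends from 192.0.2.129.
SAMPLE_LOG = [
    "Mar  1 10:15:02 192.0.2.129 45: %SYS-5-CONFIG_I: Configured from console by vty0",
    "Mar  1 10:15:40 192.0.2.20 112: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to down",
    "Mar  1 10:16:05 198.51.100.7 firewall: sample message from an unmanaged device",
    "Mar  1 10:16:09 192.0.2.129 46: %SYS-5-CONFIG_I: Configured from console by vty0",
    "garbled line that does not parse",
]
INVENTORY = {"192.0.2.10": "core-6509", "192.0.2.20": "wan-7206"}

if __name__ == "__main__":
    unmapped, silent = compare_with_inventory(SAMPLE_LOG, INVENTORY)
    for src, n in sorted(unmapped.items()):
        print(f"{n} message(s) from {src}: no inventory entry with this address")
    for addr in silent:
        print(f"{INVENTORY[addr]} ({addr}): no messages received from this address")
```

A managed device that appears in the silent list while an unknown address from the same device appears in the unmapped list is the source-interface mismatch described in the thread.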