I have configured our switches with syslog traps and syslog server as LMS server, but I don't see any messages under "Syslog Alerts" in RME module. The messages are collected fine on another Linux box. I don't see much configuration of syslog server on LMS.
In RME, Syslog Collector Status under Tools shows 1855, 12, 1867 under Invalid, Filtered and Received respectively, but when I tried to run a syslog report it doesn't show anything. I would like to collect all switches' syslog messages on the LMS box. Any help will be appreciated.
The Syslog Alerts module only shows sev 0, 1, and 2 messages. You may not have received any of these. Go to RME > Reports > Report Generator, and run a Syslog Standard Report for all your devices. Do you see anything?
I don't see any records. I did disconnect and reconnect one of the switch ports to generate a message, but still didn't get anything. I did get that on another Linux box.
Post a screenshot of RME > Tools > Syslog > Message Filters. Verify that the messages being sent by your devices are appearing in NMSROOT/log/syslog.log.
We are running LMS 3.1 on Windows. What do you mean by verifying the messages being sent by your devices are appearing in NMSROOT/logs/syslog.log? I couldn't attach the screenshot file. Cut and paste of screen text is given below.
Message Filters Type: Drop Keep
Include interfaces of selected devices: Yes No
Showing 5 records
1. Link Up/Down Message Filter Enabled
2. IOS Firewall Audit Trail Messages Enabled
3. PIX Firewall Audit Messages Disabled
4. Severity 7 Message Filter Enabled
5. Otsa switches message filter Enabled
What is the configuration for your Otsa switches filter? I know you're on Windows. The NMSROOT directory is the path into which you installed LMS. Within that directory there will be a log subdirectory. And in that subdirectory will be a file called syslog.log. Make sure your device messages are showing up in that file.
11:05:17 10.10.10.218 294: Aug 7 11:05:12: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/16, changed state to down
Aug 07 11:05:17 10.10.10.218 295: Aug 7 11:05:13: %LINK-3-UPDOWN: Interface GigabitEthernet0/16, changed state to down
Aug 07 11:05:21 10.10.10.218 296: Aug 7 11:05:17: %LINK-3-UPDOWN: Interface GigabitEthernet0/16, changed state to up
Aug 07 11:05:21 10.10.10.218 297: Aug 7 11:05:18: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/16, changed state to up
You have enabled the linkup/down filter which means those messages will be dropped. Disable this filter, generate some new messages, then run your syslog report. They should show up.
I have disabled all filters. Messages do show when I run report, but they still don't show on RME main screen under Syslog Alerts. It still shows "No Records Found".
As I said, the Syslog Alerts portlet only shows the most severe alerts (Severity 0, 1, and 2). If you are not receiving any of these, then nothing will show up in the portlet. This is actually a good thing as it means your network isn't experiencing any high-severity issues.
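The two effects discussed in this thread (a drop filter hiding link up/down messages from reports, and the portlet showing only severity 0 to 2) can be checked offline against syslog.log lines. This is an added example, not part of the original posts and not LMS code; the filter match in `is_link_updown`, the function names and the last two sample lines are assumptions made for illustration.

```python
import re

# Cisco IOS messages carry their severity in the %FACILITY-SEVERITY-MNEMONIC tag.
TAG = re.compile(r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):")
ALERT_MAX_SEVERITY = 2  # per the thread: the portlet shows severity 0, 1 and 2 only

# The four syslog.log lines quoted in the thread.
THREAD_LINES = [
    "11:05:17 10.10.10.218 294: Aug 7 11:05:12: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/16, changed state to down",
    "Aug 07 11:05:17 10.10.10.218 295: Aug 7 11:05:13: %LINK-3-UPDOWN: Interface GigabitEthernet0/16, changed state to down",
    "Aug 07 11:05:21 10.10.10.218 296: Aug 7 11:05:17: %LINK-3-UPDOWN: Interface GigabitEthernet0/16, changed state to up",
    "Aug 07 11:05:21 10.10.10.218 297: Aug 7 11:05:18: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/16, changed state to up",
]
# Constructed lines (not from the thread): one severity-2 message, one line with no tag.
CONSTRUCTED_LINES = [
    "Aug 07 11:06:02 10.10.10.218 298: Aug 7 11:05:59: %SYS-2-MALLOCFAIL: Memory allocation of 1024 bytes failed",
    "Aug 07 11:06:05 10.10.10.218 text without a message tag",
]

def parse(line):
    """Return facility, severity and mnemonic, or None if the line has no tag."""
    m = TAG.search(line)
    if m is None:
        return None
    return {"facility": m["facility"], "severity": int(m["severity"]),
            "mnemonic": m["mnemonic"]}

def is_link_updown(msg):
    # Assumption: stand-in for the "Link Up/Down Message Filter" in the list above.
    return msg["facility"] in ("LINK", "LINEPROTO") and msg["mnemonic"] == "UPDOWN"

def triage(lines, drop_link_updown=True):
    """Count lines that are unparsed, dropped, visible in reports, and alert-worthy."""
    counts = {"unparsed": 0, "dropped": 0, "report": 0, "alerts": 0}
    for line in lines:
        msg = parse(line)
        if msg is None:
            counts["unparsed"] += 1
        elif drop_link_updown and is_link_updown(msg):
            counts["dropped"] += 1
        else:
            counts["report"] += 1
            if msg["severity"] <= ALERT_MAX_SEVERITY:
                counts["alerts"] += 1
    return counts

if __name__ == "__main__":
    print("filter on :", triage(THREAD_LINES + CONSTRUCTED_LINES, True))
    print("filter off:", triage(THREAD_LINES + CONSTRUCTED_LINES, False))
```

With only the four lines from the thread and the filter disabled, all four reach the report and none qualifies as an alert, which matches what the poster observed.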
No, the severity levels for the portlet are hardcoded. However, LMS 3.2 offers a new portlet called Syslog Summary which displays the 24-hour syslog event distribution as a pie graph along with the specific syslog counts.
So my understanding is that after installing the LMS3.1 license it will remain 3.2. I hope LMS3.2 will accept 3.1 license key.
I will try and let you know. Thanks for your help.
Not at all. If you install the eval on a licensed copy of LMS 3.1, it will simply upgrade your copy to a licensed install of 3.2. There won't be any eval involved in that case.
Thanks for that info. I couldn't download 3.2 eval, but I have contacted our sales rep for assistance. This matter can be considered resolved.