Re: Syslog Severity Summary - No records found

yjdabear · ‎10-04-2005

Syslog Severity Summary returns "No records found" for today (10/04), but otherwise is fine reporting for days before 10/04. Syslog Collector Status is still showing new syslogs coming in, even after stop/starting SyslogAnalyzer. Followed TAC "solution" to stop /etc/init.d/syslogd and dmgtd, zeroing out syslog_info, and restarting dmgtd followed by syslogd. No dice.

yjdabear · ‎10-04-2005

What should the correct /etc/syslog.conf for Ciscoworks be? Would either work?

# Added for Cisco Syslog Analyzer (begin)

local7.info /var/Log/syslog_info

# Added for Cisco Syslog Analyzer (end)

# Added for Cisco Syslog Analyzer (begin)

local7.debug /var/Log/syslog_info

# Added for Cisco Syslog Analyzer (end)

nhabib · ‎10-04-2005

Either would work, this controls the severity of the messages that would get into the syslog_info file

If the messages are making it into the syslog_info file, then this probably has something to do with the RME database

yjdabear · ‎10-05-2005

I'd think it's with the RME database too, except I've run out of (obvious) places to check. Any suggestions? No changes were made anywhere. RME just just seemed to stop reporting/analyzing since Oct. 04.

nhabib · ‎10-05-2005

I just thought of something: could it be that there was a change to name resolution?

If you go to RME -> Administration -> Syslog Ananlysis -> Syslog Collector Status, do you see the Invalid Messages increasing?

yjdabear · ‎10-05-2005

Yeah, I noticed the higher than usual number of Invalid Messages, but didn't think it could have anything to do with the problem.

Here's the syslog collector status #s yesterday morning 10am:

Messages processed: 47262

Messages filterd: 1559

Invalid Messages 2334

Total: 51155

Then I did "cat /dev/null /var/log/syslog_info" as TAC insisted.

Yesterday afternoon, around 2:30pm.

Messages processed: 71392

Messages filterd: 1793

Invalid Messages 3967

Total: 77152

nhabib · ‎10-05-2005

Well, the messages processed are also increasing

I suspect that there are problems inserting the syslog messages into the RME database

FRANK SCHADE · ‎08-09-2006

I've have the same problem and couldn't see whether you found a solution???

And I also couldn't find the TAC case which was mentioned in the first message???

Any new findings?

thanks

frank

FRANK SCHADE · ‎08-09-2006

Finally I found the TAC case: K11072729 and tried the "solution":

- net stop crmdmgtd

- stop the CWCS syslog service

- Delete the syslog.log in $NMSROOT\log\directory

- start the CWCS syslog service.

- net start crmdmgtd command.

BUT there are still no records

yjdabear · ‎08-10-2006

IIRC, in my case, I had increased "Keep messages up to" from 7 days (default) to 14 days (the maximum allowed), and I ticked the "Backup required" checkbox. That combination appeared to be the culprit. Once I dropped it back down to 7 days and unchecked "Backup required", the problem went away. No other troubleshooting helped, as long as those two options were in force. The "backup" wasn't working very well either--it had syslogs from different dates all mixed up out of place in one giant file.

FRANK SCHADE · ‎08-17-2006

it doesnt work either with backup & purge after 14 days nor without backup & purge after 7 days. (I also deleted the syslog & restarted the daemons after the changes...)

Any ohter ideas??

thanks

frank

yjdabear · ‎08-18-2006

A senior TAC engineer told me "local7.info" must not be changed to "local7.debug", because debug-level syslogs had a different format that RME could not handle. That's another point I reverted.

# Added for Cisco Syslog Analyzer (begin)

local7.info /var/Log/syslog_info

# Added for Cisco Syslog Analyzer (end)