Cisco Support Community
Blue

Syslog Severity Summary - No records found

Syslog Severity Summary returns "No records found" for today (10/04), but otherwise is fine reporting for days before 10/04. Syslog Collector Status is still showing new syslogs coming in, even after stop/starting SyslogAnalyzer. Followed TAC "solution" to stop /etc/init.d/syslogd and dmgtd, zeroing out syslog_info, and restarting dmgtd followed by syslogd. No dice.

11 REPLIES
Blue

Re: Syslog Severity Summary - No records found

What should the correct /etc/syslog.conf for Ciscoworks be? Would either work?

# Added for Cisco Syslog Analyzer (begin)

local7.info /var/Log/syslog_info

# Added for Cisco Syslog Analyzer (end)

# Added for Cisco Syslog Analyzer (begin)

local7.debug /var/Log/syslog_info

# Added for Cisco Syslog Analyzer (end)

Red

Re: Syslog Severity Summary - No records found

Either would work; this controls the severity of the messages that would get into the syslog_info file.

If the messages are making it into the syslog_info file, then this probably has something to do with the RME database.

Blue

Re: Syslog Severity Summary - No records found

I'd think it's with the RME database too, except I've run out of (obvious) places to check. Any suggestions? No changes were made anywhere. RME just seemed to stop reporting/analyzing since Oct. 04.

Red

Re: Syslog Severity Summary - No records found

I just thought of something: could it be that there was a change to name resolution?

If you go to RME -> Administration -> Syslog Analysis -> Syslog Collector Status, do you see the Invalid Messages increasing?

Blue

Re: Syslog Severity Summary - No records found

Yeah, I noticed the higher than usual number of Invalid Messages, but didn't think it could have anything to do with the problem.

Here's the syslog collector status #s yesterday morning 10am:

Messages processed: 47262

Messages filterd: 1559

Invalid Messages 2334

Total: 51155

Then I did "cat /dev/null > /var/log/syslog_info" as TAC insisted.

Yesterday afternoon, around 2:30pm.

Messages processed: 71392

Messages filterd: 1793

Invalid Messages 3967

Total: 77152

Red

Re: Syslog Severity Summary - No records found

Well, the messages processed are also increasing.

I suspect that there are problems inserting the syslog messages into the RME database.

New Member

Re: Syslog Severity Summary - No records found

I have the same problem and couldn't see whether you found a solution?

And I also couldn't find the TAC case which was mentioned in the first message?

Any new findings?

thanks

frank

New Member

Re: Syslog Severity Summary - No records found

Finally I found the TAC case: K11072729 and tried the "solution":

- net stop crmdmgtd

- stop the CWCS syslog service

- Delete the syslog.log in $NMSROOT\log\directory

- start the CWCS syslog service.

- net start crmdmgtd command.

BUT there are still no records

Blue

Re: Syslog Severity Summary - No records found

IIRC, in my case, I had increased "Keep messages up to" from 7 days (default) to 14 days (the maximum allowed), and I ticked the "Backup required" checkbox. That combination appeared to be the culprit. Once I dropped it back down to 7 days and unchecked "Backup required", the problem went away. No other troubleshooting helped, as long as those two options were in force. The "backup" wasn't working very well either--it had syslogs from different dates all mixed up out of place in one giant file.

New Member

Re: Syslog Severity Summary - No records found

It doesn't work either with backup & purge after 14 days or without backup & purge after 7 days. (I also deleted the syslog & restarted the daemons after the changes...)

Any other ideas?

thanks

frank

Blue

Re: Syslog Severity Summary - No records found

A senior TAC engineer told me "local7.info" must not be changed to "local7.debug", because debug-level syslogs had a different format that RME could not handle. That's another point I reverted.

# Added for Cisco Syslog Analyzer (begin)

local7.info /var/Log/syslog_info

# Added for Cisco Syslog Analyzer (end)
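
The two selectors discussed in this thread, local7.info and local7.debug, differ only in which severities syslogd writes to syslog_info. The following is an added example, not code from the thread or from CiscoWorks: a simplified model of traditional syslog.conf "facility.level" matching, run over constructed sample lines. It says nothing about how RME itself parses the file.

```python
import re

# Facility codes 0-11 plus local0-local7 (16-23); severity number = list index.
FACILITY = {n: i for i, n in enumerate(
    ["kern", "user", "mail", "daemon", "auth", "syslog",
     "lpr", "news", "uucp", "cron", "authpriv", "ftp"])}
FACILITY.update({f"local{i}": 16 + i for i in range(8)})
SEVERITY = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

def parse_pri(line):
    """Split the leading <PRI> of a raw syslog line into (facility, severity)."""
    m = re.match(r"<(\d{1,3})>", line)
    if not m or int(m.group(1)) > 191:
        return None  # no PRI or out of range: cannot be classified
    pri = int(m.group(1))
    return pri >> 3, pri & 7

def selector_matches(selector, facility, severity):
    """True if the selector admits the message. A level admits that severity
    and anything more urgent (numerically lower); 'none' excludes a facility.
    Later ';'-separated parts override earlier ones for the same facility."""
    matched = False
    for part in selector.split(";"):
        names, level = part.strip().rsplit(".", 1)
        if not any(n == "*" or FACILITY.get(n) == facility for n in names.split(",")):
            continue
        matched = level != "none" and severity <= SEVERITY.index(level)
    return matched

def admitted(selector, lines):
    """Return the lines that a syslog.conf entry with this selector would log."""
    kept = []
    for line in lines:
        pri = parse_pri(line)
        if pri and selector_matches(selector, *pri):
            kept.append(line)
    return kept

# Constructed sample input (not from the thread); PRI = facility * 8 + severity.
SAMPLE = [
    "<189>Oct  4 10:00:01 rtr1 %SYS-5-CONFIG_I: Configured from console",  # local7.notice
    "<187>Oct  4 10:00:02 rtr1 %LINK-3-UPDOWN: Interface changed state",   # local7.err
    "<190>Oct  4 10:00:03 sw1 informational message",                      # local7.info
    "<191>Oct  4 10:00:04 rtr1 debug output line",                         # local7.debug
    "<38>Oct  4 10:00:05 host1 sshd: session opened",                      # auth.info
]

if __name__ == "__main__":
    for sel in ("local7.info", "local7.debug"):
        print(sel, "->", len(admitted(sel, SAMPLE)), "of", len(SAMPLE), "lines")
```

With local7.debug the only extra line written is the severity-7 one; everything local7.info admits is still admitted.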
