
zero record syslog reports

jwright
Level 1

I am getting reports of 0 records when running reports on at least one switch that is sending data to LMS. RME version is 4.1.1. I've viewed syslog.log and it contains the messages from the switch. I've disabled all message filters but still get nothing from any reports on the device. Ideas?

18 Replies

Joe Clarke
Cisco Employee

Disabling all message filters is probably the problem. If you disable all filters, make sure the mode is set to KEEP instead of the default DROP.

I tried that before posting but it still isn't working.

Post the output of the pdshow command as well as some of the sample messages not appearing in your syslog reports.

pdshow attached

sample messages include:

Aug 28 09:27:15: %SNMP-3-AUTHFAIL: Authentication failure for SNMP req from host 10.x.x.81

Aug 28 09:28:02: %SEC-6-IPACCESSLOGP: list ???_??? permitted tcp 10.x.x.x(xxxx) -> 0.0.0.0(xxx), 1 packet

This looks okay. Post the SyslogCollector.log and AnalyzerDebug.log.

analyzerdebug attached

syslog collector attached

This all looks healthy. In fact, I'm seeing evidence that syslogs are being processed. Exactly what reports are you running, and how are you running them? Post a screenshot of RME > Tools > Syslog > Syslog Collector Status.

I'm trying to run 24-hour reports on the devices in question. But even standard reports return zero records. A show logging from the devices via telnet shows plenty of SNMP authentication failures within the past 24 hours, but all reports return zero records. The messages are in the syslog.log file... I just checked again. The only difference being that I run the report based on host name while the log file shows the IP address for the device. The server is getting the data but RME won't show it in a report. The messages I posted earlier should show up in a 24-hour report, correct?

Yes, they should. Try running an Unexpected Devices Report to see if the syslog messages show up there. Also, post the NMSROOT/MDC/tomcat/webapps/rme/WEB-INF/classes/com/cisco/nm/rmeng/csc/data/filters.dat file.

Not showing up in unexpected devices... filters.dat attached.

Enable SyslogAnalyzer debugging under RME > Admin > System Preferences > Loglevel Settings, regenerate some new messages, then re-post the AnalyzerDebug.log along with the messages that were generated.

Requested info attached.

According to this, the device generating the SEC-6-IPACCESSLOGP message is not properly managed by RME. It is either in a suspended state or a conflicting state. You need to fix that problem by either resuming management of the device, or correcting the device type.

The same is true for the CONFIG_I message and the AUTHFAIL message.
