Cisco Support Community
Community Member

zero record syslog reports

I am getting reports of 0 records when running reports on at least one switch that is sending data to LMS. RME version is 4.1.1. I've viewed syslog.log and it contains the messages from the switch. I've disabled all message filters but still get nothing from any reports on the device. Ideas?

18 REPLIES
Cisco Employee

Re: zero record syslog reports

Disabling all message filters is probably the problem. If you disable all filters, make sure the mode is set to KEEP instead of the default DROP.

Community Member

Re: zero record syslog reports

I tried that before posting but it still isn't working.

Cisco Employee

Re: zero record syslog reports

Post the output of the pdshow command as well as some of the sample messages not appearing in your syslog reports.

Community Member

Re: zero record syslog reports

pdshow attached

sample messages include:

Aug 28 09:27:15: %SNMP-3-AUTHFAIL: Authentication failure for SNMP req from host 10.x.x.81

Aug 28 09:28:02: %SEC-6-IPACCESSLOGP: list ???_??? permitted tcp 10.x.x.x(xxxx) -> 0.0.0.0(xxx), 1 packet

Cisco Employee

Re: zero record syslog reports

This looks okay. Post the SyslogCollector.log and AnalyzerDebug.log.

Community Member

Re: zero record syslog reports

analyzerdebug attached

Community Member

Re: zero record syslog reports

syslog collector attached

Cisco Employee

Re: zero record syslog reports

This all looks healthy. In fact, I'm seeing evidence that syslogs are being processed. Exactly what reports are you running, and how are you running them? Post a screenshot of RME > Tools > Syslog > Syslog Collector Status.

Community Member

Re: zero record syslog reports

I'm trying to run 24 hour reports on the devices in question. But even standard reports return zero records. A show logging from the devices via telnet shows plenty of SNMP authentication failures within the past 24 hours, but all reports return zero records. The messages are in the syslog.log file... I just checked again. The only difference is that I run the report based on host name while the log file shows the IP address for the device. The server is getting the data but RME won't show it in a report. The messages I posted earlier should show up in a 24 hour report, correct?

Cisco Employee

Re: zero record syslog reports

Yes, they should. Try running an Unexpected Devices Report to see if the syslog messages show up there. Also, post the NMSROOT/MDC/tomcat/webapps/rme/WEB-INF/classes/com/cisco/nm/rmeng/csc/data/filters.dat file.

Community Member

Re: zero record syslog reports

Not showing up in unexpected devices... filters.dat attached.

Cisco Employee

Re: zero record syslog reports

Enable SyslogAnalyzer debugging under RME > Admin > System Preferences > Loglevel Settings, regenerate some new messages, then re-post the AnalyzerDebug.log along with the messages that were generated.

Community Member

Re: zero record syslog reports

Requested info attached.

Cisco Employee

Re: zero record syslog reports

According to this, the device generating the SEC-6-IPACCESSLOGP message is not properly managed by RME. It is either in a suspended state or a conflicting state. You need to fix that problem by either resuming management of the device, or correcting the device type.

The same is true for the CONFIG_I message and the AUTHFAIL message.

Community Member

Re: zero record syslog reports

I don't show any devices in a conflicting or suspended state. They are either normal or aliases. Is there someplace else to look? I've even deleted the device and rediscovered again with no results.

Cisco Employee

Re: zero record syslog reports

There must be a failure getting the current device state, then. Post the EssentialsDM_Server.log and EssentialsDM.log.

Community Member

Re: zero record syslog reports

Here you go:

Cisco Employee

Re: zero record syslog reports

There is no error, but something is wrong with getting the information from the database. I suggest you open a TAC service request so the database contents can be analyzed.
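To check independently what the raw log holds for a device over the last 24 hours, and so what a 24 hour report ought to contain, the sketch below tallies `%FACILITY-SEVERITY-MNEMONIC` messages per sender and maps sender IPs to the host names used when running reports. It is an added example, not part of the original thread or of Cisco's tooling; the server-side line layout, the sample lines, the host name `sw-access-01` and the IP-to-name map are constructed assumptions.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Assumed server-side layout: "Mon DD HH:MM:SS <sender> <rest>"; the IOS
# body "%FACILITY-SEVERITY-MNEMONIC: text" may appear anywhere in <rest>.
PREFIX = re.compile(r"^([A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2})\s+(\S+)")
BODY = re.compile(r"%([A-Z0-9_-]+?)-([0-7])-([A-Z0-9_]+):")

def parse_line(line, now):
    """Return (timestamp, sender, 'FAC-SEV-MNEMONIC') or None if unparseable."""
    head, body = PREFIX.match(line), BODY.search(line)
    if not head or not body:
        return None
    try:
        ts = datetime.strptime(f"{now.year} {head.group(1)}", "%Y %b %d %H:%M:%S")
        if ts > now:  # stamps carry no year: a future date means last year
            ts = ts.replace(year=now.year - 1)
    except ValueError:
        return None
    return ts, head.group(2), "-".join(body.groups())

def tally(lines, now, hours=24, names=None):
    """Count messages per (device, message type) inside the report window."""
    names = names or {}
    cutoff = now - timedelta(hours=hours)
    counts, skipped = Counter(), 0
    for line in lines:
        rec = parse_line(line, now)
        if rec is None:
            skipped += 1  # e.g. "last message repeated" lines with no IOS body
            continue
        ts, sender, msg = rec
        if cutoff <= ts <= now:
            counts[(names.get(sender, sender), msg)] += 1
    return counts, skipped

# Constructed sample data (not taken from the thread's attachments).
NOW = datetime(2024, 8, 28, 12, 0, 0)
NAMES = {"10.0.0.21": "sw-access-01"}  # hypothetical IP-to-host-name map
SAMPLE = [
    "Aug 28 09:27:15 10.0.0.21 1187: Aug 28 09:27:15: %SNMP-3-AUTHFAIL: Authentication failure for SNMP req from host 10.0.0.81",
    "Aug 28 09:28:02 10.0.0.21 1188: Aug 28 09:28:02: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 10.0.0.5(1025) -> 0.0.0.0(23), 1 packet",
    "Aug 28 09:30:40 10.0.0.21 1189: Aug 28 09:30:40: %SNMP-3-AUTHFAIL: Authentication failure for SNMP req from host 10.0.0.81",
    "Aug 26 23:10:00 10.0.0.21 1100: Aug 26 23:10:00: %SYS-5-CONFIG_I: Configured from console by vty0",
    "Aug 28 09:31:00 10.0.0.22 last message repeated 2 times",
]
if __name__ == "__main__":
    print(tally(SAMPLE, NOW, names=NAMES))
```

A non-zero tally here alongside a zero-record report for the same device points at processing after collection rather than at the device or the transport.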
