I am getting reports of 0 records when running reports on at least one switch that is sending data to LMS. RME version is 4.1.1. I've viewed syslog.log and it contains the messages from the switch. I've disabled all message filters but still get nothing from any reports on the device. Ideas?
Disabling all message filters is probably the problem. If you disable all filters, make sure the mode is set to KEEP instead of the default DROP.
Sample messages include:
Aug 28 09:27:15: %SNMP-3-AUTHFAIL: Authentication failure for SNMP req from host 10.x.x.81
Aug 28 09:28:02: %SEC-6-IPACCESSLOGP: list ???_??? permitted tcp 10.x.x.x(xxxx) -> 0.0.0.0(xxx), 1 packet
This all looks healthy. In fact, I'm seeing evidence that syslogs are being processed. Exactly what reports are you running, and how are you running them? Post a screenshot of RME > Tools > Syslog > Syslog Collector Status.
I'm trying to run 24-hour reports on the devices in question. But even standard reports return zero records. A show logging from the devices via telnet shows plenty of SNMP authentication failures within the past 24 hours, but all reports return zero records. The messages are in the syslog.log file... I just checked again. The only difference being that I run the report based on host name while the log file shows the IP address for the device. The server is getting the data but RME won't show it in a report. The messages I posted earlier should show up in a 24-hour report, correct?
Yes, they should. Try running an Unexpected Devices Report to see if the syslog messages show up there. Also, post the NMSROOT/MDC/tomcat/webapps/rme/WEB-INF/classes/com/cisco/nm/rmeng/csc/data/filters.dat file.
Enable SyslogAnalyzer debugging under RME > Admin > System Preferences > Loglevel Settings, regenerate some new messages, then re-post the AnalyzerDebug.log along with the messages that were generated.
According to this, the device generating the SEC-6-IPACCESSLOGP message is not properly managed by RME. It is either in a suspended state or a conflicting state. You need to fix that problem by either resuming management of the device, or correcting the device type.
The same is true for the CONFIG_I message and the AUTHFAIL message.
I don't show any devices in a conflicting or suspended state. They are either normal or aliases. Is there someplace else to look? I've even deleted the device and rediscovered again with no results.
There is no error, but something is wrong with getting the information from the database. I suggest you open a TAC service request so the database contents can be analyzed.