LMS 3.2 setting up syslog

shaanismath · ‎01-06-2011

How do I go about setting up LMS 3.2 to show syslog messages in the device center,

I know my device is sending syslog messages out.

   Count and timestamp logging messages: disabled
   File logging: disabled
   Trap logging: level informational, 384946 message lines logged
       Logging to 192.168.10.21, 3336 message lines logged, xml disabled,
              filtering disabled

There are no ACL's blocking and LMS has SNMP access to the device because it can do config backups.

Syslog deamon is enabled on the LMS and I have tried a few other things, but cant get LMS to see the syslog messages from my device (Catalyst 3560)

TIA,

Regards

Michel Hegeraat · ‎01-07-2011

There is a syslog.log in CSCOpx\log.

Do you receive messages from other devices?

If the messages you know you rdevice has sent are in there then the problem is just getting these messages associated with the device in LMS.

You may want to tell your device to send the syslog and traps with the same IP address you use in LMS to manage the device.

Something like logging source-interface .....

LMS has a sniffer tool that can help

In CSCOpx\objects\jet\bin there is a winpcap you can install or you can google for a more recent version

Then you can launch a capture via the GUI in the devices center

Let it run for the syslog port and the ip with which the device is sending the messages

Cheers,

Michel

shaanismath · ‎01-07-2011

Hi Michel,

The syslog.log file has a lot of system generated messages, but nothing from

cisco devices it is supposed to be receiving from. I have only configured a

few devices but I am not receiving syslog from any of them indicating the

problem is likely to be at the LMS end.

How can we associate a syslog message with a device?

The source interface should not be a problem since the switch is running

Layer 2 mode.

I did the packet capture and there is nothing on the packet capture though a

syslog message is getting generated in the switch every minute. When I did

the netstat on the LMS box, the UDP port is not open, but I definitely

enabled the syslog service.

Any further troubleshooting steps?

TIA

On Sat, Jan 8, 2011 at 12:06 AM, michel.hegeraat <

Michel Hegeraat · ‎01-08-2011

The source IP address is used to associate the device with the message.

The syslog receiver is active if you get something in the syslog.log file.

Is the path between your LMS server and the switches L2? Is the device IP address in the same subnet then the LMS server IP address?

Is there a (windows) firewall on the server active?

Can you send a syslog message from a PC to the LMS?

There is software that can do this on http://www.kiwisyslog.com/ or use google

Cheers,

Michel

shaanismath · ‎01-09-2011

Michel,

FYI, I have included source interface in the config. So my cisco config

looks like

logging buffered 51200 debugging

logging console informational

logging source-interface Vlan10

logging 192.38.10.11

192.38.10.11 is my LMS. The path between the 2 is not Layer 2, but there are

no ACL's in the L3 path.

SW003#telnet 192.38.10.11 514

Trying 192.38.10.11, 514 ...

% Connection timed out; remote host not responding

SW003#telnet 192.38.10.11 1741

Trying 192.38.10.11, 1741 ... Open

If I do it on the server itself..

Telnet 127.0.0.1 514

I get an open connection which suggests to me the syslog deamon is up and

running.

I didnot quite understand your bit about kiwi syslog. Did you want me to

install kiwisyslog on the LMS server and see if I can get messages from my

pc in kiwi syslog??

TIA

On Sat, Jan 8, 2011 at 10:24 PM, michel.hegeraat <

Michel Hegeraat · ‎01-10-2011

So vlan 10 has got the IP address you use to manage the switch?

And if you telnet from the LMS server to this IP address you end up on SW003 ?

kiwi syslog has a syslog sender utility you can install on a PC to send syslog messages

You can install the sender utility on your LMS server and sent a message to 127.0.01 to know it works.

The telnet to 514 is on TCP, the syslog from the switch can be UDP 514

Cheers,

Michel

shaanismath · ‎01-10-2011

If I do an nmap of the server, tcp port 514 is open, but udp is not. Portqry

returns udp 514 as listening or filtered.

There is no windows or any other firewall running on this server, I wonder

why the UDP port 514 doesnot seem to be open

On Mon, Jan 10, 2011 at 9:19 PM, michel.hegeraat <

Michel Hegeraat · ‎01-10-2011

On the server side you can check the open ports using netstat.

On my test server I get this

C:\Documents and Settings\Administrator>netstat -a | find "syslog"
UDP didata:syslog *:*

Maybe you can install the syslog sender on a PC in the same range as the LMS server and send some test messages

Cheers,

Michel