06-07-2010 05:53 AM
Hello,
the syslog config fetch on my LMS 3.2 with RME 4.3.0 is not working.
I get syslog messages from devices and the count in the syslog collector status is okay.
But in the syslog message summary in device center the count is not getting higher with every message.
And the config fetch is not working.
I changed the logging level in the collector-properties to "debug" and got the following messages for a device which I want to fetch:
SyslogCollector - [Thread: EvaluatorThread-0] DEBUG, 07 Jun 2010 14:40:24,546, FcssEmblemProcessor - About to process the syslog string : Jun 07 14:40:23 10.155.224.102 53: Jun 7 14:39:57: %SYS-5-CONFIG_I: Configured from console by shru1307 on vty0 (4.26.16.20)
SyslogCollector - [Thread: EvaluatorThread-0] DEBUG, 07 Jun 2010 14:40:24,546, Parser : com.cisco.nm.rmeng.fcss.common.FcssEmblemAFormatParser@13bd574
SyslogCollector - [Thread: EvaluatorThread-0] DEBUG, 07 Jun 2010 14:40:24,546, Parser : com.cisco.nm.rmeng.fcss.common.FcssEmblemBFormatParser@13adc56
SyslogCollector - [Thread: EvaluatorThread-0] DEBUG, 07 Jun 2010 14:40:24,546, Parser : com.cisco.nm.rmeng.fcss.common.FcssGenericFormatParser@157aa53
SyslogCollector - [Thread: EvaluatorThread-0] DEBUG, 07 Jun 2010 14:40:24,546, Parser : com.cisco.nm.rmeng.fcss.common.CSSSyslogFormatParser@6f50a8
SyslogCollector - [Thread: EvaluatorThread-0] DEBUG, 07 Jun 2010 14:40:24,546, EmblemA not valid.
SyslogCollector - [Thread: EvaluatorThread-0] DEBUG, 07 Jun 2010 14:40:24,546, EmblemB not valid.
SyslogCollector - [Thread: EvaluatorThread-0] DEBUG, 07 Jun 2010 14:40:24,546, EmblemA valid.
SyslogCollector - [Thread: EvaluatorThread-0] DEBUG, 07 Jun 2010 14:40:24,546, Setting daemon date
SyslogCollector - [Thread: EvaluatorThread-0] DEBUG, 07 Jun 2010 14:40:24,546, After adjusting the offset Mon Jun 07 14:40:23 CEST 2010 GMT 7 Jun 2010 12:40:23 GMT
SyslogCollector - [Thread: EvaluatorThread-0] DEBUG, 07 Jun 2010 14:40:24,546, Parsed using the parser : com.cisco.nm.rmeng.fcss.common.FcssGenericFormatParser@157aa53
SyslogCollector - [Thread: EvaluatorThread-0] DEBUG, 07 Jun 2010 14:40:24,546, FcssEmblemProcessor - Valid EMBLEM format. Passing on...
SyslogCollector - [Thread: FilterThread-0] DEBUG, 07 Jun 2010 14:40:24,546, Converted syslog to filter string. Filter string is 10.155.224.102;;;SYS-5-CONFIG_I: Configured from console by shru1307 on vty0 (4.26.16.20)
SyslogCollector - [Thread: FilterThread-0] DEBUG, 07 Jun 2010 14:40:24,546, ^((10\.161\.1\.45);;;(\S+)(-(\S+))?-(.*)(-(.*\s*))?\s*:\s*.*)$
SyslogCollector - [Thread: FilterThread-0] DEBUG, 07 Jun 2010 14:40:24,546, FcssFilterPatternSet- inside 6
SyslogCollector - [Thread: FilterThread-0] DEBUG, 07 Jun 2010 14:40:24,546, getInterestedSubscribers() - Incrementing filtered count for HNW2K3CISCO03
SyslogCollector - [Thread: FilterThread-0] DEBUG, 07 Jun 2010 14:40:24,546, getInterestedSubscribers() - No interested subscribers. Returning null.
SyslogCollector - [Thread: FilterThread-0] DEBUG, 07 Jun 2010 14:40:24,546, Entered zero size
I attached the AnalyzerDebug.log, syslog_debug.log, SyslogAnalyzer.log and SyslogCollector.log for further informations.
Thanks for any advice!
Sven
Solved! Go to Solution.
06-14-2010 11:31 PM
The SyslogCollector.log looks good. Post the AnalyzerDebug.log along with a raw message which came in and should be shown in the log.
06-07-2010 10:11 PM
Post a screenshot of RME > Tools > Syslog > Message Filters.
06-07-2010 11:34 PM
Hi Joe,
thanks for your reply.
I read something about faulty filter settings in another thread and I checked the filters once again.
The only filter I enabled is a filter for all syslog messages from one device which has a problem we can't fix at the moment.
Please have a look on the screenshots.
Is there a possibility to see which syslog messages are forwarded, invalid, filtered, dropped and received?
There is a gap between the received and forwarded, invalid, filtered and dropped.
I thought that forwarded + invalid + filtered + dropped = received.
The strange thing is, that I see the SYS-5-CONFIG_I message in the device center view of my test device, but the config fetch will not be started.
Thanks!
Sven
06-08-2010 11:18 PM
This has all the visible symptoms of CSCtc18888. However, the logs aren't jiving. Can you post new SyslogCollector.log, AnalyzerDebug.log, and syslog.log over the same time period showing one specific CONFIG_I message?
06-08-2010 11:56 PM
Hello,
I will check this.
I created an email allert for SYS-5-CONFIG_I messages and sometimes last night I got this emails.
Is it possible that syslog messages from wireless controllers make this trouble to LMS?
Thanks!
06-09-2010 06:02 PM
Yes. The bug states that if an unexecpted message arrives in the buffer at the same time as a message to be processed, the automated action engine will skip both messages. A patch is available from TAC to correct this behavior.
06-10-2010 02:01 AM
Thanks a lot, Joe!
I opened a case to get the patch.
One more question to the Collector Status.
Is it possible to get informations about which devices are responsible for the "Invalid messages"?
This would be very useful to figure out which devices are wrong configured or something like that.
06-10-2010 11:13 PM
Chances are these messages are not coming from devices, but from Daemon Manager. On Windows, the syslog.log is shared by device messages and dmgtd messages. The latter are all considered invalid by SyslogCollector. But, if you do get invalid device messages, you'd have to comb through the SyslogCollector.log to find the device generating them.
06-14-2010 01:11 AM
Hello,
I got the patch, but the situation is the same.
I attached the the syslogCollector.log starting with the restart of the process syslog Collector.
Before I disabled all syslog filters and set the filter type to "keep".
Debug level is DEBUG.
I saw that the collector in collector status was not working. I did unsubscribe and a subscribe once again. Now I see new messages.
Thanks!
06-14-2010 11:31 PM
The SyslogCollector.log looks good. Post the AnalyzerDebug.log along with a raw message which came in and should be shown in the log.
06-14-2010 11:50 PM
Hello,
I did the test and all I can find in the AnalyzerDebug.log is the following message:
[ Tue Jun 15 08:40:23 CEST 2010 ],INFO ,[Thread-18],newsyslogqueue Dropping the syslog as queue is full 100000
I found another thread here in the community with that message, but now solution for it.
Thanks!
06-15-2010 12:43 AM
After I restarted the processes the syslog queue is empty and the config fetch works :-)
Output from syslog.log:
Jun 15 09:37:51 4.72.80.13 3131: Jun 15 09:36:59.881: %SYS-5-CONFIG_I: Configured from console by shru1307 on vty0 (4.26.16.20)
Output from AnalyzerDebug.log:
[ Tue Jun 15 09:37:52 CEST 2010 ],INFO ,[Thread-2],com.cisco.nm.rmeng.dcma.client.RmeSaDcmaActionHandler,act,74,Invoking Config collection for syslog message
[ Tue Jun 15 09:37:52 CEST 2010 ],INFO ,[Thread-2],com.cisco.nm.rmeng.dcma.client.RmeSaDcmaActionHandler,act,81,Before triggering syslog config fetch
[ Tue Jun 15 09:37:52 CEST 2010 ],INFO ,[Thread-2],com.cisco.nm.rmeng.dcma.client.RmeSaDcmaActionHandler,act,83,Syslog Timestamp Tue Jun 15 09:37:51 CEST 2010
[ Tue Jun 15 09:37:52 CEST 2010 ],INFO ,[Thread-2],com.cisco.nm.rmeng.dcma.client.RmeSaDcmaActionHandler,act,85,DCMA Endtime String 2010-06-10 00:51:02.94
[ Tue Jun 15 09:37:52 CEST 2010 ],INFO ,[Thread-2],com.cisco.nm.rmeng.dcma.client.RmeSaDcmaActionHandler,act,90,DCMA Endtime String after formatting Thu Jun 10 00:51:02 CEST 2010
[ Tue Jun 15 09:37:52 CEST 2010 ],INFO ,[Thread-2],com.cisco.nm.rmeng.dcma.client.RmeSaDcmaActionHandler,act,98,Buffer Time after adding 5 minutes Thu Jun 10 00:56:02 CEST 2010
[ Tue Jun 15 09:37:52 CEST 2010 ],INFO ,[Thread-2],com.cisco.nm.rmeng.dcma.client.RmeSaDcmaActionHandler,act,101,Triggering fetch on syslog since Timestamp > bufferTime
My last question is now, what can I do that the syslog queue will not getting full one more time?
Is logrot a solution? My syslog.log will be rotated at 128 MB.
Thanks a lot!
Sven
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide