I have been having some problems with the syslog reports. We are running CiscoPrime 4.1.
What I noticed is this:
lets say a syslog message was created at 10:00 (timestamp from "show log" on the device). The syslog report showed the same message with a timestamp of 13:00 (that is GMT + 3, which is our time zone).
This caused confusion in reading and presenting any syslog reports. It also meant that if an incident occured at 10:00 and at 10:30 I wanted to get a syslog report, the report wouldn't be populated with the data. The data in question would appear at 13:00
This does not happen for all devices, only for those with configuration:
service timestamps log datetime localtime show-timezone
with "show-timezone" seeming to be the keyword that causes the problems.
As a test I removed that "show-timezone" keyword from a few devices and the issue seems to be resolved.
Has anybody seen this before? Is this the correct behaviour of LMS - adding hours to the timestamps of the received syslog messages? Is there a parameter in the server that needs to be changed so as not to add these hours or do I need to change the device configs? I would prefer not to change the device configs.
What also puzzles me is this:
Since the installation of CiscoPrime 4.1 is fairly new, our old LMS2.6 is still up and running. Syslog messages on the older version show the correct timestamp.