cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1888
Views
5
Helpful
13
Replies

LMS 4.2.4 intermittent Syslog issue

Hi All,

syslogs services on the LMS stops all of a sudden and doesn't reflect the current logs from the devices till we restart services.

Performed below steps

-> Found the device logs are making its way to syslog.log file(CSCOpx>logs)

-> SyslogCollector and SyslogAnalyzer are in healthy state.

-> Even the collector subscription status is fine.

After the restart of the SyslogCollector and SyslogAnalyzer  the logs reflects back on lms. Issue is intermittent and reappeared couple of times. any suggestions to find root of the problem ??

 

Regards,

Channa

 

2 Accepted Solutions

Accepted Solutions

AFROJ AHMAD
Cisco Employee
Cisco Employee

Hi Channa,

 

If after restrating the syslog collector and anaylzer it start working then it Must be a port issue.

Kindly check the UDP 514 should be in the listening by crmlog (which is the background process of Syslog.log), no other process should be listening to this port

port 514 is the port for syslog communication.

> netstat -an | grep 514

 

Also check and make sure the port no 4444 is not getting blocked by any firewall.

 

Thanks-

Afroz

**Ratings Encourages Contributors ***

Thanks- Afroz [Do rate the useful post] ****Ratings Encourages Contributors ****

View solution in original post

Hi Channa,

 

yes you can change the port too .check below::

1) stop the daemon manager:
     net stop crmdmgtd

2>  Go to the directory CSCOpx\bin
2>  Run the perl script =    perl syslogConf.pl

It will give you the options like this :-

[1] Change Syslog Analyzer Port
[2] Change Syslog Collector Port
[3] Configure Remote Syslog Collector(RSAC) Address and Port
[4] Change Syslog File Location
[Q] Quit

 

hope it will help

 

Thanks-

Afroz

**Ratings Encourages Contributors ***

Thanks- Afroz [Do rate the useful post] ****Ratings Encourages Contributors ****

View solution in original post

13 Replies 13

AFROJ AHMAD
Cisco Employee
Cisco Employee

Hi Channa,

 

If after restrating the syslog collector and anaylzer it start working then it Must be a port issue.

Kindly check the UDP 514 should be in the listening by crmlog (which is the background process of Syslog.log), no other process should be listening to this port

port 514 is the port for syslog communication.

> netstat -an | grep 514

 

Also check and make sure the port no 4444 is not getting blocked by any firewall.

 

Thanks-

Afroz

**Ratings Encourages Contributors ***

Thanks- Afroz [Do rate the useful post] ****Ratings Encourages Contributors ****

Hi Afroj,

Thanks for the reply.

I would check the port status and update.

can we change these port numbers ?

Regards,

Channa

 

these are the default ports no.s for these services.

Thanks-

Thanks- Afroz [Do rate the useful post] ****Ratings Encourages Contributors ****

Hi Afroj,

Thanks for your timely reply...

I have checked the port status by stopping the deamon manager and cw syslog service. mentioned ports are free(514 UDP,4444).

as you said these ports are default ports and they were free. i don't want to change.i did make sure these ports are not blocked by the firewall.

please let know if any other suggestions.

Regards,

Channa

Hi Afroj,

 

Please let me know if any suggestions??

 

Thanks & Regards,

Channa

share the syslogcollector.log  and syslogAnalyzer.log

analyzerdebug.log

Thanks-

Thanks- Afroz [Do rate the useful post] ****Ratings Encourages Contributors ****

Hi Afroj,

 

Please find the logs file attached.

Regards,

Channa

Hi Channa,

 

looks like , you are getting huge no. of syslogs from your devices..

 

SyslogCollector - [Thread: EvaluatorThread-0] INFO , 10 Jul 2014 16:53:16,389, Anonymous Dropping the syslog as queue is full 100000
SyslogCollector - [Thread: EvaluatorThread-0] INFO , 10 Jul 2014 16:53:16,390, Anonymous Dropping the syslog as queue is full 100000
SyslogCollector - [Thread: EvaluatorThread-0] INFO , 10 Jul 2014 16:53:16,390, Anonymous Dropping the syslog as queue is full 100000
SyslogCollector - [Thread: EvaluatorThread-0] INFO , 10 Jul 2014 16:53:16,391, Anonymous Dropping the syslog as queue is full 100000
SyslogCollector - [Thread: EvaluatorThread-0] INFO , 10 Jul 2014 16:53:16,392, Anonymous Dropping the syslog as queue is full 100000
SyslogCollector - [Thread: EvaluatorThread-0] INFO , 10 Jul 2014 16:53:16,393, Anonymous Dropping the syslog as queue is full 100000
SyslogCollector - [Thread: EvaluatorThread-0] INFO , 10 Jul 2014 16:53:16,393, Anonymous Dropping the syslog as queue is full 100000
SyslogCollector - [Thread: EvaluatorThread-0] INFO , 10 Jul 2014 16:53:16,394, Anonymous Dropping the syslog as queue is full 100000
SyslogCollector - [Thread: EvaluatorThread-0] INFO , 10 Jul 2014 16:53:16,394, Anonymous Dropping the syslog as queue is full 100000
SyslogCollector - [Thread: EvaluatorThread-0] INFO , 10 Jul 2014 16:53:16,395, Anonymous Dropping the syslog as queue is full 100000
SyslogCollector - [Thread: EvaluatorThread-0] INFO , 10 Jul 2014 16:53:16,396, Anonymous Dropping the syslog as queue is full 100000
SyslogCollector - [Thread: EvaluatorThread-0] INFO , 10 Jul 2014 16:53:16,396, Anonymous Dropping the syslog as queue is full 100000
SyslogCollector - [Thread: EvaluatorThread-0] INFO , 10 Jul 2014 16:53:16,397, Anonymous Dropping the syslog as queue is full 100000

 

and which is why they are getting dropped.

 

2 suggestions:

check the filters > configure the filters for only those messages that you want

 

second :

plan to upgrade the LMS from 4.2.4 to 4.2.5 .  LMS 4.2.5 have a fix of  the syslogs issue . in 4.2.5 syslogs are well managed.

 

BUG:CSCul38962 : Syslog dropping issue

above BUG is fixed in 4.2.5

 

Thanks-

Afroz

***Ratings Encourages Contributors ****

 

 

Thanks- Afroz [Do rate the useful post] ****Ratings Encourages Contributors ****

Hi Afroj,

Thanks for your help Afroj..

Means the queue limit is 100000 once its full it starts dropping. once services are restarted the queue empty and works fine till reaches the limit.

Regards,

Channa


 

Yes that is the Queue limit  but these syslog dropping issue been taken care in LMS 4.2.5.

hope upgrading to 4.2.5 should help

 

Thanks-

Afroz

Thanks- Afroz [Do rate the useful post] ****Ratings Encourages Contributors ****

Hi Afroj,

I was trying to upgrade  the version 4.2.5

And found another bug : CSCun08513

Installation hanging in Checking Locked Files

i have tried setting the deamon manager serrvice  to manual and rebooted the server and continuing the installation.

Even after that there were some processes running in the background. didn't allow me to install.

 

Regards,

Channa

Hi Channa,

Reboot the server .

Start the Installation again.

Now this time ,if it stuck . Open the Task Manager ( look for process stuck there usually some  "dbsrv" or "smserver" get stuck . if you find any other LMS process stuck there then kill it " end the process tree and resume the installation.

 

you can share the sceen shot of the installation as well if you stuck this time along with the task manager output and Installation.log

 

Thanks-

Afroz

 

 

 

Thanks- Afroz [Do rate the useful post] ****Ratings Encourages Contributors ****

Hi Channa,

 

yes you can change the port too .check below::

1) stop the daemon manager:
     net stop crmdmgtd

2>  Go to the directory CSCOpx\bin
2>  Run the perl script =    perl syslogConf.pl

It will give you the options like this :-

[1] Change Syslog Analyzer Port
[2] Change Syslog Collector Port
[3] Configure Remote Syslog Collector(RSAC) Address and Port
[4] Change Syslog File Location
[Q] Quit

 

hope it will help

 

Thanks-

Afroz

**Ratings Encourages Contributors ***

Thanks- Afroz [Do rate the useful post] ****Ratings Encourages Contributors ****