Buy or Renew
Buy or Renew
Cisco + Splunk: Itā€™s a new day for your data. Learn more.
Ā 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results forĀ 
Search instead forĀ 
Did you mean:Ā 
cancel
Start a conversation
1170
Views
5
Helpful
13
Replies

LMS 4.2.4 intermittent Syslog issue

Go to solution
ChannaBasava Kalapurmath
Level 1
Level 1

ā€Ž07-01-2014 05:51 AM

Hi All,

syslogs services on the LMS stops all of a sudden and doesn't reflect the current logs from the devices till we restart services.

Performed below steps

-> Found the device logs are making its way to syslog.log file(CSCOpx>logs)

-> SyslogCollector and SyslogAnalyzer are in healthy state.

-> Even the collector subscription status is fine.

After the restart of the SyslogCollector and SyslogAnalyzer  the logs reflects back on lms. Issue is intermittent and reappeared couple of times. any suggestions to find root of the problem ??

 

Regards,

Channa

 

Labels:
syslogcollector.zip
0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
AFROJ AHMAD
Cisco Employee
Cisco Employee

ā€Ž07-01-2014 10:29 AM

Hi Channa,

 

If after restrating the syslog collector and anaylzer it start working then it Must be a port issue.

Kindly check the UDP 514 should be in the listening by crmlog (which is the background process of Syslog.log), no other process should be listening to this port

port 514 is the port for syslog communication.

> netstat -an | grep 514

 

Also check and make sure the port no 4444 is not getting blocked by any firewall.

 

Thanks-

Afroz

**Ratings Encourages Contributors ***

Thanks- Afroz [Do rate the useful post] ****Ratings Encourages Contributors ****

View solution in original post

0 Helpful

Go to solution
AFROJ AHMAD
Cisco Employee
Cisco Employee
In response to ChannaBasava Kalapurmath

ā€Ž07-04-2014 06:57 AM

Hi Channa,

 

yes you can change the port too .check below::

1) stop the daemon manager:
     net stop crmdmgtd

2>  Go to the directory CSCOpx\bin
2>  Run the perl script =    perl syslogConf.pl

It will give you the options like this :-

[1] Change Syslog Analyzer Port
[2] Change Syslog Collector Port
[3] Configure Remote Syslog Collector(RSAC) Address and Port
[4] Change Syslog File Location
[Q] Quit

 

hope it will help

 

Thanks-

Afroz

**Ratings Encourages Contributors ***

Thanks- Afroz [Do rate the useful post] ****Ratings Encourages Contributors ****

View solution in original post

0 Helpful
13 Replies 13

Go to solution
AFROJ AHMAD
Cisco Employee
Cisco Employee

ā€Ž07-01-2014 10:29 AM

Hi Channa,

 

If after restrating the syslog collector and anaylzer it start working then it Must be a port issue.

Kindly check the UDP 514 should be in the listening by crmlog (which is the background process of Syslog.log), no other process should be listening to this port

port 514 is the port for syslog communication.

> netstat -an | grep 514

 

Also check and make sure the port no 4444 is not getting blocked by any firewall.

 

Thanks-

Afroz

**Ratings Encourages Contributors ***

Thanks- Afroz [Do rate the useful post] ****Ratings Encourages Contributors ****
0 Helpful

Go to solution
ChannaBasava Kalapurmath
Level 1
Level 1
In response to AFROJ AHMAD

ā€Ž07-04-2014 03:31 AM

Hi Afroj,

Thanks for the reply.

I would check the port status and update.

can we change these port numbers ?

Regards,

Channa

 

0 Helpful

Go to solution
AFROJ AHMAD
Cisco Employee
Cisco Employee
In response to ChannaBasava Kalapurmath

ā€Ž07-04-2014 06:53 AM

these are the default ports no.s for these services.

Thanks-

Thanks- Afroz [Do rate the useful post] ****Ratings Encourages Contributors ****
0 Helpful

Go to solution
ChannaBasava Kalapurmath
Level 1
Level 1
In response to AFROJ AHMAD

ā€Ž07-04-2014 03:30 PM

Hi Afroj,

Thanks for your timely reply...

I have checked the port status by stopping the deamon manager and cw syslog service. mentioned ports are free(514 UDP,4444).

as you said these ports are default ports and they were free. i don't want to change.i did make sure these ports are not blocked by the firewall.

please let know if any other suggestions.

Regards,

Channa

0 Helpful

Go to solution
ChannaBasava Kalapurmath
Level 1
Level 1
In response to ChannaBasava Kalapurmath

ā€Ž07-09-2014 11:03 PM

Hi Afroj,

 

Please let me know if any suggestions??

 

Thanks & Regards,

Channa

0 Helpful

Go to solution
AFROJ AHMAD
Cisco Employee
Cisco Employee
In response to ChannaBasava Kalapurmath

ā€Ž07-10-2014 01:30 AM

share the syslogcollector.log  and syslogAnalyzer.log

analyzerdebug.log

Thanks-

Thanks- Afroz [Do rate the useful post] ****Ratings Encourages Contributors ****
0 Helpful

Go to solution
ChannaBasava Kalapurmath
Level 1
Level 1
In response to AFROJ AHMAD

ā€Ž07-10-2014 10:25 AM

Hi Afroj,

 

Please find the logs file attached.

Regards,

Channa

0 Helpful

Go to solution
AFROJ AHMAD
Cisco Employee
Cisco Employee
In response to ChannaBasava Kalapurmath

ā€Ž07-10-2014 10:25 AM

Hi Channa,

 

looks like , you are getting huge no. of syslogs from your devices..

 

SyslogCollector - [Thread: EvaluatorThread-0] INFO , 10 Jul 2014 16:53:16,389, Anonymous Dropping the syslog as queue is full 100000
SyslogCollector - [Thread: EvaluatorThread-0] INFO , 10 Jul 2014 16:53:16,390, Anonymous Dropping the syslog as queue is full 100000
SyslogCollector - [Thread: EvaluatorThread-0] INFO , 10 Jul 2014 16:53:16,390, Anonymous Dropping the syslog as queue is full 100000
SyslogCollector - [Thread: EvaluatorThread-0] INFO , 10 Jul 2014 16:53:16,391, Anonymous Dropping the syslog as queue is full 100000
SyslogCollector - [Thread: EvaluatorThread-0] INFO , 10 Jul 2014 16:53:16,392, Anonymous Dropping the syslog as queue is full 100000
SyslogCollector - [Thread: EvaluatorThread-0] INFO , 10 Jul 2014 16:53:16,393, Anonymous Dropping the syslog as queue is full 100000
SyslogCollector - [Thread: EvaluatorThread-0] INFO , 10 Jul 2014 16:53:16,393, Anonymous Dropping the syslog as queue is full 100000
SyslogCollector - [Thread: EvaluatorThread-0] INFO , 10 Jul 2014 16:53:16,394, Anonymous Dropping the syslog as queue is full 100000
SyslogCollector - [Thread: EvaluatorThread-0] INFO , 10 Jul 2014 16:53:16,394, Anonymous Dropping the syslog as queue is full 100000
SyslogCollector - [Thread: EvaluatorThread-0] INFO , 10 Jul 2014 16:53:16,395, Anonymous Dropping the syslog as queue is full 100000
SyslogCollector - [Thread: EvaluatorThread-0] INFO , 10 Jul 2014 16:53:16,396, Anonymous Dropping the syslog as queue is full 100000
SyslogCollector - [Thread: EvaluatorThread-0] INFO , 10 Jul 2014 16:53:16,396, Anonymous Dropping the syslog as queue is full 100000
SyslogCollector - [Thread: EvaluatorThread-0] INFO , 10 Jul 2014 16:53:16,397, Anonymous Dropping the syslog as queue is full 100000

 

and which is why they are getting dropped.

 

2 suggestions:

check the filters > configure the filters for only those messages that you want

 

second :

plan to upgrade the LMS from 4.2.4 to 4.2.5 .  LMS 4.2.5 have a fix of  the syslogs issue . in 4.2.5 syslogs are well managed.

 

BUG:CSCul38962 : Syslog dropping issue

above BUG is fixed in 4.2.5

 

Thanks-

Afroz

***Ratings Encourages Contributors ****

 

 

Thanks- Afroz [Do rate the useful post] ****Ratings Encourages Contributors ****

Go to solution
ChannaBasava Kalapurmath
Level 1
Level 1
In response to AFROJ AHMAD

ā€Ž07-10-2014 10:34 AM

Hi Afroj,

Thanks for your help Afroj..

Means the queue limit is 100000 once its full it starts dropping. once services are restarted the queue empty and works fine till reaches the limit.

Regards,

Channa


 

0 Helpful

Go to solution
AFROJ AHMAD
Cisco Employee
Cisco Employee
In response to ChannaBasava Kalapurmath

ā€Ž07-10-2014 04:30 PM

Yes that is the Queue limit  but these syslog dropping issue been taken care in LMS 4.2.5.

hope upgrading to 4.2.5 should help

 

Thanks-

Afroz

Thanks- Afroz [Do rate the useful post] ****Ratings Encourages Contributors ****
0 Helpful

Go to solution
ChannaBasava Kalapurmath
Level 1
Level 1
In response to AFROJ AHMAD

ā€Ž07-16-2014 01:10 PM

Hi Afroj,

I was trying to upgrade  the version 4.2.5

And found another bug : CSCun08513

Installation hanging in Checking Locked Files

i have tried setting the deamon manager serrvice  to manual and rebooted the server and continuing the installation.

Even after that there were some processes running in the background. didn't allow me to install.

 

Regards,

Channa

0 Helpful

Go to solution
AFROJ AHMAD
Cisco Employee
Cisco Employee
In response to ChannaBasava Kalapurmath

ā€Ž07-16-2014 04:32 PM

Hi Channa,

Reboot the server .

Start the Installation again.

Now this time ,if it stuck . Open the Task Manager ( look for process stuck there usually some  "dbsrv" or "smserver" get stuck . if you find any other LMS process stuck there then kill it " end the process tree and resume the installation.

 

you can share the sceen shot of the installation as well if you stuck this time along with the task manager output and Installation.log

 

Thanks-

Afroz

 

 

 

Thanks- Afroz [Do rate the useful post] ****Ratings Encourages Contributors ****
0 Helpful

Go to solution
AFROJ AHMAD
Cisco Employee
Cisco Employee
In response to ChannaBasava Kalapurmath

ā€Ž07-04-2014 06:57 AM

Hi Channa,

 

yes you can change the port too .check below::

1) stop the daemon manager:
     net stop crmdmgtd

2>  Go to the directory CSCOpx\bin
2>  Run the perl script =    perl syslogConf.pl

It will give you the options like this :-

[1] Change Syslog Analyzer Port
[2] Change Syslog Collector Port
[3] Configure Remote Syslog Collector(RSAC) Address and Port
[4] Change Syslog File Location
[Q] Quit

 

hope it will help

 

Thanks-

Afroz

**Ratings Encourages Contributors ***

Thanks- Afroz [Do rate the useful post] ****Ratings Encourages Contributors ****
0 Helpful
Customers Also Viewed These Support Documents