cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1210
Views
0
Helpful
2
Replies

LMS4 Syslog automated action anomaly

jedavis
Level 4
Level 4

LMS 4.2.1 on W2K8 R2

I just want to send an email for any sev 1 or 2 syslog messages received.  I set up an automated action that looks like this:

Automated Action Summary
Name: Critical Events Email
Devices: *
State: Enabled
Parameters: TO=John.Doe@example.com, SUB=LMS4 Syslog AA, TEXT=
Action Type: Email
Messages: *-*-1-*:* *-*-2-*:*

Yet I seem to be getting emails triggered by messages from ASA devices that are not severity 1 or 2, like:

%ASA-session-4-106023

%ASA-auth-3-109023

%ASA-auth-6-109001

Am I doing something wrong, or is there some sort of bug I am hitting?  I can't believe that I am the first person to try this.

Thanks,

-Jeff

2 Replies 2

Martin Ermel
VIP Alumni
VIP Alumni

I do not know what exactly you have done so far but in your situation I would enable the following debugs:

open that file in a text editor

NMSROOT\MDC\tomcat\webapps\rme\WEB-INF\classes\com\cisco\nm\rmeng\csc\data\Collector.properties

and change the debug level from Info to Debug:

    DEBUG_LEVEL=DEBUG

also enable SyslogAnalyzer debugging here:

Admin > System > Debug Settings > Config and Image Management Debugging Settings

    Set Application Logging Levels >> SyslogAnalyzer (scroll down)

        set Syslog Analyzer and Syslog Analyzer User Interface from INFO to DEBUG

in a DOS box check the status of the following processes (the should be started) and restart them:

    pdshow SyslogAnalyzer SyslogCollector

    pdterm SyslogAnalyzer SyslogCollector

    pdexec SyslogAnalyzer SyslogCollector

    pdshow SyslogAnalyzer SyslogCollector

When the issue happens again check the following log files and post them on the forum:

    NMSROOT\log\SyslogCollector.log

    NMSROOT\log\AnalyzerDebug.log

I have a case open with TAC and I have supplied them with the debug logs.  Apparently I am not the only one to report this.  The case has been escalated and I am waiting for a solution.  I expect that a patch will be required.

Review Cisco Networking for a $25 gift card