LMS4 Syslog automated action anomaly

jedavis · ‎07-17-2012

LMS 4.2.1 on W2K8 R2

I just want to send an email for any sev 1 or 2 syslog messages received. I set up an automated action that looks like this:

Automated Action Summary
Name:	Critical Events Email
Devices:	*
State:	Enabled
Parameters:	TO=John.Doe@example.com, SUB=LMS4 Syslog AA, TEXT=
Action Type:	Email
Messages:	--1-: --2-:

Yet I seem to be getting emails triggered by messages from ASA devices that are not severity 1 or 2, like:

%ASA-session-4-106023

%ASA-auth-3-109023

%ASA-auth-6-109001

Am I doing something wrong, or is there some sort of bug I am hitting? I can't believe that I am the first person to try this.

Thanks,

-Jeff

Martin Ermel · ‎08-10-2012

I do not know what exactly you have done so far but in your situation I would enable the following debugs:

open that file in a text editor

NMSROOT\MDC\tomcat\webapps\rme\WEB-INF\classes\com\cisco\nm\rmeng\csc\data\Collector.properties

and change the debug level from Info to Debug:

DEBUG_LEVEL=DEBUG

also enable SyslogAnalyzer debugging here:

Admin > System > Debug Settings > Config and Image Management Debugging Settings

Set Application Logging Levels >> SyslogAnalyzer (scroll down)

set Syslog Analyzer and Syslog Analyzer User Interface from INFO to DEBUG

in a DOS box check the status of the following processes (the should be started) and restart them:

pdshow SyslogAnalyzer SyslogCollector

pdterm SyslogAnalyzer SyslogCollector

pdexec SyslogAnalyzer SyslogCollector

pdshow SyslogAnalyzer SyslogCollector

When the issue happens again check the following log files and post them on the forum:

NMSROOT\log\SyslogCollector.log

NMSROOT\log\AnalyzerDebug.log

jedavis · ‎08-10-2012

I have a case open with TAC and I have supplied them with the debug logs. Apparently I am not the only one to report this. The case has been escalated and I am waiting for a solution. I expect that a patch will be required.