We are currently working on a solution comprising Cisco Prime Infrastructure 1.2 and we can't understand whether Prime Infrastructure can work as a syslog collector, since we can't get it to show us any syslog messages sent from the network devices in its Alarms & Events section. Is this normal behavior? Is it necessary to use a remote syslog collector on another machine?
I've now configured my CPI (2.1) for receiving all syslog and SNMP traps sent from my switches (Catalyst 2960s). Everything works fine so far.
Now I want CPI to send an email for the syslog event "security violation". I can see this event in the Syslog view and also in Events with severity critical, as I defined in the severity configuration, but no email is generated. Do I have to configure something special if I want to have an email notification on this?
The reason for this problem (maybe there's another solution): we use 802.1X authentication and I want to know when there's a security violation and a port is set to the error-disabled state. I've configured my switches to send SNMP traps for "errdisabled" but they never appear in CPI.
Because of that I've configured syslog and saw that "security violation" is logged by syslog, but no email is created :((
Thank you very much for your help!!
I've now configured PI 2.1 for receiving syslog from devices. It works fine, but it does not log Juniper SRX 650 logs. The logs come to PI but are not shown.
Please help to find the problem...
I'd look into the format of the log messages from the Juniper device. Using a packet capture, compare a message from a working Cisco device with a message from the non-working Juniper device.
I would hypothesize that the Juniper is using a different logging facility or such to cause PI not to recognize the messages.
Hi Marvin Rhoads,
I have Cisco PI 2.0 and do not receive syslog messages from the switches. I issued the following commands on the Cisco PI CLI:
Then create your root password
Then issue the following:
<condition field='severity' op='EQUALS' value='3' />, and <condition field='severity' op='EQUALS' value='4' /> >>>> this line is not accepted on the CLI
The instructions are to EDIT the file. Either use the vi text editor in the Linux that Prime is running on or edit it offline on your desktop and copy the modified version into the PI file system.
I've been patiently waiting for the well-advertised and much-discussed PI upgrade to version 2.2 to be able to collect syslog, but there's still nothing. Hasn't it been added, or was it just silently dropped from the list of improvement requests and not-prioritized features?
Do I have to edit this file /opt/CSCOlumos/conf/syslog_sev_filter.xml to collect syslog from 2960/3750 switches and also ASA firewall ?
Please see my posting below from January.
PI 2.2 has updated the XML file to make the default to include syslog messages of all severity levels.
I have verified this on two separate installations - one that had previously modified the file manually and one that had not. Both are now receiving and displaying the full range of messages.
Be careful about ASA logs though - they can be VERY verbose if you are sending informational-level messages (i.e. every single TCP connection and UDP flow in and out of your enterprise creating a message, quickly adding up to millions per day and making the server slow down and the function useless for most purposes).
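The following is an added example, not code from this thread or from Cisco Prime Infrastructure. It ties together two points made above: Marvin's suggestion to compare the Cisco and Juniper message formats from a packet capture (and his hypothesis that the Juniper device uses a different logging facility), and the severity filter expressed with <condition field='severity' op='EQUALS' value='N' /> elements in /opt/CSCOlumos/conf/syslog_sev_filter.xml. The sample messages are constructed, their PRI values assume the usual defaults (IOS on local7, ASA on local4, a daemon facility on the SRX), and the <filter> root element and the rest of the file's schema are assumptions; only the <condition> lines follow what the thread quotes. The script decodes facility and severity from the RFC 3164 PRI field, notes whether a Cisco %FACILITY-SEVERITY-MNEMONIC tag is present (Juniper messages have none, which is one reason a collector keyed on that tag would silently ignore them), applies the severity filter, and counts what gets dropped, which is exactly what the ASA "informational" flood looks like when a filter is in place.

```python
"""Decode syslog PRI, compare vendor message shapes, apply a severity filter.

Added example; not part of the thread and not Prime Infrastructure code.
"""
import re
import xml.etree.ElementTree as ET
from collections import Counter

SEVERITY_NAMES = ["emergency", "alert", "critical", "error",
                  "warning", "notice", "informational", "debug"]

# Constructed sample syslog payloads (not captured from real devices). The PRI
# values assume IOS -> local7 (23), ASA -> local4 (20), SRX -> daemon (3):
# the kind of facility difference the thread suggests comparing in a capture.
SAMPLE_MESSAGES = [
    "<188>1234: *Mar  1 00:11:22.333: %PM-4-ERR_DISABLE: security-violation "
    "error detected on Gi1/0/5, putting Gi1/0/5 in err-disable state",
    "<186>1235: *Mar  1 00:11:22.400: %PORT_SECURITY-2-PSECURE_VIOLATION: "
    "Security violation occurred, caused by MAC address 0011.2233.4455 on port Gi1/0/5.",
    "<166>%ASA-6-302013: Built outbound TCP connection 12345 for "
    "outside:203.0.113.10/443 to inside:10.1.1.5/51234",
    "<164>%ASA-4-106023: Deny tcp src outside:198.51.100.7/4444 dst "
    "inside:10.1.1.5/22 by access-group \"outside_in\"",
    "<27>Mar  1 00:12:02 srx650 mgd[2000]: configuration commit failed",
    "<30>Mar  1 00:12:03 srx650 RT_FLOW: session denied 198.51.100.9/1234->10.1.1.5/22",
    "this line has no PRI header at all",
]

# Constructed filter in the style of the <condition .../> lines quoted in the
# thread; the <filter> root element and the real file schema are assumptions.
FILTER_XML = """<filter>
  <condition field='severity' op='EQUALS' value='2' />
  <condition field='severity' op='EQUALS' value='3' />
  <condition field='severity' op='EQUALS' value='4' />
</filter>"""

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)
# Cisco IOS/ASA tag: %FACILITY-SEVERITY-MNEMONIC: (digits allowed, e.g. ASA-6-302013)
CISCO_MNEMONIC_RE = re.compile(r"%([A-Z0-9_]+)-(\d)-([A-Z0-9_]+):")


def parse_syslog(line):
    """Return facility, severity and any Cisco mnemonic for one line, or None."""
    m = PRI_RE.match(line)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:  # RFC 3164: PRI = facility * 8 + severity, max 23 * 8 + 7
        return None
    body = m.group(2)
    msg = {"facility": pri // 8, "severity": pri % 8,
           "severity_name": SEVERITY_NAMES[pri % 8], "body": body,
           "mnemonic": None, "mnemonic_severity": None}
    cm = CISCO_MNEMONIC_RE.search(body)
    if cm:
        msg["mnemonic"] = f"{cm.group(1)}-{cm.group(2)}-{cm.group(3)}"
        msg["mnemonic_severity"] = int(cm.group(2))
    return msg


def load_severity_filter(xml_text):
    """Collect the severity numbers allowed by EQUALS conditions in the XML."""
    root = ET.fromstring(xml_text)
    allowed = set()
    for cond in root.iter("condition"):
        if cond.get("field") == "severity" and cond.get("op") == "EQUALS":
            allowed.add(int(cond.get("value")))
    return allowed


def apply_filter(lines, allowed):
    """Split lines into kept messages and a Counter of why the rest were dropped."""
    kept, dropped = [], Counter()
    for line in lines:
        msg = parse_syslog(line)
        if msg is None:
            dropped["unparsable"] += 1
        elif msg["severity"] in allowed:
            kept.append(msg)
        else:
            dropped[msg["severity_name"]] += 1
    return kept, dropped


def mnemonic_mismatches(messages):
    """Cisco messages whose %FAC-SEV-MNEMONIC severity disagrees with the PRI."""
    return [m["mnemonic"] for m in messages
            if m["mnemonic"] is not None and m["mnemonic_severity"] != m["severity"]]


if __name__ == "__main__":
    allowed = load_severity_filter(FILTER_XML)
    kept, dropped = apply_filter(SAMPLE_MESSAGES, allowed)
    for m in kept:
        tag = m["mnemonic"] or "(no Cisco mnemonic: not an IOS/ASA message)"
        print(f"KEEP fac={m['facility']:2d} sev={m['severity_name']:<13} {tag}")
    print("dropped:", dict(dropped))
    print("PRI/mnemonic mismatches:", mnemonic_mismatches(kept))
```

Run as-is it keeps the two IOS security-violation events, the ASA deny and the SRX error, and drops the ASA connection-built message, the SRX session-deny notice and the malformed line. The mnemonic_mismatches check is worth running on a real capture: if a device's PRI severity and its %FAC-SEV tag disagree, a filter keyed on one will not behave the way the other suggests.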
To my surprise I discovered that the syslog on PI is now populated by events from ASA firewall. The level is set to "Warning" which should suffice for storing events related to denies and any unusual activity. I wonder if there's any way to set the size of the storage allocated to syslog events and how to do its house cleaning to purge events older than XXX days.
Hi Marvin Rhoads,
Thanks for your reply. Also, I need to know if there is a way to check the size of the disks, to be able to tell whether the disks are full or not due to receiving the syslog messages.
There are two things you can check.
1. Under Administration > Settings > System Settings > Alarms and Events, there is a setting for how many days of syslog you keep. By default PI will delete them after 30 days.
2. On the same settings page also look at "PI Event configuration". There you will see a setting for Disk Utilization. By default the Major alarm threshold is set for 90%. If you have set up email notification for Major System events (under Monitor > Alarms and Events > Email notification) you should get an email when that threshold is reached.
Unfortunately there's not an automated syslog rotation / trimming option in PI just yet like we have in Prime LMS.
p.s. - you can also check the disk usage manually from the root shell. Most of the Prime Infrastructure stuff goes under /opt:
ade # df -akB G | grep Used
Filesystem                1G-blocks  Used  Available  Use%  Mounted on
ade # df -akB G | grep opt
/dev/mapper/smosvg-optvol      447G  241G       184G   57%  /opt
ade #
Will you be able to see the logs in REAL TIME as they come into PI? Like a scrolling screen where new logs appear at the bottom and so on and so forth?
Like the freebie SWATCH?
Not in the GUI.
You could 'tail' the .log file in the Linux shell but I've never seen anyone use that as their mode of operations, Prime Infrastructure or not.
Thanks for the info Marvin.
That's exactly what we are doing right now. "Tail" the log file - Error level and down only, so we don't get too much.
Would you mind sharing what product/solution you found most are using?