10-29-2012 05:34 AM
Hi,
We are currently working on a solution comprising Cisco Prime Infrastructure 1.2 and we can't understand if Prime Infrastructure can work as a syslog collector, since we can't get it to show us any syslog messages sent from the network devices in its Alarms & Events section. Is this normal behavior? Is it necessary to use a remote syslog collector on another machine?
Best regards!
02-12-2014 04:38 AM
Hi all,
thanks for this hack!
I'm very astonished to have Cisco release this sort of bug!!!
08-03-2014 11:42 PM
08-30-2014 12:53 AM
Hi,
I've now configured PI 2.1 for receiving syslog from devices. It works fine, but does not log Juniper SRX 650 logs. The logs come to PI but are not shown.
Please help to find the problem...
08-31-2014 09:31 PM
I'd look into the format of the log messages from the Juniper device. Using a packet capture, compare a message from a working Cisco device with a message from the non-working Juniper device.
I would hypothesize that the Juniper is using a different logging facility or such to cause PI not to recognize the messages.
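The comparison suggested above can be done by decoding the PRI field at the front of each captured syslog payload. This is an added example, not part of the original reply and not Cisco or Juniper code; both sample payloads are constructed for illustration, and the function names are hypothetical.

```python
import re

# Facility and severity names by numeric code (syslog PRI = facility * 8 + severity).
FACILITIES = ("kern user mail daemon auth syslog lpr news uucp cron authpriv "
              "ftp ntp audit alert clock").split() + [f"local{i}" for i in range(8)]
SEVERITIES = ("emergency alert critical error warning notice "
              "informational debug").split()

PRI_RE = re.compile(r"^<(\d{1,3})>")
# Cisco IOS style %FACILITY-SEVERITY-MNEMONIC: tag inside the message body.
IOS_TAG_RE = re.compile(r"%([A-Z0-9_]+)-([0-7])-([A-Z0-9_]+):")

# Constructed sample UDP payloads (not taken from the thread or from real devices).
CISCO_SAMPLE = (b"<187>45: *Mar  1 00:12:01.123: %LINK-3-UPDOWN: "
                b"Interface Gi0/1, changed state to down")
JUNIPER_SAMPLE = (b"<14>1 2014-08-30T00:53:00.000Z srx650 RT_FLOW - "
                  b"RT_FLOW_SESSION_CREATE - session created")


def decode(payload: bytes) -> dict:
    """Return facility, severity and IOS tag for one syslog payload."""
    text = payload.decode("utf-8", errors="replace")
    m = PRI_RE.match(text)
    # The highest valid PRI is 191 (facility 23, severity 7).
    if m is None or int(m.group(1)) > 191:
        return {"valid_pri": False, "facility": None,
                "severity": None, "ios_tag": None}
    pri = int(m.group(1))
    tag = IOS_TAG_RE.search(text, m.end())
    return {
        "valid_pri": True,
        "facility": FACILITIES[pri >> 3],
        "severity": SEVERITIES[pri & 7],
        "ios_tag": tag.group(0).rstrip(":") if tag else None,
    }


def differences(working: bytes, failing: bytes) -> list:
    """List the decoded fields in which the two payloads differ."""
    a, b = decode(working), decode(failing)
    return [k for k in a if a[k] != b[k]]


if __name__ == "__main__":
    for name, sample in (("cisco", CISCO_SAMPLE), ("juniper", JUNIPER_SAMPLE)):
        print(name, decode(sample))
    print("differs in:", differences(CISCO_SAMPLE, JUNIPER_SAMPLE))
```

Feed it the UDP payload bytes exported from the capture; any field listed by `differences` is a candidate for why a collector treats the two sources differently.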
01-22-2015 03:06 AM
Hi Marvin Rhoads,
I have Cisco PI 2.0 and do not receive syslog messages from the switches. I issued the following commands on the Cisco PI CLI:
root_enable
then create your root password
then issue the following:
root
cd /opt/CSCOlumos/conf
/opt/CSCOlumos/conf/syslog_sev_filter.xml
<condition field='severity' op='EQUALS' value='3' />, and <condition field='severity' op='EQUALS' value='4' /> >>>> this line is not accepted on the cli
exit
ncs stop
ncs start
Please advise.
01-22-2015 06:01 AM
Mohammed,
The instructions are to EDIT the file. Either use the vi text editor in the Linux that Prime is running on or edit it offline on your desktop and copy the modified version into the PI file system.
01-26-2015 05:28 PM
Hello folks,
I've been patiently waiting for the well-advertised and much-discussed PI upgrade to version 2.2 to be able to collect syslog, but there's still nothing. Hasn't it been added, or was it just silently dropped from the list of improvement requests and not prioritized features?
Do I have to edit this file /opt/CSCOlumos/conf/syslog_sev_filter.xml to collect syslog from 2960/3750 switches and also the ASA firewall?
01-26-2015 08:12 PM
Please see my posting below from January.
PI 2.2 has updated the XML file to make the default to include syslog messages of all severity levels.
I have verified this on two separate installations - one that had previously modified the file manually and one that had not. Both are now receiving and displaying the full range of messages.
Be careful about ASA logs though - they can be VERY verbose if you are sending informational level messages (i.e., every single TCP connection and UDP flow in and out of your enterprise creating a message, quickly adding up to millions per day and making the server slow down and the function useless for most purposes).
01-27-2015 06:44 PM
Thanks, Marvin,
To my surprise I discovered that the syslog on PI is now populated by events from ASA firewall. The level is set to "Warning" which should suffice for storing events related to denies and any unusual activity. I wonder if there's any way to set the size of the storage allocated to syslog events and how to do its house cleaning to purge events older than XXX days.
01-28-2015 02:37 AM
Hi Marvin Rhoads,
thanks for your reply, also please I need to know if there is a way to know the size of disks to be able to know if the disks are completed or not due to receiving the syslog messages.
Thanks,
01-28-2015 07:16 AM
Mohamed,
There are two things you can check.
1. Under Administration > Settings > System Settings > Alarms and Events, there is a setting for how many days of syslog you keep. By default PI will delete them after 30 days.
2. On the same settings page also look at "PI Event configuration". There you will see a setting for Disk Utilization. By default the Major alarm threshold is set for 90%. If you have set up email notification for Major System events (under Monitor > Alarms and Events > Email notification) you should get an email when that threshold is reached.
Unfortunately there's not an automated syslog rotation / trimming option in PI just yet like we have in Prime LMS.
p.s. - you can also check the disk usage manually from the root shell. Most of the Prime Infrastructure stuff goes under /opt:
ade # df -akB G | grep Used
Filesystem 1G-blocks Used Available Use% Mounted on
ade # df -akB G | grep opt
/dev/mapper/smosvg-optvol 447G 241G 184G 57% /opt
ade #
10-27-2015 08:37 PM
Will you be able to see the logs in REAL TIME as they come into PI? Like a scrolling screen where new logs appear at the bottom and so on and so forth?
Like the freebie SWATCH?
10-28-2015 04:01 AM
Not in the GUI.
You could 'tail' the .log file in the Linux shell but I've never seen anyone use that as their mode of operations, Prime Infrastructure or not.
10-28-2015 07:07 PM
Thanks for the info Marvin.
That's exactly what we are doing right now. "Tail" the log file - Error level and down only, so we don't get too much.
Would you mind sharing what product/solution you found most are using?
TIA.
Hi,
I've now configured my CPI (2.1) for receiving all syslog and SNMP traps sent from my switches (Catalyst 2960s). Everything works fine so far.
Now I want CPI to send an email for the syslog event "security violation". I can see this event in the Syslog view and also in events with severity critical, like I defined in the severity configuration, but no email is generated. Do I have to configure something special if I want to have an email notification on this?
The reason for this problem (maybe there's another solution): We use 802.1x authentication and I want to know when there's a security violation and a port is set to error disabled state. I've configured my switches to send SNMP traps for "errdisabled" but they never appear in CPI.
Because of that I've configured syslogs and saw that "security violation" is logged by syslog, but no email is created :((
Thank you very much for your help!!