cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2988
Views
0
Helpful
24
Replies

Prime LMS: Syslog filter issue

alex.dersch
Enthusiast
Enthusiast

Hello,

for a subset of my devices i do not receive syslog messages. I believe they get filtered out. I deleted all syslog filters and set the Message Filter Type to Keep and the Include interface of selected devices to Yes. Then I restared the system.

But I still see under Admin > Collection Settings > Syslog that there a messeages are filtered.

Any ideas?

regards

alex

1 Accepted Solution

Accepted Solutions

Okay, it looks like the problem is hostname resolution.  Check the hostname fx-ch-hom-sw13.frox.com and make sure it resolves to an IP.  If not, either fix DNS or add an entry to the server's hosts file so that the hostname resolves.

View solution in original post

24 Replies 24

Joe Clarke
Cisco Employee
Cisco Employee

You should check NMSROOT/MDC/tomcat/webapps/rme/WEB-INF/classes/com/cisco/nm/rmeng/csc/data/filters.dat to make sure the filters look right there.  These will be pushed down to the SyslogCollector.

Also, there is a bug in LMS 4.1 if your server's timezone is not one of the common all uppercase timezones.  In that case, syslog messages may not appear when you expect them to.  The bug is CSCts11531.

We use the timezone clock timezone Europe/Zurich. Do you recommend to change the time GMT+1?

This is the content of the filters.dat

Filters for the server: nos-ch-wbn-lms1

Mode: KEEP

Filter expressions:

^((\S+);;;(\S+)(-(\S+))?-(.*)(-(.*\s*))?\s*:\s*.*)$

...................

Yes, you'll need to use GMT+1 or the like to workaround the bug.

The filters do look okay.  All messages should be kept.  Likely they are being written to the DB, just with the wrong timezone offset.

I updated the clock timesetting on the soft appliance. But still i get 135 filtered messages.

nos-ch-wbn-lms11433013501702Sep 25 2011 18:23:45 Greenwich Mean Time(GMT  +00:00:00)Sep 25 2011 19:16:08 Greenwich Mean Time(GMT +00:00:00)

Are you still missing syslogs?

yes, i see them in the syslog_info but not in the syslog report

Enable debugging in NMSROOT/MDC/tomcat/webapps/rme/WEB-INF/classes/com/cisco/nm/rmeng/csc/data/Collector.properties by setting log level to DEBUG.  Then restart SyslogCollector and SyslogAnalyzer.  Generate new syslog messages that are not being seen in the reports, then post the SyslogCollector.log.  When you changed the server's timezone, did you reboot?  What is the TZ value in /etc/TIMEZONE?

I attached the syslog.collector file.After changing the timezone i restarted the system.

The /etc/TIMEZONE i didn't find.

What syslog messages are not appearing in the reports?  What version of Solaris is this?  You should definitely have an /etc/TIMEZONE file.

Sorry I forgot to mention, i miss the syslogs for switch fx-ch-hom-sw13 and fx-ch-hom-sw14. I think it is because of this

SyslogCollector - [Thread: FilterThread-0] DEBUG, 26 Sep 2011 05:08:59,051, getInterestedSubscribers() - No interested subscribers. Returning null.

the version is

show version

Cisco Application Deployment Engine OS Release: 2.0

ADE-OS Build Version: 2.0.1.043

ADE-OS System Architecture: x86_64

Copyright (c) 2005-2010 by Cisco Systems, Inc.

All rights reserved.

Hostname: nos-ch-wbn-lms1

Version information of installed applications

---------------------------------------------

Cisco Prime LAN Management Solution

-----------------------------------

Version  : 4.1

Vendor   : Cisco Systems, Inc.

-----------------------------------

The parser doesn't support ADE-OS syslogs.  They are being parsed using the generic syslog parser, but the hostname is being set blank (I believe).  I think this will need special attention to get it supported.  This would be worth a TAC SR to get an enhancement bug filed.

Why you assume they are ADE-OS syslogs? The missing syslog messages are from Catalyst 3560 and 2960?

Because you posted a show version from an ADE-OS device.  I had assumed this was other CARS appliances in your network.  The messages were also not in a typical format.  There appears to be an extra component in the message.  Post the config from one of these switches.

The ADE-OS is the Soft Appliance i run the LMS 4.1 on. Here is the config from the switch i removed the interface part.

!

! Last configuration change at 14:41:44 CEST Sun Sep 25 2011 by cwuser

! NVRAM config last updated at 14:41:50 CEST Sun Sep 25 2011 by cwuser

!

version 12.2

no service pad

service tcp-keepalives-in

service tcp-keepalives-out

service timestamps debug datetime msec localtime

service timestamps log datetime localtime

service password-encryption

service sequence-numbers

!

hostname FX-CH-HOM-SW13

!

boot-start-marker

boot-end-marker

!

logging buffered 51200

!

username cwuser privilege 15 password 7 ********

username fxadmin privilege 15 password 7 ********

!

!

no aaa new-model

clock timezone cet 1

clock summer-time CEST recurring last Sun Mar 2:00 last Sun Oct 3:00

authentication mac-move permit

ip subnet-zero

!

!

!

archive

  log config

  logging enable

  logging size 1000

  notify syslog contenttype plaintext

  hidekeys

!

spanning-tree mode pvst

spanning-tree etherchannel guard misconfig

spanning-tree extend system-id

spanning-tree uplinkfast

!

!

!

interface Vlan913

  ip address 172.16.9.38 255.255.255.248

!

ip default-gateway 172.16.9.33

ip http server

ip http secure-server

logging trap debugging

logging 10.0.128.19

snmp-server group NOSNOCLMS v3 auth read NOSNOC write NOSNOC

snmp-server view NOSNOC iso included

snmp-server location xxxxxxxxxxx

snmp-server contact xxxxxxxxxx

snmp-server system-shutdown

snmp-server enable traps snmp linkdown linkup

snmp-server enable traps config

snmp-server enable traps cpu threshold

snmp-server enable traps syslog

snmp-server enable traps vtp

snmp-server enable traps errdisable

snmp-server host 10.0.128.19 ********

snmp ifmib ifindex persist

!

line con 0

line vty 0 4

  logging synchronous

  login local

line vty 5 15

  no login

!

ntp clock-period 22518506

ntp server 172.16.2.241

end

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: