Solved: Prime LMS: Syslog filter issue

alex.dersch · ‎09-25-2011

Hello,

for a subset of my devices i do not receive syslog messages. I believe they get filtered out. I deleted all syslog filters and set the Message Filter Type to Keep and the Include interface of selected devices to Yes. Then I restared the system.

But I still see under Admin > Collection Settings > Syslog that there a messeages are filtered.

Any ideas?

regards

alex

Joe Clarke · ‎10-11-2011

Okay, it looks like the problem is hostname resolution. Check the hostname fx-ch-hom-sw13.frox.com and make sure it resolves to an IP. If not, either fix DNS or add an entry to the server's hosts file so that the hostname resolves.

View solution in original post

Joe Clarke · ‎09-25-2011

You should check NMSROOT/MDC/tomcat/webapps/rme/WEB-INF/classes/com/cisco/nm/rmeng/csc/data/filters.dat to make sure the filters look right there. These will be pushed down to the SyslogCollector.

Also, there is a bug in LMS 4.1 if your server's timezone is not one of the common all uppercase timezones. In that case, syslog messages may not appear when you expect them to. The bug is CSCts11531.

alex.dersch · ‎09-25-2011

We use the timezone clock timezone Europe/Zurich. Do you recommend to change the time GMT+1?

This is the content of the filters.dat

Filters for the server: nos-ch-wbn-lms1

Mode: KEEP

Filter expressions:

^((\S+);;;(\S+)(-(\S+))?-(.*)(-(.*\s*))?\s*:\s*.*)$

...................

Joe Clarke · ‎09-25-2011

Yes, you'll need to use GMT+1 or the like to workaround the bug.

The filters do look okay. All messages should be kept. Likely they are being written to the DB, just with the wrong timezone offset.

alex.dersch · ‎09-25-2011

I updated the clock timesetting on the soft appliance. But still i get 135 filtered messages.

nos-ch-wbn-lms1

1433

0

135

0

1702

Sep 25 2011 18:23:45 Greenwich Mean Time(GMT +00:00:00)

Sep 25 2011 19:16:08 Greenwich Mean Time(GMT +00:00:00)

Joe Clarke · ‎09-25-2011

Are you still missing syslogs?

alex.dersch · ‎09-25-2011

yes, i see them in the syslog_info but not in the syslog report

Joe Clarke · ‎09-25-2011

Enable debugging in NMSROOT/MDC/tomcat/webapps/rme/WEB-INF/classes/com/cisco/nm/rmeng/csc/data/Collector.properties by setting log level to DEBUG. Then restart SyslogCollector and SyslogAnalyzer. Generate new syslog messages that are not being seen in the reports, then post the SyslogCollector.log. When you changed the server's timezone, did you reboot? What is the TZ value in /etc/TIMEZONE?

alex.dersch · ‎09-25-2011

I attached the syslog.collector file.After changing the timezone i restarted the system.

The /etc/TIMEZONE i didn't find.

Joe Clarke · ‎09-26-2011

What syslog messages are not appearing in the reports? What version of Solaris is this? You should definitely have an /etc/TIMEZONE file.

alex.dersch · ‎09-26-2011

Sorry I forgot to mention, i miss the syslogs for switch fx-ch-hom-sw13 and fx-ch-hom-sw14. I think it is because of this

SyslogCollector - [Thread: FilterThread-0] DEBUG, 26 Sep 2011 05:08:59,051, getInterestedSubscribers() - No interested subscribers. Returning null.

the version is

show version

Cisco Application Deployment Engine OS Release: 2.0

ADE-OS Build Version: 2.0.1.043

ADE-OS System Architecture: x86_64

Hostname: nos-ch-wbn-lms1

Version information of installed applications

---------------------------------------------

Cisco Prime LAN Management Solution

-----------------------------------

Version : 4.1

Vendor : Cisco Systems, Inc.

-----------------------------------

Joe Clarke · ‎09-26-2011

The parser doesn't support ADE-OS syslogs. They are being parsed using the generic syslog parser, but the hostname is being set blank (I believe). I think this will need special attention to get it supported. This would be worth a TAC SR to get an enhancement bug filed.

alex.dersch · ‎09-26-2011

Why you assume they are ADE-OS syslogs? The missing syslog messages are from Catalyst 3560 and 2960?

Joe Clarke · ‎09-26-2011

Because you posted a show version from an ADE-OS device. I had assumed this was other CARS appliances in your network. The messages were also not in a typical format. There appears to be an extra component in the message. Post the config from one of these switches.

alex.dersch · ‎09-27-2011

The ADE-OS is the Soft Appliance i run the LMS 4.1 on. Here is the config from the switch i removed the interface part.

!

! Last configuration change at 14:41:44 CEST Sun Sep 25 2011 by cwuser

! NVRAM config last updated at 14:41:50 CEST Sun Sep 25 2011 by cwuser

!

version 12.2

no service pad

service tcp-keepalives-in

service tcp-keepalives-out

service timestamps debug datetime msec localtime

service timestamps log datetime localtime

service password-encryption

service sequence-numbers

!

hostname FX-CH-HOM-SW13

!

boot-start-marker

boot-end-marker

!

logging buffered 51200

!

username cwuser privilege 15 password 7 ********

username fxadmin privilege 15 password 7 ********

!

no aaa new-model

clock timezone cet 1

clock summer-time CEST recurring last Sun Mar 2:00 last Sun Oct 3:00

authentication mac-move permit

ip subnet-zero

!