12-17-2012 06:08 AM
I'm seeing tons of syslog in var/log/messages. When I look at the logs they are mostly duplicates of what I see in the syslog_info file. Due to this my var/log is filling up so fast. Do I need to update my syslog.conf file? What are the recommended settings for Prime LMS 4.2?
-rw------- 1 root root 808570913 Dec 16 04:05 messages.1
-rw-rw-r-- 1 root sys 14259416649 Dec 17 08:59 syslog_info
-rw------- 1 root root 201355173 Dec 17 08:59 messages
Here is my current syslog.conf file
local6.info /var/log/ade/ADE.log
*.info;mail.none;news.none;authpriv.none;cron.none;local0.none;local1.none /var/log/messages
authpriv.* /var/log/secure
mail.* -/var/log/maillog
cron.* /var/log/cron
*.emerg *
uucp,news.crit /var/log/spooler
local7.* /var/log/boot.log
#Application LMS Generated config
#BEGIN CSCOmd - DO NOT EDIT THESE COMMENTS OR CONTENTS CONTAINED WITHIN - local0 1
#
local0.emerg;local0.alert;local0.crit;local0.err;local0.warning;local0.notice;local0.info;local0.debug /var/adm/CSCOpx/log/dmgtd.log
#
#END CSCOmd DO NOT EDIT BEFORE THIS LINE 1
local7.info /var/log/syslog_info
12-27-2012 02:15 AM
Usually we don't recommend changing anything in syslog.conf. Syslog_info is the file where all the syslogs coming from the network pointed to the LMS server are written.
Usually they should be controlled at the device level by checking the logging level of devices.
Mostly ASA/FWs send an excessively huge amount of syslogs to the LMS server, which should be controlled. Also, you can check the logrot utility to keep the syslog_info log size in check. Logrot is a log file rotation utility in LMS.
Log files can expand and fill up disk space. Log file rotation helps you manage the log files more efficiently. See Maintaining Log Files for an overview of maintaining the log files in LMS Server.
For more details on logrot, check the user guide:
-Thanks
06-20-2013 02:28 AM
I have thought the same, it is quite strange to duplicate all (remote) syslog into /var/log/messages as well. If you use facility local7, the messages are as well written into /var/log/boot.log.
Both should be changed in my opinion.
Further, LMS 4.2.3 still doesn't conserve /etc/syslog.conf, as opposed to what is marked in CSCtz10020.
I had to edit the file to add another Syslog Severity configured on some devices and the config was gone when I checked it again.
The workarounds noted in the bug seem to work.
http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCtz10020
Greetings
Rufer
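The duplication discussed in this thread can be traced from the posted syslog.conf itself. The following is an added example, not part of any post and not Cisco's code: a small evaluator that assumes classic syslog.conf selector semantics (a priority name matches that severity and anything more severe, `none` excludes a facility, `*` matches all) and lists every destination a message reaches. `VARIANT_RULES` is a hypothetical edit used only for comparison.

```python
# Added example: which syslog.conf rules match a given facility.severity.
# Assumes classic syslog.conf selector semantics; "=" and "!" are not handled.
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Rules copied from the syslog.conf posted in this thread (selector, action).
POSTED_RULES = [
    ("local6.info", "/var/log/ade/ADE.log"),
    ("*.info;mail.none;news.none;authpriv.none;cron.none;local0.none;local1.none", "/var/log/messages"),
    ("authpriv.*", "/var/log/secure"),
    ("mail.*", "-/var/log/maillog"),
    ("cron.*", "/var/log/cron"),
    ("*.emerg", "*"),
    ("uucp,news.crit", "/var/log/spooler"),
    ("local7.*", "/var/log/boot.log"),
    ("local0.emerg;local0.alert;local0.crit;local0.err;local0.warning;local0.notice;local0.info;local0.debug", "/var/adm/CSCOpx/log/dmgtd.log"),
    ("local7.info", "/var/log/syslog_info"),
]

def selector_matches(selector, facility, severity):
    """Return True if a message with this facility and severity matches."""
    level = SEVERITIES.index(severity)
    mask = 0  # bit n set => severity n is logged for this facility
    for part in selector.split(";"):
        facilities, _, priority = part.strip().rpartition(".")
        names = facilities.split(",")
        if "*" not in names and facility not in names:
            continue
        if priority == "none":
            mask = 0
        elif priority == "*":
            mask = 0xFF
        else:
            # a priority name covers that severity and everything more severe
            mask |= (1 << (SEVERITIES.index(priority) + 1)) - 1
    return bool(mask & (1 << level))

def destinations(rules, facility, severity):
    """List every action that receives the message, in file order."""
    return [action for sel, action in rules if selector_matches(sel, facility, severity)]

# Hypothetical variant (not from the thread): exclude local7 from /var/log/messages.
VARIANT_RULES = [
    (sel + ";local7.none" if action == "/var/log/messages" else sel, action)
    for sel, action in POSTED_RULES
]

if __name__ == "__main__":
    for label, rules in (("posted", POSTED_RULES), ("variant", VARIANT_RULES)):
        print(label, destinations(rules, "local7", "info"))
```

With the posted rules a local7.info message is written three times; local0 and local1 avoid /var/log/messages only because the selector names them with `none`.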