04-26-2013 10:30 AM
I'm running CW LMS 4.0.1 and I see in packet captures on my PC that my CiscoWorks server is sending syslog entries to my PC that are getting rejected because I'm not running a syslog server application. I want to stop receiving these syslog entries. I'm sure this is a simple setting somewhere, but for the life of me I can't find it anywhere. Does anybody know how I can stop receiving these syslog entries? Any help would be much appreciated.
Thank you,
Rob
04-26-2013 12:39 PM
It could have been set up as a remote syslog collector under Admin > Collection Settings > Syslog > Syslog Collection Settings. (Reference)
04-26-2013 12:53 PM
That was my first thought, but there is nothing entered there. I wonder if something was left behind from a previous version after an upgrade.
Rob
04-26-2013 12:58 PM
If you're running on a Windows host, there might be another forwarder operating outside of LMS. These can sometimes run as a service and not be obvious at first (or second) glance.
Check your Services from the Windows admin tools. Also, if you run tcpview (free Microsoft download) on the server you can confirm what process (and thus what application) is opening the connections to your local machine.
04-26-2013 01:35 PM
It definitely looks like it's the CiscoWorks application running as a system process over port 1741.
04-26-2013 02:28 PM
Can you provide a packet capture?
04-26-2013 03:05 PM
Packet capture added to my original post.
04-26-2013 03:15 PM
That capture shows syslog messages from a Cisco router at 10.80.1.1 to a Dell host at 10.96.17.10.
So that capture would seem to indicate the router (not LMS) has the host defined as a log server.
04-26-2013 03:17 PM
Oops. My bad.
04-26-2013 03:26 PM
In addition, it seems FastEthernet0/170 & FastEthernet0/180 are going up & down often.