Hi Vinod

Thank a lot for the explaination. There are a few think that make me confuse about the configuration.

On the Nexus Router i had configured Logging server and point to our LMS and also our Syslog server.

logging server 10.1.1.218 >>syslog server

logging server 10.1.1.219 >>syslog server

logging server 10.3.3.3 >> Cisco Prime LMS

1. When i check on LMS syslog.log. I really not understand about the log. Appreciate if you can advise.

2. I go to Syslog collector and i can see my LMS server appear which is the server name is VPCISCOPRA012.  I am not sure why its appear and i also do some test collector. The result is on screeshot.

3. THen i also do a Test Collect by inserting my router ip 10.7.7.1 and the result as per screenshot.

4. Actually Syslog Message filter should i enable all or no need. Actually what the main purpose Syslog Message Filter?

5. I also provide the syslog monitoring dashbord. On the Monitoring dashbord i didn't see any data available

Usually syslog.log is a flat text file, and it has the basic Raw syslogs, as they appear in show log in your device, so it should be pretty easy and comprehensive.

To check further, you may try to search for device IP Address.

Example, i have from my LMS server # IP = 10.10.10.1:

Under Syslog.log

Mar 13 06:23:40 10.10.10.1 2961606: .Mar 13 00:39:37: %SYS-1-CPURISINGTHRESHOLD: Threshold: Total CPU Utilization(Total/Intr): 13%/3%, Top 3 processes(Pid/Util):  310/4%, 9/2%, 67/0%

Mar 13 06:25:45 10.10.10.1 2961607: .Mar 13 00:41:42: %SYS-1-CPUFALLINGTHRESHOLD: Threshold: Total CPU Utilization(Total/Intr) 7%/1%.

So if you don't see such messages, chances are the syslog aren't coming to the syslog.log.

Infact, mostly it is so dynamic, that when you test generate a syslog on your device, and the device is configured to forward it to LMS server, you might see the trap, instantly within seconds.

As per your syslog collector screenshot :

Marked in RED is forwarded, which shows number of syslog messages, which are forwarded from syslog.log file to LMS Database. It being 0 means no syslog in any reports or database.

Please check once, if your devices are sending syslogs properly and they are in syslog.log. Unless they reach there, LMS cant do anything.

-Thanks
Vinod
**Appriciate Contributors. RATE them.**

HI Vinod

Regarding about your advise to check our device are sending syslog or not. May i have your advise how can i check? Its because in my device i already turn on the logging configuration. I will share with you my config and the show logging result.

Regarding about the LMS can't do anything. May i know what means LMS can't do anything?

Base on the information that i given to you. Do you see any missing step or confguration?

Usually even if we use terminal monitor command on an IOS device, and try anything which can generate syslog, like clear counter command, it should show on the terminal, which is enough to show syslogs are working and being generated.

By LMS can't do anything I meant, it is important and essential to have syslogs atleast reach syslog.log for further processing. Without syslogs being received by syslog.log, LMS is not responsible for syslog issues.

Device<----------L2/L3----------->syslog.log<----internal I/O---->LMS Database

(Cisco device                          (LMS receives                            (collected from syslog.log

Sending Syslog)                        log here)                                   after filtering)

You have to make sure on device are sending properly + syslog are received by syslog.log.

Make sure if any firewall is in place, please allow syslog and port 514.

Here is an old, but very apt and relevant troubleshooting guide, which may help for syslogs and LMS :

http://www.cisco.com/c/en/us/support/docs/cloud-systems-management/works-resource-manager-essentials-35/13477-rme-syslog.html

Please check and update.

-Thanks

Vinod
**Rating Encourages contributors, and its really free. **

Hi Vinod

Thank for the explaination. May i have your advise regarding about my setup for syslog lms? Below is the setup

Device Cisco----------------------------------------------WAN------------------------------------------------------> Cisco Prime LMS (10.3.3.3)

logging server 10.1.1.218 > Syslog Server

logging server 10.1.1.219 > Syslog Server

logging server 10.3.3.3 > LMS Server

Is it correct that i pointing logging server to my Cisco Prime LMS? as per you mentioned that need to open firewall. Is it mean i need to open firewall connection between my LMS server to the Cisco Device?

Alhafiz,

Your configuration on the device seems fine and it should suffice to send syslogs to LMS server.

For FW yes, you need to allow syslog traffic (open port 514) and allow LMS IP to have syslog received properly.

To test, you can try TFTPD32 software which has a small syslog server on any other PC or the LMS server to see on its GUI if syslog come as testing.

If you try it on LMS server, you have to stop LMS daemon (Win - net stop crmdmgtd | Sol/Linux - /etc/init.d/dmgtd stop) and also, stop the syslog listening service (only on windows- net stop crmlog).

And run the software to see syslog instantly. Download software from here :

http://tftpd32.jounin.net/tftpd32_download.html

-Thanks

Vinod
**Rating Encourages contributors, and its really free. **