08-09-2011 12:17 PM
We have installed LMS 3.0.1 with RME 4.1.1. I have enabled the Syslog Link Up/Down Message Filter that comes preconfigured with CiscoWorks. When the message filter is configured for All Managed Devices it works perfectly and filters out all the Up/Down messages. But if I select the Choose Devices option and specify certain devices it does not seem to work at all. All the Up/Down messages appear for all devices for some reason. Any idea what I'm doing wrong?
Thanks
Jamie
08-16-2011 08:35 AM
Hi,
Did you change anything other than the devices selected?
What do 'Drop' and 'Keep' options in syslog message filters mean?
+++++++++++++++++++++++++++++++++++++++++++++++++
Scenario 1:
All filters are disabled. Mode: Keep
All messages will be forwarded.
Scenario 2:
All filters are disabled. Mode: Drop
All messages will be filtered.
Scenario 3:
At least one filter is enabled. Mode: Keep
Only those syslog messages that satisfy the enabled filters will be forwarded and all others will be filtered.
Scenario 4:
At least one filter is enabled. Mode: Drop
Only those syslog messages that satisfy the enabled filters will be filtered and all others will be forwarded.
08-16-2011 10:19 AM
Yes, that is all I have changed on the rule is the devices it applies to. See the image below.
08-17-2011 08:49 AM
The way this is *supposed* to work is:
1) Create the filter and specify which devices you want to apply it to.
It should not be necessary to create multiple filters for the same message,
unless not all devices were included in your original filter.
2) Drop certain messages, for which you have defined filters, so we should
Enable the filter and choose Drop. Set "Include interfaces of selected
devices" to No.
3) RME > Admin > System Preferences > Loglevel Settings, verify
SyslogAnalyzer is set to DEBUG. The UI module should be INFO.
4) Stop the daemon manager (net stop crmdmgtd). Also, go to
Control Panel > Admin Tools > Services and stop the syslog service.
5) On Windows, please delete any huge *.log file. When the daemon
manager and syslog service are restarted, these files will be regenerated.
Be sure to delete these:
- AnalyzerDebug.log
- SyslogAnalyzer.log
- SyslogCollector.log
- syslog.log
6) Restart the syslog service, then restart the daemon manager
(net start crmdmgtd).
When a message that you feel should be filtered out occurs, send me
the following:
(a) Portion of syslog.log file showing the specific message.
(b) AnalyzerDebug.log showing the corresponding message.
(c) Send current screenshot of your Message Filter page.
(d) Click on the filter name and send screenshot of the resulting page.
(e) Also include a screenshot of the Syslog Collector Status page.
7) Remove the debug settings.
08-17-2011 10:48 AM
08-19-2011 06:29 AM
Have you tried deleting the filters and then re-adding them?
The default is
Mode: DROP
Filter expressions:
^((\S+);;;(PIX)(-(\S+))?-(6)-(302002\s*)\s*:\s*.*)$
^((\S+);;;(PIX)(-(\S+))?-(6)-(302001\s*)\s*:\s*.*)$
^((\S+);;;(PIX)(-(\S+))?-(6)-(304001\s*)\s*:\s*.*)$
^((\S+);;;(FW)(-(\S+))?-(6)-(SESS_AUDIT_TRAIL\s*)\s*:\s*.*)$
^((\S+);;;(\S+)(-(\S+))?-(7)-(.*\s*)\s*:\s*.*)$
It would also be helpful to get the SyslogAnalyzer.log
I also ran across the following bug:
Thanks
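An added example, not part of the original posts and not CiscoWorks code: the four Keep/Drop scenarios listed earlier in the thread, applied to the default filter expressions quoted above. The sample messages are constructed, their `host;;;FACILITY-SEVERITY-MNEMONIC: text` layout is an assumption inferred from the shape of the expressions, and `forwarded` is a hypothetical helper name.

```python
import re

# Default DROP-mode filter expressions, copied from the post above.
DEFAULT_FILTERS = [
    r"^((\S+);;;(PIX)(-(\S+))?-(6)-(302002\s*)\s*:\s*.*)$",
    r"^((\S+);;;(PIX)(-(\S+))?-(6)-(302001\s*)\s*:\s*.*)$",
    r"^((\S+);;;(PIX)(-(\S+))?-(6)-(304001\s*)\s*:\s*.*)$",
    r"^((\S+);;;(FW)(-(\S+))?-(6)-(SESS_AUDIT_TRAIL\s*)\s*:\s*.*)$",
    r"^((\S+);;;(\S+)(-(\S+))?-(7)-(.*\s*)\s*:\s*.*)$",
]

# Constructed sample messages (assumed layout, see lead-in).
PIX_TEARDOWN = "10.0.0.1;;;PIX-6-302002: Teardown TCP connection (constructed)"
FW_AUDIT = "10.0.0.1;;;FW-6-SESS_AUDIT_TRAIL: session summary (constructed)"
DEBUG_MSG = "10.0.0.3;;;SYS-7-TRACE: debug-level message (constructed)"
LINK_DOWN = "10.0.0.2;;;LINK-3-UPDOWN: Interface Fa0/1 changed state (constructed)"


def forwarded(message, enabled_filters, mode):
    """Return True if the message is forwarded, False if it is filtered.

    No enabled filters: Keep forwards everything, Drop filters everything.
    With enabled filters: Keep forwards only matches, Drop filters only matches.
    """
    if mode not in ("Keep", "Drop"):
        raise ValueError("mode must be 'Keep' or 'Drop'")
    if not enabled_filters:
        return mode == "Keep"            # scenarios 1 and 2
    matched = any(re.match(p, message) for p in enabled_filters)
    return matched if mode == "Keep" else not matched  # scenarios 3 and 4


def summarize(messages, enabled_filters, mode):
    """Map each message to 'forwarded' or 'filtered' for a quick review."""
    return {
        m: "forwarded" if forwarded(m, enabled_filters, mode) else "filtered"
        for m in messages
    }


if __name__ == "__main__":
    samples = [PIX_TEARDOWN, FW_AUDIT, DEBUG_MSG, LINK_DOWN]
    for mode in ("Keep", "Drop"):
        for msg, verdict in summarize(samples, DEFAULT_FILTERS, mode).items():
            print(f"{mode:4} {verdict:9} {msg}")
```

With the default set in Drop mode, anything at severity 7 and the listed PIX/FW audit messages never reach the syslog report, which is worth knowing before relying on those reports for session auditing.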
08-23-2011 08:29 AM
TAC had me upgrade to LMS 3.2.1 for a separate RME problem I was having. This version has resolved both problems. So I am to assume there was a bug in the 3.0.1 version of the software that was causing the Syslog filter issue.
Thanks for all the help.
Jamie