Re: Syslog Message Filter Device Selection

jamie.gleeson · ‎08-09-2011

We have installed LMS 3.0.1 with RME 4.1.1. I have enabled the Syslog Link Up/Down Message Filter that comes preconfigured with CiscoWorks. When the message filter is configured for All Managed Devices it works perfectly and filters out all the Up/Down messages. But if if select the Choose Devices option and specify certain devices it does not seem to work at all. All the Up/Down messages appear for all devices for some reason. Any idea what I'm doing wrong?

Thanks

Jamie

ngoldwat · ‎08-16-2011

Hi,

Did you change anything other than the devices selected?

What do 'Drop' and 'Keep' options in syslog message filters mean?

+++++++++++++++++++++++++++++++++++++++++++++++++

Scenario 1:

All filters are disabled. Mode: Keep

All messages will be forwarded.

Scenario 2:

All filters are disabled. Mode: Drop

All messages will be filtered.

Scenario 3:

At least one filter is enabled. Mode: Keep

Only those syslog messages that satisfy the enabled filters will be forwarded and all others will be filtered.

Scenario 4:

At least one filter is enabled. Mode: Drop

Only those syslog messages that satisfy the enabled filters will be filtered and all others will be forwarded

jamie.gleeson · ‎08-16-2011

Yes, that is all I have changed on the rule is the devices it applies to. See the image below.

ngoldwat · ‎08-17-2011

The way this is *supposed* to work is:

1)  Create the filter and specify which devices you want to apply it to. 
It should not be necessary to create multiple filters for the same message, 
unless not all devices were included in your original filter.

2)  Drop certain messages, for which you have defined filters, so we should 
Enable the filter and choose Drop. Set "Include interfaces of selected 
devices" to No.

3)  RME > Admin > System Preferences > Loglevel Settings, verify 
SyslogAnalyzer is set to DEBUG. The UI module should be INFO. 

4)  Stop the daemon manager (net stop crmdmgtd). Also, go to 
Control Panel > Admin Tools > Services and stop the syslog service.

5)  On Windows, please delete any huge *.log file. When the daemon 
manager and syslog service are restarted, these files will be regenerated. 

Be sure to delete these:

- AnalyzerDebug.log
- SyslogAnalyzer.log
- SyslogCollector.log
- syslog.log

6)  Restart the syslog service, then restart the daemon manager 
(net start crmdmgtd).

When a message that you feel should be filtered out occurs, send me 
the following:

(a) Portion of syslog.log file showing the specific message.
(b) AnalyzerDebug.log showing the corresponding message.
(c) Send current screenshot of your Message Filter page.
(d) Click on the filter name and send screenshot of the resulting page.
(e) Also include a screenshot of the Syslog Collector Status page.

7)  Remove the debug settings.

jamie.gleeson · ‎08-17-2011

All set...hope I did it correctly. It was a little difficult to determine in the AnalyzerDebug.log where to cut the entry but I think I got it all.

Thanks again

Jamie

ngoldwat · ‎08-19-2011

Have you tried deleting the filters and then re-adding them?

the default is

Mode: DROP

Filter expressions:

^((\S+);;;(PIX)(-(\S+))?-(6)-(302002\s*)\s*:\s*.*)$

^((\S+);;;(PIX)(-(\S+))?-(6)-(302001\s*)\s*:\s*.*)$

^((\S+);;;(PIX)(-(\S+))?-(6)-(304001\s*)\s*:\s*.*)$

^((\S+);;;(FW)(-(\S+))?-(6)-(SESS_AUDIT_TRAIL\s*)\s*:\s*.*)$

^((\S+);;;(\S+)(-(\S+))?-(7)-(.*\s*)\s*:\s*.*)$

It would also be helpful to get the SyslogAnalyzer.log

I also ran across the following bug:

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCsr84556

Thanks

jamie.gleeson · ‎08-23-2011

TAC had me upgrade to LMS 3.2.1 for a separate RME problem I was having. This version has resolved both problems. So I am to assume there was a bug in the 3.0.1 version of the software that was causing the Syslog filter issue.

Thanks for all the help.

Jamie