Solved: Syslog not shown in LMS 4.2

jaira · ‎05-04-2015

Hi All

I have generated a 24 hour Syslog Report but the reports comes out totally empty (no records).

Also in the Monitoring Dashboards under Syslog Summary, Syslog Alerts, Syslog Messages and Top-N syslog sender doesn´t appear ("No data is available" messsage).

All the switches has been configured with logging trap 7.

Pls also check the image attached regarding Status and subscription.

I´ll appreciate your comments/feedback

thanks

Marvin Rhoads · ‎05-04-2015

OK.

Can you please go to command line on the LMS server and run:

show application status LMS | i log

You should see something like this:

lms01/sysadmin# show application status LMS | i log
  SyslogCollector       Running normally                          25033
  SyslogAnalyzer        Running normally                          29175

View solution in original post

Marvin Rhoads · ‎05-04-2015

The collector screenshots you have included are generally referring to a scheme where you use a separate server as a remote syslog collector.

Is that how you have your LMS setup?

jaira · ‎05-04-2015

Thanks for your soon response.

We are not using separate server. Sorry, the ip address and hostname that appears in the image are the same server.

Marvin Rhoads · ‎05-04-2015

OK.

Can you please go to command line on the LMS server and run:

show application status LMS | i log

You should see something like this:

lms01/sysadmin# show application status LMS | i log
  SyslogCollector       Running normally                          25033
  SyslogAnalyzer        Running normally                          29175

jaira · ‎05-04-2015

Here is the status

vwarbazu0002/sysadmin# show application status LMS | i log

SyslogCollector Running normally 4142
SyslogAnalyzer Running normally 9502

Marvin Rhoads · ‎05-04-2015

Hmm, the collector and analyzer processes are running properly as expected.

Can you confirm (perhaps with a packet capture on the LMS server) that syslog messages are being received from the devices? You can get a pcap from the GUI as a tool under Device Center or drop into the shell and use tcpdump (be sure to filter on a specific device in any case and then do something that is known to generate a syslog message).

I did notice you said you have "logging trap 7". You do also have the "logging host <LMS server address>" set as well - yes?

jaira · ‎05-04-2015

First of all, the logging host command was set up.

On the other hand, I have checked two files under \var\log directory

messages

syslog_info

For example: in syslog_info I found the following and it is correct. We were making some changes in the switch today in the morning. It was at 10:00 a.m.

May 4 18:52:08 10.133.36.8 28: .May 4 13:52:01.459: %LINK-5-CHANGED: Interface GigabitEthernet1/0/1, changed state to administratively down
May 4 18:52:08 10.133.36.8 29: .May 4 13:52:01.475: %LINK-5-CHANGED: Interface GigabitEthernet1/0/2, changed state to administratively down
May 4 18:52:08 10.133.36.8 30: .May 4 13:52:01.490: %LINK-5-CHANGED: Interface GigabitEthernet1/0/3, changed state to administratively down
May 4 18:52:08 10.133.36.8 31: .May 4 13:52:01.506: %LINK-5-CHANGED: Interface GigabitEthernet1/0/4, changed state to administratively down
May 4 18:52:08 10.133.36.8 32: .May 4 13:52:01.522: %LINK-5-CHANGED: Interface GigabitEthernet1/0/5, changed state to administratively down
May 4 18:52:08 10.133.36.8 33: .May 4 13:52:01.538: %LINK-5-CHANGED: Interface GigabitEthernet1/0/6, changed state to administratively down
May 4 18:52:08 10.133.36.8 34: .May 4 13:52:01.553: %LINK-5-CHANGED: Interface GigabitEthernet1/0/7, changed state to administratively down
May 4 18:52:08 10.133.36.8 35: .May 4 13:52:01.569: %LINK-5-CHANGED: Interface GigabitEthernet1/0/8, changed state to administratively down
May 4 18:52:08 10.133.36.8 36: .May 4 13:52:01.585: %LINK-5-CHANGED: Interface GigabitEthernet1/0/9, changed state to administratively down
May 4 18:52:08 10.133.36.8 37: .May 4 13:52:01.606: %LINK-5-CHANGED: Interface GigabitEthernet1/0/10, changed state to administratively down
May 4 18:52:08 10.133.36.8 38: .May 4 13:52:01.621: %LINK-5-CHANGED: Interface GigabitEthernet1/0/11, changed state to administratively down
May 4 18:52:08 10.133.36.8 39: .May 4 13:52:01.637: %LINK-5-CHANGED: Interface GigabitEthernet1/0/12, changed state to administratively down
May 4 18:52:08 10.133.36.8 40: .May 4 13:52:01.653: %LINK-5-CHANGED: Interface GigabitEthernet1/0/13, changed state to administratively down
May 4 18:52:08 10.133.36.8 41: .May 4 13:52:01.690: %LINK-5-CHANGED: Interface GigabitEthernet1/0/14, changed state to administratively down
May 4 18:52:08 10.133.36.8 42: .May 4 13:52:01.705: %LINK-5-CHANGED: Interface GigabitEthernet1/0/15, changed state to administratively down
May 4 18:52:08 10.133.36.8 43: .May 4 13:52:01.721: %LINK-5-CHANGED: Interface GigabitEthernet1/0/16, changed state to administratively down
May 4 18:52:08 10.133.36.8 44: .May 4 13:52:01.737: %LINK-5-CHANGED: Interface GigabitEthernet1/0/17, changed state to administratively down
May 4 18:52:08 10.133.36.8 45: .May 4 13:52:01.758: %LINK-5-CHANGED: Interface GigabitEthernet1/0/18, changed state to administratively down
May 4 18:52:09 10.133.36.8 46: .May 4 13:52:01.773: %LINK-5-CHANGED: Interface GigabitEthernet1/0/19, changed state to administratively down
May 4 18:52:09 10.133.36.8 47: .May 4 13:52:01.789: %LINK-5-CHANGED: Interface GigabitEthernet1/0/20, changed state to administratively down
May 4 18:52:09 10.133.36.8 48: .May 4 13:52:01.805: %LINK-5-CHANGED: Interface GigabitEthernet1/0/21, changed state to administratively down
May 4 18:52:09 10.133.36.8 49: .May 4 13:52:01.821: %LINK-5-CHANGED: Interface GigabitEthernet1/0/22, changed state to administratively down
May 4 18:52:09 10.133.36.8 50: .May 4 13:52:01.836: %LINK-5-CHANGED: Interface GigabitEthernet1/0/23, changed state to administratively down
May 4 18:52:09 10.133.36.8 51: .May 4 13:52:01.852: %LINK-5-CHANGED: Interface GigabitEthernet1/0/24, changed state to administratively down
May 4 18:53:02 10.133.96.13 12037: .May 4 10:52:54: %SFF8472-5-THRESHOLD_VIOLATION: Gi1/0/27: Tx power low alarm; Operating value: -40.0 dBm, Threshold val
ue: -13.5 dBm.
May 4 18:53:14 10.133.36.8 52: .May 4 13:53:06.557: %SYS-5-CONFIG_I: Configured from console by javierf on vty0 (10.133.48.80)
May 4 18:55:36 10.133.88.10 10101: .May 4 10:55:27: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/2, changed state to down
May 4 18:55:37 10.133.88.10 10102: .May 4 10:55:28: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/2, changed state to down
May 4 18:55:54 10.133.36.8 53: .May 4 10:55:46: %SYS-6-CLOCKUPDATE: System clock has been updated from 10:55:46 ARG Mon May 4 2015 to 10:55:46 AR Mon May 4
2015, configured from console by javierf on vty0 (10.133.48.80).

So, I assume that the switches are sending messages to the LMS server.

The only thing that it takes me the attention is that the switches have a different time regarding the time of the LMS server.

See the example:

Switch:

sw#show clock
.17:24:12.615 AR Mon May 4 2015

LMS server:

[vwarbazu0002/root-ade log]# clock
Tue May 5 01:24:54 2015 -0.924738 seconds

The server is 8 hours ahead. Do you think that this time sync has something to do?

Marvin Rhoads · ‎05-04-2015

The timezone discrepancy shouldn't affect whether any messages are seen. IIRC sylog messages are always sent with UTC time and the timezone offset in the message body. In any event, LMS will always display them in the server's time.

I did vaguely recall another thread and a search uncovered this 3 year old thread. Does this situation perhaps apply to you? (See Martin Ermel's reply in the thread.)