cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1747
Views
0
Helpful
9
Replies

Syslog Purge

estelamathew
Level 2
Level 2

Hello,

I have configured syslog message filter to severity level 4 and also i have specified logrot rotation for syslog to size 2 MB and also i have specified syslog purge after 7 days still my RME syslog database file such as syslogfirst.db,syslogsecond.db and syslogthird.db are increasing and consuming hardisk space and also the syslog.log file in NMSroot.

Please suggest me where things are going wrong for me. Need help very badly, this is twice happening with me ,1st time i cleared the RME datebase file in which i lost all configuration  then configured the filters and syslog purge data for 7 days to go with smooth operations but still i m facing the same issue.

Thanks

9 Replies 9

Martin Ermel
VIP Alumni
VIP Alumni

to get a clear picture, wich version of LMS do you have and on which plattform is it installed. How many devices are sending syslog messages to the LMS server;

logrot.pl acts on the raw syslog file (NMSROOT\log\syslog.log - on windows);the syslog purge job deletes the messages from the database;

The problem could be the way how the syslog database works (or databases in general). The space once used by the syslog database cannot be reclaimed by the operating system, even when all messages are purged. To get the space back, the database must be unloaded - but there is a procedure how to do it. Depending on your LMS version the required java class file was installed or can be requested from TAC.

See also these threads on how the syslog processing works in LMS:

https://supportforums.cisco.com/message/3209945#3209945

https://supportforums.cisco.com/message/3422957#3422957

https://supportforums.cisco.com/message/3369193#3369193

Dear Martin,

Before Posting i have been  to these link by google, I have done accoding to the same what they are discussing,  BUT My question is after purging,rotating still why the syslogs databases are occupying spaces.

According to thred what i understood:

  • If we set purging policy for suppose 7 days all syslogsfor 7 days will be deleted and will not be collected in syslog database???? please correct me if i m wrong

  • Log rotaion is for the rotation of the system's logs that has been configured for example syslog.log,, then why they are not getting replace the C:Drive goes out of space????? because of syslog.log file

PLEASE ANSWERS THE ABOVE QUERIES.

From where i can get the JAVA Class file,???? My Common Services is 3.2 and RME is 4.2

yes, a purge policy of 7 days will delete all syslog messages from the syslog database syslogfirst.db, syslogsecond.db, syslogthird.db)

yes, logrot.pl is to maintain the file size of the "raw" syslog file (syslog.log)

You have LMS 3.1. As far as I know you need to open a TAC case to get the correct verions of DBSpaceReclaimer.class, but you can check if it is shipped with LMS 3.1, also. If yes, you should find it here:

NMSROOT\MDC\tomcat\webapps\rme\WEB-INF\classes\com\cisco\nm\rmeng\debugTools\syslog

The command to execute should be (if you have installed in C:\Program Files\CSCOpx):

C:\progra~1\cscopx\lib\jre\bin\java -classpath C:\temp;C:\progra~1\cscopx\lib\classpath;C:\progra~1\cscopx\www\classpath;C:\progra~1\cscopx\MDC\tomcat\webapps\rme\WEB-INF\classes;C:\progra~1\cscopx\MDC\tomcat\webapps\rme\WEB-INF\lib\log4j.jar DBSpaceReclaimer

in the past there have been issues if syslog.log is very huge in size (< 4 GB)

with logrot check if the process is scheduled (type "at" in a DOS box)

if the syslog.log is huge you can try to just truncate the syslog.log file with

NMSROOT\CSCOpx\log>logrot_trunc

to get the space of syslogfirst.db, syslogsecond.db, syslogthird.db back you need to run DBSpaceReclaimer.class

Hello Mermel,

NMSROOT\MDC\tomcat\webapps\rme\WEB-INF\classes\com\cisco\nm\rmeng\debugTools\syslog

Actually it is not LMS but Cisco Security Manager with RME 4.2 and CS 3.2, If i m using this DBSpaceReclaimer from LMS 4.0 will it work.

I dont have a debug tools folder in the above path which you have mentioned in previous mail.suppose if i copy the debug tools\syslog folder in the rmeng folder of RME 4.2and run the command will it work.

I hope they are 2 seperate commands and not 1 command.

  1. C:\progra~1\cscopx\lib\jre\bin\java -classpath
  2. C:\temp;C:\progra~1\cscopx\lib\classpath;C:\progra~1\cscopx\www\classpath;C:\progra~1\cscopx\MDC\tomcat\webapps\rme\WEB-INF\classes;C:\progra~1\cscopx\MDC\tomcat\webapps\rme\WEB-INF\lib\log4j.jar DBSpaceReclaimer

Thanks

sorry, I am not sure if I understand you correctly; you say you have the follwoing folder?

    C:\progra~1\CSCOpx\database\rmeng\debugTools\syslog

If yes, the question is if DBSpaceReclaimer.class is in there;

If so, you do not need to copy it to the path I mentioned above, instead add your path to the classpath statement of the command:

C:\Progra~1\CSCOpx\lib\jre\bin\java -classpath C:\Progra~1\CSCOpx\databases\rmeng\debugTools\syslog;C:\Progra~1\CSCOpx\lib\classpath;C:\Progra~1\CSCOpx\www\classpath;C:\Progra~1\CSCOpx\MDC\tomcat\webapps\rme\WEB-INF\classes\;C:\Progra~1\CSCOpx\MDC\tomcat\webapps\rme\WEB-INF\lib\log4j.jar DBSpaceReclaimer

no, these are not 2 commads,this is a ONE-LINER;

if you do not have the DBSpaceReclaimer.class shipped with your version, you have to contact TAC to get the correct version. You cannot mix and match this file from other versions of RME.

Hello Martin,

Thanks Martin this is what i want to know from you,

I dont have a TAC support any other source can u provide me except of clearing the database of RME.

Thanks

Estela,

no, I do not know of any other method to get the space back, only DBSpaceReclaimer or reinit of the rmeng database; and I don't have the file for your version of RME, - sorry

Hello Martin,

Ok I will clear the database can u tell me the proper command for the RME 4.2 ?????

Thanks

this is the command to reinitialize the RME database:

    NMSROOT\bin\perl.exe NMSROOT\bin\dbRestoreOrig.pl dsn=rmeng dmprefix=RME

and if you want to set the database password explicitely launch this one

    NMSROOT\bin\perl.exe NMSROOT\bin\dbRestoreOrig.pl dsn=rmeng dmprefix=RME npwd=your_new_PW

with NMSROOT being the installation path of CSM  (typically C:\Progra~1\CSCOpx)

before executing the above command you have to stop the processes with

    net stop crmdmgtd

also I recommend, that if you have to go the hard way and reinitialize the database try to find out what causes this behaviour and if you can prevent it be filtering certain syslog messages or reducing the number of days syslog messages are kept in the database

at the end start the processes with

     net start crmdmgtd