cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

How To Forward Syslog Messages From RME

5421
Views
5
Helpful
6
Comments

CiscoWorks Resource Manager Essentials (RME) has a feature called SyslogAnalyzer which can run automated actions based on certain syslog messages it receives.  One of the action types is to execute a script.  That action type can be used to have RME forward the contents of a syslog message to another syslog server (or even multiple remote syslog servers).  This will work with any version of RME 4.0 and higher including LMS 4.0.

To do this, first copy the following Perl code into a text file on the RME server.  Name the file syslog_forward.pl.

#!/opt/CSCOpx/bin/perl

use strict;

use Sys::Syslog qw(:DEFAULT setlogsock);

my $msg = $ARGV[0];

setlogsock('inet');

$Sys::Syslog::host = 'X.X.X.X';

syslog('info|local7', $msg);

closelog;

In this script, the string X.X.X.X needs to be replaced with the IP address of the remote syslog server.

Copy this file to the following location.

Solaris:

/var/adm/CSCOpx/files/scripts/syslog

Windows:

NMSROOT\files\scripts\syslog

(NOTE: NMSROOT is the path into which CiscoWorks was installed.  By default, this is C:\PROGRA~1\CSCOpx.)

Next, create another file in the same directory into which you copied syslog_forward.pl.  On Windows, this file should be named syslog_forward.bat.  On Solaris, the file should be named syslog_forward.sh.  The file must contain the following.

Solaris:

#!/bin/sh

/opt/CSCOpx/bin/perl /var/adm/CSCOpx/files/scripts/syslog/syslog_forward.pl "$2"

Windows:

@ECHO OFF

NMSROOT\bin\perl.exe NMSROOT\files\scripts\syslog\forward1.pl "%~2"

(NOTE: Be sure to substitute NMSROOT with the actual path into which CiscoWorks was installed.)

On Solaris, use the chmod command to make the syslog_forward.sh script executable.

chmod 0755 /var/adm/CSCOpx/files/scripts/syslog_forward.sh

On Windows, make sure casuser has permissions to Read & Execute C:\WINDOWS\system32\cmd.exe.

Now the automated action needs to be defined in the GUI.  Go to RME > Tools > Syslog > Automated Actions (LMS 3.x) or Monitor > Fault Settings > Syslog > Automated Actions (LMS 4.0), and create a new Automated Action.  Select the device or devices to which the action will apply, or leave the default radio button for all devices selected.  Next, add a syslog message pattern.  Since RME will be forwarding syslogs, a pattern of all asterisks (i.e. forward all syslog messages) is probably desirable.

Screen shot 2010-06-05 at 7.38.16 PM.png

Click Next then select "Script" as the type of action, and choose the syslog_forward.bat (Windows) or syslog_forward.sh (Solaris) script.

Screen shot 2010-06-05 at 7.47.51 PM.png

Finally, click Finish, and now any message RME receives that matches your filter pattern (any message in this example) will be forwarded to your remote syslog server.

Comments
Beginner

Dear Joseph,

Can we add a script for example to shut and no shut an interface?! or execute specific commands?!

BR,

Ziad

Hall of Fame Cisco Employee

Sure.  You could script the cwcli command, for example, to create a Netconfig job to perform some device-level commands like bouncing and interface.  You can execute a script to do whatever you would typically do using a script you write on the LMS server.

Hi Joseph,

I am working with Ciscoworks LMS 3.2.

I need to forward syslog messages to another syslog server from RME 4.3. But the script provided by you, "syslog_forward.pl". was developed for solaris. I have a windows server 2008.


Please I need the script "syslog_forward.pl". for windows ...

greetings from Colombia!

Beginner

Hello,

I use the above script and everything works ok.

The only issue is that LMS is forwarding the message using its IP address as the source.

This way, the remote syslog server sees the IP address of LMS as the source.

Is there a way to configure LMS to forward the syslog message using the original IP address (that is, the IP address of the device that sent the message) as the source?

Thanks.

Beginner

Hello,

i have the same problem i was open case in cisco and the answer i recievd few days ago was :

"Today Prime infra does not have the capability to forward SYSLOG.

........ , our recommendation is to use a commercial "trap explorer" to distribute copies of SYSLOG."

Does any one have an idea how to make a distribution of SYSLOG from the oprerating system (I'm using WINDOWS) ?

thanks.

Hall of Fame Cisco Employee

I think they mean trap exploder.  For syslog forwarding, have a look at syslog-ng

http://www.balabit.com/network-security/syslog-ng/central-syslog-server/features/windows-eventlog

It is free to compile from source, but the Windows edition is a commercial product.  I couldn't find free binaries for Windows for the Open Source edition, though.

CreatePlease to create content
Content for Community-Ad
July's Community Spotlight Awards