Unfortunately the CiscoWorks 2000 doesnt handle properly the syslog message that contains the \n\t formatting characters.
Here is an example.
This message is an SNMP trap and I found the \n\t characters in it:
1057041230 7 Tue Jul 01 08:30:30 2003 <router name> - Log message generated : decaps: rec'd IPSEC packet has invalid spi for \n\t destaddr=<X.X.X.X>, prot=50, spi=0x388C93EE(948737006), srcaddr=<Y.Y.Y.Y>;3 .1.3.6.1.4.1.9.9.41.2.0.1 0
When the Solaris logs it, due to the \n\t the message is separated into two rows in the syslog:
Jul 1 08:30:30 <router name> 3397: Jul 1 08:34:58: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for
Jul 1 08:30:30 <router name> 3398: destaddr=<X.X.X.X>, prot=50, spi=0x388C93EE(948737006), srcaddr=<Y.Y.Y.Y>
Thus CiscoWorks see only the first part of this message and when you create a syslog report or an automated action you lost the second part that is contains the source and destination addresses:
Jul 1 08:34:58: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for
Does anybody have any idea how can I resolve this and get the entire message?