
Syslog messages not shown on CW2K

simonthompson
Level 1

I have set up all my switches and routers to log to the CW2K syslog, but I am only getting firewall messages and the occasional message from a switch. Each device that gets a syslog message into CW2K is shown as the CW2K server originating the message - it does not show the IP address or DNS name of the switch.

I have set up an alternative syslog server in the place of the CW2K one and it gets all the messages with IP addresses as I would expect.

Does anybody have any ideas of what is going wrong?

Thanks


kawng
Level 1

Hi simonthompson,

Please verify that syslogs are being sent out to the specified IP address of the CiscoWorks Server.

The best test is to have term mon configured on your router and type:

config t

end

This should generate a SYS-5-CONFIG-I message for the configuration attempt. Once you see the outgoing packet, log on to the server itself.

If CiscoWorks is installed on a Windows platform, check the syslog.log file; the default location would be

C:\Program Files\CSCOpx\log

On a Unix platform, check the syslog_info file; the default location would be

var/log

Now we can compare the message as CiscoWorks receives it. CiscoWorks receives the syslogs into a flat file before storing them in the syslog database.

If the syslog message matches, we know it's not getting altered at this point.

Verify that all the Cisco devices are managed in the RME inventory; RME treats syslogs for unknown devices differently.

Hi, even I am facing the same problem of syslog messages not appearing in the syslog reports.

I have configured the routers and switches normally:

1. logging on

2. logging 192.168.10.1 (CiscoWorks server)

3. logging trap informational

On the RME, I have configured the syslog analyzer normally.

When I check the syslog reports, it says messages with invalid format.

I even tried having the service timestamp debug msec localtime show timezone

service timestamp log msec localtime show timezone

but still no luck. Routers are logging the messages to RME, I can confirm that.

Does anybody have any other ideas?

Regards,

AMit.

netnut
Level 1

Make sure the management name you use in CiscoWorks matches DNS. When the syslog message arrives as an IP address, CiscoWorks does a reverse lookup and tries to match the DNS name to the management name. If no match is found, it lists it in the unexpected device report. Also, on a router with more than one interface you can use the command logging source-interface . The interface should be the IP address of the management name.

Make sure you use NTP on your network as well. If the timestamp in the Syslog message is after the current time on the CW2K server, CW2K will put the message in the unexpected device report.

wsitu
Level 1

Make sure CW2K can hit your routers and switches with DNS reverse lookup. If you already have "logging " on routers and switches, there are a couple of places to verify messages are getting to the CW2K server.

for example cw2k installed on c:\

c:\cscopx\log\syslog.log

This is a text file which will give you an idea whether syslog messages are being logged. If you see IP addresses rather than hostnames, it is a good indication DNS reverse lookup isn't working.

Or

Open CiscoWorks, go to RME, Syslog Analysis, Unexpected Device Report. If you see syslogs here but Device Names are IPs, then you definitely have a DNS reverse lookup problem.

also it would be good to have correct timestamp.

service timestamps log datetime localtime

good luck
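
The checks netnut and wsitu describe (reverse lookup of the sending address, comparison against the management name, and a timestamp that is ahead of the server clock) can be run by hand over a list of sources. This is an added example, not part of the thread and not CiscoWorks code; the device names, addresses, PTR table and the case-insensitive match rule are constructed assumptions.

```python
import socket
from datetime import datetime, timedelta

def reverse_lookup(ip):
    """Return the PTR name for ip, or None when no reverse record exists."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:  # covers socket.herror and socket.gaierror
        return None

def triage(source_ip, msg_time, server_time, managed_names,
           resolver=reverse_lookup, max_skew=timedelta(0)):
    """Classify one received syslog message using the checks from the thread."""
    reasons = []
    ptr = resolver(source_ip)
    if ptr is None:
        reasons.append("no reverse DNS record for source address")
    elif ptr.rstrip(".").lower() not in managed_names:
        reasons.append(f"PTR name {ptr!r} does not match any management name")
    if msg_time - server_time > max_skew:
        reasons.append("message timestamp is ahead of server clock")
    return ("expected" if not reasons else "unexpected", reasons)

# Constructed sample data (documentation address range, hypothetical names).
MANAGED = {"core-sw1.example.net", "edge-rtr1.example.net"}
PTR_TABLE = {
    "192.0.2.10": "core-sw1.example.net",
    # Router sending from a non-management interface: PTR differs from the
    # management name (the case for "logging source-interface").
    "192.0.2.21": "edge-rtr1-serial0.example.net",
}
NOW = datetime(2024, 1, 15, 12, 0, 0)  # stands in for the server clock
SAMPLES = [
    ("192.0.2.10", NOW - timedelta(seconds=2)),   # clean
    ("192.0.2.21", NOW - timedelta(seconds=1)),   # PTR mismatch
    ("192.0.2.30", NOW - timedelta(seconds=1)),   # no PTR record at all
    ("192.0.2.10", NOW + timedelta(minutes=7)),   # device clock ahead (no NTP)
]

def run_samples():
    """Triage the constructed samples with the offline PTR table."""
    return [triage(ip, ts, NOW, MANAGED, resolver=PTR_TABLE.get)
            for ip, ts in SAMPLES]

if __name__ == "__main__":
    for (ip, ts), (verdict, reasons) in zip(SAMPLES, run_samples()):
        print(ip, ts.isoformat(), verdict, "; ".join(reasons))
```

Leaving out the `resolver` argument makes `triage` use the server's real DNS via `socket.gethostbyaddr`, so run it on the syslog server itself to see what that host resolves.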
