ACS missing log messages

rcullum
Level 1

Ok

I occasionally get the ACS - System Errors message which is usually reporting about 'Missing log messages'. This seems to repeat ad infinitum unless you acknowledge the alarm. If I run the ACS System Diagnostics report linked to the alert, it shows me a value of the missing log message. MissingLogMessages=<some value>. What is <some value>? A reference or actual number of missing log messages? What can be done about it? It's a distributed environment where the source of the log messages being reported is the Primary AAA server and the actual Log Collector for running Reports/Monitoring is the Secondary AAA server.

2 Replies

Gagandeep Singh
Cisco Employee

Hi,

Please go through below for a better understanding of Missing Log messages and Log Recovery Feature.

Missing Log Messages
Let us first try to understand why this alert comes across. Every ACS running in the Deployment has a local log store and a log forwarder running. The logging categories on every ACS should be configured to store logs locally. By default it will not store all logs. This is configured by going in to System Administration in ACS GUI - Logging Categories - Global - Select the conditions - Log to local target. This setting assures that ACS will be storing all the logs in the local store file which is responsible to send logs to the ACS acting as Log Collector.
Now what happens to these logs which are there in the Local Log Store in the ACS if the ACS acting as Log Collector has a view-db compress running or has services down or stuck in boot? How does the ACS Server acting as Log Server keep track of all the logs it is receiving?
ACS server sends syslog messages to the Monitoring and Report Viewer for the activities such as passed authentication, failed attempts, authorization, accounting, and so on. The syslog messages have a sequence number attached. If the Monitoring and Report Viewer goes down or if it is not able to receive messages from ACS, then the Monitoring and Report Viewer retries those missed logs from ACS, using the logging recovery mechanism. The Monitoring and Report Viewer processes the syslog messages, and identifies any discrepancies in the sequence. In this way, it finds the messages that have been missed. The Monitoring and Report Viewer then notifies the ACS server to resend the missing log messages. ACS server processes the messages stored in its local store and resends them to the Monitoring and Report Viewer.
Now if the Log Recovery Option is not enabled, then the log entries which were missed will stay missed and an Alert will appear on the Dashboard, or in normal cases the administrator will get an email with the alert.
If we have the Alert Enabled, then the missed logs would be recovered and no alerts will be seen of that sort.
Make sure the log recovery setting is enabled on the ACS acting as log collector.

If you are getting this alert many times in a day, then there could be many reasons for the cause, starting with all ACS not logging to local target, ACS recovery option not enabled, or a Service/Thread stuck, which usually is resolved by restarting the Services, and there could be more as well.

ACS Log Recovery option is enabled as below:
Log in to ACS GUI - Monitoring and Reports - System Operations - Log Message Recovery.

Regards

Gagan

rate if it helps!!!
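
The sequence-gap detection and resend described in the reply above, as an added Python example that is not part of the thread and is not Cisco's implementation. The hostnames, the (source, sequence number) record shape, the sample data and the function names are all assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample: (source_host, sequence_number) pairs as a log collector
# might receive them. Hostnames and numbering are made up for illustration.
RECEIVED = [
    ("acs-primary", 101), ("acs-primary", 102), ("acs-secondary", 7),
    ("acs-primary", 105),   # 103 and 104 not delivered in order
    ("acs-primary", 104),   # late arrival fills part of the gap
    ("acs-secondary", 8), ("acs-secondary", 8),   # duplicate delivery
    ("acs-primary", 106),
]

# Constructed local stores: what each source kept because it logs to a
# local target. A source that does not log locally has nothing to resend.
LOCAL_STORE = {
    "acs-primary": {n: f"event {n}" for n in range(101, 107)},
    "acs-secondary": {7: "event 7", 8: "event 8"},
}

def find_missing(received):
    """Return {source: sorted sequence numbers never received}.

    Gaps are computed per source between the lowest and highest number
    seen, so reordering and duplicates do not raise false alarms.
    Sequence wraparound is not handled (assumption: monotonic counters).
    """
    seen = defaultdict(set)
    for source, seq in received:
        seen[source].add(seq)
    missing = {}
    for source, seqs in seen.items():
        gaps = sorted(set(range(min(seqs), max(seqs) + 1)) - seqs)
        if gaps:
            missing[source] = gaps
    return missing

def recover(missing, local_store, recovery_enabled=True):
    """Ask each source's local store for its gaps; return (recovered, unrecovered)."""
    recovered, unrecovered = {}, {}
    for source, gaps in missing.items():
        store = local_store.get(source, {}) if recovery_enabled else {}
        got = {n: store[n] for n in gaps if n in store}
        lost = [n for n in gaps if n not in store]
        if got:
            recovered[source] = got
        if lost:
            unrecovered[source] = lost
    return recovered, unrecovered
```

Anything left in the second return value corresponds to the condition the alert reports: a gap that could not be filled because recovery is off or the source has no local copy.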

Hi Gagan

Thank you for confirming the log value is a sequence number. However, I already have my logging set up correctly as indicated by yourself and the user guides. I log locally and I log to a remote LogCollector. I also have log message recovery enabled. It still does not answer what can be done about the problem when seen or how you can determine what is the cause of the problem.
