ACE Syslog Message

Similar Messages

• ACE Syslog message for State change

  Hi,
  Is there a syslog message for a state-change for rservers, if so how could we enable this?
  e.g. when probe fails state changes to 'probe-failed'
  when all probes are successful state is 'operational'
  Thank you
  Bilal

  Hi,
  There is a syslog message something like below:
  %ACE-3-251006: Health probe failed for server 10.80.10.10 on port 80 internal error: failed to setup a socket.
  First enable logging on ACE.
  ACE/Admin(config)# logging enable
  http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA1_7_/configuration/system/message/guide/config.html#wp1063750
  read the section:  Specifying Syslog Output Locations
  logging buffered 3 should generate syslog in event of probe failure.
  You can also set snmp to monitor it.
  cesRealServerStateChange
  CISCO-ENHANCED-
  SLB-MIB
  State of a real server configured in a server farm changed to a new  state as a result of something other than a user intervention. This  notification is sent for situations such as ARP failures, probe  failures, and so on.
  Hope that helps.
  regards,
  Ajay Kumar

• ACE : PROBE-FAILED and Syslog messages

  Hi,
  When a real server is in PROBE-FAILED status, I observe a syslog message at each trial of the proble. This fills our syslog server. Is there a mean to configure the ACE in such a way that a syslog message would be generated only when a transition occurs in the probe status ?
  Thank you for any hints,
  Yves

  Hello,
  You can utilize "logging trap " command and
  "logging message level " command
  in order to achive what you are seeking.
  The "logging trap " command limits the logging messages sent to a syslog server based on severity.
  If it is set to "5 - notification", all messages that have security level of 5 or lower number are sent to the syslog server.
  You can disable the display of a specific syslog
  message or change the severity level of a specific system log message using
  "logging message level " command.
  Not sure what kind of probe you are using but If it is ICMP probe and
  the reason of probe failure is arp, it generates a message for every try
  as below with severity level of 3, by default.
  %ACE-3-251009: ICMP health probe failed for server 192.168.0.1, connectivity error: ARP not resolved for destination ip address
  %ACE-3-251009: ICMP health probe failed for server 192.168.0.1, connectivity error: ARP not resolved for destination ip address
  %ACE-3-251009: ICMP health probe failed for server 192.168.0.1, connectivity error: ARP not resolved for destination ip address
  %ACE-3-251009: ICMP health probe failed for server 192.168.0.1, connectivity error: ARP not resolved for destination ip address
  %ACE-3-251009: ICMP health probe failed for server 192.168.0.1, connectivity error: ARP not resolved for destination ip address
  %ACE-5-441002: Serverfarm (SF) is now back in service in policy_map (fs) -->
  class_map (#class_default_slb). Number of failovers = 0, number of times back in service = 0
  %ACE-4-442007: VIP in class: 'VIP' changed state from OUTOFSERVICE to INSERVICE
  %ACE-5-441002: Serverfarm (SF) is now back in service in policy_map (fs) -->
  class_map (#class_default_slb). Number of failovers = 0, number of times back in service = 0
  %ACE-4-442004: Health probe ICMP detected rserver r1 (interface vlan31) changed state to UP
  %ACE-4-442001: Health probe ICMP detected r1 (interface vlan31) in serverfarm SF changed state to UP
  If your "logging trap " is set to "5 - notification" and you do not want
  the message "%ACE-3-251009:xxx" to be sent to syslog server,
  you can change its security level like below.
  switch/Admin(config)# logging message 251009 level 6
  switch/Admin(config)# do show logging message 251009
  Message logging:
                  message 251009: current-level 6  default-level 3 (enabled)
  You can check the message id that is filling the syslog server
  and change its security level to higher number than "logging trap ".
  Regards,
  Kimihito.

• ACS appliance1120 ACS 4.2.1.15 syslog message to syslog server

  Hi All ,
           I am using ACS 1120 appliance running ACS version 4.2.1.15 , I am pointing out all syslog message to my external syslog server (passed authentication , failed authentication , database replication , administration aduit ,tacacs accounting )  , but i could recieve only passed authentication log message to my external log server , no other log message except passed authentication is pushed to my external log server , But i could see failed attempts , database replication,administrtation audit log message locally on my acs appliance as CSV file ,
  Syslog server configuration is configured under all logging (passed , failed , administration , tacacs accounting ) , but i am surprise to see only passed authentication logg is sent out from acs appliance , Is there any patch to be installed for logg message scripting ?? , please advise ..

  Refer the link : https://supportforums.cisco.com/discussion/11513026/migrating-acs-420-421
  you can directly upgrade from 4.2.0.124 to 5.6 : http://www.cisco.com/c/en/us/td/docs/net_mgmt/cisco_secure_access_control_system/5-6/user/guide/acsuserguide/migrate.html#98379

• CUCM Syslog Message ISSUE (kernel: Exceeded hashlimit)

  Hello.
  Our Customer using CUCM 9.0 (PUB :1 , Sub : 4) and 4 Voice Gateway Cisco 3945 (16 E1 PRI per each Gateway)
  CUCMs have problem with syslog messages.
  I saw these messages in rtmt syslog
  - kernel:  Exceeded hashlimit IN=bond0 OUT= MAC=34:40:b5:d5:63:e8:1c:e6:c7:52:44:40:08:00 SRC=130.1.254.27 DST=130.1.13.11 LEN=204 TOS=0x00 PREC=0x00 TTL=246 ID=19646 PROTO=UDP SPT=19200 DPT=30546 LEN=184
  kernel:  Exceeded hashlimit IN=bond0 OUT= MAC=6c:ae:8b:67:1a:28:bc:16:65:12:99:7f:08:00 SRC=130.1.254.27 DST=130.1.14.13 LEN=204 TOS=0x18 PREC=0xA0 TTL=253 ID=42621 PROTO=UDP SPT=26694 DPT=26842 LEN=184
  What's the problem with these messages ?
  And how can I solve this problem
  Thanks.

  I used to have the same problem, it was a sip trunk against to one CME, just reset the sip trunk in CUCM it fixed the error. it is because the end poing is sending a lot of requests to CUCM

• Unterstanding syslog messages from our wlc

  Hello,
  we use two wlc 4402 (4.1.181.0) and several leightweight accesspoints (AIR-AP1010-E-K9 and AIR-AP1030-E-K9 ) connected to them.
  On our syslog server we get a lot of messages from the two wlc, and there are 3 message types which I am a little bit afraid of.
  1. ca. 10 times per hour we get the message
  apf_80211.c:4792 APF-6-NO_CONFIG_CHANGES: Not saving 'apf.cfg' - no config changes."
  Cisco system message guide:
  Error Message %APF-6-NO_CONFIG_CHANGES: Not saving '[chars]' - no config changes.
  Explanation Not saving - no config changes.
  Recommended Action No action is required.
  Does anybody know why we get this messages and if it's possibly to suppress them?
  2. Intermittently (several times a day) we get the following message types:
  a) [ERROR] spam_l2.c 723: Max retransmissions reached on AP 00:0B:85:56:63:40 (CONFIGURE_COMMAND^M , 2)"
  b) [ERROR] spam_tmr.c 569: Did not receive hearbeat reply from AP 00:0b:85:56:ae:40"
  The MAC address is not every time the same but one of our accesspoints.
  On our network management system we get the following trap messages with nearly exactly the same timestamp:
  14.01.2008 04:21:56 CET
  AP ''00.0b.85.56.63.40'', interface ''0x1'' is down.
  When Airespace AP's interface operation status goes down this trap will be sent.
  bsnAPDot3MacAddress = 00.0b.85.56.63.40
  bsnAPIfSlotId = 0x1
  14.01.2008 04:21:56 CET
  AP disassociated from Switch.
  When an Airespace AP disassociates from a Airespace Switch, the AP disassociated notification will be sent with the dot3 MAC address of the Airespace AP. This will notify the management system to remove Airespace AP from this Airespace Switch.
  bsnAPMacAddrTrapVariable =
  14.01.2008 04:22:25 CET
  AP associated with Switch.
  When an Airespace AP Associates to a Airespace Switch, the AP associated notification will be sent with the dot3 MAC address of the Airespace AP. This will help the management system to discover the Airespace AP and add it to system.
  bsnAPMacAddrTrapVariable =
  bsnAPPortNumberTrapVariable = 1
  Cisco system message guide:
  a) Error Message %LWAPP-3-TX_ERR3: Max retransmissions for LWAPP control message reached on AP [hex]:[hex]:[hex]:[hex]:[hex]:[hex] for [chars] (number of pending messages is [dec])
  Explanation Maximum number of times an LWAPP control packet is transmitted before declaring the AP dead has been reached for this AP. The AP may not be on the network, or might have rebooted.
  Recommended Action Check if the AP has rebooted or if it has been removed from the network, or if there are connectivity issues between the AP and the controller.
  b) Error Message %LWAPP-3-ECHO_ERR: Did not receive heartbeat reply; AP: [hex]:[hex]:[hex]:[hex]:[hex]:[hex]
  Explanation Controller did not get a response for the AP heartbeat message. There may be connectivity issues between the AP and the controller.
  Recommended Action Check if the AP has rebooted or if it has been removed from the network, or if there are connectivity issues between the AP and the controller.
  Because we don't see any network problems I'm wondering why the connection is lost.
  Does anybody have an idea, perhaps CSCsh13928 (http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCsh13928, but we don't have much traffic on the wlans) ?
  Is there any possibility to remotely check if the accesspoint rebooted?
  If you need further information please give me a short feedback.
  Many thanks in advance,
  Thorsten Steffen

  Thanks for the help.
  I have set up to send email and syslog messages from the RME applications. LMS server immediately started to send messages to the email server but syslog messages are not forwarded to the syslog server. Everything was done according to your instructions except that the name of the first script (syslog_forward.pl) is made consistent with what the second script (.bat) refer to (forward1.pl). What's the problem?  Do RME sends the standard syslog messages via UDP port 514?
  Sincerely.

• LMS 4.2 not processing syslog messages

  I have a new install of LMS 4.2 on a virtual appliance.  No syslog messages are getting into LMS.  They are being received by the server, but are showing up in /var/adm/CSCOpx/log/dmgtd.log, and aren't getting processed by SyslogAnalyser.
  Here's the syslog.conf file:
       local6.info                                                                     /var/log/ade/ADE.log
       *.info;mail.none;news.none;authpriv.none;cron.none;local0.none;local1.none      /var/log/messages
       authpriv.*                                                                      /var/log/secure
       mail.*                                                                          -/var/log/maillog
       cron.*                                                                          /var/log/cron
       *.emerg                                                                         *
       uucp,news.crit                                                                  /var/log/spooler
       local7.*                                                                        /var/log/boot.log
       #Application LMS Generated config
       #BEGIN CSCOmd - DO NOT EDIT THESE COMMENTS OR CONTENTS CONTAINED WITHIN - local0 1
       local0.emerg;local0.alert;local0.crit;local0.err;local0.warning;local0.notice;local0.info;local0.debug  /var/adm/CSCOpx/log/dmgtd.log
       #END CSCOmd DO NOT EDIT BEFORE THIS LINE  1
       local7.info  /var/log/syslog_info
  My guess is that the incoming messages are getting written to the wrong file.  What do I need to change to correct this?

  I found that all of my syslog messages were being captured under /var/log/messages.  This was due to my Cisco devices being configured with "logging facility local5".  Instead of reconfiguring all of my devices to log to facility local7, I just changed the following line in syslog.conf and restarted (/etc/init.d/syslog restart)
  Before:
  local7.info  /var/log/syslog_info
  After:
  local5.*  /var/log/syslog_info
  Probably not the best way to do it, but it worked for me.
  -Rick

• Syslog messages in AAA

  I have an issue with a switch's syslog messages showing up in the failed authentication attempts report in the AAA.
  If anyone has any thoughts, let me know!!
  CHRIS

  Do you perhaps have this switch console connected on a terminal server, and if so, does the terminal server have "no exec" configured on the lines used for reverse telnet?
  I have seen symptoms similar to what you describe in a situation where I had a switch whose console port was connected to a terminal server and the terminal server lines did not have no exec. It looks like there was some activity on the switch which the terminal server presented a login prompt. The next text displayed on the switch was interpreted by the terminal server as the login id and was logged in the failed attempts log.
  HTH
  Rick

• Syslog messages not showing

  Hello,
  I have a newly installed LMS 4.1 that had the Syslog feature working for a while.
  Recently, the Syslog is no longer displaying any records (neither new or old messages).
  Below are the steps I have tried to troubleshoot the problem:
  - Installed wireshark : Syslog messages are being received by the LMS server on time
  - In the Syslog.log file, I can see that all the Syslog messages are being logged properly
  - I tried to disable all the "Syslog Message Filters" but nothing changed
  In the SyslogCollector.log, I can find the below logs:
  NMSROOT is C:/PROGRA~2/CSCOpx
  propFileC:/PROGRA~2/CSCOpx\MDC\tomcat\webapps\rme\WEB-INF\classes\C:\PROGRA~2\CSCOpx\MDC\tomcat\webapps\rme\WEB-INF\classes\com\cisco\nm\rmeng\csc\data\Collector.properties
  Unable to find the file C:/PROGRA~2/CSCOpx\MDC\tomcat\webapps\rme\WEB-INF\classes\C:\PROGRA~2\CSCOpx\MDC\tomcat\webapps\rme\WEB-INF\classes\com\cisco\nm\rmeng\csc\data\Collector.properties
  NMSROOT is C:/PROGRA~2/CSCOpx
  propFileC:/PROGRA~2/CSCOpx\MDC\tomcat\webapps\rme\WEB-INF\classes\com\cisco\nm\rmeng\csc\data\Collector.properties
  SyslogCollector - [Thread: main] INFO , 04 Mar 2013 14:54:38,673, Logging System Initialized.
  SyslogCollector - [Thread: main] INFO , 04 Mar 2013 14:54:38,674, System Initialized.
  SyslogCollector - [Thread: main] INFO , 04 Mar 2013 14:54:38,684, Queue Cap 100000
  SyslogCollector - [Thread: main] WARN , 04 Mar 2013 14:54:45,468, Unable to resurrect connection to a subscriber.
  SyslogCollector - [Thread: main] INFO , 04 Mar 2013 14:54:45,491, Service started...
  I am not sure what to check now. Kindly your suggestions.
  Thanks,
  Justine.

  Hello,
  I have a newly installed LMS 4.1 that had the Syslog feature working for a while.
  Recently, the Syslog is no longer displaying any records (neither new or old messages).
  Below are the steps I have tried to troubleshoot the problem:
  - Installed wireshark : Syslog messages are being received by the LMS server on time
  - In the Syslog.log file, I can see that all the Syslog messages are being logged properly
  - I tried to disable all the "Syslog Message Filters" but nothing changed
  In the SyslogCollector.log, I can find the below logs:
  NMSROOT is C:/PROGRA~2/CSCOpx
  propFileC:/PROGRA~2/CSCOpx\MDC\tomcat\webapps\rme\WEB-INF\classes\C:\PROGRA~2\CSCOpx\MDC\tomcat\webapps\rme\WEB-INF\classes\com\cisco\nm\rmeng\csc\data\Collector.properties
  Unable to find the file C:/PROGRA~2/CSCOpx\MDC\tomcat\webapps\rme\WEB-INF\classes\C:\PROGRA~2\CSCOpx\MDC\tomcat\webapps\rme\WEB-INF\classes\com\cisco\nm\rmeng\csc\data\Collector.properties
  NMSROOT is C:/PROGRA~2/CSCOpx
  propFileC:/PROGRA~2/CSCOpx\MDC\tomcat\webapps\rme\WEB-INF\classes\com\cisco\nm\rmeng\csc\data\Collector.properties
  SyslogCollector - [Thread: main] INFO , 04 Mar 2013 14:54:38,673, Logging System Initialized.
  SyslogCollector - [Thread: main] INFO , 04 Mar 2013 14:54:38,674, System Initialized.
  SyslogCollector - [Thread: main] INFO , 04 Mar 2013 14:54:38,684, Queue Cap 100000
  SyslogCollector - [Thread: main] WARN , 04 Mar 2013 14:54:45,468, Unable to resurrect connection to a subscriber.
  SyslogCollector - [Thread: main] INFO , 04 Mar 2013 14:54:45,491, Service started...
  I am not sure what to check now. Kindly your suggestions.
  Thanks,
  Justine.

• Receive syslog messages from remote system

  I want to replace my ancient and aging Slackware 12.0 server with an Arch server. One of the hurdles is to receive syslog messages (UDP/IP, port 514) over the network from a Cisco 678 DSL modem/router, and from a DD-WRT based wireless access point.
  How do I go about getting a systemd-based Arch server to receive syslog-formatted messages from the network on UDP port 514?
  I'm not looking to view the Arch system's journal over the network, but rather to receive non-local messages and log them.
  Last edited by bediger4000 (2013-08-01 15:44:48)

  WonderWoofy: I hope you mean "man systemd-journal-gatewayd", as I find that man page, but not "systemd-journal-gateway".  systemd-journal-gatewayd works the other way. According to the man page it "serves journal events over the network. Clients must connect using HTTP."
  sbmomeni: I agree that your reference says the systemd journal provides the same function - but how?  And does "this functionality" refer to the logging part of syslog-ng, or to the receiving messages from other machines part?

• Discriminate between syslog messages - targets

  Hi there,
       I might be trying to do the impossible here, but I am trying to get my ASA 8.2(1) to send certain syslog messages to one host and other messages to another host.
       By default we are using facility 23 as our logging facility.  Logging trap is set to informational and there are 2 hosts that I am logging to.  Both host are receiving all the informational messages that are being sent.  One of the hosts is being overwelmed by the amount of traffic.  This host only needs to receive the syslog message 111008, and no others. I have been trying to figure out how to send only this one message to the host, but syslog seems to be an all or nothing proposition.  Any ideas?  Regardless of what I come up with, it always seems that all hosts receive whatever I configure.  I can't seem to define syslog traffic on a per target basis. 

  You are right. You can't define 2 syslog servers to send 2 different list of syslog messages. However, you can define seperate list of syslog messages, and send 1 list to syslog server, and send another list to buffer for example.
  Here is the example for your reference:
  logging list 111008-list message 111008
  logging list the-rest-list message 101001-111007
  logging list the-rest-list message 111009-742010
  logging buffered 111008-list
  logging trap the-rest-list
  Hope that helps.

• Solaris 9 syslog messages are IP not hostname

  I am trying to setup Solaris 9 to forward its syslog messages to a central server, and its working fine except the logs being sent have the IP address and not the hostname. Is there a way to change this? Thanks

  no, i mean you will need to put entries for the remote hosts on your central server, or set up IN NS records in your nameserver for reverse mappings from IP -> host (not host -> IP).
  Shouldn't need any switches or config changes to syslogd for it to work.
  Also, check your /etc/nsswitch.conf file has at least "files dns" set for hosts.

• RME (LMS 3.2) No detect Change Configuration automatically by Syslog Messages

  Hi,
  I have a problem with the "change audit" for Syslog messages trigger. I set all my devices to send Syslog messages to the CiscoWorks server. When I make any changes to syslog message is sent correctly for the CiscoWorks server, but it does not start automatically collects configuration (config fetch).
  Only when I start manually "sync archive" the configuration is stored and detected the change in configuration.
  Has not changed anything in config fetch "to" Automated actions Syslog ".
  Thanks

  Hi,
  You an check RME  > Tools > Syslog > Automated Actions to verify nothing was changed.
  Then display 'Config Fetch'. There is contextual help available:
  http://:1741/help/rme/fundamentals/index.html?syslog_Defining_Automatd_Actions.html#wp1211314
  Nick

• ASR1000 CUBE SP syslog messages

  Hi,
  we're trying to integrate our SBC instances (CUBE SP on ASR1000) into our network management system (EMC SMARTS)
  Syslog messages from SBC instances are some kind of cumbersome with lot of line breaks resulting in multiple syslog messages the NMS must parse.
  Example:
  %SBC-3-MSG-6406-0006-ADD5A3-1575
  Message Editor received a message with an unknown editor in
  the edit sequence. The editor will be ignored.
  Editor name: default
  How do I configure it to just put it all into one line just as "normal" log messages?
  Example:
  %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/0/0, changed to up
  Thanks
  Sebastian

  Hi,
  thanks for replying.
  I went already through this, seems I have to write some kind of script to get SBC messages into one line.
  Do you have an idea for this very simple task?
  Still wondering I'm the first to stimble upon it
  Sebastian

• Syslog messages AP541

  Hi community,
  to find the reason for my connection problems to our network over a AP541N
  I have configured the AP541 to send its syslog messages to a syslog server.
  Now I am looking for a document where I can find informations about the received
  messages.
  For example, what means
  hostapd: wlan0: IEEE 802.11 STA 78:a3:e4:3e:f7:19 deauthed from BSSID 00:21:29:03:18:40 reason 3
  or
  hostapd: wlan0: IEEE 802.11 STA 58:1f:aa:2c:96:4b disassociated from BSSID 00:21:29:03:18:40 reason 8
  Are there documents where the messages are explained ?
  Regards
  Joachim

  Here is a document for cisco wireless access controller client reason codes:
  http://www.cisco.com/en/US/docs/wireless/controller/3.2/configuration/guide/c32err.html
  Client Reason Code…Description…Meaning
  0…noReasonCode…Normal operation.
  1…unspecifiedReason…Client associated but no longer authorized.
  2…previousAuthNotValid…Client associated but not authorized.
  3…deauthenticationLeaving…The access point went offline, deauthenticating the client.
  4…disassociationDueToInactivity…Client session timeout exceeded.
  5…disassociationAPBusy…The access point is busy, performing load balancing, for example.
  6…class2FrameFromNonAuthStation…Client attempted to transfer data before it was authenticated.
  7…class2FrameFromNonAssStation…Client attempted to transfer data before it was associated.
  8…disassociationStaHasLeft…Operating System moved the client to another access point using non-aggressive load balancing.
  9…staReqAssociationWithoutAuth…Client not authorized yet, still attempting to associate with an access point.
  99…missingReasonCode…Client momentarily in an unknown state.