Cisco MARS Syslog messages

Similar Messages

• Cisco IOS Syslog Messages

  Does anyone have a link that shows all the Cisco IOS syslog messages?
  Such as this one for the ASA?
  http://www.cisco.com/en/US/docs/security/asa/asa80/system/message/syslog.html
  Thanks in advance.

  This guide should give you what you want.
  http://www.cisco.com/en/US/docs/ios/system/messages/guide/consol_smg.html

• Syslog Messages Location

  Hello All
  Cans someone please show me where I can find the full list of cisco's syslog messages? At the moment I can only find the full list related to ASA's. However, I would like to see the full list of syslog messages for, say, OSPF.
  Cheers
  Carlton

  I believe events parsed by Sylsog analyzer are stored in the RME db. The default location on Solaris is at
  /opt/CSCOpx/databases/rme/rmeng.db
  Configurations are stored in the shadown directory (if enabled in the GUI). On Solaris the default location is at
      /var/adm/CSCOpx/files/rme/dcma/shadow
  Reference.
  Message was edited by: Marvin Rhoads - corrected RME db location - thanks Afroj.

• Cisco ASA Connection Denied syslog messages

  Hi,
  Could you please provide the connection denied syslog messages, I'm not able to differentiate the messages from syslog guide
  Regards,
  Shalendra

  Hi Shalendra,
  For TCP connection denied syslog , 106001 is the id.
  For protocol denied connection, 106002 is the id.
  For connection denies due to logging permit-hostdown policy, 414006 is the id.
  Refer to this link:
  http://www9.cisco.com/c/en/us/td/docs/security/asa/syslog-guide/syslogs/logsevp.html#13063
  Regards,
  Shrinkhala

• Cisco EEM script to detect a sequence of SYSLOG messages

  Hi,
  I am trying to create an EEM "Port-knocking" script which should act upon an ordered sequence of SYSLOG messages. The SYSLOG messages are generated by some "deny tcp any any XXX log STRING" ACLs, applied to the outside interface. 
  Here is what I have already tried:
  ! <------- BEGIN ------->
  ip access-list extended INTERNET
  deny tcp any any eq 1234 log OPEN_SEQUENCE_A
  deny tcp any any eq 1235 log OPEN_SEQUENCE_B
  deny tcp any any eq 1236 log OPEN_SEQUENCE_C
  event manager environment 1ST_MATCH 0
  event manager environment 2ND_MATCH 0
  event manager applet ONE
  event syslog pattern "OPEN_SEQUENCE_A"
  action 1 set 1ST_MATCH "1"
  action 2 syslog msg "DETECTED SEQUENCE A!"
  event manager applet TWO
  event syslog pattern "OPEN_SEQUENCE_B"
  action 1 if $1ST_MATCH eq 1
  action 2 set 2ND_MATCH "1"
  action 3 syslog msg "DETECTED SEQUENCE B!"
  action 4 end
  event manager applet THREE
  event syslog pattern "OPEN_SEQUENCE_C"
  action 1 if $1ST_MATCH eq 1
  action 2 if $2ND_MATCH eq 1
  action 3 syslog msg "DETECTED SEQUENCE C!"
  action 4 syslog msg "PORT KNOCK SUCCESSFUL! UNLOCKING!..."
  action 5 end
  action 6 end
  ! <------- END ------->
  In the above I am somehow trying to "chain" the syslog events, yet I do not seem to be able to pass any information between the applets.
  Any comments are highly appreciated.
  Cheers,
  David

  EEM cannot detect syslog messages that it generates.  If you want to chain together events across multiple applets, use application-specific events.  For example:
  action 2 publish-event sub-system 798 type 1
  event application sub-system 798 type 1
  action 3 publish-event sub-system 798 type 2
  You can also pass up to four arguments as well if you need additional context.

• Syslog messages not showing

  Hello,
  I have a newly installed LMS 4.1 that had the Syslog feature working for a while.
  Recently, the Syslog is no longer displaying any records (neither new or old messages).
  Below are the steps I have tried to troubleshoot the problem:
  - Installed wireshark : Syslog messages are being received by the LMS server on time
  - In the Syslog.log file, I can see that all the Syslog messages are being logged properly
  - I tried to disable all the "Syslog Message Filters" but nothing changed
  In the SyslogCollector.log, I can find the below logs:
  NMSROOT is C:/PROGRA~2/CSCOpx
  propFileC:/PROGRA~2/CSCOpx\MDC\tomcat\webapps\rme\WEB-INF\classes\C:\PROGRA~2\CSCOpx\MDC\tomcat\webapps\rme\WEB-INF\classes\com\cisco\nm\rmeng\csc\data\Collector.properties
  Unable to find the file C:/PROGRA~2/CSCOpx\MDC\tomcat\webapps\rme\WEB-INF\classes\C:\PROGRA~2\CSCOpx\MDC\tomcat\webapps\rme\WEB-INF\classes\com\cisco\nm\rmeng\csc\data\Collector.properties
  NMSROOT is C:/PROGRA~2/CSCOpx
  propFileC:/PROGRA~2/CSCOpx\MDC\tomcat\webapps\rme\WEB-INF\classes\com\cisco\nm\rmeng\csc\data\Collector.properties
  SyslogCollector - [Thread: main] INFO , 04 Mar 2013 14:54:38,673, Logging System Initialized.
  SyslogCollector - [Thread: main] INFO , 04 Mar 2013 14:54:38,674, System Initialized.
  SyslogCollector - [Thread: main] INFO , 04 Mar 2013 14:54:38,684, Queue Cap 100000
  SyslogCollector - [Thread: main] WARN , 04 Mar 2013 14:54:45,468, Unable to resurrect connection to a subscriber.
  SyslogCollector - [Thread: main] INFO , 04 Mar 2013 14:54:45,491, Service started...
  I am not sure what to check now. Kindly your suggestions.
  Thanks,
  Justine.

  Hello,
  I have a newly installed LMS 4.1 that had the Syslog feature working for a while.
  Recently, the Syslog is no longer displaying any records (neither new or old messages).
  Below are the steps I have tried to troubleshoot the problem:
  - Installed wireshark : Syslog messages are being received by the LMS server on time
  - In the Syslog.log file, I can see that all the Syslog messages are being logged properly
  - I tried to disable all the "Syslog Message Filters" but nothing changed
  In the SyslogCollector.log, I can find the below logs:
  NMSROOT is C:/PROGRA~2/CSCOpx
  propFileC:/PROGRA~2/CSCOpx\MDC\tomcat\webapps\rme\WEB-INF\classes\C:\PROGRA~2\CSCOpx\MDC\tomcat\webapps\rme\WEB-INF\classes\com\cisco\nm\rmeng\csc\data\Collector.properties
  Unable to find the file C:/PROGRA~2/CSCOpx\MDC\tomcat\webapps\rme\WEB-INF\classes\C:\PROGRA~2\CSCOpx\MDC\tomcat\webapps\rme\WEB-INF\classes\com\cisco\nm\rmeng\csc\data\Collector.properties
  NMSROOT is C:/PROGRA~2/CSCOpx
  propFileC:/PROGRA~2/CSCOpx\MDC\tomcat\webapps\rme\WEB-INF\classes\com\cisco\nm\rmeng\csc\data\Collector.properties
  SyslogCollector - [Thread: main] INFO , 04 Mar 2013 14:54:38,673, Logging System Initialized.
  SyslogCollector - [Thread: main] INFO , 04 Mar 2013 14:54:38,674, System Initialized.
  SyslogCollector - [Thread: main] INFO , 04 Mar 2013 14:54:38,684, Queue Cap 100000
  SyslogCollector - [Thread: main] WARN , 04 Mar 2013 14:54:45,468, Unable to resurrect connection to a subscriber.
  SyslogCollector - [Thread: main] INFO , 04 Mar 2013 14:54:45,491, Service started...
  I am not sure what to check now. Kindly your suggestions.
  Thanks,
  Justine.

• ACS appliance1120 ACS 4.2.1.15 syslog message to syslog server

  Hi All ,
           I am using ACS 1120 appliance running ACS version 4.2.1.15 , I am pointing out all syslog message to my external syslog server (passed authentication , failed authentication , database replication , administration aduit ,tacacs accounting )  , but i could recieve only passed authentication log message to my external log server , no other log message except passed authentication is pushed to my external log server , But i could see failed attempts , database replication,administrtation audit log message locally on my acs appliance as CSV file ,
  Syslog server configuration is configured under all logging (passed , failed , administration , tacacs accounting ) , but i am surprise to see only passed authentication logg is sent out from acs appliance , Is there any patch to be installed for logg message scripting ?? , please advise ..

  Refer the link : https://supportforums.cisco.com/discussion/11513026/migrating-acs-420-421
  you can directly upgrade from 4.2.0.124 to 5.6 : http://www.cisco.com/c/en/us/td/docs/net_mgmt/cisco_secure_access_control_system/5-6/user/guide/acsuserguide/migrate.html#98379

• CUCM Syslog Message ISSUE (kernel: Exceeded hashlimit)

  Hello.
  Our Customer using CUCM 9.0 (PUB :1 , Sub : 4) and 4 Voice Gateway Cisco 3945 (16 E1 PRI per each Gateway)
  CUCMs have problem with syslog messages.
  I saw these messages in rtmt syslog
  - kernel:  Exceeded hashlimit IN=bond0 OUT= MAC=34:40:b5:d5:63:e8:1c:e6:c7:52:44:40:08:00 SRC=130.1.254.27 DST=130.1.13.11 LEN=204 TOS=0x00 PREC=0x00 TTL=246 ID=19646 PROTO=UDP SPT=19200 DPT=30546 LEN=184
  kernel:  Exceeded hashlimit IN=bond0 OUT= MAC=6c:ae:8b:67:1a:28:bc:16:65:12:99:7f:08:00 SRC=130.1.254.27 DST=130.1.14.13 LEN=204 TOS=0x18 PREC=0xA0 TTL=253 ID=42621 PROTO=UDP SPT=26694 DPT=26842 LEN=184
  What's the problem with these messages ?
  And how can I solve this problem
  Thanks.

  I used to have the same problem, it was a sip trunk against to one CME, just reset the sip trunk in CUCM it fixed the error. it is because the end poing is sending a lot of requests to CUCM

• Unterstanding syslog messages from our wlc

  Hello,
  we use two wlc 4402 (4.1.181.0) and several leightweight accesspoints (AIR-AP1010-E-K9 and AIR-AP1030-E-K9 ) connected to them.
  On our syslog server we get a lot of messages from the two wlc, and there are 3 message types which I am a little bit afraid of.
  1. ca. 10 times per hour we get the message
  apf_80211.c:4792 APF-6-NO_CONFIG_CHANGES: Not saving 'apf.cfg' - no config changes."
  Cisco system message guide:
  Error Message %APF-6-NO_CONFIG_CHANGES: Not saving '[chars]' - no config changes.
  Explanation Not saving - no config changes.
  Recommended Action No action is required.
  Does anybody know why we get this messages and if it's possibly to suppress them?
  2. Intermittently (several times a day) we get the following message types:
  a) [ERROR] spam_l2.c 723: Max retransmissions reached on AP 00:0B:85:56:63:40 (CONFIGURE_COMMAND^M , 2)"
  b) [ERROR] spam_tmr.c 569: Did not receive hearbeat reply from AP 00:0b:85:56:ae:40"
  The MAC address is not every time the same but one of our accesspoints.
  On our network management system we get the following trap messages with nearly exactly the same timestamp:
  14.01.2008 04:21:56 CET
  AP ''00.0b.85.56.63.40'', interface ''0x1'' is down.
  When Airespace AP's interface operation status goes down this trap will be sent.
  bsnAPDot3MacAddress = 00.0b.85.56.63.40
  bsnAPIfSlotId = 0x1
  14.01.2008 04:21:56 CET
  AP disassociated from Switch.
  When an Airespace AP disassociates from a Airespace Switch, the AP disassociated notification will be sent with the dot3 MAC address of the Airespace AP. This will notify the management system to remove Airespace AP from this Airespace Switch.
  bsnAPMacAddrTrapVariable =
  14.01.2008 04:22:25 CET
  AP associated with Switch.
  When an Airespace AP Associates to a Airespace Switch, the AP associated notification will be sent with the dot3 MAC address of the Airespace AP. This will help the management system to discover the Airespace AP and add it to system.
  bsnAPMacAddrTrapVariable =
  bsnAPPortNumberTrapVariable = 1
  Cisco system message guide:
  a) Error Message %LWAPP-3-TX_ERR3: Max retransmissions for LWAPP control message reached on AP [hex]:[hex]:[hex]:[hex]:[hex]:[hex] for [chars] (number of pending messages is [dec])
  Explanation Maximum number of times an LWAPP control packet is transmitted before declaring the AP dead has been reached for this AP. The AP may not be on the network, or might have rebooted.
  Recommended Action Check if the AP has rebooted or if it has been removed from the network, or if there are connectivity issues between the AP and the controller.
  b) Error Message %LWAPP-3-ECHO_ERR: Did not receive heartbeat reply; AP: [hex]:[hex]:[hex]:[hex]:[hex]:[hex]
  Explanation Controller did not get a response for the AP heartbeat message. There may be connectivity issues between the AP and the controller.
  Recommended Action Check if the AP has rebooted or if it has been removed from the network, or if there are connectivity issues between the AP and the controller.
  Because we don't see any network problems I'm wondering why the connection is lost.
  Does anybody have an idea, perhaps CSCsh13928 (http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCsh13928, but we don't have much traffic on the wlans) ?
  Is there any possibility to remotely check if the accesspoint rebooted?
  If you need further information please give me a short feedback.
  Many thanks in advance,
  Thorsten Steffen

  Thanks for the help.
  I have set up to send email and syslog messages from the RME applications. LMS server immediately started to send messages to the email server but syslog messages are not forwarded to the syslog server. Everything was done according to your instructions except that the name of the first script (syslog_forward.pl) is made consistent with what the second script (.bat) refer to (forward1.pl). What's the problem?  Do RME sends the standard syslog messages via UDP port 514?
  Sincerely.

• LMS 4.2 not processing syslog messages

  I have a new install of LMS 4.2 on a virtual appliance.  No syslog messages are getting into LMS.  They are being received by the server, but are showing up in /var/adm/CSCOpx/log/dmgtd.log, and aren't getting processed by SyslogAnalyser.
  Here's the syslog.conf file:
       local6.info                                                                     /var/log/ade/ADE.log
       *.info;mail.none;news.none;authpriv.none;cron.none;local0.none;local1.none      /var/log/messages
       authpriv.*                                                                      /var/log/secure
       mail.*                                                                          -/var/log/maillog
       cron.*                                                                          /var/log/cron
       *.emerg                                                                         *
       uucp,news.crit                                                                  /var/log/spooler
       local7.*                                                                        /var/log/boot.log
       #Application LMS Generated config
       #BEGIN CSCOmd - DO NOT EDIT THESE COMMENTS OR CONTENTS CONTAINED WITHIN - local0 1
       local0.emerg;local0.alert;local0.crit;local0.err;local0.warning;local0.notice;local0.info;local0.debug  /var/adm/CSCOpx/log/dmgtd.log
       #END CSCOmd DO NOT EDIT BEFORE THIS LINE  1
       local7.info  /var/log/syslog_info
  My guess is that the incoming messages are getting written to the wrong file.  What do I need to change to correct this?

  I found that all of my syslog messages were being captured under /var/log/messages.  This was due to my Cisco devices being configured with "logging facility local5".  Instead of reconfiguring all of my devices to log to facility local7, I just changed the following line in syslog.conf and restarted (/etc/init.d/syslog restart)
  Before:
  local7.info  /var/log/syslog_info
  After:
  local5.*  /var/log/syslog_info
  Probably not the best way to do it, but it worked for me.
  -Rick

• Receive syslog messages from remote system

  I want to replace my ancient and aging Slackware 12.0 server with an Arch server. One of the hurdles is to receive syslog messages (UDP/IP, port 514) over the network from a Cisco 678 DSL modem/router, and from a DD-WRT based wireless access point.
  How do I go about getting a systemd-based Arch server to receive syslog-formatted messages from the network on UDP port 514?
  I'm not looking to view the Arch system's journal over the network, but rather to receive non-local messages and log them.
  Last edited by bediger4000 (2013-08-01 15:44:48)

  WonderWoofy: I hope you mean "man systemd-journal-gatewayd", as I find that man page, but not "systemd-journal-gateway".  systemd-journal-gatewayd works the other way. According to the man page it "serves journal events over the network. Clients must connect using HTTP."
  sbmomeni: I agree that your reference says the systemd journal provides the same function - but how?  And does "this functionality" refer to the logging part of syslog-ng, or to the receiving messages from other machines part?

• Cisco Prime syslog server

  Where are syslogs stored, if I point my devices to Cisco Prime acting as my syslog server? I am running 2.0
  thanks, Jerry

  Hi ,
  As of now , this feature is not available , I mean PI will not work as syslog server.
  Syslog messages received by  PI from managed devices are found under Monitor > Alarms and Events > Syslogs
  as you are using PI 2.2 , you will be able to see all device syslog messages (0-7 severity)
  That display will show you up to 200,000 messages at a time.
  Check the below link for other related details proved by Marvin :
  https://supportforums.cisco.com/discussion/12486126/cisco-prime-syslog-functionality#sthash.Wbj2a3lj.dpuf
  Thanks-
  Afroz
  ***Ratings Encourages Contributors ****

• Syslog messages AP541

  Hi community,
  to find the reason for my connection problems to our network over a AP541N
  I have configured the AP541 to send its syslog messages to a syslog server.
  Now I am looking for a document where I can find informations about the received
  messages.
  For example, what means
  hostapd: wlan0: IEEE 802.11 STA 78:a3:e4:3e:f7:19 deauthed from BSSID 00:21:29:03:18:40 reason 3
  or
  hostapd: wlan0: IEEE 802.11 STA 58:1f:aa:2c:96:4b disassociated from BSSID 00:21:29:03:18:40 reason 8
  Are there documents where the messages are explained ?
  Regards
  Joachim

  Here is a document for cisco wireless access controller client reason codes:
  http://www.cisco.com/en/US/docs/wireless/controller/3.2/configuration/guide/c32err.html
  Client Reason Code…Description…Meaning
  0…noReasonCode…Normal operation.
  1…unspecifiedReason…Client associated but no longer authorized.
  2…previousAuthNotValid…Client associated but not authorized.
  3…deauthenticationLeaving…The access point went offline, deauthenticating the client.
  4…disassociationDueToInactivity…Client session timeout exceeded.
  5…disassociationAPBusy…The access point is busy, performing load balancing, for example.
  6…class2FrameFromNonAuthStation…Client attempted to transfer data before it was authenticated.
  7…class2FrameFromNonAssStation…Client attempted to transfer data before it was associated.
  8…disassociationStaHasLeft…Operating System moved the client to another access point using non-aggressive load balancing.
  9…staReqAssociationWithoutAuth…Client not authorized yet, still attempting to associate with an access point.
  99…missingReasonCode…Client momentarily in an unknown state.

• Recivining and analyzing syslog messages from facility local3 on LMS4.2 soft appliance.

                     HI,
  all of our enterprise switches are sert to send syslog messages from facility local3. this is partly because our linux syslog server loggs its boot syslog  messages from  facility local7 an we could't use the default  facility of local7 on our cisco switches. LMS4.2s syslog daemon is set to recieve syslog messages from facility local7. how can i change it so that it can listen for facility local3 and also make sure the syloganalyzer and automated action  work fine.
  thanks,
  Kerim

  Hi All,
  I thought it is a good idea to share the workaround my colleague came up with for this prolem. there is a file called syslog-entries.txt under /opt/CSCOpx/conf. he added all the entries we needed like :
  local3.*     /var/log/syslog_info
  local5.*   /var/log/syslog_info
  the change was automatically reflected on syslog.conf
  now we receve alerts from facilities 3 and 5 besides 7.  hope this helps anyone who run into the same issue.

• Cisco ISE syslog

  Hello,
  From what I understand Cisco ISE has LogCollector for SysLog.
  I have configured a switch to send syslog:
  logging monitor informational
  logging origin-id ip
  logging source-interface <interface_id >
  logging host <syslog_server_IP_address_x > transport udp port 20514
  ,but I am unable to find syslog messages generated by switch.
  Can I view syslog messages in ISE ? , or are there just for ISE to use in the background ?
  Regards,
  Bogdan

  You should post your question on the AAA forum
  https://supportforums.cisco.com/community/netpro/security/aaa
  Thanks,
  Scott
  Help out other by using the rating system and marking answered questions as "Answered"