Excluding certain syslog messages from Call-Home

I recently enabled call-home for all switches, including some 3750 top of rack acting as access layer. 
call-home
 profile "Network"
  destination preferred-msg-format short-text
  destination address email [email protected]
  subscribe-to-alert-group environment severity warning
  subscribe-to-alert-group inventory
  subscribe-to-alert-group syslog severity warning pattern ".*"
Problem is the servers are routinely taken down for maintenance, so I get call-homes for the LINK-3-UPDOWN messages.  How do I exclude these from notifications, but still get other messages that are warning or more severe (0-4)?
Note that I do want syslog to log the UPDOWN messages in case they're needed for troubleshooting, I just don't want call-home alerts.
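
The filter the question asks for (alert on severity 0-4, never on LINK-3-UPDOWN from server ports, keep every message in the log), written out as an added Python example. It is not part of the original post and is not call-home configuration: it assumes the switches' syslog is also forwarded to a host that does the alerting. The sample lines are constructed, and the uplink name in ALWAYS_ALERT_INTERFACES is a hypothetical addition so that a link-down on an uplink still alerts.

```python
import re

# Cisco IOS message code: %FACILITY-SEVERITY-MNEMONIC: text
IOS_MSG = re.compile(
    r"%(?P<facility>[A-Z0-9_-]+?)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s*(?P<text>.*)"
)
IFACE = re.compile(r"Interface (?P<name>[A-Za-z-]+[\d/.]+)")

MAX_SEVERITY = 4                      # warning or more severe (0-4), as in the post
EXCLUDED = {("LINK", "UPDOWN")}       # logged, but no alert
# Hypothetical: ports where an UPDOWN is never routine maintenance.
ALWAYS_ALERT_INTERFACES = {"TenGigabitEthernet1/1/1"}

# Constructed sample lines, not captured from a real device.
SAMPLE = [
    "000123: Jan 14 04:21:56.123: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/12, changed state to down",
    "000124: Jan 14 04:21:57.123: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/12, changed state to down",
    "000125: Jan 14 04:30:02.001: %LINK-3-UPDOWN: Interface TenGigabitEthernet1/1/1, changed state to down",
    "000126: Jan 14 05:00:00.000: %SW_MATM-4-MACFLAP_NOTIF: Host 0011.2233.4455 in vlan 10 is flapping between port Gi1/0/1 and port Gi1/0/2",
    "000127: Jan 14 05:10:00.000: %SYS-5-CONFIG_I: Configured from console by admin on vty0",
    "free-form line without an IOS message code",
]


def parse(line):
    """Return facility, severity, mnemonic, text and interface, or None."""
    m = IOS_MSG.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["severity"] = int(rec["severity"])
    iface = IFACE.search(rec["text"])
    rec["interface"] = iface.group("name") if iface else None
    return rec


def should_alert(line):
    rec = parse(line)
    if rec is None:
        return False                  # no message code: keep in the log, never alert
    if rec["severity"] > MAX_SEVERITY:
        return False                  # notice/info/debug (5-7) are below the threshold
    if (rec["facility"], rec["mnemonic"]) in EXCLUDED:
        # Excluded message type: alert only for the listed interfaces.
        return rec["interface"] in ALWAYS_ALERT_INTERFACES
    return True


def triage(lines):
    """Split into (alerts, logged); logged is always the full input."""
    lines = list(lines)
    return [l for l in lines if should_alert(l)], lines


if __name__ == "__main__":
    alerts, logged = triage(SAMPLE)
    print(f"{len(logged)} logged, {len(alerts)} alerted")
    for line in alerts:
        print("ALERT", line)
```
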

From what I've seen, the challenge with getting tracebacks as syslogs is network connectivity is often not established sufficiently (after a crash) to send the syslogs out. The situation seems to be begging for a "delayed-fuse" mechanism to collect the early syslogs after a crash in a buffer somewhere, until after successful network convergence is realized. I'm not sure services such as EEM or tclsh are themselves initialized early enough during the IOS bootup sequences to try to perform that task.

Similar Messages

  • Receiving and analyzing syslog messages from facility local3 on LMS4.2 soft appliance.

    Hi,
    All of our enterprise switches are set to send syslog messages from facility local3. This is partly because our Linux syslog server logs its boot syslog messages from facility local7 and we couldn't use the default facility of local7 on our Cisco switches. LMS4.2's syslog daemon is set to receive syslog messages from facility local7. How can I change it so that it can listen for facility local3 and also make sure the Syslog Analyzer and automated actions work fine?
    thanks,
    Kerim

    Hi All,
    I thought it is a good idea to share the workaround my colleague came up with for this problem. There is a file called syslog-entries.txt under /opt/CSCOpx/conf. He added all the entries we needed like:
    local3.*     /var/log/syslog_info
    local5.*   /var/log/syslog_info
    The change was automatically reflected in syslog.conf.
    Now we receive alerts from facilities 3 and 5 besides 7. Hope this helps anyone who runs into the same issue.

  • Understanding syslog messages from our wlc

    Hello,
    We use two wlc 4402 (4.1.181.0) and several lightweight access points (AIR-AP1010-E-K9 and AIR-AP1030-E-K9) connected to them.
    On our syslog server we get a lot of messages from the two wlc, and there are 3 message types which I am a little bit afraid of.
    1. ca. 10 times per hour we get the message
    apf_80211.c:4792 APF-6-NO_CONFIG_CHANGES: Not saving 'apf.cfg' - no config changes."
    Cisco system message guide:
    Error Message %APF-6-NO_CONFIG_CHANGES: Not saving '[chars]' - no config changes.
    Explanation Not saving - no config changes.
    Recommended Action No action is required.
    Does anybody know why we get these messages and if it's possible to suppress them?
    2. Intermittently (several times a day) we get the following message types:
    a) [ERROR] spam_l2.c 723: Max retransmissions reached on AP 00:0B:85:56:63:40 (CONFIGURE_COMMAND^M , 2)"
    b) [ERROR] spam_tmr.c 569: Did not receive hearbeat reply from AP 00:0b:85:56:ae:40"
    The MAC address is not every time the same but one of our accesspoints.
    On our network management system we get the following trap messages with nearly exactly the same timestamp:
    14.01.2008 04:21:56 CET
    AP ''00.0b.85.56.63.40'', interface ''0x1'' is down.
    When Airespace AP's interface operation status goes down this trap will be sent.
    bsnAPDot3MacAddress = 00.0b.85.56.63.40
    bsnAPIfSlotId = 0x1
    14.01.2008 04:21:56 CET
    AP disassociated from Switch.
    When an Airespace AP disassociates from a Airespace Switch, the AP disassociated notification will be sent with the dot3 MAC address of the Airespace AP. This will notify the management system to remove Airespace AP from this Airespace Switch.
    bsnAPMacAddrTrapVariable =
    14.01.2008 04:22:25 CET
    AP associated with Switch.
    When an Airespace AP Associates to a Airespace Switch, the AP associated notification will be sent with the dot3 MAC address of the Airespace AP. This will help the management system to discover the Airespace AP and add it to system.
    bsnAPMacAddrTrapVariable =
    bsnAPPortNumberTrapVariable = 1
    Cisco system message guide:
    a) Error Message %LWAPP-3-TX_ERR3: Max retransmissions for LWAPP control message reached on AP [hex]:[hex]:[hex]:[hex]:[hex]:[hex] for [chars] (number of pending messages is [dec])
    Explanation Maximum number of times an LWAPP control packet is transmitted before declaring the AP dead has been reached for this AP. The AP may not be on the network, or might have rebooted.
    Recommended Action Check if the AP has rebooted or if it has been removed from the network, or if there are connectivity issues between the AP and the controller.
    b) Error Message %LWAPP-3-ECHO_ERR: Did not receive heartbeat reply; AP: [hex]:[hex]:[hex]:[hex]:[hex]:[hex]
    Explanation Controller did not get a response for the AP heartbeat message. There may be connectivity issues between the AP and the controller.
    Recommended Action Check if the AP has rebooted or if it has been removed from the network, or if there are connectivity issues between the AP and the controller.
    Because we don't see any network problems I'm wondering why the connection is lost.
    Does anybody have an idea, perhaps CSCsh13928 (http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCsh13928, but we don't have much traffic on the wlans) ?
    Is there any possibility to remotely check if the accesspoint rebooted?
    If you need further information please give me a short feedback.
    Many thanks in advance,
    Thorsten Steffen

    Thanks for the help.
    I have set up to send email and syslog messages from the RME applications. LMS server immediately started to send messages to the email server but syslog messages are not forwarded to the syslog server. Everything was done according to your instructions except that the name of the first script (syslog_forward.pl) is made consistent with what the second script (.bat) refers to (forward1.pl). What's the problem? Does RME send the standard syslog messages via UDP port 514?
    Sincerely.

  • Receive syslog messages from remote system

    I want to replace my ancient and aging Slackware 12.0 server with an Arch server. One of the hurdles is to receive syslog messages (UDP/IP, port 514) over the network from a Cisco 678 DSL modem/router, and from a DD-WRT based wireless access point.
    How do I go about getting a systemd-based Arch server to receive syslog-formatted messages from the network on UDP port 514?
    I'm not looking to view the Arch system's journal over the network, but rather to receive non-local messages and log them.
    Last edited by bediger4000 (2013-08-01 15:44:48)

    WonderWoofy: I hope you mean "man systemd-journal-gatewayd", as I find that man page, but not "systemd-journal-gateway".  systemd-journal-gatewayd works the other way. According to the man page it "serves journal events over the network. Clients must connect using HTTP."
    sbmomeni: I agree that your reference says the systemd journal provides the same function - but how?  And does "this functionality" refer to the logging part of syslog-ng, or to the receiving messages from other machines part?

  • How do I get syslog messages from an AP350 sent to my Ciscoworks2000?

    I am running Ciscoworks2000 and trying to get my Access Points to send messages to the RME. I have enabled SNMP and created users with the correct SNMP strings. Any help in getting as much information from the APs to Ciscoworks would be greatly appreciated.

    Darcy,
    The setup for syslog is different to setting up SNMP. Refer to the following URL re the 'Event Notifications Setup Page'. http://www.cisco.com/univercd/cc/td/doc/product/wireless/airo_350/accsspts/ap350scg/ap350ch7.htm#1037065
    In particular, please make sure that you check the 'Yes' button for 'Should Syslog Messages use the Cisco EMBLEM Format', otherwise RME will not recognise the format of the syslog messages that it receives.
    As mentioned by one of the other respondents, you must also check that the AP is recognised in the RME Inventory as a Managed Device.
    A list of what devices are supported in the various versions of RME can be found on CCO at http://www.cisco.com/univercd/cc/td/doc/product/rtrmgmt/cw2000/cw2000e/dev_sup/index.htm

  • Can't get syslog messages from Remote SA520 over VPN

    I'm trying to set up a central logging server on a debian system running rsyslog.
    The syslog server is local & I have a branch office connected via a VPN. Both buildings have SA520 routers.
    I have set up both firewalls to allow ANY from each network 192.168.150.X & 19.168.160.X
    (also tried to add a rule for UDP514 but that didn't help)
    The debian system is new & has no iptables set up
    I've entered the syslog server IP in remote logging.
    I've set up facilities in Send to syslog for both routers.
    I am logging messages from the local router but don't see anything from the remote.
    I've checked with wireshark & see no syslog packages from the remote (I do see SSL negotiation & others when using the web admin and of course the functioning vpn)
    I rebooted the router to see if that made a difference but no luck.
    Any ideas why I can't get the syslog traffic across the VPN?

    I do have the correct IP address of the syslog server set up. I do not want email logs so have not enabled that.
    My setup is
    remote lan > SA520-remote (192.168.160.1) > [ site to site IPSec VPN over WAN ] > SA520-local (192.168.150.1) > syslog server (192.168.150.25) & local lan
    Firewall is set up to allow ANY IN & OUT to local lan on both routers.
    I have also set up specific rules for UDP 514 Syslog traffic (no difference, currently disabled)
    syslog server has -no- firewall at the moment.
    Syslog server is receiving messages from the local router with no issues.
    Log Severity is set to Information &  Log Facility is set up to send to Syslog.
    I have also setup a SNMP trap on the syslog server & pointed the remote router to it in hopes of diagnosing the issue.
    Both routers have the latest firmware applied.
    Using wireshark on the syslog server I see no traffic on UDP 514 (syslog) or UDP 162 (snmp)
    I can use the WUI for the remote & ping the 160.1 with no problem. Both ping & TLS/TCP traffic show up in wireshark on the syslog server when I do so.
    It looks to me like there is a problem routing the syslog messages out of the router & then back through the VPN.
    Worst case I'll set up another syslog server on an old machine at the remote location & then cron the logs to the central syslog server but it really seems I shouldn't have to.

  • How to stop SubmitDiagInfo from "Calling Home"?

    I do not consent to "SubmitDiagInfo" collecting and sending information without my knowledge or consent. The OSX diagnostic reporting, called "SubmitDiagInfo", is now regularly "calling home" without my knowledge and I do not consent to this. Please tell me how to turn this off. I had consented a few times to submit one-off crash reports, thought I was being helpful to Apple, but now the tool is regularly collecting information and sending in secret. I will never assist Apple in the future in bug reporting because of this breach of trust. Thank you.

    The application firewall I am using pops up an information window that tells me what application is accessing the internet, the URL, et cetera. Download an application firewall and see it for yourself. If you are security conscious you will find a number of security issues on your machine that you were not aware of before, did not authorize, et cetera.
    Since this post I have documented a number of Apple applications/services that try to "Phone Home". You have to be naive to believe that your Mac only contacts Apple when you tell it to do so. It is similar to what I have documented on Windows machines. Over the past 5 years I have noticed that this "Phone Home" phenomenon increases with every next version of the OS or update. I am new to Macs, but on Windows machines, even the NT kernel will now occasionally try to contact Microsoft servers. An OS kernel has no business doing this kind of stuff. I have even observed where arbitrary ports are being used, not the typical port 80, port 443, et cetera. I thought I had spyware on my machine. Nope. On Windows NT/2000/XP, it appears Windows even has a hidden service that periodically does a type of Win32 memory injection to hijack other applications and use them as proxy to "phone home", always to Microsoft servers. Sounds crazy, but I have witnessed it many times over the years. Even some open source software such as Firefox is guilty of doing this kind of thing. Firefox does the "phone home" during a webpage request. What it does is initiate webpage request, interrupt and "call home" to one of several Mozilla servers, then re-initiate page request and continue. Very sneaky.
    I have even observed where servers out on the internet such as Google will try to connect to my computer using a variety of ports other than standard internet ports. Sorry, you should not need anything but port 80 to use Google and surf the internet. Use a good application firewall and you can observe this yourself.
    I think everybody who takes privacy seriously should start looking into this. Where is the security community on this? It appears to be compromised, talks about everything else but this elephant in the room that I have witnessed the past 5 years. The prevailing propaganda is that this is all benign. I program software for a living and know you do not need to code software that makes regular connections with servers on the internet without user knowledge and explicit consent. This is unethical and possibly a common law crime.
    Anyways, it appears that this "Phone Home" phenomenon is "by design". Fortunately there are products out there that allow you to deal with it. Unfortunately it is only a quick fix, it does not resolve the underlying security issue.

  • How to get a message from call transaction in RFC call

    Hello :
    I would like to ask one favor. I make 2 call transactions in an RFC function; when I make the first CALL TRANSACTION using the next statement:
        CALL TRANSACTION 'F-43'
          USING bdcdata MESSAGES INTO messtab2 OPTIONS FROM l_fromopt.
    I receive the number of the document in the field sy-msgv1 from the message table messtab2, then I make the second CALL TRANSACTION and I am waiting to get the other number of the document from the table messtab3 using the next statement.
         CALL TRANSACTION 'FIBLFFP'
            USING bdcdata MESSAGES INTO messtab3 OPTIONS FROM l_fromopt.
    But now the table messtab3 doesn't send the number of the document, and I need to get the number of this document for making a REFERENCE.
    Thanks a lot for your help.

    FORM bdc_transaction USING tcode TYPE tcode.
      DATA: l_mstring(480).
      DATA: l_subrc  TYPE sy-subrc,
            lwa_t100 TYPE t100.
      DATA : gv_ctumode TYPE ctu_params-dismode VALUE 'A'.
    " call transaction using
    BREAK-POINT.
      REFRESH gt_messtab.
      CLEAR gwa_messtab.
      gv_ctumode = gc_ctumode.
      CALL TRANSACTION tcode USING gi_bdcdata                "#EC CI_CALLTA
                       MODE   gv_ctumode
                       UPDATE gc_cupdate
                       MESSAGES INTO gt_messtab.
      l_subrc = sy-subrc.
      IF sy-subrc <> 0.
        WRITE: / 'CALL_TRANSACTION',
                 tcode,
                 'returncode:',
                 l_subrc,
                 'RECORD:',
                 sy-index.
        LOOP AT gt_messtab INTO gwa_messtab.
          CLEAR lwa_t100.
          SELECT SINGLE * FROM t100 INTO lwa_t100  WHERE sprsl = gwa_messtab-msgspra
                                    AND            arbgb = gwa_messtab-msgid
                                    AND            msgnr = gwa_messtab-msgnr.
          IF sy-subrc = 0.
            l_mstring = lwa_t100-text.
            IF l_mstring CS '&1'.
              REPLACE '&1' WITH gwa_messtab-msgv1 INTO l_mstring.
              REPLACE '&2' WITH gwa_messtab-msgv2 INTO l_mstring.
              REPLACE '&3' WITH gwa_messtab-msgv3 INTO l_mstring.
              REPLACE '&4' WITH gwa_messtab-msgv4 INTO l_mstring.
            ELSE.
              REPLACE '&' WITH gwa_messtab-msgv1 INTO l_mstring.
              REPLACE '&' WITH gwa_messtab-msgv2 INTO l_mstring.
              REPLACE '&' WITH gwa_messtab-msgv3 INTO l_mstring.
              REPLACE '&' WITH gwa_messtab-msgv4 INTO l_mstring.
            ENDIF.
            CALL FUNCTION 'FORMAT_MESSAGE'
              EXPORTING
                id        = gwa_messtab-msgid
                lang      = sy-langu
                no        = gwa_messtab-msgnr
                v1        = gwa_messtab-msgv1
                v2        = gwa_messtab-msgv2
                v3        = gwa_messtab-msgv3
                v4        = gwa_messtab-msgv4
              IMPORTING
                msg       = l_mstring
              EXCEPTIONS
                not_found = 1
                OTHERS    = 2.
            IF sy-subrc <> 0.
              MESSAGE ID sy-msgid TYPE sy-msgty NUMBER sy-msgno
                      WITH sy-msgv1 sy-msgv2 sy-msgv3 sy-msgv4.
            ENDIF.
            CONDENSE l_mstring.
            IF NOT l_mstring IS INITIAL.
              WRITE: / gwa_messtab-msgtyp, l_mstring(250).
              MESSAGE l_mstring TYPE 'I'.
            ENDIF.
          ELSE.
            WRITE: / gwa_messtab.
          ENDIF.
        ENDLOOP.
        SKIP.
      ENDIF.
    ENDFORM.

  • Permanently exclude certain files & folders from backup

    I see in the discussions where you can delete certain files or folders from TM backups. Does this exclude those files from future backups as well? Or do you have to go back into TM every time and delete them?
    Thanks.

    Barb2008 wrote:
    I see in the discussions where you can delete certain files or folders from TM backups. Does this exclude those files from future backups as well?
    No. But you can add files/folders to the TM exclusion list in system preferences->TM->options. that will stop future backups of those files/folders.

  • Messages from call transaction don't appear

    Hello everyone,
    I'm having a problem that i never experienced.
    I have a call transaction for T-code 'FOB1', like this:
      CALL TRANSACTION f_tcode USING bdc_tab MODE f_mode UPDATE 'S'
                                           MESSAGES INTO messtab.
    I already tried using 'A' mode and 'N' mode, but the problem persists. My table messtab, that should, at least, bring the message for successful creation of document, is completely empty!! With one difference. If I choose "visible" mode, a warning appears that is not a concern for creating the document. That 'W' message appears in my table messtab, ONLY if I run the call transaction with 'visible' mode. It looks as if the messages are being deleted so fast that the system doesn't catch them.
    Any suggestions ??
          Thank you.

    Thank you for all your answers, but my problem persists.
    In response to all:
    - I tried eliminating the UPDATE statement or using option 'A', but the message table still appears empty.
    - When i create a document through transaction FOB1, it does send a S message with the number of the document created.
    - I tried creating a Batch Input and process it through SM35, and the log shows several S messages.
    I'm having trouble solving this one. Any more suggestions ?

  • Results analysis: any way to exclude certain cost element from calculation?

    Hi everyone!
    We are implementing Results Analysis for projects. But the client is asking if there is a way to exclude some cost elements of the results analysis calculation. We are using method 07, POC based in the project milestones.
    This is why they need this. They say that very often they have costs higher to what they should be according to the month's billing. So they need to send the corresponding part to a WIP account. But not all the costs. They have internal costs (like the hours of internal resources) and external costs (like materials procurement or external services contracts). They only want to send to WIP the exceeding external costs. But leave all the internal costs in a cost account. So to do this we need to exclude these kinds of cost elements (secondary cost elements) from the results analysis calculation. Is there any way to do this? Any ideas?
    Thanks in advance!
    Regards,
    Thalos.

    Hi,
    In OKG4, next to Line ID there is a field where you can set "N" which means not to include. Make this setting for required cost elements / Line IDs and then test the changes.
    Regards
    Sreekanth

  • Send certain syslog messages to different syslog servers

    We have had a security event where we have had to apply certain ACL's to block some traffic.  Some of the blocked traffic is logged to syslog.  We would like to send that log information to different syslog servers, depending on certain pattern matches.
    syslog entries that match pattern xxx = export to syslog server A
    syslog entries that match pattern yyy = export to syslog server B
    Is this possible using something like tcl scripting and EEM?  If so, could someone share some guidance on how this might be accomplished?
    TIA

    Thanks, Joseph.  You answered the question asked...but unfortunately I think that I did not phrase the question correctly.
    Our match criteria will always be mutually exclusive, so it will never match both.  Always one or the other.
    So now that we have this working in its basic form, now we want to take it a step further and do the following....
    (working) Match criteria A, set Stream 10
    (working) Match criteria B, set Stream 20
    (working) Send stream 10 to syslog Host A
    (working) Send stream 20 to syslog Host B
    (NEW) Send stream 10 AND 20 to syslog Host C
    Unless we have the syntax incorrect, it appears as though we can only send one stream to a given host.  We can configure 'logging host SyslogC filtered stream 10'.  But if we then configure 'logging host SyslogC filtered stream 20', it appears to overwrite the previous configuration, so that we only send Stream 20 to SyslogC, and not Stream 10.
    Is it possible to send multiple streams to a single syslog host?
    Thank you!

  • How can I prevent Message  from showing home and other numbers?

    Message+ is offering ALL the phone numbers in the database!  It should only be offering mobile numbers.  How can I make it be more selective?  TIA

    I re-read my initial posting and I should have been more clear. When I use Messenger+ to send texts, it offers me all the phone numbers in the Contacts list. It should NOT offer me the Home, Work, Fax numbers that cannot be sent texts.
    Thanks.

  • How to exclude certain playlists from being shuffled?

    I have Video IPOD and would like to know how to exclude certain play lists from being played when the "shuffle song" function is on?
    Appreciate your help.

    Going back to the beginning I think I misinterpreted your original question. I thought you wanted to be able to turn on the Shuffle Songs function of the iPod and when you played any playlist it would shuffle normally but you wanted to have some playlists that would play without shuffling without having to turn off that function.
    Now I think what you wanted to say was you want to shuffle song when playing your library on the iPod but if certain songs exist in your "do not shuffle" playlist, they would be skipped, right?
    If that is the case, you can do it with some Smart playlist manipulation. First create the "Do Not Shuffle" playlist and put everything in there that you do not want to show up when you are shuffle playing your library. Now create a new Smart Playlist where the rules are "Playlist IS NOT [do not shuffle]". Make that the only rule, check live updating and only checked songs. What will happen is that playlist will contain your entire library EXCEPT the ones you don't want shuffle played.
    Now when you listen to your iPod, you can use the Shuffle Songs option turned ON and play that smart playlist which will basically let you hear anything and everything in your library shuffled EXCEPT for those songs you designated to not include.
    Patrick

  • Syslog messages coming from Standby ASA ?

    I have a pair of ASAs in Active/Standby configuration.  I noticed this morning that the secondary ASA is generating syslog messages when I don't think it should.  Here is the logging configuration -
    logging enable
    logging timestamp
    logging buffer-size 1048576
    logging console informational
    logging buffered informational
    logging trap informational
    logging history critical
    logging asdm critical
    logging mail critical
    logging host inside 10.1.4.12
    This is the interface that syslog should be coming out of on the primary ASA -
    interface GigabitEthernet0/1
    description 10.1.85.0/24 Internal Interface
    nameif inside
    security-level 100
    ip address 10.1.85.31 255.255.255.0 standby 10.1.85.32
    ospf retransmit-interval 1
    ospf hello-interval 1
    ospf dead-interval 3
    Cisco Adaptive Security Appliance Software Version 8.2(3)
    Device Manager Version 6.3(4)
    I ran the packet capture wizard on the secondary ASA and saw no syslog traffic coming from it.
    Anybody else seen this ?
    Ron

    Ron
    The message that you show us is part of what the ASA is doing to maintain state for all the VPN connections from the primary ASA. I see similar syslog messages from the standby unit in an ASA active/standby pair.
    You say: "I wouldn't expect any messages to be coming from it since it isn't really doing anything." But the standby unit is really doing things. As a new session is established on the primary the secondary must process and retain that information. And when a session is discontinued on the primary then the standby must process that also and remove the session from the state table. If the standby were not busy doing these things then it would not be able to take over and process sessions correctly if the primary were to fail.
    HTH
    Rick
