LMS syslog?

Similar Messages

• LMS 4.2.5 Syslog/Automated Action/Config mgmt issue

  LMS 4.2.5 on Windows
  We use the server as it's own Syslog server. The Syslog collector status is fine. I see syslogs coming into the server. However, I just made some changes on a router so ran a syslog report on it, but nothing was returned. I Tested the Collector Subscription and everything was fine.
  We also have Automated Actions configured on certain syslog messages (duplex mismatch for example). There is an AA configured to send my team e-mails when this event occurs. There was a device that had two days worth of syslog messages complaining about this issue. Yet, we only received about 10 e-mails from the LMS system on it.
  Another issue is with Configuration Mgmt. I fixed the duplex mismatch listed above and went to check the config tree to see if or when something changed. The last config archive was pretty old and I know changes were made on the device since then. This tells me that the LMS server didn't get notified of the config change or it would have gone out and checked it.
  The one thing in common on all of the above is Syslog messages. LMS will take actions based on receiving these messages and those actions don't seem to be firing.
  Any ideas would be greatly appreciated.
  Thanks,
  Mike S.

  To confirm if the device is sending the syslogs and they are being received by LMS server properly, check the $NMSROOT/log/syslog.log and see it has the syslog from the device.
  Unless syslog is there on syslog.log, we don't expect LMS to react on any AA. 
  For configuration backup, try to sync the device config by initiating a manual job to update the latest configuration from device. Even if there is no Automated Action working, you should still have a reoccurring/scheduled job configured to archive configuration backup periodically.
  Following is a document I created for Syslog troubleshooting :
  Ciscoworks LMS : Syslog in a Nutshell!
  -Thanks
  Vinod
  **Encourage Contributors. RATE Them.**

• How to view router/switch logs using LMS 3.2?

  Of course I can log into each of my 100 routers and switches and peforms "sh loggin" to look for problems, but how do I use LMS 3.2 to consolidate all those logs into one location?  Can I set up something so I can see those logs in more or less real time?
  Thanks in advance.

  >> Does LMS go get syslog messages periodically or does the device send a copy to LMS whenever it generates a new message?
  The latter.
  If for some reason, the devices cannot log directly to LMS, there're a few options: 1) Devices log to a central syslog server, which in turn exposes the syslogs to LMS' Syslog Analyzer, either via the Cisco-supplied Remote Syslog Collector or some unsupported methods such as NFS mount, or 2) Install Syslog-ng on the central syslog server, relay the logs to LMS, as described in this whitepaper: http://www.cisco.com/en/US/prod/collateral/netmgtsw/ps6504/ps6528/ps2425/white_paper_c11-571038.html
  >> What's the benefit of scheduling a report to run automatically?  Is it saved somewhere that is easier/quicker to get to?
  It's the usual benefits of automation. Scheduled syslog reports apparently write outputs to /var/adm/CSCOpx/files/rme/cri/archives/syslog/reports/output/[jobID_runID], on Solaris, for example. The structure inside is rather muddy. So it might be easier to have something like a VBscript to screen-scrape the LMS web GUI for the report outputs instead.
  >> Can new syslog messages from devices be posted to an RSS feed?
  That's a novel idea. Though obviously not from the devices directly, it most likely coud be done through some "syslog2rss" relay residing on the syslog server. I think the potential volumes of logs could be too much for RSS, unless careful filtering/deduplication takes place on the relay before posting to a feed.

• Ciscoworks LMS 4.0 DFM Custom Traps

  Hello,
  We want to use Ciscoworks LMS 4.0 for Access Control List Monitoring. i.e. if we end the ACLs with "log" entry, we may send  the ACL deny logs to the Ciscoworks as Syslog or Snmp Trap format.
  With "debug snmp packets" command we may observe the packets are sent to the LMS, but the traps don't show up as alarms. Is it possible to observe any trap entry with LMS DFM Fault Manager by customizing the module, because we think the engine of the DFM analyzes the traps and shows some of the traps, not all of the traps are observable.
  The command output is as below:
  Thanks in Advance,
  Best Regards,
  Mar  2 10:28:30.028: SNMP: Queuing packet to 10.10.10.1
  .Mar  2 10:28:30.028: SNMP: V1 Trap, ent ciscoSyslogMIB.2, addr 10.10.20.1, gen  trap 6, spectrap 1
  clogHistoryEntry.2.742 = SEC
  clogHistoryEntry.3.742 = 7
  clogHistoryEntry.4.742 = IPACCESSLOGDP
  clogHistoryEntry.5.742 = list 191 denied icmp   10.10.10.1 -> 10.10.20.1 (0/0),   10 packets
  clogHistoryEntry.6.742 = 69082382

  DFM consumes the traps and decides based on its built-in code-book what to do - rise one of the predefined Events or just silently ignore it. The best DFM can do is forward the trap as-is to another trap receiver.
  Perhaps the LMS Syslog-Server can do what you want and lauch automated actions (like scripts or e-mail) based on certain criteria.
  But you should take care of the underlying syslog file and keep its size under control with logrot.pl utility.
  The online help of LMS should give you more details on the syslog capabilities or this link to the LMS 4.0 Administration Guide:
  http://www.cisco.com/en/US/docs/net_mgmt/ciscoworks_lan_management_solution/4.0/user/guide/admin/useNotif.html#wp1075603

• CiscoWorks RME 4.3 syslog forwarding

  Hello,
  We are running CiscoWorks RME 4.3 and forwarding syslog messages to another syslog server. To forward messages we use script from https://supportforums.cisco.com/docs/DOC-11592
  All is working great at the begining of month. With growing of syslog.log file, forwarded messages are delayed more and more. Because of Syslog Analyzer monthly reports we have log rotate at every 1st day of month.
  So question:
  Is it possible to write syslogs to two different files? One which will rotate as described above, and other which will be used by syslog_forward.pl and rotated every day?
  Thanks in advance!
  Regards!
  Marko

  You cannot do this on Windows with the LMS syslog server.  All messages will be written to one file.  Logrot in LMS can archive the log files instead of just rotating them.  This way, you can keep messages as long as you want.  Just specify a non-zero number of backups when configuring Log Rotation.  The archived files will be created with a numeric extension (e.g. syslog.log.1, syslog.log.2, etc.).  Those files can be further archived manually to long-term storage.

• CiscoWorks Server Syslog file is growing

  Hi ,
  I have a Ciscoworks server in which syslog.log file are continueously growing everyday in size.When i checked the syslog file i have observed that most of the logs related to DOT1X-5-SUCCESS or AUTHMGR.Because of this syslog file size is increasing like anything.Is there any way where i can filter this log file and drop in ciscoworks server itself. By achieving this i can reduce the size of the syslog file and also block non required logs.
  If there is any way then please let me know how do i achieve.
  Thanks in advance.
  Thanks & Regds,
  Lalit

  The best way to control the syslog.log is to control the device sending syslog messages. If that is a specific one which is sending a lot of messages configure the device not to send any syslog to control the size.
  For details on how LMS Syslog works, please check my document :
  http://docwiki.cisco.com/wiki/Network_Management_Configuration_Example_for_Ciscoworks_LMS_Syslog_Configuration_via_GUI
  If this is not viable, the best way to control the syslog.log or any log file is to configure Logrot Utility within Ciscoworks.
  Log files rotation helps you manage the log files more efficiently. See Maintaining Log Files for an overview of maintaining the log files in CiscoWorks Server.
  Logrot is a log rotation program that enables you to control the log files size growth. It helps you to:
              > Rotate log files while CiscoWorks is running.
              > Optionally archive and compress rotated logs.
              > Rotate log files only when they have reached a particular size.
  Logrot helps you easily add new files. You can configure Logrot either from the UI or from the CLI. 
  For more details, please check :
  Using Logrot
  Managing Log Files
  Logrot from GUI
  -Thanks

• LMS 4.2 download broken

  Hello, is anyone able to download the LMS 4.2 Linux OVA images (for Vmware installation)?
  They are located in this section:
  Downloads Home > Products > Network Management and Automation > Routing and Switching Management > Cisco Prime LAN Management Solution > Cisco Prime LAN Management Solution 4.2 > LMS Software > Linux-4.2
  When I try to download the files:
  LMS 4.2 Virtual Appliance OVA - Medium (Part 1 of 2) 
  Cisco_Prime_LMS_4_2_1500_OVA.part1
  LMS 4.2 Virtual Appliance OVA - Medium (Part 2 of 2) 
  Cisco_Prime_LMS_4_2_1500_OVA.part2
  I get the message "This file is no longer available to be downloaded."
  I wonder if its just me or everyone that get this message?
  BR /Crille

  To confirm if the device is sending the syslogs and they are being received by LMS server properly, check the $NMSROOT/log/syslog.log and see it has the syslog from the device.
  Unless syslog is there on syslog.log, we don't expect LMS to react on any AA. 
  For configuration backup, try to sync the device config by initiating a manual job to update the latest configuration from device. Even if there is no Automated Action working, you should still have a reoccurring/scheduled job configured to archive configuration backup periodically.
  Following is a document I created for Syslog troubleshooting :
  Ciscoworks LMS : Syslog in a Nutshell!
  -Thanks
  Vinod
  **Encourage Contributors. RATE Them.**

• Cisco lms - config collection

  Hi, i'm looking for a way to collect config's from specific devices periodically, is this possible?
  for example, collect configs from firewalls everyday at midnight , and collect routers config once a week.
  firewalls: (about 3 devices, config changes every day)
  routers: (about 800 devices, rarely change the config)
  the only config collection schedule i have found so far is too simple:
  admin > collection settings > config > config collecion settings > periodic collection
  second question, is it possible for cisco lms to send via e-mail the diff of the config pulled from devices? i mean the specific commands that have appeared in the new configuration file.
  regards, ignacio

  Unfortunately, LMS syslog mechanism is very minimalistic and doesn't have a lot of options to it.
  However, the feature you're requesting is not very much LMS dependent. As, Ciscoworks depends on the kind of syslog message it receives from device, based on it, it captures some characters to send a notification as automated actions.
  So usually it is the device which won't send a lot of information on what changes was done by which user in normal IOS syslog messages.
  But, to certain extent, you can try to configure you device for Configuration-Change logger to receive details on what changes were made by users and check it on the syslog report, or configure AA on it for all or important devices.
  You can enable a configuration logger to keep track of configuration changes made with the command-line interface (CLI). When you enter the logging enable configuration-change logger configuration command, the log records the session, the user, and the command that was entered to change the configuration. You can configure the size of the configuration log from 1 to 1000 entries (the default is 100). You can clear the log at any time by entering the no logging enable command followed by the logging enable command to disable and reenable logging.
  Use the:
  show archive log config {all | number [end-number] | user username [session number] number [end-number] | statistics} [provisioning] privileged EXEC command to display the complete configuration log or the log for specified parameters.
  This example shows how to enable the configuration-change logger and to set the number of entries in the log to 500:
   Switch(config)# archive 
   Switch(config-archive)# log config
   Switch(config-archive-log-cfg)# logging enable
   Switch(config-archive-log-cfg)# logging size 500
   Switch(config-archive-log-cfg)# end
  So, in all, it depends on the device and the kind of syslogs it send for LMS to react on it.
  -Thanks
  Vinod
  **Encourage Contributors. RATE Them.**

• CiscoWorks log export

  So my organization got a logging solution called Logrhythm a while back. the operator of this server is asking if the Ciscoworks LMS syslogs can be exported to it. I'm not much of a Ciscoworks guy yet but can they be exported to another logging solution?
  Also...has anyone ever heard of Logrhythm? So far I haven't met anyone. If so what's you're take on it?
  Thanks

  Hello Applesmash,
  I would suggest you  to post this question under network management forum, where you can find better answers
  Hope to help
  Giuseppe

• Cisco LMS 3.2 SYSLOG not storing after 10 days

  Hi ,
  Im facing one issue with Cisco LMS 3.2
  Issue : The logs is generating only for 10 days and post that im not able to see the logs. I have not done any config changes. The only change i have done is i have completely reinstalled the LMS. i did multiple troubleshoot but not able to resolve this isse. It would be great If any some one is  able to help me in this isse.  Thanks.
  Regards,
  Juliet

  Dear Vinod
  Thanks for ur response and the problem has been resolved.
  The purge policy was set to 60 days only .The problem in reports viewing setting.
  Syslog folder under LMS would store syslog reports of both the device as well as applications for defined folder size , which in your case was 1 MB ( same can be viewed under log generator option).  The  older reports would get deleted from the folder upon reaching the limit.
  The only way to view device syslog is under following option :  Reports -> Reports Generator  in LMS  GUI where we will have to choose syslog with desired attribute.
  Regards,
  Juliet

• LMS 3.2 Syslog is not showing Report

  Hello,
  I have LMS 3.2 that is having Syslog reporting problem. The syslog messages are being sent to LMS and i can see them in the CSCOpx->log->syslog.log but when i try to generate a 24-hour report,the report is generated without any records.
  1- i tried to solved the problem by stopping the cisco works Daemon manger and CWCS syslog services then delete the syslog.log file.
      So after restarting these services the report worked for 4-5  mins and then stopped. Therfore the 24-hour report started displaying only the syslog
      messages are were pulled within the 4-5 mins that LMS worked.
  2- I repeated the process again but this time with no luck at all.
  3- I checked the Syslog Collector Status and it showed the following :
  SSL certificate status 
  SSL certificates are valid and properly imported
  Collector status 
  Collector 10.0.1.132 is up and reachable
  i have posted the SyslogAnalyzer and SyslogCollector.log
  Please if anyone can help i would be appreciated .
  Regards,
  George

  Hi,
  Its still possible that some services on server might be using the ports. Another possibility is to have improper SSL certificates. Try to re-generate SSL certificates with the host name of the server and not the FQDN even though server is now part of AD.
  Here is the procedure to re-generate SSL Certificates from CLI :-
  a.Stop Daemons
  C:\net stop crmdmgtd
  b. Remove server.* under NMSROOT\MDC\Apache\conf\ssl
  c. Run the following commands:
  CSCOpxMDC\Apache\perl ConfigSSL.pl -disable
  CSCOpx\MDC\Apache\perl ConfigSSL.pl -enable (fill up  the certificate info) when you will be prompt to enter server host name. kindly enter the server name and not FQDN.
  If you are not using SSL connectivity to CiscoWorks
  CSCOpx\MDC\Apache\bin\ConfigSSL.pl -disable
  d.Restart Daemons
  c:\net start crmdmgtd.
  Since the server is now part of the domain, kindly make sure you have server FQDN entry into the server host file at location :- WINDOWS\system32\drivers\etc\host
  If it still dont work then we need to enable the debugging for Syslog Collector. This can achieved by changing the INFO to DEBUG in Collector.propert
  ies file. Here is the procedure.
  1> Stop syslog collector process on the server (you can do this from the command line prompt):
  > pdterm SyslogCollector
  2. Open and edit the
  CSCOpx/MDC/tomcat/webapps/rme/WEB-INF/classes/com/csco/nm/rmeng/csc/data/Collector.propert
  ies file, and change the line from
  DEBUG_LEVEL=INFO
  to
  DEBUG_LEVEL=DEBUG
  Then, save the file.
  3. Restart syslog collector process.
  > pdexec SyslogCollector
  Try to reproduce the issue and send debug log from location :- CSCOpx/log/SyslogCollector.log
  Thanks,
  Gaganjeet

• LMS 4.2 Syslog File Size and Management

  Hello All
  i have LMS 4.2 in Network with 100 devices, all of my devices have ACL so, there are too many logs in syslog
  after a while the size of the log files in /var/log files (boot.log, messages.log) going to have huge size, something about 20G for each one
  I'm looking for a way to reduce the size, is it possible to use Log Rotation or not??
  Best Regards
  John Mayer

  Ideall Logs are supposed to fill the syslog file sooner or later. Though logrot is amongst a best way to keep the Syslog file size in check.
  You can check the procedure for Logrot here :
  Configuring Log Files Rotation
  Additionally, there are some more Syslog Administrative Tasks which can keep your syslog in control. You can perform the following Administrative tasks:
  •Back up Syslog messages (see Setting the Syslog Backup Policy).
  •Purge Syslog messages (see Setting the Syslog Purge Policy).
  •Perform a Forced Purge (see Performing a Syslog Forced Purge).
  -Thanks

• Accessing Syslog on LMS 3.0.1

  Hello
  Hopefully quite a straight forward question
  Is there a way of viewing the syslog through the LMS portal as opposed to viewing the syslog directly from within \NMSroot\CSCOpx\log ?
  Many Thanks

  Hi,
  So far all logs look good except from the stdout.log, i found the exception :-
  Local Server URL :https://ctrsyscem01:443
  [Thu Apr 21 09:55:45 GMT 2011]CsAuthServlet.getRole(): User 'sirad' not found, returning role 'HD
  HD means = help desk role
  Is the LMS server is integrated with ACS and if yes what is the status of LMS- ACS integration. Kindly share the screenshot of Common Services > Home to see if the ACS is showing up in Green colour or Red. Red means LMS - ACS integration is broken.
  The best thing I will suggest you to upgrade to LMS 3.2 which is free for all the customer running LMS 3.0 \ LMS 3.0.l \ LMS 3.1. You can direcly upgarde to LMS 3.2 by downloading the evaluation version from www.cisco.com\go\lms Under the featured contents tab.
  However, if you still want to troubeshoot this issue at LMS 3.0.1, then kindly enable the debugging for License Server from Common Services > Server > Admin > CS Log Configuration > select Licensing > Enable.
  Reproduce the issue again and send the following logs from the location  CSCOpx\log :-
  License.log.
  Its higly recommended that you should upgrade to LMS 3.2.
  Thanks,
  Gaganjeet

• LMS 3-2 / RME 4.3.1 and syslog forwarding sends extra blank syslog

  Customer is telling me they setup syslog forwarding (I didn't ask where they did this), but they state that each syslog message being forwarded that another blank syslog is sent to that device along with the forwarded message.
  Any ideas why the blank syslog gets sent with the forwarded syslog?
  LMS Bundle 3.2
  Campus Manager 5.2.1
  RME 4.3.1

  I think the customer is shooting the messenger.
  Find out where the syslog is forwarded. Probably something wrong there
  LMS doesn't do syslog forwarding normally
  I guess you could create a script that could do that.
  Cheers,
  Michel.

• LMS 3.2 SP1 - Syslog Report times out / CW14: NO HTTP response

  Hi,
  in Device Center I can´t start the Syslog Report, it opens a new Browser window and times out.
  If I start the "Device Troubleshooting" from the Device Center, all checks are successful. Just the check "Syslog Message" show the error: CW14: NO HTTP response from Servername
  I have LMS 3.2 SP 1 installed
  I already re set the System Identity User and restarted the daemon, no success.
  What should I check? Is it a known problem ?
  Best regards,
  Patrick
  UP

  Hey,
  i maybe found the failure.
  In the dir "CSCOpx\databases\rmeng" the following files are very big.
  So I started a immediate syslog purge job, but it failed.
   [ Thu Jul 28  09:00:33 CEST 2011 ],INFO ,[main],Starting purge job 5349
   [ Thu Jul 28  09:00:33 CEST 2011 ],INFO ,[main], Its a force Purge job
   [ Thu Jul 28  09:02:21 CEST 2011 ],ERROR,[main],Drop table failed:SQL Anywhere Error -210: User 'DBA' has the row in 'SYSLOG_20110627' locked 8405 42W18
   [ Thu Jul 28  09:02:21 CEST 2011 ],ERROR,[main],Failed to purge syslogs
   [ Thu Jul 28  09:02:22 CEST 2011 ],ERROR,[main],Purge not successful
  Can anyone say me, how to fix it?
  Best regards
  Patrick