No syslog messages appear in CiscoWorks syslog report
Hi,
We just installed a new CiscoWorks LMS 3.2 and send all switch syslog messages to this CiscoWorks LMS 3.2 server and to the old CiscoWorks LMS 2.5 server.
The old CiscoWorks LMS 2.5 server can receive syslog messages and they appear in the old LMS 2.5 syslog report, but no syslog messages appear in the new LMS 3.2 syslog report for some devices. I checked the syslog collector and it seems OK. I used Wireshark to check that the new CiscoWorks LMS 3.2 server has received the syslog messages sent from the device, and I only use the default syslog filter on the new CiscoWorks LMS 3.2 server.
Please advise me how to troubleshoot this problem.
Best Regards,
Jackson Ku
Is your collector subscribed? You could verify this under RME -> Tools -> Syslog -> Syslog Collector Status. Please post a screenshot of this page.
Do you see the syslog messages in syslog.log/syslog_info file on the server?
Similar Messages
-
LMS 4.1 is not showing any valid syslog messages, only invalid messages.
Is there anything different in 4.1 that needs to be set?
Hi,
No, there is nothing different in 4.1.
Check or try to change the filter settings at the location below:
Admin > Network > Notification and Action Settings > Syslog Message Filters
Thanks
Afroj -
RME (LMS 3.2) No detect Change Configuration automatically by Syslog Messages
Hi,
I have a problem with the "change audit" trigger for syslog messages. I set all my devices to send syslog messages to the CiscoWorks server. When I make any change, the syslog message is sent correctly to the CiscoWorks server, but it does not automatically start collecting the configuration (config fetch).
Only when I manually start "sync archive" is the configuration stored and the change in configuration detected.
Nothing has been changed in "Config Fetch" under the Syslog "Automated Actions".
Thanks
Hi,
You can check RME > Tools > Syslog > Automated Actions to verify nothing was changed.
Then display 'Config Fetch'. There is contextual help available:
http://:1741/help/rme/fundamentals/index.html?syslog_Defining_Automatd_Actions.html#wp1211314
Nick -
ACS appliance1120 ACS 4.2.1.15 syslog message to syslog server
Hi All ,
I am using an ACS 1120 appliance running ACS version 4.2.1.15. I am pointing all syslog messages to my external syslog server (passed authentication, failed authentication, database replication, administration audit, TACACS accounting), but I receive only the passed authentication log messages on my external log server. No other log message except passed authentication is pushed to my external log server, but I can see failed attempts, database replication and administration audit log messages locally on my ACS appliance as CSV files.
The syslog server is configured under all logging (passed, failed, administration, TACACS accounting), but I am surprised to see that only the passed authentication log is sent out from the ACS appliance. Is there any patch to be installed for log message scripting? Please advise.
Refer to the link: https://supportforums.cisco.com/discussion/11513026/migrating-acs-420-421
You can directly upgrade from 4.2.0.124 to 5.6: http://www.cisco.com/c/en/us/td/docs/net_mgmt/cisco_secure_access_control_system/5-6/user/guide/acsuserguide/migrate.html#98379 -
BOMGR 0070 message in a Full Client report from webintelligence
Hi, I have a problem with a FullClient report from Webi. This report runs very well in FullClient, but when I try to run it from WebIntelligence, it sends me the following error message:
"System error COM error during call to BusinessObjects server process. (Error: BOMGR 0070) The remote procedure call failed. no error message to display "
I'm working with BO 6.5 on Windows, with IIS.
I have a condition in this report that asks me for a date interval. If I have 4 years in this interval, I don't have any problem, but if I have more than 4 years, like 8 years, the message appears and stops the report.
I have two queries in this report, and only one of them has the condition; in the report I then link the information by a key column.
I've checked the log files, but they haven't given additional information. The BOMgr log, for example, says:
"2009/04/13 15:42:40.677|>>|E| | 4376|5868| |||||||||||||||CATCH :# BO Manager returns a COM error to the client!
2009/04/13 15:53:32.843|==| | | 4376|5868| |||||||||||||||### Create SessionManager smart proxy ...
2009/04/13 15:53:32.858|==| | | 4376|5868| |||||||||||||||LOG : DocContext file deleted [ dc#=1, docid='wi00000001', doc name='AD-HOCProd.rep', path name='D:Program FilesBusiness ObjectsBusinessObjects Enterprise 6
odesmxwin11002mycluster empsessions876_1039265889$es33B53903211A44FB385726F9QT6wi00000001xy_name.rep' ]
2009/04/13 15:53:32.858|==| | | 4376|5868| |||||||||||||||LOG : DocContext destroyed
2009/04/13 15:53:33.187|==| | | 4376|5868| |||||||||||||||LOG : DocContext file deleted [ dc#=2, docid='wi00000002', doc name='Líneas Personales.rep', path name='D:Program FilesBusiness ObjectsBusinessObjects Enterprise 6
odesmxwin11002mycluster empsessions876_1039265889$es33B53903211A44FB385726F9QT6wi00000002xy_name.rep' ]
2009/04/13 15:53:33.187|==| | | 4376|5868| |||||||||||||||LOG : DocContext destroyed
2009/04/13 15:53:33.187|==| | | 4376|5868| |||||||||||||||DeleteTempDirectory(D:Program FilesBusiness ObjectsBusinessObjects Enterprise 6
odesmxwin11002mycluster empsessions876_1039265889$es33B53903211A44FB385726F9QT6)"
Someone help me. Thanks in advance.
Thanks for your input, Laura. The only name that is longer than 8 characters in the URL is the server name, 9 letters. I tried mapping a drive to the location, to connect to X:\grpwise\po instead, but I am getting the same error. In case the servername is the problem, I am going to clear some space on another server, restore there, and see what happens.
-
Hi, I'm hoping someone can help me get my syslog messages to appear when I'm logged into the switch via SSH on a Cisco 4510R Switch. The ones that appear when I shutdown/no shutdown interfaces, leave global config mode, all the basic messages I'm used to seeing when logged in via console, telnet, or ssh.
The show run command displays logging console critical, which is the default of (2) I believe.
In global config, I set logging monitor 2, and also tried both console and monitor at level 5. Nothing is showing up.
Show logging displays all the latest messages, but I'm used to these showing up as things are configured.
This is the way the switch was set up prior to my working here.
Does anyone have any idea why this is, and how I can get it working?
Thanks.
According to your configuration guide the default is debugging, i.e. level 7, so I suspect this has been changed.
In regards to your question, if you are logged in via a vty line then you need to change the monitor level, but then you may also need to type -
"terminal monitor" or "term mon" for short.
If you want to turn it off -
"terminal no monitor"
Jon -
Syslog Message Filter Device Selection
We have installed LMS 3.0.1 with RME 4.1.1. I have enabled the Syslog Link Up/Down Message Filter that comes preconfigured with CiscoWorks. When the message filter is configured for All Managed Devices it works perfectly and filters out all the Up/Down messages. But if I select the Choose Devices option and specify certain devices, it does not seem to work at all. All the Up/Down messages appear for all devices for some reason. Any idea what I'm doing wrong?
Thanks
Jamie
The way this is *supposed* to work is:
1) Create the filter and specify which devices you want to apply it to.
It should not be necessary to create multiple filters for the same message,
unless not all devices were included in your original filter.
2) Drop certain messages, for which you have defined filters, so we should
Enable the filter and choose Drop. Set "Include interfaces of selected
devices" to No.
3) RME > Admin > System Preferences > Loglevel Settings, verify
SyslogAnalyzer is set to DEBUG. The UI module should be INFO.
4) Stop the daemon manager (net stop crmdmgtd). Also, go to
Control Panel > Admin Tools > Services and stop the syslog service.
5) On Windows, please delete any huge *.log file. When the daemon
manager and syslog service are restarted, these files will be regenerated.
Be sure to delete these:
- AnalyzerDebug.log
- SyslogAnalyzer.log
- SyslogCollector.log
- syslog.log
6) Restart the syslog service, then restart the daemon manager
(net start crmdmgtd).
When a message that you feel should be filtered out occurs, send me
the following:
(a) Portion of syslog.log file showing the specific message.
(b) AnalyzerDebug.log showing the corresponding message.
(c) Send current screenshot of your Message Filter page.
(d) Click on the filter name and send screenshot of the resulting page.
(e) Also include a screenshot of the Syslog Collector Status page.
7) Remove the debug settings. -
I have an issue with a switch's syslog messages showing up in the failed authentication attempts report in the AAA.
If anyone has any thoughts, let me know!!
CHRIS
Do you perhaps have this switch console connected on a terminal server, and if so, does the terminal server have "no exec" configured on the lines used for reverse telnet?
I have seen symptoms similar to what you describe in a situation where I had a switch whose console port was connected to a terminal server and the terminal server lines did not have no exec. It looks like there was some activity on the switch which the terminal server presented a login prompt. The next text displayed on the switch was interpreted by the terminal server as the login id and was logged in the failed attempts log.
HTH
Rick -
Prime Infra 2.0 alert when syslog message received
Dear member,
May I know whether Prime Infra 1.3 or 2.0 can alert a user when a syslog message is received?
If yes, is there a configuration guide for reference?
Regards
Hi Russ,
PI does not actually keep a record of the raw syslog messages it receives, and there is no report for syslogs. When PI receives a syslog, it will immediately process the message and convert it to an event/alarm.
Also, note that PI only processes severity 1 and 2 syslogs. The closest thing you can get to a syslog report would be to run an advanced search for events.
For other alarms and events you can go to the Operate > Alarms & Events > Email Notification page. Make sure that the alarm categories that you want to have notifications for also have the Enable checkbox checked.
Thanks-
Afroz
[Do rate the useful post] -
Ciscoworks syslog collector issue
Hi All,
In a central location I have a CiscoWorks syslog collector version 3.5. The issue is that not all the logs generated on the devices are collected by CiscoWorks, including those from devices connected on the LAN. The major issue is on Cisco 6500 series switches, where I see multiple interface flaps in the log but only a few are found in syslog.
Regards,
Sathvik
Hi,
Check here: Admin > Collection Settings > Syslog > Syslog Collector Status, and see if messages are falling under Filtered or Invalid.
Then check the filter:
Admin > Network > Notification and Action Settings > Syslog Message Filters
I would suggest you create a filter with all * and see if that helps.
you can look at this thread as well:
https://supportforums.cisco.com/thread/2244888?tstart=60
Thanks-
Afroz
[Do rate the useful post] -
How do I get syslog messages from an AP350 sent to my Ciscoworks2000?
I am running Ciscoworks2000 and trying to get my Access Points to send messages to the RME. I have enabled SNMP and created users with the correct SNMP strings. Any help in getting as much information from the APs to Ciscoworks would be greatly appreciated.
Darcy,
The setup for syslog is different to setting up SNMP. Refer to the following URL re the 'Event Notifications Setup Page'. http://www.cisco.com/univercd/cc/td/doc/product/wireless/airo_350/accsspts/ap350scg/ap350ch7.htm#1037065
In particular, please make sure that you check the 'Yes' button for 'Should Syslog Messages use the Cisco EMBLEM Format', otherwise RME will not recognise the format of the syslog messages that it receives.
As mentioned by one of the other respondents, you must also check that the AP is recognised in the RME Inventory as a Managed Device.
A list of what devices are supported in the various versions of RME can be found on CCO at http://www.cisco.com/univercd/cc/td/doc/product/rtrmgmt/cw2000/cw2000e/dev_sup/index.htm -
Hi all,
On my ASA 5540 firewall, I am getting this syslog message every day:
4 Jul 07 2014 08:57:39 [ Scanning] drop rate-2 exceeded. Current burst rate is 0 per second, max configured rate is 8; Current average rate is 7 per second, max configured rate is 4; Cumulative total count is 28683
Please explain the above-mentioned syslog.
Hi Kabeer,
That is because of the threat detection value set on your ASA. This might be an attack.
Because of the scanning rate configured and the threat-detection rate scanning-rate 3600 average-rate 15 command:
%ASA-4-733100: [144.60.88.2] drop rate-2 exceeded. Current burst rate is 0 per second, max configured rate is 8; Current average rate is 5 per second, max configured rate is 4; Cumulative total count is 38086
Recommended Action
Perform the following steps according to the specified object type that appears in the message:
1. If the object in the message is one of the following: Firewall, Bad pkts, Rate limit, DoS attck, ACL drop, Conn limit, ICMP attck, Scanning, SYN attck, Inspect, Interface
Check whether the drop rate is acceptable for the running environment.
2. Adjust the threshold rate of the particular drop to an appropriate value by using the threat-detection rate xxx command, where xxx is one of the following: acl-drop, bad-packet-drop, conn-limit-drop, dos-drop, fw-drop, icmp-drop, inspect-drop, interface-drop, scanning-threat, syn-attack
3. If the object in the message is a TCP or UDP port, an IP address, or a host drop, check whether or not the drop rate is acceptable for the running environment.
4. Adjust the threshold rate of the particular drop to an appropriate value by using the threat-detection rate bad-packet-drop command.
Note: If you do not want the drop rate exceed warning to appear, you can disable it by using the no threat-detection basic-threat command.
You can refer the below mentioned cisco document for more information.
http://www.cisco.com/c/en/us/td/docs/security/asa/syslog-guide/syslogs.pdf
Regards
Karthik -
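As an added example (not part of the original replies and not Cisco code), the following Python parses the drop-rate message quoted in this thread, reports which configured limit the current rate exceeds, and sorts the object into the two branches of the Recommended Action (a listed category, or an IP address). The function and variable names are assumptions made for illustration, and the sample input is the two messages quoted above.

```python
import ipaddress
import re

# Object names listed in step 1 of the Recommended Action quoted above.
CATEGORY_OBJECTS = {
    "Firewall", "Bad pkts", "Rate limit", "DoS attck", "ACL drop", "Conn limit",
    "ICMP attck", "Scanning", "SYN attck", "Inspect", "Interface",
}

# Body of the drop-rate message, as it appears in the two samples in this thread.
DROP_RATE_RE = re.compile(
    r"\[\s*(?P<object>[^\]]+?)\s*\] drop rate-(?P<rate_id>\d+) exceeded\. "
    r"Current burst rate is (?P<burst>\d+) per second, "
    r"max configured rate is (?P<burst_max>\d+); "
    r"Current average rate is (?P<avg>\d+) per second, "
    r"max configured rate is (?P<avg_max>\d+); "
    r"Cumulative total count is (?P<total>\d+)"
)

# Sample input: the two messages quoted in this thread.
SAMPLES = [
    "4 Jul 07 2014 08:57:39 [ Scanning] drop rate-2 exceeded. Current burst rate "
    "is 0 per second, max configured rate is 8; Current average rate is 7 per "
    "second, max configured rate is 4; Cumulative total count is 28683",
    "%ASA-4-733100: [144.60.88.2] drop rate-2 exceeded. Current burst rate is 0 per\n"
    "second, max configured rate is 8; Current average rate is 5 per second, max\n"
    "configured rate is 4; Cumulative total count is 38086",
]

def classify_object(obj):
    """Return 'category', 'host' (an IP address) or 'other' for the bracketed object."""
    if obj in CATEGORY_OBJECTS:
        return "category"
    try:
        ipaddress.ip_address(obj)
        return "host"
    except ValueError:
        return "other"

def parse_drop_rate(line):
    """Parse one drop-rate message into a dict, or return None if it is another message."""
    # Collapse whitespace first so messages wrapped across lines still match.
    m = DROP_RATE_RE.search(" ".join(line.split()))
    if m is None:
        return None
    row = {k: (v if k == "object" else int(v)) for k, v in m.groupdict().items()}
    row["kind"] = classify_object(row["object"])
    # Record which configured limit the current rate is above.
    row["exceeded"] = [name for name, cur, limit in (
        ("burst", row["burst"], row["burst_max"]),
        ("average", row["avg"], row["avg_max"])) if cur > limit]
    return row

def triage(lines):
    """Parse every drop-rate message in lines, skipping unrelated log lines."""
    return [row for row in map(parse_drop_rate, lines) if row is not None]

if __name__ == "__main__":
    for row in triage(SAMPLES):
        print(row)
```

In both quoted messages it is the average rate, not the burst rate, that is above its configured maximum.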
IPSLA/Perfromance/IPM: syslog message on collector down/failed
Dears,
The customer is upgrading from CiscoWorks SNMS and they feel they lose a lot of valuable info.
They now have a few maps that give an at-a-glance state of the network. There is little I can do in LMS 4.1 to cover that.
The main problem for now is alerting on a host that runs a service like SMTP, DNS, etc. and some hosts that should be pingable.
I'm trying to configure a collector on "IPM/ IPSLA/Performance" to run tests like echo, SMTP and DNS from a few central devices.
I think an IPSLA device is capable of sending syslog messages when the collector action 'fails', right?
Does anyone know what these messages look like?
I'd like to generate an alert using the syslog automated actions, so I need to know what I can expect, provided my assumptions are correct.
Cheers,
Michel
I am amazed.
When I use LMS to configure the devices to send IPSLA SYSLOG it configures ..... traps!
"IP SLA jobs for syslog configuration"
rtr logging traps
ip sla logging traps
ip sla monitor logging traps
I found this other thread https://supportforums.cisco.com/thread/176841
It seems what is being said in LMS help and on cisco.com is perhaps somewhat misleading.
It can send traps not syslogs.
Now looking at the helpfile I get the impression someone is confused about syslog and traps
"IPSLA Syslog Configuration
Syslog is a trap message that is sent from the device if any changes occur to the device. You can either enable or disable the IPSLA Syslog. However the IPSLA Syslog can be configured only by a Network Administrator or System Administrator.
The Device Selector will display only the Source devices that are IPSLA enabled. It does not display any Target devices.
To enable or disable IPSLA Syslog: "
A SYSLOG message is not a trap message!
Can someone shed some light on this?
Can I get LMS to act upon a failing collector? -
Crash report application, what is that? When I shut down the computer this message appeared: the application Crash Reporter doesn't let the computer shut down
Command-Option-Escape does the same as
Apple Menu > Force Quit...
It opens a floating box that lists current major Applications and their status (e.g., Not responding) and allows you to force quit any single Application or re-launch the Finder. -
MacBook froze while online. Hard shutdown. When it restarted, an error message appeared saying Finder shut down unexpectedly, containing a message box with a long list of technical gibberish. After clicking OK that it would send an error report to Apple, the same error message box appeared again and again every time OK was clicked. Now the MacBook will not turn on at all
If you're able to boot, launch the Console application in any of the following ways:
☞ Enter the first few letters of its name into a Spotlight search. Select it in the results (it should be at the top.)
☞ In the Finder, select Go ▹ Utilities from the menu bar, or press the key combination shift-command-U. The application is in the folder that opens.
☞ If you’re running Mac OS X 10.7 or later, open LaunchPad. Click Utilities, then Console in the page that opens.
Select the most recent panic log under System Diagnostic Reports. Post the contents — the text, please, not a screenshot. In the interest of privacy, I suggest you edit out the “Anonymous UUID,” a long string of letters, numbers, and dashes in the header and body of the report, if it’s present (it may not be.) Please don't post "shutdownStall" or "hang" reports.
If you can't boot in the usual way, try a safe boot. The instructions provided by Apple are as follows:
Be sure your Mac is shut down.
Press the power button.
Immediately after you hear the startup tone, hold the Shift key. The Shift key should be held as soon as possible after the startup tone, but not before the tone.
Release the Shift key when you see the gray Apple icon and the progress indicator (looks like a spinning gear).
During startup, you’ll see a progress bar, and then the login screen, which appears even if you normally log in automatically. You must know your login password in order to log in. If you’ve forgotten the password, you will need to reset it before you begin.
Safe mode is slower than normal, and some things won’t work at all.
Note: If FileVault is enabled under Mac OS X 10.7 or later, you can’t boot in safe mode.