Syslog issue

I have a syslog scheduled job that runs every morning at 7am. Every Monday it runs empty until I restart the daemon; it's been doing it for several weeks. Today I haven't restarted the daemon and started poking around. I went in and ran log rotation since the syslog_info was large, but that didn't help. Any other suggestions?

What version of LMS are you running? Go to Common Services ---> Software Center --> Software Update and post the screenshot of version.
How large is the syslog.log file?
Post the SyslogCollector.log and SyslogAnalyzerUI.log file.
And if you don't care for the syslog.log file, you can stop the CiscoWorks Daemon and delete the syslog.log and restart the daemon manager so it can automatically create a new one.

Similar Messages

  • LMS 4.2.4 intermittent Syslog issue

    Hi All,
    Syslog services on the LMS stop all of a sudden and don't reflect the current logs from the devices until we restart services.
    Performed the steps below:
    -> Found the device logs are making their way to the syslog.log file (CSCOpx>logs)
    -> SyslogCollector and SyslogAnalyzer are in a healthy state.
    -> Even the collector subscription status is fine.
    After the restart of the SyslogCollector and SyslogAnalyzer the logs are reflected on LMS again. The issue is intermittent and has reappeared a couple of times. Any suggestions to find the root of the problem?
    Regards,
    Channa

    Hi Channa,
    Looks like you are getting a huge number of syslogs from your devices:
    SyslogCollector - [Thread: EvaluatorThread-0] INFO , 10 Jul 2014 16:53:16,389, Anonymous Dropping the syslog as queue is full 100000
    SyslogCollector - [Thread: EvaluatorThread-0] INFO , 10 Jul 2014 16:53:16,390, Anonymous Dropping the syslog as queue is full 100000
    SyslogCollector - [Thread: EvaluatorThread-0] INFO , 10 Jul 2014 16:53:16,390, Anonymous Dropping the syslog as queue is full 100000
    SyslogCollector - [Thread: EvaluatorThread-0] INFO , 10 Jul 2014 16:53:16,391, Anonymous Dropping the syslog as queue is full 100000
    SyslogCollector - [Thread: EvaluatorThread-0] INFO , 10 Jul 2014 16:53:16,392, Anonymous Dropping the syslog as queue is full 100000
    SyslogCollector - [Thread: EvaluatorThread-0] INFO , 10 Jul 2014 16:53:16,393, Anonymous Dropping the syslog as queue is full 100000
    SyslogCollector - [Thread: EvaluatorThread-0] INFO , 10 Jul 2014 16:53:16,393, Anonymous Dropping the syslog as queue is full 100000
    SyslogCollector - [Thread: EvaluatorThread-0] INFO , 10 Jul 2014 16:53:16,394, Anonymous Dropping the syslog as queue is full 100000
    SyslogCollector - [Thread: EvaluatorThread-0] INFO , 10 Jul 2014 16:53:16,394, Anonymous Dropping the syslog as queue is full 100000
    SyslogCollector - [Thread: EvaluatorThread-0] INFO , 10 Jul 2014 16:53:16,395, Anonymous Dropping the syslog as queue is full 100000
    SyslogCollector - [Thread: EvaluatorThread-0] INFO , 10 Jul 2014 16:53:16,396, Anonymous Dropping the syslog as queue is full 100000
    SyslogCollector - [Thread: EvaluatorThread-0] INFO , 10 Jul 2014 16:53:16,396, Anonymous Dropping the syslog as queue is full 100000
    SyslogCollector - [Thread: EvaluatorThread-0] INFO , 10 Jul 2014 16:53:16,397, Anonymous Dropping the syslog as queue is full 100000
    which is why they are getting dropped.
    Two suggestions:
    First: check the filters > configure the filters for only those messages that you want.
    Second: plan to upgrade the LMS from 4.2.4 to 4.2.5. LMS 4.2.5 has a fix for the syslog issue. In 4.2.5 syslogs are well managed.
    BUG: CSCul38962 : Syslog dropping issue
    The above bug is fixed in 4.2.5.
    Thanks-
    Afroz
    ***Ratings Encourages Contributors ****
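
Added example (not part of the thread and not LMS code): a small parser that counts the "queue is full" drop lines in a SyslogCollector.log and reports which seconds saw a burst, so dropped-syslog windows can be matched against gaps in reports. The line layout is taken from the excerpt quoted above; the sample lines, the function name and the burst threshold are constructed for illustration.

```python
import re
from collections import Counter
from datetime import datetime

# Line layout as seen in the SyslogCollector.log excerpt quoted in the thread.
LINE_RE = re.compile(
    r"^\s*SyslogCollector - \[Thread: (?P<thread>[^\]]+)\]\s*(?P<level>\w+)\s*,\s*"
    r"(?P<ts>\d{1,2} \w{3} \d{4} \d{2}:\d{2}:\d{2}),(?P<ms>\d{3}),\s*(?P<msg>.*)$"
)
DROP_RE = re.compile(r"Dropping the syslog as queue is full (?P<size>\d+)")

# Constructed sample input in that layout (not a real capture).
SAMPLE_LOG = """\
SyslogCollector - [Thread: EvaluatorThread-0] INFO , 10 Jul 2014 16:53:15,998, Anonymous constructed non-drop line
SyslogCollector - [Thread: EvaluatorThread-0] INFO , 10 Jul 2014 16:53:16,389, Anonymous Dropping the syslog as queue is full 100000
SyslogCollector - [Thread: EvaluatorThread-0] INFO , 10 Jul 2014 16:53:16,390, Anonymous Dropping the syslog as queue is full 100000
SyslogCollector - [Thread: EvaluatorThread-0] INFO , 10 Jul 2014 16:53:16,391, Anonymous Dropping the syslog as queue is full 100000
SyslogCollector - [Thread: EvaluatorThread-0] INFO , 10 Jul 2014 16:53:16,999, Anonymous Dropping the syslog as queue is full 100000
SyslogCollector - [Thread: EvaluatorThread-0] INFO , 10 Jul 2014 16:53:17,002, Anonymous Dropping the syslog as queue is full 100000
this constructed line does not follow the layout and is counted as unparsed
"""


def summarize_drops(lines, burst_threshold=3):
    """Count queue-full drops and list the seconds with >= burst_threshold drops."""
    per_second = Counter()
    queue_sizes = set()
    unparsed = 0
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            if line.strip():
                unparsed += 1  # keep track of lines the layout regex missed
            continue
        drop = DROP_RE.search(m.group("msg"))
        if not drop:
            continue  # a well-formed line that is not a drop notice
        ts = datetime.strptime(m.group("ts"), "%d %b %Y %H:%M:%S")
        per_second[ts] += 1
        queue_sizes.add(int(drop.group("size")))
    return {
        "total_drops": sum(per_second.values()),
        "queue_sizes": sorted(queue_sizes),
        "first_drop": min(per_second) if per_second else None,
        "last_drop": max(per_second) if per_second else None,
        "burst_seconds": sorted(t for t, n in per_second.items() if n >= burst_threshold),
        "unparsed_lines": unparsed,
    }


if __name__ == "__main__":
    report = summarize_drops(SAMPLE_LOG.splitlines())
    for key, value in report.items():
        print(f"{key}: {value}")
```

Every line counted here is a device message that never reached the syslog database, so the burst windows are also the windows in which reports and automated actions have nothing to act on.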

  • Syslog issue in LMS 4.2

    Hi, I am facing a weird issue with device syslogs. I can see syslog from only a few devices, though we have 160 devices.
    Can anyone help me to get it running?
    Thanks

    The first thing to look at is whether the devices are configured properly to send syslogs to CiscoWorks.
    If yes, check Syslog.log (win) or syslog_info (sol/lin) to see if the missing devices' syslogs appear in that file. If the syslog is present in the file, check whether the filters are configured properly to forward the syslog to the syslog DB; otherwise they might be dropped.
    The attached image explains the CiscoWorks syslog architecture properly.
    -Thanks
    Vinod

  • EEM syslog issue

    I have an issue with the syslog output of my EEM script. The syslog command below does work. It sends an individual syslog message to my mgmt station for EACH line of CLI output. I confirmed this with Wireshark. The "show log" output looks fine (see below). I would like to get all the CLI output, or at least most of it, in ONE large syslog message. Anyone know how to fix this?
    <script>
    event manager applet SH_IP_NAT_STATS
    event timer cron name nat_stats cron-entry "0-59/5 * * * *"
    action 1.1 cli command "sh ip nat statistics"
    action 1.2 syslog msg "cli: $_cli_result"
    Log Buffer (52000 bytes):
    000080: *Nov 15 04:30:00.052: %HA_EM-6-LOG: SH_IP_NAT_STATS: cli:
    Total active translations: 38 (1 static, 37 dynamic; 38 extended)
    Peak translations: 135, occurred 00:25:23 ago
    Outside interfaces:
      FastEthernet0/0, FastEthernet0/1
    Inside interfaces:
      Vlan10
    Hits: 6270  Misses: 0
    CEF Translated packets: 1078, CEF Punted packets: 5192
    Expired translations: 622
    Dynamic mappings:
    -- Inside Source
    [Id: 1] route-map nonat interface FastEthernet0/1 refcount 37
    Appl doors: 5
    Normal doors: 0
    Queued Packets: 0

    Ah, I misunderstood.  There are a number of ways you could do this.  One thing that might be easiest is to configure two applets:
    event manager applet MARVEL
    event syslog pattern "%MWR2900MRVL_FLTMG-5-EVENT_WARNING"
    action 1.0 cli command "enable"
    action 2.0 syslog msg "MWR2900MRVL: Marvell Chip Bug detected"
    action 3.0 cli command "clear mac-address-table secure"
    action 4.0 cli command "config t"
    action 5.0 cli command "event manager applet MARVEL"
    action 6.0 cli command "event none"
    action 7.0 cli command "exit"
    action 8.0 cli command "event manager applet MARVEL-countdown"
    action 9.0 cli command "event timer countdown time 3600"
    action 9.1 cli command "end"
    event manager applet MARVEL-countdown
    event none
    action 1.0 cli command "enable"
    action 2.0 cli command "config t"
    action 3.0 cli command "event manager applet MARVEL-countdown"
    action 4.0 cli command "event none"
    action 5.0 cli command "event manager applet MARVEL"
    action 6.0 cli command "event syslog pattern %MWR2900MRVL_FLTMG-5-EVENT_WARNING"
    action 7.0 cli command "end"

  • Syslog issue in ACE

    I worked on the ACE last night.
    I configured two contexts, 128 and 130.
    There is no problem with load-balancing the server farm,
    but there are some issues with the logging server.
    I configured the logging buffer 6 to send the system messages to the syslog server.
    I didn't configure the resource class related to the syslog buffer in the Admin context; it's the default, unlimited.
    This morning
    I logged in to the syslog server and looked at the log to check for syslog messages from the ACE,
    but there were no syslog messages on my syslog server. I think the ACE doesn't send syslog to the syslog server. So I cleared the log messages in the system buffer, and I received the log messages from the ACE.
    What happened in the ACE? Is it a possible bug, or did I misconfigure something?
    Can anyone tell me why this situation happens?
    Why could I receive the logs after clearing the log in the ACE?
    Do I have to clear the log buffer to receive syslog from the ACE?
    The configuration is like below:
    logging enable
    logging standby
    logging console 3
    logging timestamp
    logging trap 6
    logging buffered 6
    logging host 192.168.100.1 udp/514
    the system image is "c6ace-t1k9-mz.3.0.0_A1_6_2a.bin"

    That's weird, but it might be because the syslog resources were all used already, so they couldn't be allocated to your new context and the syslog process failed to start.
    Once you cleared the buffer in Admin, you freed the syslog resources and the context could activate the syslog process.
    We do recommend setting a max-limit on the syslog buffer to avoid consuming all the resources and to allow creation of new contexts.
    Gilles.

  • Syslog Issue in RME

    Hi ,
    I am able to see syslog messages if I enable SNMP syslog traps on my device, but I am not able to generate a syslog messages report in RME. I have already enabled logging commands with the LMS IP and default port 514 on my devices, and all other syslog services are also running fine. I have also enabled the syslog backup policy with the default path.
    Please find the attached logs and kindly check where the issue may be.
    Rgds,
    Kamal Singh
    9910213708

    I do not see any Cisco syslog messages in this syslog.log file.  If you have logging enabled on the devices, make sure that udp/514 is open between the device and the LMS server.  To verify that the messages are making it to the server, start a sniffer trace on the LMS server filtering on udp/514 traffic.  Generate some messages from a test device, and confirm that you see those messages in the sniffer trace.  If not, check with your firewall or network administrators to make sure there are no filters or ACLs which could be blocking this traffic.

  • RME 4.3.1 on new server - 2 issues with Inventory and syslog

    Hi,
    I recently installed a new Server 2003 with LMS3.2, and after the problems with DevicePackages I resubmitted all devices and the Device Center tasks that were missing have now reappeared.
    So I went on and added my two VPN3030 VPN Concentrators.
    This device is supported for RME inventory and syslog.
    I got the config archive running (!) so that's fine (runs via HTTPS login).
    I have two issues:
    1. I cannot get inventory to work.
    I have communication going, and a packet trace/sniff shows I have syslog going into RME and I see SNMP GETs and responses to/from the device.
    I see some Java error logs in the ic_server.log file.
    I have tried with two different LMS32 servers.
    I have increased the SNMP timeout etc.
    I tried deleting the device and rediscovering.
    The logs are like this:
    [ Thu Aug 19  10:12:30 CEST 2010 ],ERROR,[Thread-14],com.cisco.nm.rmeng.inventory.ics.core.CollectionController,761, Collection failed for the device : 3748
    com.cisco.nm.xms.xdi.ags.system.CollectionFailed: com.cisco.nm.lib.snmp.lib.SnmpException: SnmpResponseNoSuchName on 10.3.6.2 while performing SnmpWalk(*) at index = 10
        at com.cisco.nm.xms.xdi.pkgs.LibInventory.PortInterfaceAGI_RFC1213_HelperMethods.getIfTableEntriesFromDevice(PortInterfaceAGI_RFC1213_HelperMethods.java:639)
        at com.cisco.nm.xms.xdi.pkgs.SharedInventoryVPN3000.PortInterfaceAGI_RFC1213_Mib.g$eval(PortInterfaceAGI_RFC1213_Mib.java:77)
        at com.cisco.nm.xms.xdi.ags.PortInterfaceAGI.g$eval(PortInterfaceAGI.java:21)
        at com.cisco.nm.xms.xdi.SdiEngine.initAndEvalAGIs(SdiEngine.java:383)
        at com.cisco.nm.xms.xdi.SdiEngine.request(SdiEngine.java:309)
        at com.cisco.nm.xms.xdi.SdiEngine.getDevRepr(SdiEngine.java:302)
        at com.cisco.nm.rmeng.inventory.ics.core.CollectionController.run(CollectionController.java:539)
        at java.lang.Thread.run(Thread.java:595)
    [ Thu Aug 19  10:12:30 CEST 2010 ],INFO ,[Thread-14],com.cisco.nm.rmeng.inventory.ics.core.CollectionController,841,Device collection failed for 10.3.6.2
    2. I cannot get syslog into the device's syslog reports.
    This is weirder than issue 1: I have two VPN3030s; one actually does syslog fine, but one VPN 3030 does not.
    I haven't done anything different for the two devices ...
    One simply works, one doesn't ...
    I get no syslog messages in Device Center for one of the devices.
    The syslogs ARE in fact in the syslog.log.
    The syslog messages DO show up, but in the Unexpected Device report ...
    The same VPN device does work with my second server, so I think this is related to the RME database on one specific server.
    But I have tried deleting the device and rediscovering etc ...
    Please help ...

    OK - looks like I need TAC again ...
    As for the syslog issue - this happens only for one device on one of my servers ...
    That is what is strange ... So the IP is correct and OK - (they do get syslogs into DevCenter on one server and on the other device)
    Thank you for your reply - really nice that you take your time in this forum!

  • Configuration issue of syslog.conf

    Dear All,
    My client is facing a configuration issue with syslog.conf.
    They have set up Cacti on a Linux server for monitoring all servers' SNMP and syslog.
    The SNMP part has been set up successfully, but the servers cannot send syslog to Cacti.
    My client wants the syslog to be kept on the localhost and also sent to Cacti for monitoring.
    We have tried the following things to make it work:
    Inserted the information (*.* @10.251.99.74) in /etc/syslog.conf
    Restarted the system-log service
    Deleted every occurrence of the word loghost in the /etc/hosts file
    But it still does not work. Can anyone give me a suggestion or idea about this?

    Thank you for your reply.
    It is a tab. But I think the problem is that Solaris cannot use *.* to represent all logs.
    I have used the following and it works:
    *.err;ker.debug;daemon.notice;mail.crit @10.251.99.74
    If that is not the main reason, please put me right.

  • LMS 4.2.5 Syslog/Automated Action/Config mgmt issue

    LMS 4.2.5 on Windows
    We use the server as its own Syslog server. The Syslog collector status is fine. I see syslogs coming into the server. However, I just made some changes on a router so ran a syslog report on it, but nothing was returned. I tested the Collector Subscription and everything was fine.
    We also have Automated Actions configured on certain syslog messages (duplex mismatch for example). There is an AA configured to send my team e-mails when this event occurs. There was a device that had two days worth of syslog messages complaining about this issue. Yet, we only received about 10 e-mails from the LMS system on it.
    Another issue is with Configuration Mgmt. I fixed the duplex mismatch listed above and went to check the config tree to see if or when something changed. The last config archive was pretty old and I know changes were made on the device since then. This tells me that the LMS server didn't get notified of the config change or it would have gone out and checked it.
    The one thing in common on all of the above is Syslog messages. LMS will take actions based on receiving these messages and those actions don't seem to be firing.
    Any ideas would be greatly appreciated.
    Thanks,
    Mike S.

    To confirm that the device is sending the syslogs and that they are being received by the LMS server properly, check $NMSROOT/log/syslog.log and see if it has the syslog from the device.
    Unless the syslog is there in syslog.log, we don't expect LMS to react with any AA.
    For configuration backup, try to sync the device config by initiating a manual job to update the latest configuration from device. Even if there is no Automated Action working, you should still have a reoccurring/scheduled job configured to archive configuration backup periodically.
    Following is a document I created for Syslog troubleshooting :
    Ciscoworks LMS : Syslog in a Nutshell!
    -Thanks
    Vinod
    **Encourage Contributors. RATE Them.**

  • Issue: admin activity is not fully logged to syslog

    Hello!
    cisco 7606, IOS 12.2(33r)SRC3
    For example, while activating an IPv6 BGP session, when entering the command:
    #neighbour 2001:7F8:S:FF::109 password PASSWD
    Syslog gets such an entry:
    Wed Oct 10 14:20:00 2011 router1  admin  syslogserv stop        cmd=neighbor password *****
    I wonder why the neighbor's IPv6 address is not present in the entry. It makes account activity monitoring somewhat difficult.
    #sh run
    <cut>
    logging buffered 2000000
    logging console errors
    logging monitor errors
    aaa authentication username-prompt "login: "
    aaa authentication login default group tacacs+ line enable
    aaa authentication login CONSOLE line none
    aaa authorization exec default local group tacacs+ if-authenticated
    aaa accounting exec default start-stop group tacacs+
    aaa accounting commands 15 default start-stop group tacacs+
    aaa accounting system default start-stop group tacacs+
    aaa session-id common
    logging event link-status default
    <cut>
    WBR, Alex.

    Hi Lawrence ,
    Yes, I have the answers for your questions, please find the same below.
    1) No, I haven't got any 'weblogic.application.ModuleException' in the server or stdout log.
    2) While trying to telnet from my Windows machine, it does not connect to my server.
    C:\Documents and Settings\Administrator>telnet 20.10.5.2 7001
    Connecting To 20.10.5.2...Could not open connection to the host, on port 7001: Connect failed
    C:\Documents and Settings\Administrator>
    3) Yes, I have flushed the cache and tmp folder by taking a backup of the domain folder and then restarted WebLogic - but no luck, it is still not accessible.
    I hope the second question and answer is the cause of the issue (but I am not sure why it was accessible from the same Windows machine earlier?).
    Please suggest... Thanks!

  • Cisco 4710 ACE syslogs generating issue

    I have a 4710 ACE load balancer with three virtual contexts. I have configured the three contexts with the syslog configuration to send the logs to a syslog server as below:
    logging enable
    logging trap 5
    logging buffered 7
    logging host 10.x.x.x udp/514
    The issue is that I can see logs in the syslog server from the Admin context only, and there are no logs buffered or sent to the syslog server from the other two contexts.
    Note that the ACE software version is A3(2.0).
    Is there any bug in this software version, or is anything missing from the configuration?

    Mohammed,
    Please repost to the correct forum. This forum is for Wireless/Mobility Security (and Management).
    You will probably find better help here: https://supportforums.cisco.com/community/netpro/security/others
    Justin

  • Ciscoworks syslog collector issue

    Hi All,
    In a central location I have a CiscoWorks syslog collector version 3.5. The issue is that not all the logs generated on the devices are collected by CiscoWorks, including the devices connected in the LAN. The major issue is on Cisco 6500 series switches, where I see multiple interface flaps in the log but only a few are found in syslog.
    Regards,
    Sathvik

    Hi,
    Check here: Admin > Collection Settings > Syslog > Syslog Collector Status, and see if messages are falling under Filtered or Invalid.
    Then check the filter:
    Admin > Network > Notification and Action Settings > Syslog Message Filters
    I would suggest you create a filter with all * and see if that helps.
    You can look at this thread as well:
    https://supportforums.cisco.com/thread/2244888?tstart=60
    Thanks-
    Afroz
    [Do rate the useful post]

  • Ciscoworks Syslog time issues

    Dear all,
    I'm having some issues with the syslog application on Ciscoworks
    The records on CiscoWorks have a different hour compared to the Cisco devices. For example, below you will find the records on CiscoWorks and the records for the same events on the router; you can see that we have 4 hours' difference between the records.
    CISCOWORKS
    May 23 2011 03:29:21 | DUAL | 5 | NBRCHANGE | EIGRP-IPv4 1: Neighbor 172.20.127.14 (Serial0/3/0:0) is up: new adjacency
    May 23 2011 03:29:16 | CONTROLLER | 5 | UPDOWN | Controller E1 0/3/0, changed state to up
    May 23 2011 03:29:13 | CONTROLLER | 5 | UPDOWN | Controller E1 0/3/0, changed state to down (AIS detected)
    ROUTER VOICE GW
    May 23 07:29:21.344 Bolivia: %DUAL-5-NBRCHANGE: EIGRP-IPv4 1: Neighbor 172.20.127.14 (Serial0/3/0:0) is up: new adjacency
    May 23 07:29:16.396 Bolivia: %CONTROLLER-5-UPDOWN: Controller E1 0/3/0, changed state to up
    May 23 07:29:13.396 Bolivia: %CONTROLLER-5-UPDOWN: Controller E1 0/3/0, changed state to down (AIS detected)
    I looked at the Windows server where CW is installed and it's in the same time zone as the router. Searching on the internet I found that CW syslog has a properties file where I should put the right country code, but I don't know where to find this file, or maybe I just have to point my Windows server to the same NTP server as I did with my switches and routers.
    Any help?
    Regards,
    Luis Martinez

    Hi, in the file syslog.properties I configured it to use the following time zone, PRT GMT-4, which is the same that we use in Bolivia; before it was PST GMT-8. It seems to work fine now.
    Is it necessary to edit the timezone list file and put Bolivia -4 in it?
    Thanks for your help.
    Regards,
    Luis Martinez
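
Added example (not part of the thread and not CiscoWorks code): a check that pairs collector records with the device's own log lines and tells a constant time-zone offset apart from clock drift, which matters when logs from both sides are correlated into one timeline. The records are the ones quoted in the post; the function name, the 5-second tolerance and the assumption that the device lines belong to the collector's year are illustrative.

```python
import re
from datetime import datetime

# Device-side layout as shown in the post: "May 23 07:29:21.344 Bolivia: %FAC-SEV-MNEMONIC: text"
DEVICE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2})(?:\.\d+)? (?P<tz>\S+): "
    r"%(?P<fac>[A-Z0-9_]+)-(?P<sev>\d)-(?P<mnem>[A-Z0-9_]+): (?P<text>.*)$"
)

# Collector rows from the post as (timestamp, facility, severity, mnemonic, text).
COLLECTOR = [
    ("May 23 2011 03:29:21", "DUAL", 5, "NBRCHANGE",
     "EIGRP-IPv4 1: Neighbor 172.20.127.14 (Serial0/3/0:0) is up: new   adjacency"),
    ("May 23 2011 03:29:16", "CONTROLLER", 5, "UPDOWN",
     "Controller E1 0/3/0, changed state to up"),
    ("May 23 2011 03:29:13", "CONTROLLER", 5, "UPDOWN",
     "Controller E1 0/3/0, changed state to down (AIS detected)"),
]
# Device lines from the post.
DEVICE = """\
May 23 07:29:21.344 Bolivia: %DUAL-5-NBRCHANGE: EIGRP-IPv4 1: Neighbor 172.20.127.14 (Serial0/3/0:0) is up: new adjacency
May 23 07:29:16.396 Bolivia: %CONTROLLER-5-UPDOWN: Controller E1 0/3/0, changed state to up
May 23 07:29:13.396 Bolivia: %CONTROLLER-5-UPDOWN: Controller E1 0/3/0, changed state to down (AIS detected)
"""


def _key(fac, sev, mnem, text):
    # Normalise whitespace so "new   adjacency" and "new adjacency" pair up.
    return (fac, int(sev), mnem, " ".join(text.split()))


def classify_skew(collector_rows, device_lines, year, tolerance_s=5):
    """Pair events by content and classify the device-minus-collector time delta."""
    device = {}
    for line in device_lines:
        m = DEVICE_RE.match(line.strip())
        if m:
            # Assumption: device lines carry no year, so the caller supplies it.
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            device[_key(m["fac"], m["sev"], m["mnem"], m["text"])] = ts
    deltas = []
    for ts, fac, sev, mnem, text in collector_rows:
        dev_ts = device.get(_key(fac, sev, mnem, text))
        if dev_ts is not None:
            col_ts = datetime.strptime(ts, "%b %d %Y %H:%M:%S")
            deltas.append(int((dev_ts - col_ts).total_seconds()))
    if not deltas:
        return {"verdict": "no-matching-events", "offset_hours": None, "matched": 0}
    # Time-zone offsets are multiples of 15 minutes; anything else is clock error.
    nearest = {round(d / 900) * 900 for d in deltas}
    residual_ok = all(abs(d - round(d / 900) * 900) <= tolerance_s for d in deltas)
    if len(nearest) == 1 and residual_ok:
        offset = nearest.pop()
        verdict = "in-sync" if offset == 0 else "timezone-offset"
        return {"verdict": verdict, "offset_hours": offset / 3600, "matched": len(deltas)}
    return {"verdict": "clock-drift-or-mixed", "offset_hours": None, "matched": len(deltas)}


if __name__ == "__main__":
    print(classify_skew(COLLECTOR, DEVICE.splitlines(), year=2011))
```

A "timezone-offset" verdict points at a display or properties setting such as the one changed in the reply above, while "clock-drift-or-mixed" points at NTP.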

  • CUCM Syslog Message ISSUE (kernel: Exceeded hashlimit)

    Hello.
    Our Customer using CUCM 9.0 (PUB :1 , Sub : 4) and 4 Voice Gateway Cisco 3945 (16 E1 PRI per each Gateway)
    CUCMs have problem with syslog messages.
    I saw these messages in rtmt syslog
    - kernel:  Exceeded hashlimit IN=bond0 OUT= MAC=34:40:b5:d5:63:e8:1c:e6:c7:52:44:40:08:00 SRC=130.1.254.27 DST=130.1.13.11 LEN=204 TOS=0x00 PREC=0x00 TTL=246 ID=19646 PROTO=UDP SPT=19200 DPT=30546 LEN=184
    kernel:  Exceeded hashlimit IN=bond0 OUT= MAC=6c:ae:8b:67:1a:28:bc:16:65:12:99:7f:08:00 SRC=130.1.254.27 DST=130.1.14.13 LEN=204 TOS=0x18 PREC=0xA0 TTL=253 ID=42621 PROTO=UDP SPT=26694 DPT=26842 LEN=184
    What's the problem with these messages ?
    And how can I solve this problem
    Thanks.

    I used to have the same problem. It was a SIP trunk to one CME; just resetting the SIP trunk in CUCM fixed the error. It is because the endpoint is sending a lot of requests to CUCM.

  • Syslog Collector w/ File Connector Parsing Issue

    Dear all,
    Recently, I had a requirement from a customer.
    They have various Linux systems. They want to pass all syslog to
    sentinel, but not by syslog connector for some reasons.
    Therefore, they throw us those syslog in text file, and ftp it for
    sentinel reading.
    The problem is that this.RXBufferstring could not be 100% parsed in all
    kinds of messages. Sometimes there would be error.
    But when they use Syslog connector. Every event fields seem to be parsed
    correctly.
    So is there any methods to use syslog collector w/file connector
    correctly?
    Or how do people handle this kind of problem?
    Please assist. Thanks a lot.
    andy_ho

    On 08/01/2014 04:26 AM, andy ho wrote:
    >
    > Dear all,
    >
    > Recently, I had a requirement from a customer.
    >
    > They have various Linux systems. They want to pass all syslog to
    > sentinel, but not by syslog connector for some reasons.
    > Therefore, they throw us those syslog in text file, and ftp it for
    > sentinel reading.
    >
    > The problem is that this.RXBufferstring could not be 100% parsed in all
    > kinds of messages. Sometimes there would be error.
    > But when they use Syslog connector. Every event fields seem to be parsed
    > correctly.
    >
    > So is there any methods to use syslog collector w/file connector
    > correctly?
    > Or how do people handle this kind of problem?
    No supported way, no. The testing between collector and connector is done
    so that certain methods are easy, reliable, and supported. Just because
    data are grabbed from one media (network, syslog specifically) and written
    to another (file) does not mean that nothing else is changed, and the
    syslog collectors may be assuming other properties (such as the event
    source IP address) are there when they are not.
    You can probably make this work, but you'll likely need to customize the
    collector in order to do it. The alternative is to use the debugging
    feature of the collector to find out what is wrong with certain events and
    possibly modify them on the event source side. Either way, you're going
    to have a scenario that is not supported so it may be worth revisiting the
    requirement to use a file vs. syslog just in case support matters more
    than the "for some reasons" that they want to go with a file.
    Good luck.