Unterstanding syslog messages from our wlc

Similar Messages

• Recivining and analyzing syslog messages from facility local3 on LMS4.2 soft appliance.

                     HI,
  all of our enterprise switches are sert to send syslog messages from facility local3. this is partly because our linux syslog server loggs its boot syslog  messages from  facility local7 an we could't use the default  facility of local7 on our cisco switches. LMS4.2s syslog daemon is set to recieve syslog messages from facility local7. how can i change it so that it can listen for facility local3 and also make sure the syloganalyzer and automated action  work fine.
  thanks,
  Kerim

  Hi All,
  I thought it is a good idea to share the workaround my colleague came up with for this prolem. there is a file called syslog-entries.txt under /opt/CSCOpx/conf. he added all the entries we needed like :
  local3.*     /var/log/syslog_info
  local5.*   /var/log/syslog_info
  the change was automatically reflected on syslog.conf
  now we receve alerts from facilities 3 and 5 besides 7.  hope this helps anyone who run into the same issue.

• ISE 1.2 rejects RADIUS messages from 5508 WLC

  The setup in ref is:
  WLC 5508 HA pair running 7.6 talking to ISE 1.2 patch 7 (was 6).
  Wireless users are authenticated fine, so the 5508 is a valid NAD in ISE, but...
  When I setup active RADIUS fallback, so that the WLC can poll the ISE servers I get the message:
  "The RADIUS request from a non-wireless device was dropped because the installed license is for wireless devices only"
  Why would ISE drop a RADIUS message from a WLC which is a wireless device?  Surely this is a mistake?

  Hi Nicholas,
  This is a known defect.
  CSCug34679    ISE drop keep alive coming from WLC. 
  <B>Symptom:</B>
  ISE drops keep alive authentications coming from the WLC, with message 11054 Request from a non-wireless device due to installed wireless license.
  <B>Conditions:</B>
  When only a wireless license is install on the ISE and using active keep alive on the WLC.
  <B>Workaround:</B>
  Use passive keep alive on the WLC and not active.
  Regards,
  Jatin Katyal
  *Do rate helpful posts*

• Receive syslog messages from remote system

  I want to replace my ancient and aging Slackware 12.0 server with an Arch server. One of the hurdles is to receive syslog messages (UDP/IP, port 514) over the network from a Cisco 678 DSL modem/router, and from a DD-WRT based wireless access point.
  How do I go about getting a systemd-based Arch server to receive syslog-formatted messages from the network on UDP port 514?
  I'm not looking to view the Arch system's journal over the network, but rather to receive non-local messages and log them.
  Last edited by bediger4000 (2013-08-01 15:44:48)

  WonderWoofy: I hope you mean "man systemd-journal-gatewayd", as I find that man page, but not "systemd-journal-gateway".  systemd-journal-gatewayd works the other way. According to the man page it "serves journal events over the network. Clients must connect using HTTP."
  sbmomeni: I agree that your reference says the systemd journal provides the same function - but how?  And does "this functionality" refer to the logging part of syslog-ng, or to the receiving messages from other machines part?

• How do I get syslog messages from an AP350 sent to my Ciscoworks2000?

  I am running Ciscoworks2000 and trying to get my Access Point's to send messages to the RME. I have enabled SNMP and created user's with the correct SNMP strings? Any help in getting as much information from the AP's to Ciscoworks would be greatly appreciated.

  Darcy,
  The setup for syslog is different to setting up SNMP. Refer to the following URL re the 'Event Notifications Setup Page'. http://www.cisco.com/univercd/cc/td/doc/product/wireless/airo_350/accsspts/ap350scg/ap350ch7.htm#1037065
  In particular, please make sure that you check the 'Yes' button for 'Should Syslog Messages use the Cisco EMBLEM Format', otherwise RME will not recognise the format of the syslog messages that it receives.
  As mentioned by one of the other respondants, you must also check that the AP is recognised in the RME Inventory as a Managed Device.
  A list of what devices are supported in the various versions of RME can be found on CCO at http://www.cisco.com/univercd/cc/td/doc/product/rtrmgmt/cw2000/cw2000e/dev_sup/index.htm

• Can't get syslog messages from Remote SA520 over VPN

  I'm trying to set up a central logging server on a debian system running rsyslog.
  The syslog server is local & I have a branch office connected via a VPN. Both buildings have SA520 routers.
  I have set up both firewalls to allow ANY from each network 192.168.150.X & 19.168.160.X
  (also tried to add a rule for UDP514 but that didn't help)
  The debian system is new & has no iptables set up
  I've entered the syslog server IP in remote logging.
  I've set up facilities in Send to syslog for both routers.
  I am logging messages from the local router but don't see anything from the remote.
  I've checked with wireshark & see no syslog packages from the remote (I do see SSL negotiation & others when using the web admin and of course the functioning vpn)
  I rebooted the router to see if that mae a difference but no luck.
  Any ideas why I can't get the syslog traffic across the VPN?

  I do have the correct IP address of the syslog server set up. I do not want email logs so have not enabled that.
  My setup is
  remote lan > SA520-remote (192.168.160.1) > [ site to site IPSec VPN over WAN ] > SA520-local (192.168.150.1) > syslog server (192.168.150.25) & local lan
  Firewall is set up to allow ANY IN & OUT to local lan on both routers.
  I have also set up specific rules for UDP 514 Syslog traffic (no difference, currently disabled)
  syslog server has -no- firewall at the moment.
  Syslog server is receiving messages from the local router with no issues.
  Log Severity is set to Information &  Log Facility is set up to send to Syslog.
  I have also setup a SNMP trap on the syslog server & pointed the remote router to it in hopes of diagnosing the issue.
  Both routers have the latest firmware applied.
  Using wireshark on the syslog server I see no traffic on UDP 514 (syslog) or UDP 162 (snmp)
  I can use the WUI for the remote & ping the 160.1 with no problem. Both ping & TLS/TCP traffic show up in wireshark on the syslog server when I do so.
  It looks to me like there is a problem routing the syslog messages out of the router & then back through the VPN.
  Worst case I'll set up another syslog server on an old machine at the remote location & then cron the logs to the central syslog server but it really seems I shouldn't have to.

• Syslog Message Guide for WLC 440x 4.0x

  Can anyone help me with a pointer to doco to explain the messages from these devices ?

  Hey guys,
  Maybe this is what you are looking for??
  http://www.cisco.com/en/US/products/ps6366/products_configuration_guide_chapter09186a00806b0633.html
  Hope this helps!
  Rob

• Excluding certain syslog messages from Call-Home

  I recently enabled call-home for all switches, including some 3750 top of rack acting as access layer. 
  call-home
   profile "Network"
    destination preferred-msg-format short-text
    destination address email [email protected]
    subscribe-to-alert-group environment severity warning
    subscribe-to-alert-group inventory
    subscribe-to-alert-group syslog severity warning pattern ".*"
  Problem is the servers are routinely taken down for maintenance, so I get call-homes for the LINK-3-UPDOWN messages.  How do I exclude these from notifications, but still get other messages that are warning or more severe (0-4)?
  Note that I do want syslog to log the UPDOWN messages in case they're needed for troubleshooting, I just don't want call-home alerts.

  From what I've seen, the challenge with getting tracebacks as syslogs is network connectivity is often not established sufficiently (after a crash) to send the syslogs out. The situation seems to be begging for a "delayed-fuse" mechanism to collect the early syslogs after a crash in a buffer somewhere, until after successful network convergence is realized. I'm not sure services such as EEM or tclsh are themselves initialized early enough during the IOS bootup sequences to try to perform that task.

• How do I record a voice mail message from our iphone onto my MacBook Pro?

  My wife has a few voice mail messages on her iphone from her brother(who passed away). She would like to save these in a safe place where she can listen in the future. Recording these messages on an MP3 player as other have suggested, doesn't give us that permanence, security, easy accessability we are looking for.

  I had exported an address book backup: abbu
  so since i wrote, i have found my way into the cloud: selected all entries - deleted them all from the cloud.
  This wiped out contacts on my iphone and i pad, and MBP, as well as on the cloud.  I then imported the abbu back into my now empty address book. 
  To repopulate the crowd, i selected all in my address book and created a single card vCard for export to my desktop.  I then dragged that vcard into my empty cloud.  Now my cloud has the same clean contacts as my MBP addressbook.  The cloud then pushed the clean contacts into my empty ipad and iphone contacts. 
  I had to go back to Address Book>preferences>Accounts and Add an I cloud account - but if you accidentally create a second i cloud account - all of a sudden your address book will duplicate itself.  I quickly reversed it by deleting one of the icloud accounts in my Address Book>preferences>Accounts. 
  I created a new entry on my MBP and it is now on all devices and in cloud
  I also created a new entry on my iPhone and it is now in the address book on my MBP.
  I feel empowered!!
  Have i missed anything??

• Cisco MARS Syslog messages

  /* Style Definitions */
  table.MsoNormalTable
  {mso-style-name:"Table Normal";
  mso-tstyle-rowband-size:0;
  mso-tstyle-colband-size:0;
  mso-style-noshow:yes;
  mso-style-parent:"";
  mso-padding-alt:0in 5.4pt 0in 5.4pt;
  mso-para-margin:0in;
  mso-para-margin-bottom:.0001pt;
  mso-pagination:widow-orphan;
  font-size:10.0pt;
  font-family:"Times New Roman";
  mso-ansi-language:#0400;
  mso-fareast-language:#0400;
  mso-bidi-language:#0400;}
  Hi,
  I've recently noticed that ALL the syslog messages that are sent to our Cisco MARS device are then being sent to our syslog server. Besides the messages from our MARS device, the syslog server also gets the original syslog messages from our ASA and PIX firewalls (which, of course, also send to our MARS device). I would like to have MARS send syslog messages to the syslog server that pertain only to changes/events happening directly to the MARS device. Can anyone help me with this?
  Thanks in advance!

  Kerry;
    To have CS-MARS specific incidents forward to your syslog server, you will most likely want to add an action to generate a syslog for the CS-MARS-specific inspection rules.  These rules can be found by navigatng to:
  RULES>Inspection Rules
  from the Group: drop-down choose "System: CS-MARS Issues"
    You can then edit the Action: section for the specific rules (one at a time) to add a syslog action.  Specifics are outlined here:
  http://www.cisco.com/en/US/docs/security/security_management/cs-mars/6.0/user/guide/combo/alerts.html
  Scott

• Syslog messages coming from Standyby ASA ?

  I have a pair of ASA's in Active/Standby configuration.  I noticed this morning that the secondary ASA is generating syslog messages when I dont think it should.  Here is the logging configuration -
  logging enable
  logging timestamp
  logging buffer-size 1048576
  logging console informational
  logging buffered informational
  logging trap informational
  logging history critical
  logging asdm critical
  logging mail critical
  logging host inside 10.1.4.12
  This is the interface that syslog should be coming out of on the primary ASA -
  interface GigabitEthernet0/1
  description 10.1.85.0/24 Internal Interface
  nameif inside
  security-level 100
  ip address 10.1.85.31 255.255.255.0 standby 10.1.85.32
  ospf retransmit-interval 1
  ospf hello-interval 1
  ospf dead-interval 3
  Cisco Adaptive Security Appliance Software Version 8.2(3)
  Device Manager Version 6.3(4)
  I ran the packet capture wizard on the secondary ASA and saw no syslog traffic coming from it.
  Anybody else seen this ?
  Ron

  Ron
  The message that you show us is part of what the ASA is doing to maintain state for all the VPN connections from the primary ASA. I see similar syslog messages from the standby unit in an ASA active/standby pair.
  You say:"I wouldnt expect any messages to be coming from it since it isnt really doing anything." But the standby unit is really doing things. As a new session is established on the primary the secondary must process and retain that information. And when a session is discontinued on the primary then the standby must process that also and remove the session from the state table. If the standby were not busy doing these things then it would not be able to take over and process sessions correctly if the primary were to fail.
  HTH
  Rick

• ASR1000 CUBE SP syslog messages

  Hi,
  we're trying to integrate our SBC instances (CUBE SP on ASR1000) into our network management system (EMC SMARTS)
  Syslog messages from SBC instances are some kind of cumbersome with lot of line breaks resulting in multiple syslog messages the NMS must parse.
  Example:
  %SBC-3-MSG-6406-0006-ADD5A3-1575
  Message Editor received a message with an unknown editor in
  the edit sequence. The editor will be ignored.
  Editor name: default
  How do I configure it to just put it all into one line just as "normal" log messages?
  Example:
  %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/0/0, changed to up
  Thanks
  Sebastian

  Hi,
  thanks for replying.
  I went already through this, seems I have to write some kind of script to get SBC messages into one line.
  Do you have an idea for this very simple task?
  Still wondering I'm the first to stimble upon it
  Sebastian

• Unable to stop syslog messages

  I keep getting the following syslog messages to my syslog server from our CUPS:-
  "133161: Jul 10 2013 09:32:21.387 UTC : %UC_RTMT-2-RTMT_ALERT: %[Name=CriticalServiceDown][Detail= Service operational status is DOWN.<010>Cisco UP XCP Message Archiver,Cisco UP XCP XMPP Federation Connection Manager.<010>The alert is generated on Wed Jul 10 10:32:21 BST 2013 on node 10.210.1.30.][App ID=Cisco AMC Service][Cluster ID=][Node ID=VOIP-TDC-CUPS-PUB-030]: RTMT Alert"
  The Cisco UP XCP Message Archiver service and the Cisco UP XCP XMPP Federation Connection Manager service are both activated, but both stopped. I have tried turning off any kind of alarm and trace config for both services but nothing seems to make any difference!!
  Any ideas?
  thanks

  By disabled Ryan is referring to Service Activation. As long as the service is activated, it will attempt to start periodically. Both of these services require specific configuration before they will run.
  Please remember to rate helpful responses and identify helpful or correct answers.

• ASA error syslog messages

  We started getting the below syslog messages from one of our ASA5520 which was recently upgraded to 8.4(2).Anyone familiar with bugs on 8.4(2) that cause this or its simply the RAM failure?
  %ASA-3-105010: (Primary) Failover message block alloc failed
  %ASA-3-321007: System is low on free memory blocks of size 1550 (0 CNT out of 18709 MAX)

  It could be any one of these CSCto74092 and CSCts48937, but still it needs to be properly investigated. I would suggest you open a TAC case for further investigation.
  Thanks,
  Varun Rao
  Security Team,
  Cisco TAC

• Creating Support Messages from Satellite System without SolMan user account

  Hi
  We are having some problems with users "creating support message" from our ECC system  to SolMan, if the user does not have a user account in Solution Manager.
  It is not correct, that users from Satellite systems can create support messages from these systems, without the user having an account in Solution Manager? And that the user is identified by the business partner for the user, that must exist in the Solution Manager system ?
  We have set up the RFC for the supportmessages between SolMan and the ECC system as trusted RFC, with the "Current user" as the user, but how should this be set up, if the user does not have an account in the Solution Manager system. If we enter a user with the right authorizations in the RFC, will the messages that come through not just appear as created by that user, instead of the ECC user and corresponding business partner ?
  Regards
  Lars

  Hi,
  you can use the use the user for the RFC-Connection in that case. I have customizied a similar scenario. In my scenario the System from which the message was created, is the business partner (SOLD-TO-PARTY). For that you have to create a communication user (i.e SOLMAN<SYSID>). In TA SM59 in the satellite-system you assign this user for the connection. (Don't forget to assign the user to the role "SAP_SV_FDB_NOTIF_BC_ADMIN"). Now, it schould be possible to create messages from the satellite system to the solution manager. Additionally you should create business-partner for each user of the satellite system, by using TA DSWP>EDIT>CREATE BUSINESS PARTNER.
  With this TA, it is easy to create BP for each satellite system.
  Best regards
  Marc