Table Of Contents
Enabling and Tracking Syslogs Using Syslog Analyzer and Collector
Overview: Common Syslog Collector
Viewing Status and Subscribing to a Common Syslog Collector
Viewing Common Syslog Collector Status
Subscribing to a Common Syslog Collector
Understanding the Syslog Collector Properties File
Timezone List Used By Syslog Collector
Using Syslog Analyzer
Using Syslog Service on Windows
Checking the Syslog Configuration File on UNIX
Stopping and Restarting Syslog Analyzer
Viewing Syslog Analyzer Status
Configuring Devices to Send Syslogs
Configuring the Device Using Telnet
Configuring the Device Using NetConfig Syslog Task
Syslog Administrative Tasks
Setting the Backup Policy
Setting the Purge Policy
Performing a Forced Purge
Defining Custom Report Templates
Creating a Custom Report Template
Adding a Message Type
Deleting a Message Type
Editing a Message Type
Selecting a Message Type
Editing a Custom Template
Deleting a Custom Template
Running a Custom Report
Defining Automated Actions
Creating an Automated Action
Editing an Automated Action
Guidelines for Writing Automated Script
Enabling or Disabling an Automated Action
Exporting or Importing an Automated Action
Deleting an Automated Action
Automated Action: An Example
Verifying the Automated Action
Defining Message Filters
Creating a Filter
Editing a Filter
Enabling or Disabling a Filter
Exporting or Importing a Filter
Deleting a Filter
Overview: Syslog Analyzer Reports
Understanding Message Reports
Generating a 24-Hour Report
Generating a Syslog Custom Summary Report
Generating a Severity Level Summary Report
Generating a Standard Report
Generating an Unexpected Device Report
Using Device Center
Creating a Custom Report: Example
Prerequisites
Procedures
Verification
Enabling and Tracking Syslogs Using Syslog Analyzer and Collector
The Syslog Analyzer application, together with the Syslog Collector, lets you centrally log and track syslog messages (errors, exceptions, information, and so on) sent by devices in the network. The logged message data can be used to analyze network device performance. The Syslog Analyzer application can also be customized to store and report the information that is important to you.
The Syslog Analyzer application, or the Syslog Analyzer, works together with the Common Syslog Collector (CSC) (see Overview: Common Syslog Collector).
The Syslog Analyzer receives syslogs from the Common Syslog Collector, invokes automated actions that have been configured for RME, and stores the syslogs in the database. You can use the Syslog Analyzer to generate many useful reports on the syslogs stored in the database. You can also define templates for custom reports.
Network devices can be configured to send Syslog messages directly to the Common Syslog Collector installed on the CiscoWorks Server or a remote network host on which a Syslog Collector is installed. The Common Syslog Collector is configured to filter and forward messages to the CiscoWorks Server.
In addition, the Syslog Analyzer application also notifies:
Inventory application, when a network device sends an inventory change syslog message such as SYS-5-RELOAD or SNMP-5-COLDSTART. For a complete list of messages that trigger Inventory collection, see Table 14-1.
Table 14-1 Messages that Trigger Inventory Collection
Facility | Sub-facility | Severity | Mnemonic | Description
* | * | * | RESTART | *
RESTART | * | * | * | *
OIR | * | 6 | INSCARD | *
SYS | * | 5 | ONLINE | *
SNMP | * | 5 | COLDSTART | *
SYS | * | 5 | RELOAD | *
CPU_REDUN | * | 6 | BOOTED_AS_ACTIVE | *
CPU_REDUN | * | 5 | SWITCHOVER | *
Nodemgr | * | 5 | CE | *REBOOT*
Config Management application, when a network device sends a configuration change message such as SYS-6-CFG_CHG or CPU_REDUN-6-RUNNING_CONFIG_CHG. For a complete list of messages that trigger a Configuration fetch, see Table 14-2.
Table 14-2 Messages that Trigger a Configuration Fetch Operation
Facility | Subfacility | Severity | Mnemonic | Description
* | * | * | RESTART | *
RESTART | * | * | * | *
SYS | * | 5 | ONLINE | *
* | * | * | CONFIG_I | *
SYS | * | 5 | RELOAD | *
CONFIG | * | * | * | *
* | * | * | CONFIG | *
OIR | * | 6 | INSCARD | *
Nodemgr | * | 5 | CE | *REBOOT*
CPU_REDUN | * | 6 | BOOTED_AS_ACTIVE | *
CPU_REDUN | * | 5 | SWITCHOVER | *
CPU_REDUN | * | 6 | RUNNING_CONFIG_CHG | *
CPU_REDUN | * | 5 | RCSF_SYNCED | *
CPU_REDUN | * | 6 | STARTUP_CONFIG_CHG | *
CPU_REDUN | * | 5 | STARTUP_CONFIG_SYNCED | *
SNMP | * | 5 | COLDSTART | *
SYS | * | 6 | CFG_CHG | *telnet*
SYS | * | 6 | CFG_CHG | *Console*
* | * | * | OIR | *
PIX | * | 5 | 111005 | *
SYS | * | 6 | CFG_CHG | *SNMP*
SYS | * | 6 | CFG_CHG | *SSH*
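As an added illustration (not code from RME or from this guide), the following Python example applies the rows of Table 14-1 and Table 14-2 to Cisco-style messages of the form %FACILITY[-SUBFACILITY]-SEVERITY-MNEMONIC: description and reports which operation each message would trigger. It assumes that * is a case-sensitive wildcard and that a missing sub-facility matches *; the function names and the sample messages are constructed for this example.

```python
import re
from fnmatch import fnmatchcase

# Rows copied from Table 14-1, in column order:
# (facility, sub-facility, severity, mnemonic, description)
INVENTORY_ROWS = [
    ("*", "*", "*", "RESTART", "*"),
    ("RESTART", "*", "*", "*", "*"),
    ("OIR", "*", "6", "INSCARD", "*"),
    ("SYS", "*", "5", "ONLINE", "*"),
    ("SNMP", "*", "5", "COLDSTART", "*"),
    ("SYS", "*", "5", "RELOAD", "*"),
    ("CPU_REDUN", "*", "6", "BOOTED_AS_ACTIVE", "*"),
    ("CPU_REDUN", "*", "5", "SWITCHOVER", "*"),
    ("Nodemgr", "*", "5", "CE", "*REBOOT*"),
]

# Rows copied from Table 14-2, same column order.
CONFIG_FETCH_ROWS = [
    ("*", "*", "*", "RESTART", "*"),
    ("RESTART", "*", "*", "*", "*"),
    ("SYS", "*", "5", "ONLINE", "*"),
    ("*", "*", "*", "CONFIG_I", "*"),
    ("SYS", "*", "5", "RELOAD", "*"),
    ("CONFIG", "*", "*", "*", "*"),
    ("*", "*", "*", "CONFIG", "*"),
    ("OIR", "*", "6", "INSCARD", "*"),
    ("Nodemgr", "*", "5", "CE", "*REBOOT*"),
    ("CPU_REDUN", "*", "6", "BOOTED_AS_ACTIVE", "*"),
    ("CPU_REDUN", "*", "5", "SWITCHOVER", "*"),
    ("CPU_REDUN", "*", "6", "RUNNING_CONFIG_CHG", "*"),
    ("CPU_REDUN", "*", "5", "RCSF_SYNCED", "*"),
    ("CPU_REDUN", "*", "6", "STARTUP_CONFIG_CHG", "*"),
    ("CPU_REDUN", "*", "5", "STARTUP_CONFIG_SYNCED", "*"),
    ("SNMP", "*", "5", "COLDSTART", "*"),
    ("SYS", "*", "6", "CFG_CHG", "*telnet*"),
    ("SYS", "*", "6", "CFG_CHG", "*Console*"),
    ("*", "*", "*", "OIR", "*"),
    ("PIX", "*", "5", "111005", "*"),
    ("SYS", "*", "6", "CFG_CHG", "*SNMP*"),
    ("SYS", "*", "6", "CFG_CHG", "*SSH*"),
]

# %FACILITY[-SUBFACILITY]-SEVERITY-MNEMONIC: description
MSG_RE = re.compile(
    r"%(?P<facility>[A-Za-z0-9_]+)"
    r"(?:-(?P<sub>[A-Za-z0-9_]+))?"
    r"-(?P<severity>[0-7])"
    r"-(?P<mnemonic>[A-Za-z0-9_]+):\s*(?P<description>.*)"
)


def parse_message(line):
    """Return (facility, sub-facility, severity, mnemonic, description) or None."""
    m = MSG_RE.search(line)
    if m is None:
        return None
    return (m["facility"], m["sub"] or "", m["severity"],
            m["mnemonic"], m["description"].strip())


def row_matches(row, fields):
    """True when every column pattern of a table row matches the parsed field."""
    return all(fnmatchcase(value, pattern) for pattern, value in zip(row, fields))


def triggered_actions(line):
    """Return the set of operations the message triggers; empty if none."""
    fields = parse_message(line)
    actions = set()
    if fields is None:
        return actions  # not in the expected message format
    if any(row_matches(row, fields) for row in INVENTORY_ROWS):
        actions.add("inventory_collection")
    if any(row_matches(row, fields) for row in CONFIG_FETCH_ROWS):
        actions.add("config_fetch")
    return actions


# Constructed sample messages (not captured from a real device).
SAMPLES = [
    "<189>42: Jan  5 10:15:02: %SYS-5-CONFIG_I: Configured from console by admin on vty0",
    "%SYS-5-RELOAD: Reload requested",
    "%SYS-6-CFG_CHG: Module 2 block changed by telnet session",
    "%SYS-6-CFG_CHG: Module 2 block changed by HTTP session",
    "%LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to down",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sorted(triggered_actions(sample)), sample)
```

The fourth sample shows why the Description column matters: a SYS-6-CFG_CHG message whose text names none of telnet, Console, SNMP or SSH matches no row, so a configuration change reported that way would not trigger a fetch.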
Devices send Syslog messages that contain a time stamp reflecting the local time zone of the device. Syslog reports are always displayed in the server time zone.
If a device time zone is in an unsupported format, the server time zone is used. If a device is not configured to send time zone information with its messages, Syslog assumes that the device resides in the server time zone and uses that time zone in the message time stamp.
For example, assume that a managed device in India (set to the local time zone) sends a Syslog message to an RME server in California. When this message is viewed on a client browser in New York, the message will reflect California time.
Caution
Any change that you make to the system time or time zone affects the Syslog processes and other RME processes. After such a change, you must restart the Daemon Manager for these processes to function properly.
Using the Syslog Analyzer application is easy.
After configuring the network devices, installing a Syslog Collector, and registering it with Syslog Analyzer, you can use Syslog Analyzer to do these tasks:
• View Syslog Collector status for message statistics (see Viewing Common Syslog Collector Status).
• Set the purge policy, to specify the age of a message up to which it should be stored (see Setting the Purge Policy). You can also perform a forced purge (see Performing a Forced Purge).
• Set the backup policy (see Setting the Backup Policy).
• Define custom message report templates (see Creating a Custom Report Template).
• Generate standard and custom reports, including 24-hour reports (see Understanding Message Reports).
• Define message filters to exclude or include certain messages from Syslog Analyzer (see Defining Message Filters).
• Define automated actions with which you can add and edit instructions (e-mail, URL or script) to be executed automatically whenever a specific message type is reported (see Defining Automated Actions).
You can generate the following reports and summaries using the Report Generator (RME > Reports > Report Generator):
• 24-Hour Report: Generate a report to show data for the past 24 hours. See Generating a Standard Report.
• Syslog Custom Summary Report: Shows a summary of all custom reports. This is created and added by the system administrator. See Generating a Syslog Custom Summary Report.
• Severity Level Summary Report: Summarizes messages in order of severity level (emergencies, alerts, critical, etc.). You can select a group of devices and a range of dates for your report. From this summary, you can display detailed reports of each type of message. See Generating a Severity Level Summary Report.
• Standard Report: Shows logged messages for a group of devices within a selected range of dates. See Generating a Standard Report.
• Unexpected Device Report: Provides syslog information from all devices on your network that have not been added to RME, if they have been configured to send messages to the server. See Generating an Unexpected Device Report.
You can also define custom report templates using the Custom Reports Templates option (RME > Reports > Custom Reports Templates). The report templates that you create are displayed in the Report Generator.
Note
You can select the log level settings for the Syslog application using the feature Application Log Level Settings (Resource Manager Essentials > Admin > System Preferences > Loglevel Settings).
For the new features in this release, see What's New in this Release.
Overview: Common Syslog Collector
Common Syslog Collector is a service to receive, filter and forward syslogs to one or more Syslog Servers, thus reducing traffic on the network as well as processing load on the server.
The Common Syslog Collector can be installed on the CiscoWorks Server, or on a remote UNIX or Windows machine, to process Syslog messages. You can uninstall the Syslog Collector later if you no longer want to run it on a remote UNIX or Windows server.
Common Syslog Collector (CSC) is a service that runs independently, listens for syslogs and forwards them to the registered applications after necessary filtering. This way, the parsing/filtering is taken away from the applications and each device sends only one copy of the processed, valid syslogs to the Common Syslog Collector. Even though CSC runs independently, it can run either remotely or locally on the machine where an application is running.
The RME server and the Syslog Collector exchange updates such as status and filters.
You can configure the service to read syslogs from a specified file. This can be provided in a properties file located at:
On Solaris:
$NMSROOT/MDC/tomcat/webapps/rme/WEB-INF/classes/com/cisco/nm/rmeng/csc/data/Collector.properties
On Windows:
%NMSROOT%\MDC\tomcat\webapps\rme\WEB-INF\classes\com\cisco\nm\rmeng\csc\data\Collector.properties
See the Installation and Setup Guide for Resource Manager Essentials, for the complete details.
If the devices and the CSC run in different time zones, syslogs are marked with the timestamp of the CSC if they do not have a timestamp when they are received, or if the timestamp format is not correct.
The device takes daylight saving settings into account when it timestamps messages. CSC supports all the time zones that Common Services 3.0 supports; alternatively, you can provide the time zone information. See the Installation and Setup Guide for Resource Manager Essentials for the complete details.
After the Syslog Analyzer has been registered with the Collector, it:
• Receives the filters it needs from the RME server to filter Syslog messages.
• Sends status to the Syslog Analyzer process about the collected Syslog messages upon request from the Analyzer, including the number of messages read, number of messages filtered, and number of messages with bad syntax. It also forwards unfiltered messages to the Syslog Analyzer process.
If the Syslog Analyzer does not send any filters, then the Collector sends all the syslogs to the Analyzer without filtering.
If the RME server is restarted, Syslog Collector will lose communication to the RME server. Based on the current filters, it continues to filter the syslogs and stores them in a local file:
NMSROOT\MDC\tomcat\webapps\rme\WEB-INF\classes\com\cisco\nm\rmeng\csc\data\server name_port\DowntimeSyslogs.log
The Syslog Analyzer will automatically restore the connection after RME server restart.
For the complete instructions on installing the Common Syslog Collector, see the Installation and Setup Guide for Resource Manager Essentials.
Viewing Status and Subscribing to a Common Syslog Collector
Using the Syslog Collector Status dialog box you can:
• View the status of your Common Syslog Collector (see Viewing Common Syslog Collector Status).
• Subscribe to a Common Syslog Collector (see Subscribing to a Common Syslog Collector).
Note
View the Permission Report (Common Services > Server > Reports) to check if you have the required privileges to perform this task.
Viewing Common Syslog Collector Status
To view the status of the Common Syslog Collector to which the Syslog Analyzer is subscribed, follow this procedure:
Select Resource Manager Essentials > Tools > Syslog > Syslog Collector Status.
The Collector Status dialog box appears, with this information:
Column | Description
Name | Hostname or the IP address of the host on which the Collector is installed.
Forwarded | Number of forwarded Syslog messages.
Invalid | Number of invalid Syslog messages.
Filtered | Number of filtered messages. Filters are defined with the Message Filters option (see Defining Message Filters).
Dropped | Number of Syslog messages dropped.
Received | Number of Syslog messages received.
Up Time | Time duration for which the Syslog Collector has been up.
Update Time | Date and time of the last update. Time and time zone are those of the CiscoWorks Server.
If you want to refresh the information in this dialog box, click Update.
If you have restarted the RME daemon manager, the Syslog Collector Status processes (under Resource Manager Essentials > Tools > Syslog) may take 6-10 minutes to come up after the Syslog Analyzer processes come up. In this interval, you may see the following message:
Collector Status is currently not available.
Check if the SyslogAnalyzer process is running normally.
Wait for the Syslog Collector status process to come up and try again.
To subscribe to a Common Syslog Collector using the Subscribe button, see Subscribing to a Common Syslog Collector.
Subscribing to a Common Syslog Collector
Before you subscribe to a Common Syslog Collector, ensure these prerequisites are met:
Check whether:
1. The Self-signed Certificates are valid. For example, check the expiry date of the certificates on both the servers.
2. The Self-signed Certificates from this server are copied to the Syslog Collector server and vice-versa. To do this, go to Common Service Administration > Server Configuration > Security. Use the Peer certificate dialog box. See the User Guide for Common Services for more details.
3. The SyslogCollector process on the Syslog Collector server and the SyslogAnalyzer process on this server are restarted after Step 2.
4. Both hosts are reachable by host name.
To subscribe to a Common Syslog Collector:
Step 1
Select Resource Manager Essentials > Tools > Syslog.
The Collector Status dialog box appears. For the information in the columns in the dialog box, see Viewing Common Syslog Collector Status.
Step 2
Click Subscribe.
The following message appears:
Check if:
1. Self-signed Certificates from this server are copied to the Syslog Collector server and vice-versa. You can perform this operation from Common Service Administration > Server Configuration > Security > Peer certificate screen.
2. Syslog Collector process on SyslogCollector server and SyslogAnalyzer process on this server is restarted after step 1.
3. Both hosts are reachable by host name.
4. Certificates are valid.
The Subscribe Collector dialog box appears.
Step 3
Click OK.
Step 4
Enter the address of the Common Syslog Collector to which you want to subscribe.
Step 5
Click OK.
The Syslog Analyzer server is subscribed to the specified Common Syslog Collector.
If you are already subscribed to a Syslog collector, and you want to unsubscribe, select the collector and click the Unsubscribe button.
Understanding the Syslog Collector Properties File
After installing the Syslog Collector on a remote system, you need to check the Syslog Collector Properties file to ensure that the Collector is configured properly.
The Syslog Collector Properties file is available at this location:
On Solaris:
$NMSROOT/MDC/tomcat/webapps/rme/WEB-INF/classes/com/cisco/nm/rmeng/csc/data/Collector.properties
On Windows:
%NMSROOT%\MDC\tomcat\webapps\rme\WEB-INF\classes\com\cisco\nm\rmeng\csc\data\Collector.properties
The following table describes the Syslog Collector Properties file:
Timezone-Related Properties | Description
TIMEZONE | The timezone of the system where the Syslog Collector is running. Enter the correct abbreviation for the timezone. For example, the time zone for India is IST. For the correct timezone abbreviation, see the Timezone file in the following location. On Solaris: /opt/CSCOpx/MDC/tomcat/webapps/rme/WEB-INF/classes/com/cisco/nm/rmeng/fcss/data/TimeZone.lst. On Windows: %NMSROOT%\MDC\tomcat\webapps\rme\WEB-INF\classes\com\cisco\nm\rmeng\fcss\data\TimeZone.lst. See Timezone List Used By Syslog Collector.
COUNTRY_CODE | Country code for the Syslog Collector. We recommend that you set the country code variable with the appropriate country code, to make sure that the Syslog timestamp conversion works correctly. For example, if you are in Singapore, you must set the country code variable as COUNTRY=SGP.
TIMEZONE_FILE | The path of the Timezone file. This file contains the offsets for the time zones. After installing the Syslog Collector, ensure that the offset specified in this file is as expected. If it is not present or is incorrect, you can add the timezone offset as per the convention. The default path is, on Solaris: /opt/CSCOpx/MDC/tomcat/webapps/rme/WEB-INF/classes/com/cisco/nm/rmeng/fcss/data/TimeZone.lst. On Windows: %NMSROOT%\MDC\tomcat\webapps\rme\WEB-INF\classes\com\cisco\nm\rmeng\fcss\data\TimeZone.lst.
General Properties
SYSLOG_FILES | Filename and location of the file from which syslog messages are read. The default location is, on Solaris: /var/log/syslog_info. On Windows: %NMSROOT%\log\syslog.log.
DEBUG_CATEGORY_NAME | Name Syslog Collector uses for printed ERROR or DEBUG messages. The default category name is SyslogCollector. We recommend that you do not change the default value.
DEBUG_FILE | Filename and location of the Syslog Collector log file containing debug information. The default location is, on Solaris: /var/adm/CSCOpx/log/CollectorDebug.log. On Windows: %NMSROOT%\log\CollectorDebug.log.
DEBUG_LEVEL | Debug level at which you run the Syslog Collector. We recommend that you retain the default INFO, which reports informational messages. Setting it to any other value might result in a large number of debug messages being reported. If you change the debug level, you must restart the Syslog Collector. The values for the debug levels are: Warning, Debug, Error, Info.
DEBUG_MAX_FILE_SIZE | The maximum size of the log file containing the debug information. The default is set to 5 MB. If the file size exceeds the limit that you have set, Syslog Collector writes to another file, based on the number of backup files that you have specified for the DEBUG_MAX_BACKUPS property. For example, if you have specified the number of backups as 2, besides the current log file, there will be two backup files, each 5 MB in size. When the current file exceeds the 5 MB limit, Syslog Collector overwrites the oldest of the two backup files.
DEBUG_MAX_BACKUPS | The number of backup files that you require. The size of these will be the value that you have specified for the DEBUG_MAX_FILE_SIZE property.
Miscellaneous Properties
READ_INTERVAL_IN_SECS | The interval at which the Collector polls the syslog file. The default is set to 1 second.
QUEUE_CAPACITY | The size of the internal buffer for queuing syslog messages. The default is set to 100000.
PARSER_FILE | The file that contains the list of parsers used while parsing syslog messages. The default path of the parser file is, on Solaris: /opt/CSCOpx/MDC/tomcat/webapps/rme/WEB-INF/classes/com/cisco/nm/rmeng/fcss/data/FormatParsers.lst. On Windows: %NMSROOT%\MDC\tomcat\webapps\rme\WEB-INF\classes\com\cisco\nm\rmeng\fcss\data\FormatParsers.lst.
SUBSCRIPTION_DATA_FILE | The Syslog Collector data file that contains the information about the Syslog Analyzers that are subscribed to the Collector. The default path of the data file is, on Solaris: /opt/CSCOpx/MDC/tomcat/webapps/rme/WEB-INF/classes/com/cisco/nm/rmeng/csc/data/Subscribers.dat. On Windows: %NMSROOT%\MDC\tomcat\webapps\rme\WEB-INF\classes\com\cisco\nm\rmeng\csc\data\Subscribers.dat.
FILTER_THREADS | The number of threads that operate at a time for filtering syslog messages. The default is set to 1.
COLLECTOR_PORT | The port where the Collector listens for registration requests from Syslog Analyzers. The default is set to 4444.
Timezone List Used By Syslog Collector
In the Syslog Collector Properties file, you must enter the correct abbreviation for the timezone of the system where the Syslog Collector is running. See Understanding the Syslog Collector Properties File.
For the correct timezone abbreviation, see the Timezone file in the following location:
$NMSROOT/MDC/tomcat/webapps/rme/WEB-INF/classes/com/cisco/nm/rmeng/fcss/data/TimeZone.lst
Each entry in the TimeZone.lst file represents a timezone abbreviation and its offset from GMT. Each offset is stored as 10 times the actual offset in hours. For example, the actual offset for IST is 5.5 hours, and the corresponding entry here is 55.
You must use the same convention when you modify the file.
The following is the timezone list used by SyslogCollector:
Time Zone List Used by Syslog Collector
ACT=95
ADT=30
AET=100
AEST=100
AGT=-30
AHST=-100
ART=20
AST=-90
AT=-20
BET=-30
BST=10
BT=30
CAT=10
CCT=80
CDT=-50
CEST=20
CET=10
CNT=-35
CST=-60
CTT=80
EADT=-110
EAST=100
EAT=30
ECT=10
EDT=-40
EET=20
EST=-50
FST=-20
FWT=10
GMT=0
GST=100
HDT=90
HST=-100
IDLE=120
IDLW=-120
IET=-50
IST=55
JST=90
MDT=-60
MEST=-20
MESZ=-20
MET=10
MEWT=10
MIT=-110
MST=-70
MYT=80
NET=40
NST=120
NT=-110
NZDT=130
NZST=120
NZT=120
PDT=-70
PLT=50
PNT=-70
PRT=-40
PST=-80
SST=110
SWT=10
UTC=0
VST=70
WADT=-80
WAST=70
WAT=-10
YDT=-80
YST=-90
ZP4=40
ZP5=50
ZP6=50
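The following Python example is an addition to this guide, not code from RME. It parses text in the ABBREVIATION=offset form shown above (offset stored as 10 times the hours), reports entries that break that convention, and converts a device timestamp to server time with the fallback to the server zone described earlier. The function names, the timestamp format and the sample entries are assumptions made for this example.

```python
from datetime import datetime, timedelta, timezone


def parse_timezone_list(text):
    """Parse TimeZone.lst-style text into ({abbreviation: timedelta}, problems).

    problems is a list of (line number, reason) for entries that do not follow
    the "offset = 10 x hours" convention.
    """
    offsets, problems = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        abbr, sep, value = (part.strip() for part in line.partition("="))
        if not sep or not abbr:
            problems.append((lineno, "not in ABBREVIATION=offset form"))
            continue
        try:
            tenths = int(value)  # 55 means 5.5 hours; "5.5" is rejected
        except ValueError:
            problems.append((lineno, f"{abbr}: offset {value!r} is not an integer"))
            continue
        # Real-world offsets lie between UTC-12:00 and UTC+14:00.
        if not -120 <= tenths <= 140:
            problems.append((lineno, f"{abbr}: {tenths} is not 10 x an hour offset"))
            continue
        delta = timedelta(minutes=tenths * 6)  # one tenth of an hour = 6 minutes
        if abbr in offsets and offsets[abbr] != delta:
            problems.append((lineno, f"{abbr}: conflicts with an earlier entry"))
            continue
        offsets[abbr] = delta
    return offsets, problems


def to_server_time(stamp, device_abbr, server_abbr, offsets):
    """Convert a device-local timestamp to the server time zone.

    A device abbreviation that is missing or not in the list is treated as the
    server time zone, as the guide describes. The "YYYY-MM-DD HH:MM:SS" input
    format is an assumption of this example.
    """
    server_tz = timezone(offsets[server_abbr], server_abbr)
    if device_abbr in offsets:
        device_tz = timezone(offsets[device_abbr], device_abbr)
    else:
        device_tz = server_tz
    local = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S").replace(tzinfo=device_tz)
    return local.astimezone(server_tz)


# Entries taken from the list above.
GOOD_LIST = "GMT=0\nIST=55\nPST=-80\nCNT=-35\n"

# Constructed entries showing typical editing mistakes.
BAD_LIST = "IST=5.5\nNPT=345\nPST\nEST=-50\nEST=-40\n"

if __name__ == "__main__":
    offsets, _ = parse_timezone_list(GOOD_LIST)
    # Device in India, server in California (the scenario used in this guide).
    print(to_server_time("2024-01-15 18:30:00", "IST", "PST", offsets))
    for lineno, reason in parse_timezone_list(BAD_LIST)[1]:
        print(f"line {lineno}: {reason}")
```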
Using Syslog Analyzer
The following is the workflow for Syslog Analyzer:
Step 1
Configure devices (see Configuring Devices to Send Syslogs).
Step 2
Configure the Common Syslog Collector which is installed during the RME installation, or install another Remote Syslog Collector on another machine (see the Installation and Setup Guide for Resource Manager Essentials).
Step 3
Perform various tasks such as defining and managing filters, automated actions, setting back-up policy, setting the purge policy, performing a forced purge, defining custom reports templates, specifying the path for the Syslog message file, etc.
See:
• Setting the Backup Policy
• Setting the Purge Policy
• Performing a Forced Purge
• Defining Custom Report Templates
• Defining Automated Actions
• Defining Message Filters
Step 4
Generate various reports such as Custom Summary report, Severity Level Summary report, Standard Report, Unexpected Device report and Workflow report. See:
• Overview: Syslog Analyzer Reports
• Generating a Syslog Custom Summary Report
• Generating a Severity Level Summary Report
• Generating a Standard Report
• Generating an Unexpected Device Report
Using Syslog Service on Windows
System message logging is not part of the Windows operating system. Therefore, the CiscoWorks Server provides logging service to Windows users.
The logging service saves each system message to NMSROOT\log\syslog.log (where NMSROOT is the RME installation directory).
Syslog Analyzer reads and processes the messages in this file, and writes them to the RME database. The Syslog processes use the database information to generate Syslog reports.
When the syslog.log file gets too big, you can stop the Syslog Analyzer (Start > Settings > Control Panel > Services) and delete the log file.
Note
View the Permission Report (Common Services > Server > Reports) to check if you have the required privileges to perform this task.
Step 1
Select Common Services > Server > Admin > Processes.
The Process Management dialog box appears.
Step 2
Select SyslogCollector and click Stop.
Step 3
Open the Windows Control Panel and select Administrative tools > Services.
Step 4
Select CWCS syslog service, and click Stop.
Step 5
Delete the NMSROOT\log\syslog.log file.
• To restart the syslog service in the Control Panel, click Start next to the CWCS syslog service.
• To restart the SyslogAnalyzer process in RME, select Common Services > Server > Admin > Processes and click Start.
Checking the Syslog Configuration File on UNIX
Check the path and permissions of the file pointed to by local7.info in the syslog configuration file /etc/syslog.conf on the RME server.
Note
The first occurrence of local7 in the syslog.conf file must contain the path for the Syslog message source.
Step 1
Make sure that the facility.level definition is set to local7.info, and that the following line is present (there must be a tab between local7.info and the path/filename):
local7.info	path/filename
Step 2
Make sure that the syslog process (syslogd) can both read and write to the file.
• If you modify the /etc/syslog.conf file, you must restart the syslog process (syslogd). Enter the following command to stop and restart syslogd:
• If the start and stop command do not work, enter:
kill -HUP `cat /etc/syslog.pid`
Step 3
Make sure the path for Syslog message file in the CiscoWorks Server is the same as the filename you specified in the syslog.conf file.
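The checks in Steps 1 to 3 can be scripted. The following Python example is an addition to this guide, not part of RME: it inspects the first local7 entry in syslog.conf text and the mode bits of the log file. The function names and finding codes are hypothetical, the sample configurations are constructed, the owner read/write test assumes syslogd runs as the file owner, and the world-writable test is an extra hardening check that this guide does not require.

```python
import os
import re
import stat

# Meaning of the finding codes returned below (codes are this example's own).
MESSAGES = {
    "missing": "no local7 entry in the file",
    "selector": "first local7 entry is not local7.info",
    "separator": "selector and path are not separated by tab characters only",
    "path": "first local7 entry does not name the file the Collector reads",
    "absent": "log file does not exist or cannot be examined",
    "not_regular": "log path is not a regular file",
    "owner_rw": "file owner cannot both read and write the file",
    "world_writable": "any local user can modify the log file",
}


def check_syslog_conf(conf_text, expected_path):
    """Return finding codes for the first local7 entry in syslog.conf text.

    expected_path is the Syslog message file configured on the CiscoWorks
    Server (Step 3).
    """
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "local7" not in line:
            continue
        # Only the first occurrence of local7 is considered, as the Note says.
        selector, separator, action = re.match(r"(\S+)([ \t]*)(.*)$", line).groups()
        findings = []
        if "local7.info" not in selector.split(";"):
            findings.append("selector")
        if not separator or " " in separator:
            findings.append("separator")
        if action != expected_path:
            findings.append("path")
        return findings
    return ["missing"]


def check_log_file(path):
    """Return finding codes for the log file's type and permission bits."""
    try:
        mode = os.stat(path).st_mode
    except OSError:
        return ["absent"]
    findings = []
    if not stat.S_ISREG(mode):
        findings.append("not_regular")
    owner_rw = stat.S_IRUSR | stat.S_IWUSR
    if (mode & owner_rw) != owner_rw:
        findings.append("owner_rw")
    if mode & stat.S_IWOTH:
        findings.append("world_writable")
    return findings


# Constructed syslog.conf samples; /var/log/syslog_info is the Solaris default
# location given for SYSLOG_FILES in this guide.
GOOD_CONF = "# constructed sample\n*.err;kern.debug\t/var/adm/messages\nlocal7.info\t/var/log/syslog_info\n"
SPACES_CONF = "local7.info    /var/log/syslog_info\n"
SHADOWED_CONF = "local7.debug\t/var/log/other\nlocal7.info\t/var/log/syslog_info\n"

if __name__ == "__main__":
    for name, conf in [("good", GOOD_CONF), ("spaces", SPACES_CONF),
                       ("shadowed", SHADOWED_CONF)]:
        codes = check_syslog_conf(conf, "/var/log/syslog_info")
        print(name, [MESSAGES[c] for c in codes])
```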
Stopping and Restarting Syslog Analyzer
To stop Syslog Analyzer:
Step 1
Select Common Services > Server > Admin > Processes.
The Process Management dialog box appears.
Step 2
Select SyslogAnalyzer.
Step 3
Click Stop.
To restart Syslog Analyzer:
Step 1
Select Common Services > Server > Admin > Processes.
The Process Management dialog box appears.
Step 2
Select SyslogAnalyzer.
Step 3
Click Start.
Viewing Syslog Analyzer Status
You can check Syslog status using this option.
Note
View the Permission Report (Common Services > Server > Reports) to check if you have the required privileges to perform this task.
Step 1
Click Common Services > Server > Admin > Processes.
The Process Management dialog box appears.
Step 2
Click SyslogAnalyzer (hyperlink) to view process details.
The Process Details window appears.
Field | Data
Process | Process name
Path | Fully qualified path name for the Java Runtime Environment (JRE)
Flags | Java package name and class file of the Syslog Analyzer program
Startup | When the process was started
Dependencies | Prerequisite processes
Configuring Devices to Send Syslogs
Syslog Analyzer lets you centrally log and track system error messages, exceptions, and other information (such as device configuration changes) that you can use to analyze device and network performance.
Configure devices to forward messages to the RME server or to a system on which you have installed the Common Syslog Collector. For details about the Syslog Collector, see the Installation Guide for RME 4.0.
For more information about setting up devices for message logging, see the Cisco IOS Software Documentation on Cisco.com.
On UNIX systems, make sure that the Syslog facility for the device is set to local7. Messages from devices are continuously added to the file pointed to by the logging facility local7.info in the /etc/syslog.conf (syslog configuration) file.
The first occurrence of local7 in the syslog.conf file must contain the path for the Syslog message source.
Note
View the Permission Report (Common Services > Server > Reports) to check if you have the required privileges to perform this task.
You can configure the devices for sending Syslog messages to RME server in the following ways:
• Configuring the Device Using Telnet
  – IOS Devices
  – Catalyst Devices
  – Content Service Switches Devices
  – Content Engine Devices
• Configuring the Device Using NetConfig Syslog Task
Configuring the Device Using Telnet
This section details how to configure devices using Telnet.
IOS Devices
To configure IOS devices using Telnet:
Step 1
Connect to the device using Telnet and log in.
The prompt changes to host>.
Step 2
Enter enable and the enable password.
The prompt changes to host#.
Step 3
Enter configure terminal.
You are now in configuration mode, and the prompt changes to host(config)#.
• To make sure logging is enabled, enter logging on.
• To specify the RME server to receive the router Syslog messages, enter logging IP address, where IP address is the server IP address.
• To limit the types of messages that can be logged to the RME server, enter logging trap informational to set the appropriate logging trap level, where informational signifies severity level 6. This means all messages from level 0-5 (from emergencies to notifications) will be logged to the RME server.
Step 4
Verify that the syslog filter settings are correct and that syslog is running.
Catalyst Devices
To configure Catalyst devices using Telnet:
Step 1
Connect to the device using Telnet and log in.
The prompt changes to host.
Step 2
Enter enable and the enable password.
The prompt changes to host#.
• To make sure logging is enabled, enter set logging server enable.
• To specify the RME server that is to receive the Catalyst devices Syslog messages, enter set logging server IP address, where IP address is the server IP address.
• To limit the types of messages that can be logged to the RME server, enter set logging level all 6 default. This means that all messages from level 0-5 (from emergencies to notifications) will be logged to the RME server.
Step 3
See the appropriate Catalyst reference manual for more information.
Step 4
Verify that the syslog filter settings (see Defining Message Filters) are correct and that syslog is running.
Content Service Switches Devices
To configure Content Service Switches (CSS) devices using Telnet:
Step 1
Connect to the device using Telnet and enter into the Global Configuration mode.
Step 2
Run the following commands:
logging commands enable
logging host CiscoWorks IP address
logging facility local7
Content Engine Devices
To configure Content Engine (CE) devices using Telnet:
Step 1
Connect to the device using Telnet and enter into the Global Configuration mode.
Step 2
Run the following commands:
logging host CiscoWorks IP address
logging facility local7
NAM Devices
To configure NAM devices using Telnet:
Step 1
Connect to the device using Telnet and enter into the Global Configuration mode.
Step 2
Run the following commands:
remote-host CiscoWorks IP address
logging facility local7
PIX Devices
To configure PIX devices using Telnet:
Step 1
Connect to the device using Telnet and enter into the Global Configuration mode.
Step 2
Run the following commands:
logging host [in_if_name] CiscoWorks IP address [protocol/port] [format emblem], where:
• in_if_name is the interface on which the syslog server resides.
• CiscoWorks IP address is the address of the CiscoWorks server.
• protocol is the protocol over which the syslog message is sent; either tcp or udp. PIX Firewall only sends TCP syslog messages to the PIX Firewall Syslog Server. You can only view the port and protocol values you previously entered by using the write terminal command and finding the command in the listing; the TCP protocol is listed as 6 and the UDP protocol is listed as 17.
• port is the port from which the PIX Firewall sends either UDP or TCP syslog messages. This must be the same port at which the syslog server listens. For the UDP port, the default is 514 and the allowable range for changing the value is 1025 through 65535. For the TCP port, the default is 1470, and the allowable range is 1025 through 65535. TCP ports only work with the PIX Firewall Syslog Server.
• format emblem is the option that enables EMBLEM format logging on a per-syslog-server basis. EMBLEM format logging is available for UDP syslog messages only and is disabled by default.
Configuring the Device Using NetConfig Syslog Task
This section details how to configure devices using the NetConfig Syslog task.
Use the job definition wizard in NetConfig to create and schedule a NetConfig job. For more details see the Making and Deploying Configuration Changes Using NetConfig topics.
See the following procedure to launch the NetConfig application and use the NetConfig Syslog task in a job:
Step 1
Select Resource Manager Essentials > Config Mgmt > NetConfig.
The NetConfig Job Browser appears.
Ensure that you have set the transport protocol order and password policy for your job using Resource Manager Essentials > Admin > Config Mgmt > Archive Mgmt. See the topics Configuring Transport Protocols and Configuring Default Job Policies in the section, Archiving Configurations and Managing Them Using Archive Management.
For the fields in the NetConfig Job Browser, see Starting a New NetConfig Job in the section Making and Deploying Configuration Changes Using NetConfig.
Step 2
Click Create.
The Devices and Tasks dialog box appears, with these panes:
Step 3
Select the devices from the Device Selector pane.
For details about the Device Selector, see the topic Using RME Device Selector in the section Adding and Troubleshooting Devices Using Device Management.
Step 4
Select the required task from the All tab, using the Task Selector.
Your selection appears in the Selection pane. You can select one or more tasks at a time.
Step 5
Click Next.
The Add Tasks dialog box appears with these panes:
Table 14-4 Panes in the Add Tasks Dialog Box
Pane | Description
Applicable Tasks | Allows you to add a task. The task that you selected using the Task Selector, appears here. From your selection, only the tasks that are applicable to at least one device that you have selected, appear here. If the task that you have selected does not apply to the categories of any of the devices that you have selected, it will not be displayed in the Applicable Tasks pane. Select a task and click Add to create an instance for the task (see Step 6).
Added Instances | Allows you to edit the task instance you have added, view its CLI, or delete it. Select the instance of the task, and click the required button (see Table 9-1).
Table 14-5 Tasks Performed by Buttons in the Added Instances Pane
Button | Description
Edit | Task pop-up opens with previously assigned values. You can edit these values and click Save.
View CLI | Device Commands pop-up opens with the list of applicable devices and their corresponding CLI commands. Devices in your selection for which the commands are not applicable, are also displayed as Non-Applicable Devices. Click Close. You can edit an instance of a configuration task (and its configuration commands) at any time before the job is scheduled.
Delete | Deletes the selected task instance. You can delete an instance of a configuration task (and its configuration commands) at any time before the job is scheduled.
Step 6
Select the Syslog configuration task from the Applicable Tasks pane and click Add.
The Syslog Configuration Task (system-defined or user-defined) pop-up appears for the selected task (see Creating and Editing User-defined Tasks in the section Making and Deploying Configuration Changes Using NetConfig).
This is a dynamic user interface. The Syslog Configuration task dialog box displays parameters based on your device selection in the Device Selector. For example, if you have selected Content Engine devices, you will be able to specify Content Engine parameters in this dialog box. If not, this section will not be available to you.
Step 7
Set the parameters in the task dialog box and click Save.
(To reset the values that you have selected click Reset. Click Cancel to return to the previous dialog box, without saving your changes.)
You will see the instance of the task in the Added Tasks pane of the Add Tasks dialog box. The instance appears in this format:
Taskname_n, where Taskname is the name of the task you have added, and n is the number of the instance. For example, the first instance of a Banner task is Banner_1.
You can add as many instances as required, for a task.
Step 8
Click Next.
The Job Schedule and Options dialog box appears.
Step 9
Set the schedule for the job, in the Scheduling pane.
Step 10
Set the job options, in the Job Options pane.
To view the device order, click Device Order. The Set Device Order pop-up appears.
You can reset the order in which the job should be executed on the devices using the up and down arrows. When you are done, click Done. The pop-up closes.
Step 11
Click Next.
The Job Work Order dialog box appears with the general information about the job, the job policies, the Job Approval details (if you have enabled job approval), the device details, the task, and the CLI commands that will be executed on the selected devices as part of this job.
Step 12
Click Finish after you review the details of your job in the Job Work Order dialog box.
A job confirmation message appears along with the Job ID. The newly created job appears in the NetConfig Job Browser.
For the complete procedure on how to schedule the NetConfig job see Starting a New NetConfig Job in the section Making and Deploying Configuration Changes Using NetConfig.
Also see Syslog Task in the section Making and Deploying Configuration Changes Using NetConfig.
Syslog Administrative Tasks
You can perform the following Administrative tasks:
• Back up syslog messages (see Setting the Backup Policy).
• Purge syslog messages (see Setting the Purge Policy).
• Perform a forced purge (see Performing a Forced Purge).
Note
View the Permission Report (Common Services > Server > Reports) to check if you have the required privileges to perform these tasks.
Setting the Backup Policy
The Backup Configuration feature allows you to save the Syslog messages to a flat file. The syslog data that is trimmed from the database will be moved to the flat file.
Note
In Solaris, the backup file is created with -rw-r----- casuser casusers irrespective of the permissions given to the directory for backup on purge. In Windows, the backup file inherits the permission and ownership of the directory it is created in, which is the directory selected as the backup location (on purge).
View the Permission Report (Common Services > Server > Reports) to check if you have the required privileges to perform this task.
To set up the backup policy:
Step 1
Select Resource Manager Essentials > Admin > Syslog > Set Backup Policy.
The Backup Policy dialog box appears.
By default, the backup policy is set to disabled.
Step 2
Select Enable to enable the backup process for Syslog messages, after configuring backup.
Step 3
Click Browse to select the backup file location.
The Server Side File Browser dialog box appears.
In the Server Side File Browser dialog box:
a. Specify the external directory.
The external directory must be under the syslog directory, or a sub-directory within the syslog directory. For example, $NMSROOT/files/rme/syslog/sysbackup.
The external directory cannot be outside the syslog directory. If you attempt to navigate outside the syslog directory, an error message appears.
b. Select Directory Content.
c. Click OK.
Step 4
Enter the maximum size that you want to set for the backup file. By default this is set to 100 MB.
Step 5
Enter the e-mail ID of the user who should receive a notification, if the backup fails. You can enter multiple e-mail addresses separated with commas. This is a mandatory field.
Configure the SMTP server to send e-mails in the View/Edit System Preferences dialog box (Common Services > Server > Admin > System Preferences).
We recommend that you configure the CiscoWorks E-mail ID in the View / Edit System Preferences dialog box (Common Services > Server > Admin > System Preferences). When the job completes, an e-mail is sent with the CiscoWorks E-mail ID as the sender's address.
If you also want a notification to be sent when the backup is a success, select Also Notify on Success.
Step 6
Either click Save to save the backup configuration details that you have specified or click Reset to clear the values that you specified and reset to the previously saved values in the dialog box.
If you have clicked Save, the backup will continue to save the data even after the data has exceeded the specified size of the backup file. However, the system will send an e-mail asking you to clean up the backup file.
Setting the Purge Policy
You can specify a default policy for the periodic purging of Syslog messages.
If you access a table either through immediate reports, report jobs or by any other means, the database locks the table and therefore the table will not be successfully purged. However, during the successive purge operations such a table will be purged.
A purge job is enabled by default, and is scheduled to run at 1:00 AM daily.
To specify your default purge policy:
Step 1
Select Resource Manager Essentials > Admin > Syslog > Set Purge Policy.
The Purge Policy dialog box appears.
Step 2
Specify the number of days in the Purge records older than field.
Only the records older than the number of days that you specify here, will be purged. The default value is 7 days. This is a mandatory field.
Caution 
You might delete data by changing these values. If you change the number of days to values lower than the current values, messages over the new limits will be deleted.
If the data of a particular day is being accessed either through immediate reports, report jobs, or by any other means, it will not be purged. However, during the successive purge operations this data will be purged.
Step 3
Specify the periodicity of the purge in the Run Type field. This can be monthly, daily, or weekly.
Step 4
Select the start date using the calendar icon, to populate the date field in the dd-mmm-yyyy format (For example, 02-Dec-2004). This is a mandatory field.
Step 5
Enter the start time in the At field, in the hh:mm:ss format (23:00:00). This is a mandatory field.
The Job Description field has a default description—Syslog Records - default purge job.
Enter the e-mail ID of the user who should be notified when the scheduled purge is complete. You can enter more than one e-mail ID separated by commas. This is a mandatory field. Configure the SMTP server to send e-mails in the View / Edit System Preferences dialog box (Common Services > Server > Admin > System Preferences).
We recommend that you configure the CiscoWorks E-mail ID in the View / Edit System Preferences dialog box (Common Services > Server > Admin > System Preferences). When the job completes, an e-mail is sent with the CiscoWorks E-mail ID as the sender's address.
Step 6
Either click Save to save the purge policy that you have specified, or click Reset to clear the values that you specified and reset the defaults in the dialog box.
You can view the scheduled purge job in the Common Services JRM Job Browser (Common Services > Server > Admin > Job Browser).
Performing a Forced Purge
You can perform a forced purge of Syslog messages, as required.
If you access a table either through immediate reports, report jobs or by any other means, the database locks the table and therefore the table will not be successfully purged. However, during the successive purge operations such a table will be purged.
To perform a forced purge:
Step 1
Select Resource Manager Essentials > Admin > Syslog > Force Purge.
The Force Purge dialog box appears.
Step 2
Enter the information required to perform a Forced Purge:
Field | Description
Purge records older than | Enter the number of days. Only the records older than the number of days that you specify here, will be purged. This is a mandatory field. If the data of a particular day is being accessed either through immediate reports, report jobs, or by any other means, it will not be purged. However, during the successive purge operations this data will be purged.
Scheduling
Run Type | Specify whether the purge is to be immediate or once. • If you select Immediate, all the other options will be disabled for you. • If you select Once, you can specify the start date and time and also provide the job description (mandatory) and the e-mail ID for the notification after the scheduled purge is complete. Configure the SMTP server to send e-mails in the View / Edit System Preferences dialog box (Common Services > Server > Admin > System Preferences). We recommend that you configure the CiscoWorks E-mail ID in the View / Edit System Preferences dialog box (Common Services > Server > Admin > System Preferences). When the job completes, an e-mail is sent with the CiscoWorks E-mail ID as the sender's address.
Date | Select the start date using the calendar icon, to populate the Date field in the dd-mmm-yyyy format, for example, 02-Dec-2004. This is a mandatory field. The Date field is enabled only if you have selected Once as the Run Type.
at | Enter the start time, in the hh:mm:ss format (23:00:00). The at field is enabled only if you have selected Once as the Run Type.
Job Info
Job Description | Enter a description for the forced purge job. The Job Description field is enabled only if you have selected Once as the Run Type. This is a mandatory field. Accepts alphanumeric values.
E-mail | Enter the e-mail ID of the user who should be notified when the Forced Purge is complete. You can enter more than one e-mail ID separated by commas. The e-mail field is enabled only if you have selected Once as the Run Type. Configure the SMTP server to send e-mails in the View / Edit System Preferences dialog box (Common Services > Server > Admin > System Preferences). We recommend that you configure the CiscoWorks E-mail ID in the View / Edit System Preferences dialog box (Common Services > Server > Admin > System Preferences). When the job completes, an e-mail is sent with the CiscoWorks E-mail ID as the sender's address.
Step 3
Click Submit for the Forced Purge to become effective.
To clear the values that you specified and reset the defaults in the dialog box, click Reset.
You can view the scheduled force purge job in the Common Services JRM Job Browser (Common Services > Server > Admin > Job Browser).
Defining Custom Report Templates
When you create a custom report template, you select the syslog message types you want reported. The Custom Templates option lets you create a custom template, and edit or delete existing custom templates.
When you select Resource Manager Essentials > Reports > Custom Templates, a list of all Custom Templates is displayed in the dialog box on the Custom Templates page.
The columns in the Custom Templates dialog box are:
Column | Description
Template Name | Name of the template.
Report Type | Syslog report, or inventory report.
Owner | The user who created the template.
Last Modified Time | The date (yyyy-mm-dd) and the time (hh:mm:ss).
Using the custom templates dialog box, you can do the following tasks:
Note
View the Permission Report (Common Services > Server > Reports) to check if you have the required privileges to perform this task.
Creating a Custom Report Template
To create a custom report template:
Step 1
Select Resource Manager Essentials > Reports > Custom Report Templates.
The custom templates dialog box appears.
Step 2
Click Create.
The Application Selection dialog box appears.
Step 3
Select Syslog.
Step 4
Click Next.
The Syslog custom report template dialog box appears. The messages that have previously been defined are displayed here.
The columns in the Syslog custom reports templates dialog box are:
Column | Description
Facility | Facility is a hardware device, a protocol, or a module of the system software; for example, SYS. See the Cisco IOS reference manual System Error Messages for a predefined list of facility codes.
Sub-Facility | Sub-Facility is the subfacility in the device that generated the Syslog message. In most cases, this is blank. An example of an entry in this field is CCM_CDR_INSERT-GENERIC-0-OutOfMemory.
Severity | The severity level for the messages. The following are the severity codes: 0—Emergencies, 1—Alerts, 2—Critical, 3—Errors, 4—Warnings, 5—Notifications, 6—Informational.
Mnemonic | Code that uniquely identifies the error message. For example, UPLOAD, RELOAD, CONFIG.
Description | Description of the Syslog message.
Step 5
Enter a unique name for the custom report template, in the Custom Report Name field.
Step 6
Specify whether you want the custom report template to be Public or Private.
Public templates can be seen and used by other users who have the permissions to do these tasks. Private templates can be seen and used only by the owner (creator) of the templates.
Using the Syslog custom report template dialog box, you can do the following tasks:
Step 7
Click Finish.
A confirmation message appears that the report has been successfully created.
Your custom report template is displayed in the dialog box on the Custom Templates page (Resource Manager Essentials > Reports > Custom Templates).
To run the report, see Running a Custom Report.
Adding a Message Type
To add a message type:
Step 1
Click Add in the Define New Message Type section of your dialog box.
The Define New Message Type dialog box appears.
Step 2
Enter the required information:
Column | Description
Facility | Enter the codes for the facilities you want reported. A facility is a hardware device, a protocol, or a module of the system software. See the Cisco IOS reference manual, System Error Messages, for a predefined list of system facility codes. Each code can consist of two or more uppercase letters. You can enter several facility codes, separated by commas, for example, SYS,ENV,LINK. If you do not enter any facility but use the asterisk, all the facilities will be reported.
Sub-Facility | Enter the codes for the sub-facilities you want reported. Sub-Facility is the subfacility in the device that generated the Syslog message. An example of an entry in this field is CCM_CDR_INSERT-GENERIC-0-OutOfMemory. This is an optional field. If you do not enter any sub-facility but use the asterisk, all the sub-facilities will be reported.
Severity | Enter codes for the message severity levels you want reported. The following codes are supported: 0—Emergencies, 1—Alerts, 2—Critical, 3—Errors, 4—Warnings, 5—Notifications, 6—Informational. If you do not enter any severity level but use the asterisk, all severity levels will be considered.
Mnemonic | Enter a code that uniquely identifies the error message. To match for Catalyst 5000 family devices, enter a hyphen (-) to indicate an empty mnemonic field. You can enter several mnemonics, separated by commas. An example is UPLOAD, RELOAD, CONFIG.
Description | Enter the Syslog message description. For example, *REBOOT*, *SNMP*, *telnet*, etc. If you do not want to specify a description, leave in the default asterisk.
Step 3
Click Save.
The new message type is added, and appears in the Define New Message Type section of your dialog box.
If you want to save the information and add another message type, click Save and Add.
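The field rules above, applied to sample lines, as an added example that is not part of the original guide or of Syslog Analyzer: it parses Cisco-style messages and tests them against a message type definition, so a definition can be checked for over-broad matching before it drives a report or an automated action. Assumptions: the %FACILITY[-SUBFACILITY]-SEVERITY[-MNEMONIC]: description layout, case-sensitive matching, a blank field treated like an asterisk, and the constructed sample lines; the product's own matcher may differ.

```python
import re
from dataclasses import dataclass

# Assumed Cisco-style body: %FACILITY[-SUBFACILITY]-SEVERITY[-MNEMONIC]: description
_MSG = re.compile(
    r"%(?P<facility>[A-Z][A-Z0-9_]*)"
    r"(?:-(?P<subfacility>[A-Z][A-Z0-9_]*))?"
    r"-(?P<severity>[0-7])"
    r"(?:-(?P<mnemonic>[A-Z0-9_]+))?"
    r":\s*(?P<description>.*)",
    re.DOTALL,
)
SEVERITY_CODES = set("0123456")  # the codes the page lists as supported


def parse(line):
    """Split one received line into the five message-type fields, or return None."""
    m = _MSG.search(line)
    if m is None:
        return None
    return {
        "facility": m["facility"],
        "subfacility": m["subfacility"] or "",
        "severity": m["severity"],
        "mnemonic": m["mnemonic"] or "-",  # hyphen stands for an empty mnemonic
        "description": m["description"].strip(),
    }


def _glob(pattern, value):
    """Match value against a pattern in which '*' is the only wildcard."""
    regex = re.escape(pattern).replace(r"\*", ".*")
    return re.fullmatch(regex, value, re.DOTALL) is not None


def _any_entry(spec, value):
    """Comma-separated entries; a blank spec is treated like '*' (assumption)."""
    entries = [e.strip() for e in spec.split(",") if e.strip()] or ["*"]
    return any(_glob(e, value) for e in entries)


@dataclass(frozen=True)
class MessageType:
    facility: str = "*"
    subfacility: str = "*"
    severity: str = "*"
    mnemonic: str = "*"
    description: str = "*"

    def __post_init__(self):
        # Reject severity codes outside the 0-6 range before the definition is used.
        for code in (c.strip() for c in self.severity.split(",")):
            if code not in ("", "*") and code not in SEVERITY_CODES:
                raise ValueError(f"unsupported severity code: {code!r}")

    def matches(self, msg):
        return (
            _any_entry(self.facility, msg["facility"])
            and _any_entry(self.subfacility, msg["subfacility"])
            and _any_entry(self.severity, msg["severity"])
            and _any_entry(self.mnemonic, msg["mnemonic"])
            and _glob(self.description or "*", msg["description"])
        )


def select(lines, message_types):
    """Return (line, fields) for every line that matches at least one message type."""
    hits = []
    for line in lines:
        msg = parse(line)
        if msg and any(t.matches(msg) for t in message_types):
            hits.append((line, msg))
    return hits


# Constructed sample input, not captured from a real device.
SAMPLE_LINES = [
    "<189>Dec  2 23:00:01 10.68.12.2 45: %SYS-5-CONFIG_I: Configured from console by vty0 (10.68.12.9)",
    "<187>Dec  2 23:00:07 10.68.12.2 46: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to down",
    "<188>Dec  2 23:01:10 10.68.12.3 %C6KPWR-SP-4-DISABLED: power to module in slot 3 set off",
    "<189>Dec  2 23:02:00 10.68.12.4 %SYS-5:Module 2 is online",
    "Dec  2 23:03:00 10.68.12.5 sshd[411]: not a Cisco-style message",
]

if __name__ == "__main__":
    wanted = [MessageType(facility="SYS,ENV,LINK", severity="3,5"),
              MessageType(description="*vty*")]
    for line, fields in select(SAMPLE_LINES, wanted):
        print(fields["facility"], fields["severity"], fields["mnemonic"], "|", line)
```

A definition left at all asterisks matches every parsed line, which is worth knowing before it is attached to an automated action.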
Deleting a Message Type
To delete a message type:
Step 1
Select the required message type from the Define New Message Type section of your dialog box.
Step 2
Click Delete.
You will be asked to confirm the deletion. If you confirm the deletion, the message type is deleted.
Editing a Message Type
To edit a message type:
Step 1
Select the required message type from the Define New Message Type section of your dialog box.
Step 2
Click Edit.
The Define New Message Type dialog box appears with the previously entered information in the fields (for the field descriptions, see Adding a Message Type).
Step 3
Edit the information and click Save.
The message type is edited.
Selecting a Message Type
To select a system defined message type:
Step 1
Click Select in the Define New Message Type section of your dialog box.
The Select System Defined Message Types dialog box appears.
Step 2
Select the required system defined message type.
Step 3
Click OK.
The selected message appears in the Define New Message Type section of your dialog box.
Editing a Custom Template
To edit a custom template:
Step 1
Select Resource Manager Essentials > Reports > Custom Report Templates.
The custom templates dialog box appears with a list of custom templates.
Step 2
Select the required custom template and click Edit.
Step 3
The Syslog custom report template dialog box appears. The messages that have previously been defined, appear here.
For the description of the columns in the Syslog custom reports templates dialog box, see Creating a Custom Report Template.
If required, you can:
• Change the Custom Report accessibility—Private to Public or vice-versa.
• Add a message type (see Adding a Message Type.)
• Edit a message type (see Editing a Message Type.)
• Delete a message type (see Deleting a Message Type.)
• Select a message type from system-defined message types (see Selecting a Message Type.)
Step 4
Click Finish.
The edited custom template appears in the custom templates dialog box.
Deleting a Custom Template
To delete a custom report template:
Step 1
Select Resource Manager Essentials > Reports > Custom Report Templates.
The custom templates dialog box appears with a list of custom templates.
Step 2
Select the required custom template.
Step 3
Click Delete.
You will be asked to confirm the deletion. If you confirm the deletion, the template will be deleted.
The Syslog custom report template is deleted and no longer appears in the Syslog custom report template dialog box.
Running a Custom Report
You can run any custom report that you previously created. Custom report templates that you created, appear in the Report Generator drop-down list box for Syslog, with a separator.
To create a custom report template, see Defining Custom Report Templates.
To run a Syslog custom report:
Step 1
Select Resource Manager Essentials > Reports > Report Generator.
The RME Reports dialog box appears, in the Report Generator page.
Step 2
Go to the first drop-down list box and select Syslog.
Step 3
Go to the second drop-down list box and select the required custom report. (Custom reports that you created appear in the drop-down list box with a separator).
The Device Selector appears, along with the fields that allow you to enter information in the Scheduling and Job Info fields.
Step 4
Select the required devices using the Device Selector. (See the topic, Using RME Device Selector in the section Adding and Troubleshooting Devices Using Device Management, for more details.)
Step 5
Enter the information required to generate the required custom report, in the Date Range, Scheduling, and Job Info groups:
Field | Description
Date Range
24 Hours | Select this option only if you want to generate a 24-hour report. This report will contain all the syslog data gathered during the last 24 hours. For example, if you select this option and schedule the report to be generated at 6 p.m., the report will have the data of the past 24 hours, from 6 p.m.
From | Click on the calendar icon and select the date. The date appears in the dd-mmm-yyyy format in the From field. For example, 02-Dec-2004. The From field is enabled only if you have de-selected the 24 Hours check box.
To | Click on the calendar icon and select the date. The date appears in the dd-mmm-yyyy format in the To field. For example, 03-Dec-2004. The To field is enabled only if you have de-selected the 24 Hours check box.
Scheduling
Run Type | Specifies the type of schedule for the job: • Immediate—Runs the report immediately. • 6 - hourly—Runs the report every 6 hours, starting from the specified time. • 12 - hourly—Runs the report every 12 hours, starting from the specified time. • Once—Runs the report once at the specified date and time. • Daily—Runs daily at the specified time. • Weekly—Runs weekly on the day of the week and at the specified time. • Monthly—Runs monthly on the day of the month and at the specified time. In the case of periodic jobs, the subsequent instances of jobs will run only after the earlier instance of the job is complete. For example: If you have scheduled a daily job at 10:00 a.m. on November 1, the next instance of this job will run at 10:00 a.m. on November 2 only if the earlier instance of the November 1 job has completed. If the 10:00 a.m. November 1 job has not completed before 10:00 a.m. November 2, then the next job will start only at 10:00 a.m. on November 3. If you select Immediate, the Date, Job Description, and E-mail option will be disabled for you. If you select any other run type, then you can specify the start date and time and also provide the job description (mandatory) and the e-mail ID for the notification after the report is generated.
Date | Select the start date using the calendar icon, to populate the Date field in the dd-mmm-yyyy format, for example, 02-Dec-2004. This is a mandatory field. The Date field is enabled only if you have selected an option other than Immediate in the Run Type field.
at | Select the time in hours and minutes from the respective drop-down lists.
Job Info
Job Description | Enter a description for the report that you are creating. The Job Description field is enabled only if you have selected an option other than Immediate in the Run Type field. This is a mandatory field. Accepts alphanumeric characters.
E-mail | Enter the e-mail ID of the user who should be notified when the report is generated. You can enter more than one e-mail ID, separated by commas. The E-mail field is enabled only if you have selected an option other than Immediate, in the Run Type field. Configure the SMTP server to send e-mails in the View / Edit System Preferences dialog box (Common Services > Server > Admin > System Preferences). We recommend that you configure the CiscoWorks E-mail ID in the View / Edit System Preferences dialog box (Common Services > Server > Admin > System Preferences). When the job completes, an e-mail is sent with the CiscoWorks E-mail ID as the sender's address.
Step 6
Click Finish.
If you had selected the Run Type as Immediate, the report appears immediately in a separate browser window. If you had selected a Run Type other than Immediate, this confirmation message appears:
Job <Job ID> created successfully.
Go to Reports->Report Jobs to view the job status.
Where Job ID is the unique ID of the job.
To view Report Jobs, go to Resource Manager Essentials > Reports->Report Jobs. For details see the topic Using the Reports Job Browser in the section Generating Reports.
Defining Automated Actions
You can create automated actions to be executed automatically whenever Syslog Analyzer receives a specific message type.
When you select Resource Manager Essentials > Tools > Syslog > Automated Actions, a list of automated actions appears in the dialog box on the Automated Actions page. Of these, there are two system-defined automated actions (the rest are user-defined). The system-defined automated actions are:
• Inventory Fetch—To fetch inventory from the device.
• Config Fetch—To fetch configuration from the device.
You can edit these system-defined automated actions, but you cannot delete them. These actions are enabled by default. You can choose to disable them by selecting them and clicking Enable/Disable.
Config Fetch might loop if a SYS-6-CFG_CHG-*SNMP* message is received from a Catalyst operating system device. You can then edit the Config Fetch automated action and delete the SYS-6-CFG_CHG-*SNMP* message type. For more details, see Deleting a Message Type.
In the Automated Actions dialog box, you can choose whether to include interfaces of selected devices or not.
The columns in the Automated Actions dialog box are:
Column | Description
Name | Name of the automated action.
Status | Status of the automated action at creation time—Enabled or Disabled.
Type | Type of automated action—E-mail, script or URL.
Note
View the Permission Report (Common Services > Server > Reports) to check if you have the required privileges to perform this task.
Using the automated actions dialog box, you can do the following tasks:
If you are creating an automated action, see the example (Automated Action: An Example) of how to set up an automated action that sends an e-mail when a specific Syslog message is received.
On Windows, you cannot set up an automated action to execute an .exe file that interacts with the Windows desktop. For example, you cannot make a window pop up on the desktop.
Creating an Automated Action
To create an automated action:
Step 1
Select Resource Manager Essentials > Tools > Syslog > Automated Actions.
A dialog box, with a list of automated actions, appears in the Automated Actions page. Here, you can choose whether to include interfaces of selected devices or not. For the description of the columns in the Automated Actions dialog box, see Defining Automated Actions.
Step 2
Click Create.
A dialog box appears for device selection.
Step 3
Select All Managed Devices or Choose Devices.
If you select the All Managed Devices option:
• You cannot select the individual devices or device categories from the device selector.
• All managed devices are considered.
• The syslog messages from the various device interfaces are considered for creating automated actions.
If you select Choose Devices option, you must select the required devices (for details about the Device Selector, see the topic Using RME Device Selector in the section Adding and Troubleshooting Devices Using Device Management).
Step 4
Click Next.
A dialog box appears in the Define Message Type page.
Step 5
Enter a unique name for the automated action that you are creating.
Step 6
Select either Enabled or Disabled as the status for the action at creation time.
Step 7
Select the Syslog message types for which you want to trigger the automated action from the Define New Message Type section of the dialog box. (For explanations of the column titles Facility, Sub-facility, Severity etc., see Adding a Message Type.)
If you want to add, delete, edit, or select system-defined Syslog message types, see:
• Adding a Message Type
• Selecting a Message Type
• Editing a Message Type
• Deleting a Message Type
Step 8
Click Next.
The Automated Action Type dialog box appears.
Step 9
Select a type of action (E-mail, URL, or Script) from the Select a type of action drop-down list box.
• If you select E-mail, enter the following information in the Automated Action Type dialog box:
Field | Description
Send to | List of comma separated e-mail addresses. Mandatory field.
Subject | Subject of the e-mail.
Content | Content that you want the e-mail to contain.
• If you select URL, enter the URL to be invoked, in the URL to Invoke field of the Automated Action type dialog box. In the URL, you can use the following parameters:
– $D (for the device)
– $M (for the complete syslog message)
When the URL is invoked, if you have specified $D or $M, then $D is substituted with the device hostname or IP address and $M is substituted with the syslog message.
For example, if the URL is
http://hostname/script.pl?device=$D&mesg=$M
then, when it is invoked, $D is replaced with 10.68.12.2 and $M is replaced with the URL-encoded syslog message.
• If you select Script, enter the script to be used, in the Script to execute field of the Automated Action type dialog box.
Either enter or select the script file. You can run only shell scripts (*.sh) on UNIX and batch files (*.bat) on Windows. The shell script or batch file should have only write/execute permissions for casuser:casusers in UNIX and casuser/Administrator in Windows.
The other users should have only read permission. You must ensure that the scripts contained in the file have permissions to execute from within the casuser account.
The script files must be available at this location:
On Windows: NMSROOT/files/scripts/syslog
On UNIX: /var/adm/CSCOpx/files/scripts/syslog
To select the script file:
– Click Browse. The Server Side File Browser dialog box appears.
– Select the file (*.sh on UNIX and *.bat on Windows).
Step 10
Click OK.
Step 11
Click Finish.
If the executable program produces any errors or writes to the console, the errors will be logged as Info messages in the SyslogAnalyzer.log.
This file is available at:
On UNIX: /opt/CSCOpx/log directory
On Windows: NMSROOT\log directory (where NMSROOT is the root directory of the CiscoWorks Server).
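A check for the script location and permission rules given in Step 9 for the Script action type on UNIX, as an added example that is not part of the original guide: it reports any file in the scripts directory that is not a *.sh file owned by casuser:casusers with read-only access for other users. The symbolic link, setuid/setgid and directory-writability checks are extra hardening assumed here, and the demo uses constructed files and the current user's IDs in place of casuser and casusers.

```python
import os
import stat
import tempfile


def audit_script(path, script_dir, owner_uid, group_gid):
    """Return findings for one script; an empty list means every check passed."""
    findings = []
    real_dir = os.path.realpath(script_dir)
    real_path = os.path.realpath(path)
    if os.path.commonpath([real_dir, real_path]) != real_dir:
        findings.append("resolves outside the script directory")
    if os.path.islink(path):
        findings.append("is a symbolic link")
    if not real_path.endswith(".sh"):
        findings.append("is not a *.sh file")
    try:
        st = os.stat(real_path)
    except FileNotFoundError:
        return findings + ["does not exist"]
    if not stat.S_ISREG(st.st_mode):
        findings.append("is not a regular file")
    if st.st_uid != owner_uid:
        findings.append("owner is not casuser")
    if st.st_gid != group_gid:
        findings.append("group is not casusers")
    if not st.st_mode & stat.S_IXUSR:
        findings.append("owner cannot execute it")
    if st.st_mode & (stat.S_IWOTH | stat.S_IXOTH):
        findings.append("other users have more than read permission")
    if st.st_mode & (stat.S_ISUID | stat.S_ISGID):
        findings.append("setuid or setgid bit is set")
    # A world-writable directory lets any user replace the file, whatever its own mode.
    if os.stat(real_dir).st_mode & stat.S_IWOTH:
        findings.append("script directory is writable by other users")
    return findings


def audit_directory(script_dir, owner_uid, group_gid):
    """Audit every entry in script_dir; returns {file name: findings}."""
    return {
        name: audit_script(os.path.join(script_dir, name), script_dir, owner_uid, group_gid)
        for name in sorted(os.listdir(script_dir))
    }


def run_demo():
    """Build a throwaway directory of constructed scripts and audit it.

    On a CiscoWorks server, call audit_directory() on
    /var/adm/CSCOpx/files/scripts/syslog with the uid of casuser and the
    gid of casusers (for example from pwd.getpwnam and grp.getgrnam).
    """
    with tempfile.TemporaryDirectory() as root:
        script_dir = os.path.join(root, "syslog")
        os.mkdir(script_dir, 0o750)
        modes = {"notify.sh": 0o774, "loose.sh": 0o777, "helper.txt": 0o774}
        for name, mode in modes.items():
            path = os.path.join(script_dir, name)
            with open(path, "w") as fh:
                fh.write("#!/bin/sh\nexit 0\n")
            os.chmod(path, mode)
        # A link whose target lives outside the script directory.
        outside = os.path.join(root, "outside.sh")
        with open(outside, "w") as fh:
            fh.write("#!/bin/sh\nexit 0\n")
        os.chmod(outside, 0o774)
        os.symlink(outside, os.path.join(script_dir, "link.sh"))
        st = os.stat(script_dir)
        return audit_directory(script_dir, st.st_uid, st.st_gid)


if __name__ == "__main__":
    for name, findings in run_demo().items():
        print(name, "OK" if not findings else "; ".join(findings))
```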
Editing an Automated Action
To edit an automated action:
Step 1
Select Resource Manager Essentials > Tools > Syslog > Automated Actions.
A dialog box, displaying the list of automated actions, appears in the Automated Actions page.
For the description of the columns in the Automated Actions dialog box, see Defining Automated Actions.
Step 2
Select an automated action from the drop-down list and click Edit.
The Select Devices dialog box appears.
Step 3
Select the required devices and click Next.
A dialog box appears in the Define Message Type page.
This dialog box allows you to:
• Change the Message Filter Type—From Enabled to Disabled, or vice versa.
• Add a message type (see Adding a Message Type.)
• Edit a message type (see Editing a Message Type.)
• Delete a message type (see Deleting a Message Type.)
• Select a message type from system-defined message types (see Selecting a Message Type.)
Step 4
Click Next.
Step 5
The Automated Action Type dialog box appears.
This dialog box allows you to change the type of action. For example, you can change from E-mail to URL or Script.
• For E-mail, enter or change the following information in the Automated Action type dialog box:
Field | Description
Send to | The list of comma separated e-mail addresses.
Subject | The subject of the e-mail (optional).
Content | The content that you want the e-mail to contain.
Configure the SMTP server to send e-mails in the View / Edit System Preferences dialog box (Common Services > Server > Admin > System Preferences).
We recommend that you configure the CiscoWorks E-mail ID in the View / Edit System Preferences dialog box (Common Services > Server > Admin > System Preferences). When the job completes, an e-mail is sent with the CiscoWorks E-mail ID as the sender's address.
• For URL, enter or change the URL to be invoked, in the URL to Invoke field of the Automated Action type dialog box. In the URL, you can use the following parameters:
– $D (for the device)
– $M (for the complete syslog message).
When the URL is invoked, if you have specified $D or $M, $D is substituted with the device hostname or IP address and $M is substituted with the syslog message.
For example, if the URL is
http://hostname/script.pl?device=$D&mesg=$M
then, when it is invoked, $D is replaced with 10.68.12.2 and $M is replaced with the URL-encoded syslog message.
• If you select Script, enter the script to be used, in the Script to execute field of the Automated Action type dialog box.
Either enter or select the script file. You can run only shell scripts (*.sh) on Unix and batch files (*.bat) on Windows. The shell script or batch file should have only write/execute permissions for casuser:casusers in UNIX and casuser/Administrator in Windows.
The other users should have only read permission. You must ensure that the scripts contained in the file have permissions to execute from within the casuser account.
The script files must be available at this location:
On Windows:
NMSROOT/files/scripts/syslog
On UNIX:
/var/adm/CSCOpx/files/scripts/syslog
– To select the script file, click Browse.
The External Config Selector dialog box appears.
– Select the file (*.sh on Unix and *.bat on Windows).
Step 6
Click Finish.
The edited automated action appears in the dialog box on the Automated Action page.
Guidelines for Writing Automated Script
To write an automated script:
Step 1
Copy the sampleEmailScript.pl from RME 3.5 or older to the new RME 4.1 server and put this file in:
For Solaris:
/var/adm/CSCOpx/files/scripts/syslog directory
For Windows:
NMSROOT/files/scripts/syslog
Step 2
Write a shell script for Solaris or .bat file for Windows in the same directory.
Here is an example shell script (called syslog-email.sh) for UNIX:
#!/bin/sh
# $1 is the device and $2 is the syslog message.
/opt/CSCOpx/bin/perl /var/adm/CSCOpx/files/scripts/syslog/sampleEmailScript.pl \
  -text_message "Message: $2 from device: $1" -email_ids nobody@nowhere.com \
  -subject "Syslog Message: $2" -from nobody@nowhere.com -smtp mail-server-name.nowhere.com
For Windows, replace $1 and $2 with %1 and %2 and change the directory accordingly.
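A stricter variant of syslog-email.sh, as an added example that is not Cisco's code: the syslog text comes from the network, so the script checks the device argument and reduces the message to a bounded, single-line string before it reaches the mailer's command line. The function names, the MAILER override, the 512-character limit and the allowed character set are assumptions of this example; the perl command is the one shown above.

```shell
#!/bin/sh
# Added example: argument checks for a Syslog Analyzer automated-action script.
# $1 = device, $2 = syslog message, as in syslog-email.sh on this page.
# valid_device, sanitize_message, run_action, MAX_LEN and MAILER are names
# made up for this example.

MAX_LEN=512   # assumed upper bound for the forwarded message text

# Succeeds only for a plausible hostname or IP address. Rejects empty values,
# a leading "-" (would be read as an option by the next program) and any
# character outside letters, digits, ".", ":", "_" and "-".
valid_device() {
    case "$1" in
        ''|-*) return 1 ;;
        *[!A-Za-z0-9.:_-]*) return 1 ;;
    esac
    [ "${#1}" -le 255 ]
}

# Prints the message with control characters (CR, LF, ESC and the rest of
# 0x00-0x1F, 0x7F) removed, so it stays on one line in the mail subject and
# in SyslogAnalyzer.log, then cuts it to MAX_LEN characters.
sanitize_message() {
    printf '%s' "$1" | LC_ALL=C tr -d '\000-\037\177' | cut -c "1-$MAX_LEN"
}

# Validates both arguments, then calls the mailer from the page's example.
# Set MAILER to another command for a dry run.
run_action() {
    device=$1
    if ! valid_device "$device"; then
        echo "syslog action: rejected device argument" >&2
        return 2
    fi
    message=$(sanitize_message "$2")
    if [ -z "$message" ]; then
        echo "syslog action: message empty after sanitizing" >&2
        return 3
    fi
    # The expansions stay inside double quotes: the values are passed as
    # single arguments and are never re-read as shell code.
    ${MAILER:-/opt/CSCOpx/bin/perl /var/adm/CSCOpx/files/scripts/syslog/sampleEmailScript.pl} \
        -text_message "Message: $message from device: $device" \
        -email_ids nobody@nowhere.com \
        -subject "Syslog Message: $message" \
        -from nobody@nowhere.com \
        -smtp mail-server-name.nowhere.com
}

# Syslog Analyzer passes the device and the message as arguments.
if [ "$#" -ge 2 ]; then
    run_action "$1" "$2"
fi
```

Anything the script writes to the console, including the two rejection messages, is logged as an Info message in SyslogAnalyzer.log.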
Enabling or Disabling an Automated Action
To enable or disable an automated action:
Step 1
Select Resource Manager Essentials > Tools > Syslog > Automated Actions.
A dialog box, displaying the list of automated actions, appears in the Automated Action page.
For the description of the columns in the Automated Actions dialog box, see Defining Automated Actions.
Step 2
Select the required automated action from the list in the dialog box.
Step 3
Click Enable/Disable to toggle its status.
The dialog box in the Automated Action page is refreshed and it displays the changed state for the specified automated action.
Exporting or Importing an Automated Action
You can export an automated action to a flat file and use this file on any Syslog Analyzer, using the import option.
To export or import an automated action:
Step 1
Select Resource Manager Essentials > Tools > Syslog > Automated Actions.
A dialog box, displaying the list of automated actions, appears in the Automated Action page.
For the description of the columns in the Automated Actions dialog box, see Defining Automated Actions.
Step 2
Select an automated action. You can select more than one automated action.
If you do not select an automated action before clicking the Export/Import button, then only the Import option will be available. The Export option will be disabled.
Step 3
Click Export/Import.
The Export/Import Automated Actions dialog box appears with the Export or Import options.
Step 4
Select either Export or Import.
Step 5
Either:
• Enter the location of the file to be exported or imported.
Or
• Click Browse.
The Server Side File Browser appears. You can select a valid file, and click OK.
The file location appears in the Export/Import dialog box.
Step 6
Click OK.
Deleting an Automated Action
To delete an automated action:
Step 1
Select Resource Manager Essentials > Tools > Syslog > Automated Actions.
A dialog box, displaying the list of automated actions, appears in the Automated Action page.
For the description of the columns in the Automated Actions dialog box, see Defining Automated Actions.
Step 2
Select the required automated action from the list in the dialog box.
Step 3
Click Delete.
You will be asked to confirm the deletion. If you confirm the deletion, the action will be deleted.
Automated Action: An Example
This is an example of how to set up an automated action that sends an e-mail when a specific Syslog message is received. This example assumes that devices have been imported and are sending Syslog messages to the CiscoWorks server.
Note
View the Permission Report (Common Services > Server > Reports) to check if you have the required privileges to perform this task.
Step 1
Select Resource Manager Essentials > Tools > Syslog > Automated Actions.
A dialog box, with a list of automated actions, appears in the Automated Action page. For the description of the columns in the Automated Actions dialog box, see Defining Automated Actions.
Step 2
Click Create.
The Devices Selection dialog box appears.
Step 3
Select the required devices and click Next.
The Define Message Type dialog box appears.
Step 4
Enter a unique name for the automated action that you are creating.
Step 5
Select either Enabled, or Disabled as the status for the action at creation time.
Step 6
Click Select.
The Select System Defined Message Types dialog box appears.
Step 7
Select the SYS folder, then select the SYS-*-5-CONFIG_I message from the Select System Defined Message Types list, and click OK.
The dialog box on the Define Message Type page appears.
Step 8
Click Next.
The Automated Action Type dialog box appears.
Step 9
Select the type of action—E-mail, Script, or URL.
If you had selected E-mail in Step 9: Enter the following information:
Field | Description
Send to | List of comma-separated e-mail addresses.
Subject | Subject of the e-mail (optional).
Content | Content that you want the e-mail to contain.
Configure the SMTP server to send e-mails in the View/Edit System Preferences dialog box (Common Services > Server > Admin > System Preferences).
We recommend that you configure the CiscoWorks E-mail ID in the View / Edit System Preferences dialog box (Common Services > Server > Admin > System Preferences). If a syslog is found with the matching type for managed (normal) devices, an e-mail is sent with the CiscoWorks E-mail ID as the sender's address. Then go to Step 10.
If you had selected Script in Step 9: Choose the appropriate bat file for Windows, or shell script for Solaris, from the File Selector. For details about these files, see the topic Creating an Automated Action. Then go to Step 10.
If you had selected URL in Step 9: Enter the URL to be invoked, in the URL to Invoke field of the Automated Action type dialog box. In the URL, you can use the following parameters:
– $D (for the device)
– $M (for the complete syslog message).
When the URL is invoked, if you have specified $D or $M, $D is substituted with the device hostname or IP address and $M is substituted with the syslog message.
For example, if the URL is
http://hostname/script.pl?device=$D&mesg=$M
then, when it is invoked, $D is replaced with 10.68.12.2 (where 10.68.12.2 is the IP address of the device) and $M is replaced with the URL-encoded syslog message.
Step 10
Click Finish.
Also see Verifying the Automated Action.
Verifying the Automated Action
To verify the automated action:
Step 1
Select a managed router that is already sending Syslog messages to the RME server and generate a SYS-5-CONFIG_I message by changing the message-of-the-day banner as follows:
a. Connect to the managed router using Telnet and log in.
b. In enable mode enter enable, then enter a password.
c. At the config prompt enter configure terminal.
d. Change the banner by entering:
banner motd z
This is a test banner z
end
e. Exit the Telnet session.
Step 2
Make sure that the SYS-5-CONFIG_I message is sent to the CiscoWorks Server as follows:
• On UNIX systems, open the syslog_info file located in the /var/log directory, or whichever file has been configured to receive Syslog messages.
• On Windows systems, open the syslog.log file located in the NMSROOT\log\ directory.
Where NMSROOT is the RME installation directory.
Step 3
Verify that there is a message from the managed router whose banner-of-the-day was changed.
This message appears at the bottom of the log.
• If the message is in the file, an e-mail is mailed to the e-mail ID specified.
• If the message is not in the file, the router has not been configured properly to send Syslog messages to the CiscoWorks Server.
Defining Message Filters
You can exclude messages from Syslog Analyzer by creating filters.
Note
View the Permission Report (Common Services > Server > Reports) to check if you have the required privileges to perform this task.
To launch the message filters dialog box:
Step 1
Select Resource Manager Essentials > Tools > Syslog > Message Filters.
A dialog box appears in the Message Filters page.
A list of all message filters is displayed in this dialog box, along with the names, and the status of each filter—Enabled, or Disabled.
Step 2
Specify whether the filters are for dropping the Syslog messages or for keeping them, by selecting either Drop or Keep.
• If you select Drop, the Common Syslog Collector drops the syslogs that match any of the Drop filters from further processing.
• If you select Keep, the Common Syslog Collector allows only the syslogs that match any of the Keep filters to go on to further processing.
Note
The Drop or Keep options apply to all message filters. They do not apply to individual filters.
Step 3
Specify whether interfaces of selected devices should be included.
In the dialog box that displays the message filters, you can do the following tasks:
Creating a Filter
To create a filter for Syslog messages:
Step 1
Select Resource Manager Essentials > Tools > Syslog > Message Filters.
A dialog box with a list of filters, appears in the Message Filter page.
Step 2
Specify whether the filter is for dropping the Syslog messages or for keeping them, by selecting either Drop or Keep.
• If you select Drop, the Common Syslog Collector drops the Syslogs that match any of the Drop filters from further processing.
• If you select Keep, the Common Syslog Collector allows only the Syslogs that match any of the Keep filters to go on to further processing.
Note
The Drop or Keep options apply to all message filters. They do not apply to individual filters.
Step 3
Click Create.
The dialog box appears for device selection. Select All Managed Devices or Choose Devices.
If you select All Managed Devices option:
• You cannot select the individual devices or device categories from the device selector.
• All managed devices are considered.
• The syslog messages from the various device interfaces are considered for creating message filters.
If you select the Choose Devices option, you must select the required devices (for details about the Device Selector, see the topic Using RME Device Selector in the section Adding and Troubleshooting Devices Using Device Management).
Step 4
Click Next.
A dialog box appears in the Define Message Type page.
Step 5
Enter a unique name for the filter.
Step 6
Select either the Enabled, or the Disabled status for the filter at creation time.
Step 7
Select the Syslog message types for which you want to apply the filter.
If you want to add, delete, edit, or select system-defined Syslog message types, see:
• Adding a Message Type
• Selecting a Message Type
• Editing a Message Type
• Deleting a Message Type
Step 8
Click Finish.
The list of filters in the message filter dialog box on the Message Filters page is refreshed.
Editing a Filter
To edit a filter:
Step 1
Select Resource Manager Essentials > Tools > Syslog > Message Filters.
A dialog box, displaying the list of filters, appears in the Message Filter page.
Step 2
Select a filter by clicking on its check box, and click Edit.
The Select Devices dialog box appears.
Step 3
Select the required devices and click Next.
A dialog box appears in the Define Message Type page.
This dialog box allows you to:
• Change the filter Status—From Enabled to Disabled, or vice versa.
• Add a message type (see Adding a Message Type.)
• Edit a message type (see Editing a Message Type.)
• Delete a message type (see Deleting a Message Type.)
• Select a message type from system-defined message types (see Selecting a Message Type.)
Step 4
Click Finish after you make all your changes.
The edited filter appears in the dialog box on the Message Filter page.
Enabling or Disabling a Filter
To enable or disable a filter:
Step 1
Select Resource Manager Essentials > Tools > Syslog > Message Filters.
A dialog box, with the list of filters, appears in the Message Filter page.
Step 2
Select the required filter from the list in the dialog box.
Step 3
Click Enable/Disable to toggle its status.
The dialog box in the Message Filter page is refreshed and it displays the changed state for the specified filter.
Exporting or Importing a Filter
You can export a filter to a flat file and use this file on any Syslog Analyzer, using the import option.
To export or import a filter:
Step 1
Select Resource Manager Essentials > Tools > Syslog > Message Filters.
A dialog box, with the list of filters, appears in the Message Filter page.
Step 2
Select a filter. You can select more than one filter.
Step 3
Click Export/Import.
The Export/Import dialog box appears with the Export or Import options.
Step 4
Select either Export or Import.
Step 5
Either:
• Enter the location of the file to be exported or imported.
Or
• Click Browse.
The Server Side File Browser appears.
You can select a valid file location, and click OK.
The file location appears in the Export/Import dialog box.
Step 6
Click OK.
Deleting a Filter
To delete a filter:
Step 1
Select Resource Manager Essentials > Tools > Syslog > Message Filters.
A dialog box, displaying the list of filters, appears in the Message Filter page.
Step 2
Select the required filter from the list in the dialog box.
Step 3
Click Delete.
When you confirm the deletion, the filter is deleted.
Overview: Syslog Analyzer Reports
You can use the Syslog Analyzer reports to examine your default and custom reports, or to determine the cause of device error messages.
Using the Report Generator of RME, you can generate various Syslog reports:
• Generating a Syslog Custom Summary Report
• Generating a Severity Level Summary Report
• Generating a Standard Report
• Generating an Unexpected Device Report
You can generate 24-hour reports that will show data for the past 24 hours, from the schedule time of the report.
Successfully generated reports are stored in the Archives. You can access the reports archives by selecting Resource Manager Essentials > Reports > Report Archives (see the topic Viewing Archived Reports in the section Viewing Archived Reports).
In the Reports Archive/Report jobs, you cannot see the Immediate reports.
If you have selected the Run Type as Immediate, then the report appears in a separate browser window.
If you have selected an option other than Immediate, in the Run Type field, then a message is displayed,
Job ID created successfully.
Go to Reports > Report Jobs to view the job status.
Here, Job ID is a unique Job number.
An Immediate job displays the first 10,000 lines of a report. For the full report, schedule a job.
Note
When you are generating a syslog report, you may get an outofmemory exception. This may occur if the number of syslog messages that were generated in the Date Range that you specified in the syslog report job, exceeded six hundred thousand. Specify a shorter Date Range in the Report Generator, and run the report job again.
To use the Report Generator:
Step 1
Select Resource Manager Essentials > Reports > Report Generator.
The RME Report Generator dialog box appears, in the Report Generator page.
Step 2
In the first drop-down list box, select Syslog.
Step 3
In the second drop-down list box, select the required report, for example, Custom Summary Report.
Step 4
Select the required devices using the Device Selector.
For details about the Device Selector, see the topic Using RME Device Selector in the section Adding and Troubleshooting Devices Using Device Management.
Step 5
Enter the information required to generate the required report:
Field | Description
Date Range |
24 Hours | Select this option only if you want to generate a 24-hour report. This report will contain all the syslog data gathered during the last 24 hours. For example, if you select this option and schedule the report to be generated at 6 p.m., the report will have the data of the past 24 hours, from 6 p.m.
From | Click on the calendar icon and select the date. The date appears in the dd-mmm-yyyy format in the From field. For example, 02-Dec-2004.
The From field is enabled only if you have de-selected the 24 Hours check box.
To | Click on the calendar icon and select the date. The date appears in the dd-mmm-yyyy format in the To field. For example, 03-Dec-2004.
The To field is enabled only if you have de-selected the 24 Hours check box.
Scheduling |
Run Type | Specifies the type of schedule for the job:
• Immediate—Runs the report immediately.
• 6 - hourly—Runs the report every 6 hours, starting from the specified time.
• 12 - hourly—Runs the report every 12 hours, starting from the specified time.
• Once—Runs the report once at the specified date and time.
• Daily—Runs daily at the specified time.
• Weekly—Runs weekly on the day of the week and at the specified time.
• Monthly—Runs monthly on the day of the month and at the specified time.
In the case of periodic jobs, the subsequent instances of jobs will run only after the earlier instance of the job is complete.
For example: If you have scheduled a daily job at 10:00 a.m. on November 1, the next instance of this job will run at 10:00 a.m. on November 2 only if the earlier instance of the November 1 job has completed. If the 10:00 a.m. November 1 job has not completed before 10:00 a.m. November 2, then the next job will start only at 10:00 a.m. on November 3.
If you select Immediate, the Date, Job Description, and E-mail option will be disabled for you.
If you select any other run type, then you can specify the start date and time and also provide the job description (mandatory) and the e-mail ID for the notification after the report is generated.
Date | Select the start date using the calendar icon, to populate the Date field in the dd-mmm-yyyy format, for example, 02-Dec-2004. This is a mandatory field.
The Date field is enabled only if you have selected an option other than Immediate in the Run Type field.
at | Select the hours and minutes from the drop-down lists.
Job Info |
Job Description | Enter a description for the report that you are creating.
The Job Description field is enabled only if you have selected an option other than Immediate in the Run Type field. This is a mandatory field. Accepts alphanumeric characters.
E-mail | Enter the e-mail ID of the user who should be notified when the report is generated. You can enter more than one e-mail ID, separated by commas.
The E-mail field is enabled only if you have selected an option other than Immediate, in the Run Type field.
Configure the SMTP server to send e-mails in the View / Edit System Preferences dialog box (Common Services > Server > Admin > System Preferences).
We recommend that you configure the CiscoWorks E-mail ID in the View / Edit System Preferences dialog box (Common Services > Server > Admin > System Preferences). When the job completes, an e-mail is sent with the CiscoWorks E-mail ID as the sender's address.
Step 6
Click Finish.
The specified report appears in a separate browser window.
You can generate the following reports:
• 24-Hour Report. See Generating a 24-Hour Report.
• Syslog Custom Report. See Generating a Syslog Custom Summary Report.
• Severity Level Summary Report. See Generating a Severity Level Summary Report.
• Standard Report. See Generating a Standard Report.
• Unexpected Device Report. See Generating an Unexpected Device Report.
If you want to revert to the default values in the RME Reports dialog box, click Reset.
Understanding Message Reports
All message reports display:
• Timestamp: The date and time the message was logged. This is the timestamp provided by the device. Syslog Analyzer will provide a timestamp if the device does not send one.
• Device name: The name of the router or switch for which the message was logged.
• Facility-Severity-Mnemonic:
– Facility is a hardware device, a protocol, or a module of the system software, for example, SYS. See the Cisco IOS reference manual, System Error Messages, for a predefined list of system facility codes.
– Severity is the message severity level, from informational (6) to emergency (0).
– Mnemonic is a code that uniquely identifies the error message. Note that Catalyst 5000 messages do not display a mnemonic. An example of a mnemonic for an IOS message is CONFIG_I.
– Subfacility is the subfacility in the device that generated the Syslog message. In most cases this is blank.
An example of an entry in the Facility-Severity-Mnemonic field is SYS-5-CONFIG_I.
– Description is a description of the message.
Each message report also lets you access additional information.
Generating a 24-Hour Report
To generate the report, see Overview: Syslog Analyzer Reports.
Fields in the 24-Hour Report are the same as in the Standard Report. See Generating a Standard Report.
Generating a Syslog Custom Summary Report
The Custom Report Summary Reports option lets you display a list of all custom syslog reports. All syslog reports display message log information.
To generate the report, see Overview: Syslog Analyzer Reports.
Fields in the Custom Summary Report:
Field | Description
Custom Report Name | Name of the Custom Reports.
Total number of records | Number of records that have been generated for each report.
Generating a Severity Level Summary Report
The Severity Level Summary report shows how many emergencies, alerts, critical, errors, warnings, notifications, and informational messages each device has logged.
To generate the report, see Overview: Syslog Analyzer Reports. The fields in the Severity Level Summary Report are given below:
Field | Description
Device Name | Name of the device from which syslog messages are received.
Emergencies | Number of emergency messages received from the device.
Alerts | Number of alert messages received from the device.
Critical | Number of critical messages received from the device.
Errors | Number of error messages received from the device.
Warnings | Number of warning messages received from the device.
Notifications | Number of notification messages received from the device.
Informational | Number of informational messages received from the device.
Debugging | Number of debug messages received from the device.
You can click on any of the field titles to sort the report based on that field.
Generating a Standard Report
You can generate a system message report for a device or set of devices. You can run a report for a date or range of dates and base the report on the message severity or alert types. All Syslog reports display message log information.
Note
When you are generating a Standard Report, you may get an outofmemory exception. This may occur if the number of syslog messages that were generated in the date range that you specified in the report job, exceeded six hundred thousand. Decrease the period, that is, specify a shorter date range, and run the report job again.
To generate the report, see Overview: Syslog Analyzer Reports.
Fields in the Standard Report:
Field | Description | Link
Device Name | Name of a device (switch or router) that caused the Syslog message. | None.
Interface | The IP address of the interface through which the syslog was sent out. | None.
Timestamp | Date and time the message was logged. This is the timestamp provided by the device. Syslog Analyzer provides a timestamp if the device does not send one. | None.
Facility-SubFacility | • Facility is a hardware device, a protocol, or a module of the system software; for example, SYS. Refer to the Cisco IOS reference manual System Error Messages for a predefined list of facility codes. • SubFacility is the subfacility in the device that generated the Syslog message. In most cases, this is blank. An example of an entry in this field is SYS-5-CONFIG_I. | None.
Severity | Message severity level, from informational (6) to emergency (0). | None.
Mnemonic | Code that uniquely identifies the error message. Note that older Catalyst messages do not display a mnemonic. An example of a mnemonic for an IOS message is CONFIG_I. | None.
Description | Syslog Message description. | None.
Details | Name of the Syslog message. Displays a new window containing the Syslog message description. When you click on the User_URL icon, you link to a customized web page, if you have defined one; otherwise, it defaults to a sample Perl script for creating a user URL. | This column contains a hyperlinked asterisk ('*'). When you click the '*', the description of the Syslog message is displayed.
Generating an Unexpected Device Report
You can generate a report of syslog information for all unmanaged devices on your network. All syslog reports display message log information.
Before you can manage a device, you must add a device to RME (see the topic Adding Devices to RME in the section Adding and Troubleshooting Devices Using Device Management). After the device is added, however, Syslog messages received before adding the device remain in this report because the Syslog Analyzer does not modify message status.
To generate the report, see Overview: Syslog Analyzer Reports.
The fields in the Unexpected Device Report are:
Field | Description | Link
Device Name | Name/IP of a device (switch or router) that caused the Syslog message. | None.
Time | Date and time the message was logged. This is the timestamp provided by the device. Syslog Analyzer provides a timestamp if the device does not send one. | None.
Facility-SubFacility | • Facility is a hardware device, a protocol, or a module of the system software; for example, SYS. Refer to the Cisco IOS reference manual System Error Messages for a predefined list of facility codes. • SubFacility is the subfacility in the device that generated the Syslog message. In most cases, this is blank. An example of an entry in this field is SYS-5-CONFIG_I. | None.
Severity | Message severity level, from informational (6) to emergency (0). | None.
Mnemonic | Code that uniquely identifies the error message. Note that older Catalyst messages do not display a mnemonic. An example of a mnemonic for an IOS message is CONFIG_I. | None.
Description | Syslog Message description. | None.
Details | Name of the Syslog message. Displays a new window containing the Syslog message description. When you click on the User_URL icon, you link to a customized web page, if you have defined one; otherwise, it defaults to a sample Perl script for creating a user URL. | This column contains a hyperlinked asterisk ('*'). When you click the '*', the description of the Syslog message is displayed.
Using Device Center
The CiscoWorks Common Services Device Center provides a "device-centric" view for CiscoWorks applications and offers you device-centric features and information from one single location.
From the CiscoWorks LMS Portal home page, select Device Troubleshooting > Device Center. The Device Center window appears with the device selector on the right and Device Center overview information on the left section of the screen.
Enter the IP address or device name of the device you want to select and click Go in the Device Selector field or select a device from the list-tree. The Device Summary and Functions Available panes appear in the right section of the screen.
Click any of the links under the Functions Available pane to launch the corresponding application function. The links are launched in a separate window.
Note
If you enter the device name or IP address of a device not managed by any of the applications installed on the Common Services server, the Functions Available pane will display only the default connectivity tools from Common Services.
For Syslog application, you can generate the Syslog Analyzer Standard Report.
In the Functions Available pane, select Reports > Syslog Messages. The Syslog Analyzer Standard Report appears. For details of this report, see Generating a Standard Report.
Creating a Custom Report: Example
As the network administrator of a network with OSPF (open shortest path first), you know an OSPF-2-NOMEMORY syslog message could potentially result in routing problems. You want to create a custom syslog report that lists OSPF NOMEMORY errors, so that you can run the report and check for problems.
Prerequisites
In this scenario, you will use only the Syslog Analyzer application.
No prerequisites are required.
For a complete description of the required tasks, see the Online Help.
Procedures
The purpose of this scenario is to show you how you can use specific RME applications to perform these tasks. This will help you understand how to use the applications to perform similar tasks in your network.
When you create a custom report template, you select the syslog message types you want reported. The Custom Templates option lets you create a custom template, and edit or delete existing custom templates.
To create a custom report template:
Step 1
Select Resource Manager Essentials > Reports > Custom Report Templates.
The custom templates dialog box appears.
Step 2
Click Create.
The Application Selection dialog box appears.
Step 3
Select Syslog.
Step 4
Click Next.
The Syslog custom report template dialog box appears. The messages that have previously been defined are displayed here.
Step 5
Enter a unique name for the custom report template, in the Custom Report Name field, for example, OSPFNOMEMORY.
Step 6
Specify whether you want the custom report template to be Public or Private.
Public templates can be seen and used by other users who have the permissions to do these tasks. Private templates can be seen and used only by the owner (creator) of the templates.
Step 7
Click Add in the Define New Message Type section of your dialog box.
The Define New Message Type dialog box appears.
Step 8
Enter the required information:
| Column | Description |
|---|---|
| Facility | You can enter the codes for the facilities you want reported. A facility is a hardware device, a protocol, or a module of the system software. See the Cisco IOS reference manual, System Error Messages, for a predefined list of system facility codes. Each code can consist of two or more uppercase letters. You can enter several facility codes, separated by commas. If you do not enter any facility but use the asterisk, all the facilities will be reported. In this example, enter OSPF. |
| Sub-Facility | You can enter the codes for the sub-facilities you want reported. Sub-Facility is the subfacility in the device that generated the Syslog message. This is an optional field. If you do not enter any sub-facility but use the asterisk, all the sub-facilities will be reported. In this example, leave in the default asterisk. |
| Severity | You can enter codes for the message severity levels you want reported. The following codes are supported: 0 (Emergencies), 1 (Alerts), 2 (Critical), 3 (Errors), 4 (Warnings), 5 (Notifications), 6 (Informational). If you do not enter any severity level but use the asterisk, all severity levels will be considered. In this example, enter 2. |
| Mnemonic | You can enter a code that uniquely identifies the error message. To match for Catalyst 5000 family devices, enter a hyphen (-) to indicate an empty mnemonic field. You can enter several mnemonics, separated by commas. In this example, enter NOMEMORY. |
| Description | You can enter an appropriate description for the Syslog message. In this example, leave in the default asterisk. |
Step 9
Click Save.
The new message type is added, and appears in the Define New Message Type section of your dialog box.
If you want to save the information and add another message type, click Save and Add.
Step 10
Click Finish.
A confirmation message appears that the report has been successfully created.
For more details about the columns in the Syslog custom report template dialog box, see the topic Creating a Custom Report Template in the section Enabling and Tracking Syslogs Using Syslog Analyzer and Collector.
For more details about the field descriptions of the Define New Message Type dialog box, see the topic, Adding a Message Type in the section Enabling and Tracking Syslogs Using Syslog Analyzer and Collector.
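The message type defined in Step 8 can be checked offline against raw syslog lines. The following is an added example, not code from Syslog Analyzer: it parses Cisco IOS-style message tags and applies the same field rules (asterisk wildcard, comma-separated codes, hyphen for an empty mnemonic). The function names, the sample lines, and the substring rule for the Description field are assumptions.

```python
import re

# Cisco IOS-style tag: %FACILITY[-SUBFACILITY]-SEVERITY-MNEMONIC: description
TAG = re.compile(
    r"%(?P<facility>[A-Z][A-Z0-9_]+)(?:-(?P<subfacility>[A-Z][A-Z0-9_]*))?"
    r"-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]*):\s*(?P<description>.*)"
)

# The message type entered in Step 8 of the procedure.
OSPF_NOMEMORY = {"facility": "OSPF", "subfacility": "*", "severity": "2",
                 "mnemonic": "NOMEMORY", "description": "*"}

def parse(line):
    """Return the tag fields of a syslog line, or None if it carries no tag."""
    m = TAG.search(line)
    if m is None:
        return None
    return {k: v or "" for k, v in m.groupdict().items()}

def field_matches(wanted, actual):
    """'*' matches anything; otherwise any comma-separated code may match.
    A lone '-' stands for an empty field (the Catalyst 5000 mnemonic case)."""
    if wanted.strip() == "*":
        return True
    codes = [c.strip() for c in wanted.split(",")]
    return any(c == actual or (c == "-" and actual == "") for c in codes)

def matches(template, line):
    msg = parse(line)
    if msg is None:
        return False
    for name in ("facility", "subfacility", "severity", "mnemonic"):
        if not field_matches(template[name], msg[name]):
            return False
    # Assumption: a non-asterisk description is treated as a substring match.
    wanted = template["description"]
    return wanted == "*" or wanted in msg["description"]

def report(template, lines):
    """Lines a report built from this template would list."""
    return [line for line in lines if matches(template, line)]

# Constructed sample lines (not captured from a device).
SAMPLES = [
    "Mar  1 10:02:11 rtr-a 45: %OSPF-2-NOMEMORY: constructed text",
    "Mar  1 10:02:15 rtr-a 46: %OSPF-5-ADJCHG: constructed text",
    "Mar  1 10:03:40 rtr-b 12: %SYS-2-MALLOCFAIL: constructed text",
    "Mar  1 10:05:00 rtr-c line without a message tag",
]
```

Calling `report(OSPF_NOMEMORY, SAMPLES)` returns only the first sample line; the OSPF-5-ADJCHG line is dropped on severity and the SYS line on facility.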
Verification
To make sure the report was created, select Resource Manager Essentials > Reports > Custom Templates.
Your custom report template is displayed in the dialog box on the Custom Templates page.
To run this Syslog custom report:
Step 1
Select Resource Manager Essentials > Reports > Report Generator.
The RME Reports dialog box appears, in the Report Generator page.
Step 2
In the first drop-down list box, select Syslog.
Step 3
In the second drop-down list box, select the required custom report. (Custom reports that you created appear in the drop-down list box with a separator, so your report, OSPFNOMEMORY, appears here.)
The Device Selector appears, along with the fields that allow you to enter information in the Scheduling and Job Info fields.
Step 4
Select the required devices using the Device Selector. (See the topic, Using RME Device Selector in the section Adding and Troubleshooting Devices Using Device Management, for more details.)
Step 5
Select 24 Hours in the Date Range group.
Step 6
Select Immediate from the Run Type drop-down list, in the Scheduling group.
Step 7
Click Finish.
Your OSPFNOMEMORY custom report appears in a separate browser window.
For more details on Syslog Custom Reports, see the topic Defining Custom Report Templates in the section Enabling and Tracking Syslogs Using Syslog Analyzer and Collector.