Syslog Analysis
The syslog analysis features provide a central error-message logging system for classifying, sorting, and integrating device error messages and exceptions. You can perform the following procedures with Syslog Analysis:
• Set options to specify how much message data to store.
• Define custom reports, including reports on data for the last 24 hours.
• Set a new user URL for system messages. This option lets you create a script or web page with message information about your operation.
• Define automated actions based on message filters.
• Set up a remote syslog collector analyzer and filter.
• Define message filters.
All Essentials users can generate message log reports, custom reports and summaries, and severity alert reports and summaries:
• Severity Level Summaries—Messages based on the severity level of the messages, with detailed reports available for each type of message
• Standard Reports—Messages for a group of devices within a selected date range
• Custom Reports—Reports defined by the system administrator
• Unmanaged Device Reports—Messages for unmanaged devices
• 24-hour Reports—Reports data from the last 24 hours.
Note: For Syslog Analysis options to be used, all devices must be configured to send syslog messages to the Essentials server or the remote syslog analyzer collector.
The following sections are presented in this chapter:
• Viewing the Severity Level Summary
• Viewing the Unexpected Device Report
• Viewing Syslog Collector Status
For additional information about Syslog Analysis, refer to the online help.
Configuring a Custom Report
Scenario: You want to configure a custom report to monitor several alert types. To configure a custom report, perform the following steps:
Step 1
Select Admin > Syslog Analysis > Define Custom Report.
The Define Custom Report dialog box appears. (See .)
Figure 7-1 Define Custom Report Dialog Box
Step 2
Click Add.
The Define Custom Report dialog box is modified to include message types. (See .)
Figure 7-2 Define Custom Report Dialog Box
Step 3
Enter a name for the report, up to 64 characters long.
Step 4
Select the alerts from the Syslog Message Types column. Click Add after each selection to place the alerts in the Reported Messages column.
Step 5
Select the 24-Hour Report check box to add the report to the 24-Hour Reports task folder. The report will be generated when you select Tasks > 24-Hour Reports > Syslog Messages.
Step 6
Click Advanced to set more options, such as facility and severity codes.
Step 7
Click Finish.
A confirmation message appears.
Viewing Custom Reports
Scenario: You want to determine which routers on your network have changed running configurations over a specified period. To view a custom report, perform the following steps:
Step 1
Select Tasks > Syslog Analysis > Custom Reports.
The Custom Reports dialog box appears. (See .)
Figure 7-3 Custom Reports Dialog Box
Step 2
Select System Views from the Views column, then click All.
Step 3
Click Next.
The Select Report Name and Dates dialog box appears. (See .)
Figure 7-4 Select Report Name and Dates Dialog Box
Step 4
Select the report name and the date, then click Finish.
The Configuration Changes Report appears. Print the report and save it as a CSV or plain text file.
Using 24-Hour Reports
Use 24-hour reports to identify the syslog messages generated over the last 24 hours.
You can add 24-hour reports by performing the procedure for Configuring a Custom Report.
Scenario: You just came in from the field or arrived for your shift and you want a status report for the most recent syslog messages.
Step 1
Select Tasks > 24-Hour Reports > Syslog Messages.
The Syslog 24-Hour Report appears. (See .)
Figure 7-5 Syslog 24-Hour Report
Step 2
Click a report name to view details. This example uses the Reload Report. (See .)
Figure 7-6 Reload Report
Step 3
Click Close to close the report.
Viewing the Severity Level Summary
Scenario: You want to obtain a snapshot of the error-message severity levels for the routers on your network. To view the severity-level summary, perform the following steps:
Step 1
Select Tasks > Syslog Analysis > Severity Level Summary.
The Severity Level Summary dialog box appears. (See .)
Figure 7-7 Severity Level Summary Dialog Box
Step 2
Select System Views > All Routers from the Views column, click All, then click Next.
The Select Dates dialog box appears. (See .)
Figure 7-8 Select Dates Dialog Box
Step 3
Select Today to see the Severity Level Summary for the current day, then click Finish.
The Severity Level Summary appears. (See .)
Step 4
Print the report and save it as a CSV or plain text file.
Figure 7-9 Severity Level Summary
Step 5
Click on the links to display messages logged by the device. (See .)
Figure 7-10 Device Center
Step 6
Click Close to close the report.
Defining an Automatic Action
Scenario: You want Essentials to automatically send e-mail to a group of employees whenever certain syslog messages are filtered. To define an automatic action, perform the following steps:
Step 1
Select Admin > Syslog Analysis > Define Automated Action.
The Define Automated Action dialog box appears.
Step 2
Click Add.
The Define Automated Action dialog box appears. (See .)
Figure 7-11 Define Automatic Action Dialog Box
Step 3
Enter a name for the action.
Step 4
Add the types of messages to filter by selecting them from the list, then click Add. To remove message types, select them in the left column, then click Delete. You can modify message types by selecting them, then clicking Advanced.
Step 5
Select the Enable Action check box.
Step 6
Enter the script name in the Command Line field, or click Browse to select the script on your hard drive or network.
Step 7
Click Finish.
A confirmation message appears.
Note: An executable program called sampleEmailScript.pl is available that performs the e-mail function. For more information about the e-mail script, select Admin > Syslog Analysis > Define Automated Action, then click example.
Viewing the Unexpected Device Report
Scenario: You want to view messages for new devices that have been added to the network but are not yet managed by Essentials. You will use this report to determine which unexpected devices you need to add to your inventory. To generate an unexpected device report, perform the following steps:
Step 1
Select Tasks > Syslog Analysis > Unexpected Device Report.
The Select Dates dialog box appears. (See .)
Figure 7-12 Select Dates Dialog Box
Step 2
Select All, then click Finish.
The Unexpected Device Report appears. (See .)
Figure 7-13 Unexpected Device Report
Step 3
Print the report or save it as a CSV file.
Step 4
Click Close to close the report.
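The Severity Level Summary and the Unexpected Device Report both come down to grouping collected messages by sending device and by the severity digit in the Cisco `%FACILITY-SEVERITY-MNEMONIC:` message header. The following sketch is an added example, not Essentials code; the line layout, device names, and the `MANAGED` inventory set are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Cisco IOS message header: %FACILITY-SEVERITY-MNEMONIC: text, severity 0 to 7.
MSG_RE = re.compile(
    r"^(?P<device>\S+)\s+.*?"
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):"
    r"\s*(?P<text>.*)$"
)
SEVERITY = ["emergency", "alert", "critical", "error",
            "warning", "notification", "informational", "debugging"]

# Constructed sample input: "<device> <timestamp>: <message>" per line.
SAMPLE_LOG = """\
rtr-core-1 Mar  1 10:02:11: %SYS-5-CONFIG_I: Configured from console by vty0
rtr-core-1 Mar  1 10:05:40: %LINK-3-UPDOWN: Interface Serial0, changed state to down
rtr-edge-2 Mar  1 10:06:02: %SYS-5-RESTART: System restarted
10.9.8.7 Mar  1 10:07:15: %SEC-6-IPACCESSLOGP: list 101 denied tcp
rtr-edge-2 Mar  1 10:09:59: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0, changed state to down
this line is not a syslog message
"""
MANAGED = {"rtr-core-1", "rtr-edge-2"}  # hypothetical managed inventory


def parse(line):
    """Return the fields of one collected line, or None if it is not a Cisco message."""
    m = MSG_RE.match(line.strip())
    if m is None:
        return None
    fields = m.groupdict()
    fields["severity"] = int(fields["severity"])
    return fields


def summarize(lines, managed):
    """Return (severity counts per managed device, message counts per unexpected device)."""
    per_device = defaultdict(Counter)
    unexpected = Counter()
    for line in lines:
        msg = parse(line)
        if msg is None:
            continue  # malformed or non-Cisco line: skip rather than miscount
        if msg["device"] in managed:
            per_device[msg["device"]][SEVERITY[msg["severity"]]] += 1
        else:
            unexpected[msg["device"]] += 1
    return {d: dict(c) for d, c in per_device.items()}, dict(unexpected)


if __name__ == "__main__":
    summary, unexpected = summarize(SAMPLE_LOG.splitlines(), MANAGED)
    for device, counts in sorted(summary.items()):
        print(device, counts)
    print("unexpected devices:", unexpected)
```

A sender that appears only in the unexpected-device counts is either a device to add to inventory or a source that should not be logging to the collector at all.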
Changing Storage Options
Scenario: You want to store network syslog information for 7 days to use in the reports. To set syslog storage options, perform the following steps:
Step 1
Select Admin > Syslog Analysis > Change Storage Options.
The Change Storage Options dialog box appears. (See .)
Figure 7-14 Change Storage Options Dialog Box
Step 2
Enter information in the fields as required. The default values are shown in .
Note: Storage capacity for managed devices and unexpected devices depends on available hard disk space.
Step 3
Click Finish.
A confirmation message appears.
Defining Message Filters
Scenario: You want to view messages that pertain to firewall status and filter out other types of messages. To define message filters, perform the following steps:
Step 1
Select Admin > Syslog Analysis > Define Message Filter.
The Define Message Filter dialog box appears. (See .)
Figure 7-15 Define Message Filter Dialog Box
Step 2
Select the message types to filter, then click Add.
The Define Message Filter dialog box appears again. (See .)
Figure 7-16 Define Message Filter Dialog Box
Step 3
Select Enable Filter.
Step 4
Name the filter, select the message types, then click Add to add them to the Filtered Messages column.
Step 5
Click Finish.
A confirmation message appears.
Viewing Syslog Collector Status
To view syslog collection information, perform the following steps:
Step 1
Select Admin > Syslog Analysis > Syslog Collector Status.
The Syslog Collector Status window appears. (See .)
Figure 7-17 Syslog Collector Status Window
Step 2
Click Close to close the window.
This completes the chapter on Syslog Analysis.