Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

  • Congratulations Mike Lewis on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Cisco Works not e-mailing alerts

Status
Not open for further replies.

Kainfs

Technical User
Jan 17, 2006
19
GB
Hi,

I'm running CiscoWorks LMS 2.5 which sends e-mail alerts from some devices but not others.
Typical e-mail alerts include Config changes and port security violations.
On checking the syslog messages reports in 'Device Centre>Device selector' it seems as if the devices are not sending the syslog messages to the the syslog server (i.e. Cisco Works) even though they appear when directly consoled into the switch.
I've made sure that the switches are in the correct 'Notification Groups' and selected in the Automated Action in 'RME > Tools > Syslog > Automated Actions'.
I've directly copied the config from the switches which are sending the e-mail alerts to the swithces which are'nt so, i doubt whether the config is causing the problem.
Any help/ideas will be gratefully received.

Many thanks
 
Hi,

If you are seeing the Syslog messages in the reports for the device, the it sounds like the syslog messages probably aren't getting to the LMS server.

To check, open the syslog.log file in the logs directory and see if you can see the messages in there. If they're not in there, then they aren't getting to LMS.

You might like to check that your IOS devices have the config line :

logging <ip_address_lms>

Also, are there any firewalls in the way that would cause the syslog messages to be blocked from reaching the LMS server ?

HTH


Nigel Bowden
 
Hi,

I've checked the config for the working switch and the non-working switch and they are virtually identical. They both have the line: logging trap debugging
logging <ip-address of LMS>

In answer to your question: there are no firewalls between the switches and LMS server.

I've been pulling my hair out for two weeks now trying to solve this one.[mad]

Regards
 
Did you check the syslog.log file to see if the messages are actually arriving at the LMS server ?

You should be able to open it with a text editor and search for the IP address of the switch.



Nigel Bowden
 
Hi Nigel,

I've checked the syslog.log and can confirm that it is receiving the sys log messages e.g.


Apr 10 11:39:28 10.0.200.1 53: 2d21h: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address ****.****.**** on port FastEthernet2/0/1.
Apr 10 11:39:28 10.0.200.1 54: 2d21h:
 
That's good, at least we know that the syslog messages are getting to the server then.

Next, if you run a syslog report from RME, do you see the messages in the report ?

This will confirm that the syslog messages are getting from the syslog server process in to the RME DB.



Nigel Bowden
 
Hi Nigel,

I've ran a syslog report through RME and it says there are no records!

Not quite sure what i'm doing wrong. I've delted and added the switches back in Campus Manager, added the entries into the local host file.

Regards
 
1. Are your sysloganalyzer process running ?
2. Are your device credentials ok ?

HTH
Martin
 
Hi Martin

I've checked the device credentials and they all look fine.
However, i'm not quite sure how i go about checking to see whether the sysloganalyser process is running? Where would i find this information?

Regards
 
Hi,

You can check if your SyslogAnalyzer process is running by executing CSCOpx\bin\pdshow in the CLI.
pdshow SyslogAnalyzer
would be better.
If at least 1 device is showing Syslogs in the GUI then thats enough to know that SyslogAnalyzer is doing its job.
The syslog message you are using as a reference in this thread is from Apr 10th. RME will, by default, purge those syslog messages older than 9 days. You need to find a newer syslog message. Telnet to the device, do a couple of "config term" and "exit". That will generate new syslog messages. Wait 5 minutes and look into the syslog.log again. Is the new syslog message in there?
What size does your syslog.log file has by the way? 500 MB or more will give you trouble.
The device must be SNMP reachable and Inventory Collected by RME. If this isnt so, then the device is not managed by RME, and SyslogAnalyzer will skip those syslogs when analyzing the syslog.log file.
 
Hi,

I've managed to get the e-mail alerts working now.

It turned out that the devices had not been selected in the appropriate message filter in RME>Tools>Syslog>Message Filters.

Thanks guys for your ideas and help

Kind Regards
 
Status
Not open for further replies.

Part and Inventory Search

Sponsor

Back
Top