Steps to check Syslog processing in Device Servers
Article ID: 331218

Products

VMware Smart Assurance

Issue/Introduction

Steps to check Syslog processing in NCM Device Servers

Environment

10.x

Resolution

We want to track how incoming syslog messages are processed in Smarts NCM. Which log files should we look at for this information, and how do we follow the processing flow?

Note that different device types and vendors have different settings for enabling syslog forwarding. Users need to contact their device vendor for this information.
 
Here is an example considering "Cisco IOS router" is the device being managed by NCM.
 
Setting up Syslog events on a Cisco IOS router (in the example below, 1.1.1.1 is the Syslog/NCM server, 1.2.2.2 is the IP address of the client that logged into the device and made the change, and 1.3.3.3 is the IP address of the router/switch that is generating the Syslog messages):
 
Add the following command to a Cisco IOS Router for enabling Syslog events (syslog messages will be sent to the server with IP address 1.1.1.1):
r2621-vpn(config)#logging 1.1.1.1

In NCM DS:
Monitor the following log files for this testing:
1.) $PRODUCT_HOME/cm/Syslog
2.) $PRODUCT_HOME/logs/event.log
3.) $PRODUCT_HOME/logs/commmgr.log
 
After making a configuration change to the device outside of the NCM application, you should see the following happen in the 3 log files:
A "%SYS-5-CONFIG..." message should be seen in the Syslog file.
A "Sending Pull IDX ..." line for the device that generated the config syslog event should be seen in the event.log file.
The syslog config event, along with a "Scheduling pull in x seconds ..." line, should be seen in the commmgr.log file, where x is the Delay time entered for the Device Server in Tools -> System Administration.
 
In the example below, x is 120 seconds because the Delay setting is 2 minutes. By default the Delay is set to 20 minutes after an NCM installation. Here is the 2 minute setting. If you change the Delay setting, you will need to restart the "voyence" service.
 
/opt/voyence/cm/Syslog
Mar 7 13:11:50 1.3.3.3 2511: *Dec 13 04:20:20: %SYS-5-CONFIG_I: Configured from console by cisco on vty1 (1.2.2.2)
Mar 7 13:11:51 1.3.3.3 2512: *Dec 13 04:20:21: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 1.1.1.1 started - CLI initiated
Mar 7 13:14:20 1.3.3.3 2513: *Dec 13 04:22:50: %SYS-4-SNMP_WRITENET: SNMP WriteNet request. Writing current configuration to 1.1.1.1
 
/opt/voyence/logs/event.log
Mar 07 13:11:52 -1282004064/syslog#4: EventHandler::Found IDX 1033 in matchText 1.3.3.3
Mar 07 13:11:52 -1282004064/syslog#4: Syslog:: Sending Pull IDX 1033 Message for user EXTERNAL:console:cisco:vty1 (1.2.2.2) to CommMgr
Mar 07 13:11:52 -1282004064/syslog#4: EventHandler::Found IDX 1033 in matchText 1.3.3.3

/opt/voyence/logs/commmgr.log
Mar 07 13:11:52 -1282004064/syslog#8: 1::deviceEvent(1033,syslog,Mar 7 13:11:50 1.3.3.3 2511: *Dec 13 04:20:20: %SYS-5-CONFIG_I: Configured from console by cisco on vty1 (1.2.2.2) 
Mar 07 13:11:52 -1282004064/syslog#8: )
Mar 07 13:11:52 -1282004064/syslog#4: Matched SYS-5-CONFIG
Mar 07 13:11:52 -1282004064/syslog#4: Matched changedby from (.*) by .* on .*
Mar 07 13:11:52 -1282004064/syslog#4: Matched changedby from .* by (.) on .|from .* by (.*)
Mar 07 13:11:52 -1282004064/syslog#4: Matched changedby from .* by .* on (.*)
Mar 07 13:11:52 -1282004064/syslog#4: syslog ConfigChange event detected by user EXTERNAL:console:cisco:vty1 (1.2.2.2)
Mar 07 13:11:52 -1282004064/syslog#8: 1::deviceEvent(1033,syslog,Mar 7 13:11:51 1.3.3.3 2512: *Dec 13 04:20:21: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 1.1.1.1 started - CLI initiated
Mar 07 13:11:52 -1282004064/syslog#8: )
Mar 07 13:11:52 -1273603168/30#2: Scheduling pull in 120 seconds: Device IDX#1033: Event[syslog]: Mar 7 13:11:50 1.3.3.3 2511: *Dec 13 04:20:20: %SYS-5-CONFIG_I: Configured from console by cisco on vty1 (1.2.2.2)
Mar 07 13:11:52 -1273603168/30#8: Timer set to pop at Mon Mar 7 13:13:52 2011 for idx(1033),user(RVhURVJOQUw6Y29uc29sZTpjaXNjbzp2dHkxICgxMC43LjE4Ny4yNSk=),task(),cmd()
Mar 07 13:11:52 -1273603168/30#4: Scheduling App Pull for dsevent type SYSLOG for idx 1033
Mar 07 13:11:52 -1273603168/30#2: Manager::Stored device changed user RVhURVJOQUw6Y29uc29sZTpjaXNjbzp2dHkxICgxMC43LjE4Ny4yNSk=
 
After the event above is seen, you should see a Pull scheduled in Schedule Manager in the NCM UI. The "Job Name" should be "Pull upon device SYSLOG event".
 
After the configuration pull completes, there should be a new DCS revision seen for the device under Device Properties if there was actually a config change on the device.

The DCS revision should show the "Created By" column set to "EXTERNAL:console:cisco:vty1 (1.2.2.2)". The IP address 1.2.2.2 is the address of the client that logged into the device and made the change, and "cisco" is the user that made the change on the device; both come from the syslog message and appear in the "Created By" value.


The Syslog event information should be captured and shown in the Comments section of the DCS revision.
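The following is an added example, not part of this article or of the NCM product, that walks the three log files in the order described above and reports where the chain breaks. The sample log text is constructed from the lines shown in this article (the base64 user token is regenerated for the sanitized 1.2.2.2 address); the function name and the expected-delay argument are assumptions for this example.

```python
import re
from base64 import b64decode, b64encode

# Constructed sample excerpts modelled on this article's log lines (not captured from a live server).
SYSLOG = """Mar 7 13:11:50 1.3.3.3 2511: *Dec 13 04:20:20: %SYS-5-CONFIG_I: Configured from console by cisco on vty1 (1.2.2.2)
Mar 7 13:11:51 1.3.3.3 2512: *Dec 13 04:20:21: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 1.1.1.1 started - CLI initiated
"""
EVENT_LOG = """Mar 07 13:11:52 -1282004064/syslog#4: EventHandler::Found IDX 1033 in matchText 1.3.3.3
Mar 07 13:11:52 -1282004064/syslog#4: Syslog:: Sending Pull IDX 1033 Message for user EXTERNAL:console:cisco:vty1 (1.2.2.2) to CommMgr
"""
# commmgr.log carries the user as base64 in the timer line; build it here from the sanitized value.
USER_B64 = b64encode(b"EXTERNAL:console:cisco:vty1 (1.2.2.2)").decode()
COMMMGR_LOG = f"""Mar 07 13:11:52 -1282004064/syslog#4: syslog ConfigChange event detected by user EXTERNAL:console:cisco:vty1 (1.2.2.2)
Mar 07 13:11:52 -1273603168/30#2: Scheduling pull in 120 seconds: Device IDX#1033: Event[syslog]: Mar 7 13:11:50 1.3.3.3 2511: *Dec 13 04:20:20: %SYS-5-CONFIG_I: Configured from console by cisco on vty1 (1.2.2.2)
Mar 07 13:11:52 -1273603168/30#8: Timer set to pop at Mon Mar 7 13:13:52 2011 for idx(1033),user({USER_B64}),task(),cmd()
"""


def check_syslog_flow(device_ip, syslog_text, event_text, commmgr_text, expected_delay_s):
    """Follow one config-change syslog through Syslog -> event.log -> commmgr.log.
    Stages that were not found are reported as None, so the caller can see where
    processing stopped. expected_delay_s is the Device Server Delay setting in seconds."""
    result = {"config_msg": None, "idx": None, "pull_user": None,
              "scheduled_delay_s": None, "timer_user": None, "delay_ok": False}
    # Stage 1: the Syslog file must contain a %SYS-5-CONFIG message from the device's own IP.
    m = re.search(rf"^\S+ +\d+ [\d:]+ {re.escape(device_ip)} .*?(%SYS-5-CONFIG\w*): ", syslog_text, re.M)
    if m:
        result["config_msg"] = m.group(1)
    # Stage 2: event.log resolved the source IP to a device IDX and asked CommMgr for a pull.
    m = re.search(r"Sending Pull IDX (\d+) Message for user (.+?) to CommMgr", event_text)
    if not m:
        return result
    idx = int(m.group(1))
    result["idx"], result["pull_user"] = idx, m.group(2)
    # Stage 3: commmgr.log scheduled the pull; the delay must match the configured setting
    # (a mismatch usually means the voyence service was not restarted after changing Delay).
    m = re.search(rf"Scheduling pull in (\d+) seconds: Device IDX#{idx}:", commmgr_text)
    if m:
        result["scheduled_delay_s"] = int(m.group(1))
        result["delay_ok"] = result["scheduled_delay_s"] == expected_delay_s
    # The timer line stores the user base64-encoded; decode it to compare with event.log.
    m = re.search(rf"idx\({idx}\),user\(([A-Za-z0-9+/=]+)\)", commmgr_text)
    if m:
        result["timer_user"] = b64decode(m.group(1)).decode()
    return result
```

Run it against the real files under $PRODUCT_HOME (cm/Syslog, logs/event.log, logs/commmgr.log) with the device IP and the Delay you configured; the first None in the result is the stage to investigate.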

Additional Information

Please see here for an overview of the Syslog Protocol for Cisco devices:

An Overview of the syslog Protocol