Note: Different device types and vendors have different settings for enabling Syslog forwarding. Contact the device vendor for this information.
The explanation below uses a "Cisco IOS Router" managed by NCM as the example.
Setting up Syslog events on a Cisco IOS router. (In the example below, 1.1.1.1 is the Syslog/NCM server, 1.2.2.2 is the IP address of the client that logged in to the device and made the change, and 1.3.3.3 is the IP address of the router/switch that generates the Syslog messages.):
Add the following command to the Cisco IOS router to enable Syslog events (Syslog messages will be sent to the server with IP address 1.1.1.1):
<CISCO_DEVICE>(config)#logging 1.1.1.1
In NCM DS:
Monitor the following log files for this test:
- $VOYENCE_HOME/cm/Syslog
- $VOYENCE_HOME/logs/event.log
- $VOYENCE_HOME/logs/commmgr.log
After making a configuration change to the device outside of the NCM application, you should see the following happen in the 3 log files.
- A "%SYS-5-CONFIG..." message should be seen in the Syslog file.
- A "Sending Pull IDX ..." for the device that generated the config syslog event should be seen in the event.log file.
- The syslog config event, along with a "Scheduling pull in x seconds ..." message, should be seen in the commmgr.log file, where x is the Delay time entered for the Device Server in Tools -> System Administration.
In the example below, x is 120 seconds because the Delay setting is 2 minutes. By default, the Delay is set to 20 minutes after an NCM installation.
NOTE: After changing the Delay setting, the "voyence" service must be restarted for the change to take effect.
/opt/voyence/cm/Syslog
Mar 7 13:11:50 1.3.3.3 2511: *Dec 13 04:20:20: %SYS-5-CONFIG_I: Configured from console by cisco on vty1 (1.2.2.2)
Mar 7 13:11:51 1.3.3.3 2512: *Dec 13 04:20:21: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 1.1.1.1 started - CLI initiated
Mar 7 13:14:20 1.3.3.3 2513: *Dec 13 04:22:50: %SYS-4-SNMP_WRITENET: SNMP WriteNet request. Writing current configuration to 1.1.1.1
/opt/voyence/logs/event.log
Mar 07 13:11:52 -1282004064/syslog#4: EventHandler::Found IDX 1033 in matchText 1.3.3.3
Mar 07 13:11:52 -1282004064/syslog#4: Syslog:: Sending Pull IDX 1033 Message for user EXTERNAL:console:cisco:vty1 (1.2.2.2) to CommMgr
Mar 07 13:11:52 -1282004064/syslog#4: EventHandler::Found IDX 1033 in matchText 1.3.3.3
/opt/voyence/logs/commmgr.log
Mar 07 13:11:52 -1282004064/syslog#8: 1::deviceEvent(1033,syslog,Mar 7 13:11:50 1.3.3.3 2511: *Dec 13 04:20:20: %SYS-5-CONFIG_I: Configured from console by cisco on vty1 (1.2.2.2)
Mar 07 13:11:52 -1282004064/syslog#8: )
Mar 07 13:11:52 -1282004064/syslog#4: Matched SYS-5-CONFIG
Mar 07 13:11:52 -1282004064/syslog#4: Matched changedby from (.*) by .* on .*
Mar 07 13:11:52 -1282004064/syslog#4: Matched changedby from .* by (.) on .|from .* by (.*)
Mar 07 13:11:52 -1282004064/syslog#4: Matched changedby from .* by .* on (.*)
Mar 07 13:11:52 -1282004064/syslog#4: syslog ConfigChange event detected by user EXTERNAL:console:cisco:vty1 (1.2.2.2)
Mar 07 13:11:52 -1282004064/syslog#8: 1::deviceEvent(1033,syslog,Mar 7 13:11:51 1.3.3.3 2512: *Dec 13 04:20:21:
%SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 1.1.1.1 started - CLI initiated
Mar 07 13:11:52 -1282004064/syslog#8: )
Mar 07 13:11:52 -1273603168/30#2: Scheduling pull in 120 seconds: Device IDX#1033: Event[syslog]: Mar 7 13:11:50 1.3.3.3 2511: *Dec 13
04:20:20: %SYS-5-CONFIG_I: Configured from console by cisco on vty1 (1.2.2.2)
Mar 07 13:11:52 -1273603168/30#8: Timer set to pop at Mon Mar 7 13:13:52 2011 for
idx(1033),user(RVhURVJOQUw6Y29uc29sZTpjaXNjbzp2dHkxICgxMC43LjE4Ny4yNSk=),task(),cmd()
Mar 07 13:11:52 -1273603168/30#4: Scheduling App Pull for dsevent type SYSLOG for idx 1033
Mar 07 13:11:52 -1273603168/30#2: Manager::Stored device changed user RVhURVJOQUw6Y29uc29sZTpjaXNjbzp2dHkxICgxMC43LjE4Ny4yNSk=
You should see a Pull scheduled in Schedule Manager in the NCM UI after the event is seen above. The "Job Name" should have "Pull upon device SYSLOG event".
After the configuration pull completes, there should be a new DCS revision seen for the device under Device Properties if there was actually a config change on the device.
The DCS revision should show the "Created By" column set to "EXTERNAL:syslog". The Syslog event information should be captured and shown in the Comments section of the DCS revision.
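The three log checks described above can be scripted. The following is an added example, not part of the original article or of NCM: it follows each %SYS-5-CONFIG_I message from the Syslog file through event.log and commmgr.log and flags events for which no pull was scheduled. The sample lines are constructed from the excerpts above (device 1.3.3.4 and user "admin" are hypothetical), and mapping a device to its IDX through the "Found IDX ... in matchText" line is an assumption based on those excerpts.

```python
import re

# Constructed sample lines modelled on the excerpts above; 1.3.3.4/admin are hypothetical.
SYSLOG = [
    "Mar 7 13:11:50 1.3.3.3 2511: *Dec 13 04:20:20: %SYS-5-CONFIG_I: Configured from console by cisco on vty1 (1.2.2.2)",
    "Mar 7 13:11:51 1.3.3.3 2512: *Dec 13 04:20:21: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 1.1.1.1 started - CLI initiated",
    "Mar 7 13:20:05 1.3.3.4 88: *Dec 13 04:28:35: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (1.2.2.2)",
]
EVENT_LOG = [
    "Mar 07 13:11:52 -1282004064/syslog#4: EventHandler::Found IDX 1033 in matchText 1.3.3.3",
    "Mar 07 13:11:52 -1282004064/syslog#4: Syslog:: Sending Pull IDX 1033 Message for user EXTERNAL:console:cisco:vty1 (1.2.2.2) to CommMgr",
]
COMMMGR_LOG = [
    "Mar 07 13:11:52 -1273603168/30#2: Scheduling pull in 120 seconds: Device IDX#1033: Event[syslog]: Mar 7 13:11:50 1.3.3.3 2511: *Dec 13",
]

CONFIG_RE = re.compile(r"^\w{3}\s+\d+ [\d:]+ (?P<device>\S+) \d+: .*%SYS-5-CONFIG_I: Configured "
                       r"from (?P<src>\S+) by (?P<user>\S+)(?: on (?P<line>\S+))?(?: \((?P<client>[^)]+)\))?")
FOUND_RE = re.compile(r"Found IDX (?P<idx>\d+) in matchText (?P<device>\S+)")
PULL_RE = re.compile(r"Sending Pull IDX (?P<idx>\d+) ")
SCHED_RE = re.compile(r"Scheduling pull in (?P<delay>\d+) seconds: Device IDX#(?P<idx>\d+)")

def trace_config_events(syslog, event_log, commmgr_log):
    """Follow each %SYS-5-CONFIG_I event through event.log and commmgr.log."""
    idx_by_device, pulls_sent, delay_by_idx = {}, set(), {}
    for line in event_log:
        if (m := FOUND_RE.search(line)):
            idx_by_device[m["device"]] = m["idx"]  # assumed device-to-IDX mapping
        if (m := PULL_RE.search(line)):
            pulls_sent.add(m["idx"])
    for line in commmgr_log:
        if (m := SCHED_RE.search(line)):
            delay_by_idx[m["idx"]] = int(m["delay"])
    results = []
    for line in syslog:
        m = CONFIG_RE.search(line)
        if not m:
            continue  # not a configuration-change message
        idx = idx_by_device.get(m["device"])  # None: device never matched in event.log
        results.append({
            "device": m["device"], "user": m["user"], "client": m["client"], "idx": idx,
            "pull_sent": idx in pulls_sent,
            "pull_delay_s": delay_by_idx.get(idx),  # None: no pull was scheduled
        })
    return results

if __name__ == "__main__":
    for ev in trace_config_events(SYSLOG, EVENT_LOG, COMMMGR_LOG):
        print("OK" if ev["pull_sent"] and ev["pull_delay_s"] is not None else "NO PULL", ev)
```

A configuration event reported as "NO PULL" means the change reached the Syslog file but NCM did not schedule a configuration pull for it, so no DCS revision will record who made the change.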