SPECTRUM ParseMap error when processing Cisco BGP-3-NOTIFICATION syslog trap (Legacy KB ID CNC TS32491 )

Article ID: 51914


Products

CA Spectrum

Issue/Introduction

The solution is to edit the $SPECROOT/SS/CsVendor/ParseMaps/BGP-3-NOTIFICATION file, remove "{STRING 6}", and then update the event cache on the SpectroSERVER. The following is an example of the $SPECROOT/SS/CsVendor/ParseMaps/BGP-3-NOTIFICATION file after making the change:

Event04bd013c
{STRING 1} neighbor {STRING 2}/{STRING 3} ({STRING 4}) {STRING 5} bytes

 

Example: %BGP-3-NOTIFICATION: aBcDeFgHiJkL neighbor aBcDeFgHiJkL 100/100 (aBcDeFgHiJkL) 100 bytes aBcDeFgHiJkL



Related Issues/Questions:
SPECTRUM ParseMap error when processing Cisco BGP-3-NOTIFICATION syslog trap

Problem Environment:
SPECTRUM 08.01.00.00
SPECTRUM 09.00.00.00
ParseMap
 BGP-3-NOTIFICATION

The following error is seen in the SPECTRUM Events when processing the Cisco BGP-3-NOTIFICATION syslog trap:

 




"

does not match the format defined in the Parse Map file BGP-3-NOTIFICATION:
"{STRING 1} neighbor {STRING 2}/{STRING 3} ({STRING 4}) {STRING 5} bytes {STRING 6}"


If you are unable to resolve the mismatch please refer to the Southbound Gateway Toolkit Guide (5066).

Regular Expression:
"(?C0)([\s]*)([ a-zA-Z-\t\/\.0-9\(\)=,\\\-\[\]\#\^\$\*\+\?\.{}:%\&\x22]+)(?C1)([\s]*)( neighbor )(?C2)([\s]*)([ a-zA-Z-\t\/\.0-9\(\)=,\\\-\[\]\#\^\$\*\+\?\.{}:%\&\x22]+)(?C3)([\s]*)(/)(?C4)([\s]*)([ a-zA-Z-\t\/\.0-9\(\)=,\\\-\[\]\#\^\$\*\+\?\.{}:%\&\x22]+)(?C5)([\s]*)( \()(?C6)([\s]*)([ a-zA-Z-\t\/\.0-9\(\)=,\\\-\[\]\#\^\$\*\+\?\.{}:%\&\x22]+)(?C7)([\s]*)(\) )(?C8)([\s]*)([ a-zA-Z-\t\/\.0-9\(\)=,\\\-\[\]\#\^\$\*\+\?\.{}:%\&\x22]+)(?C9)([\s]*)( bytes )(?C10)([\s]*)([ a-zA-Z-\t\/\.0-9\(\)=,\\\-\[\]\#\^\$\*\+\?\.{}:%\&\x22]+)(?C11) "

The error occured after the symbol (?C0) and before the symbol (?C1) on substring " sent to neighbor 38.103.69.120 4/0 (hold time expired) 0 bytes ".

See the contents of the Message Map file BGP-3-NOTIFICATION.  Rtr_Cisco (name - pri1). -


Causes of this problem:
The Cisco BGP-3-NOTIFICATION syslog trap received by SPECTRUM is not formatted as the ParseMap expects. The following is the format of the $SPECROOT/SS/CsVendor/ParseMaps/BGP-3-NOTIFICATION file:

 

Event04bd013c
{STRING 1} neighbor {STRING 2}/{STRING 3} ({STRING 4}) {STRING 5} bytes {STRING 6}

 

Example: %BGP-3-NOTIFICATION: aBcDeFgHiJkL neighbor aBcDeFgHiJkL 100/100 (aBcDeFgHiJkL) 100 bytes aBcDeFgHiJkL

 

The following is an example of the format of the BGP-3-NOTIFICATION syslog trap received by SPECTRUM:

 

%BGP-3-NOTIFICATION: sent to neighbor 38.103.69.120 4/0 (hold time expired) 1234 bytes

 

When the ParseMap format is placed directly above the received syslog message, it is clear that the received message has no characters to the right of "bytes", where the BGP-3-NOTIFICATION ParseMap file expects "{STRING 6}":

 

{STRING 1} neighbor {STRING 2}/{STRING 3} ({STRING 4}) {STRING 5} bytes {STRING 6}
sent to neighbor 38.103.69.120 4/0 (hold time expired) 1234 bytes

 

According to the Cisco web page http://www.cisco.com/en/US/docs/ios/12_2/sem1/system/message/emfbgp.html#wp658747, the following is the correct format for this syslog:

 

Error Message 
%BGP-3-NOTIFICATION : [chars] neighbor [IP_address] [dec]/[dec] ([chars]) [dec] bytes [chars]

 

Explanation    An error condition has been detected in the BGP session. A notification packet is being sent or received, and the session will be reset. This message appears only if the log-neighbor-changes command is configured for the BGP process.

 

Recommended Action    This message represents an error in the session. Its origin should be investigated. If the error occurs periodically, copy the error message exactly as it appears on the console or in the system log, contact your Cisco technical support representative, and provide the representative with the gathered information.

 

According to the Cisco web site, there should be characters to the right of "bytes" but the BGP-3-NOTIFICATION syslog trap received by SPECTRUM does not contain any characters to the right of "bytes".


Additional Information:
Making the above change could cause ParseMap errors for devices that send the Cisco BGP-3-NOTIFICATION syslog trap in the format documented by Cisco. Cisco should be contacted to verify the proper format of the BGP-3-NOTIFICATION syslog trap, and the problem devices corrected as needed.
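
Both the mismatch and the side effect of the fix can be checked offline before the ParseMap on the SpectroSERVER is edited. The following Python sketch is an added example, not CA or Cisco code: it models a format line as an anchored regular expression (an assumption about the matching behaviour, simpler than the expression shown in the error), and the DOCUMENTED message is constructed.

```python
import re

TOKEN = re.compile(r"\{STRING (\d+)\}")

# Format lines quoted on this page: as shipped, and with {STRING 6} removed.
ORIGINAL = "{STRING 1} neighbor {STRING 2}/{STRING 3} ({STRING 4}) {STRING 5} bytes {STRING 6}"
TRIMMED = "{STRING 1} neighbor {STRING 2}/{STRING 3} ({STRING 4}) {STRING 5} bytes"

# RECEIVED is the message quoted on this page. DOCUMENTED is constructed to
# follow Cisco's documented layout; its address and trailing text are made up.
RECEIVED = "%BGP-3-NOTIFICATION: sent to neighbor 38.103.69.120 4/0 (hold time expired) 1234 bytes"
DOCUMENTED = "%BGP-3-NOTIFICATION: sent to neighbor 192.0.2.1 4/0 (hold time expired) 21 bytes FFFF"


def compile_parsemap(fmt):
    """Build an anchored regex from a format line. Assumption: each
    {STRING n} needs at least one character and the whole message must match."""
    fmt = fmt.strip()
    parts, pos = [], 0
    for tok in TOKEN.finditer(fmt):
        parts.append(re.escape(fmt[pos:tok.start()]))  # literal text between tokens
        parts.append("(?P<s%s>.+?)" % tok.group(1))    # one non-empty field
        pos = tok.end()
    parts.append(re.escape(fmt[pos:]))
    return re.compile(r"\s*" + "".join(parts) + r"\s*$")


def parse(fmt, line):
    """Return {field number: value}, or None when the line does not fit fmt."""
    body = line.partition(": ")[2] if line.startswith("%") else line
    m = compile_parsemap(fmt).match(body)
    return {int(k[1:]): v for k, v in m.groupdict().items()} if m else None


def unparsed(fmt, lines):
    """Lines that would raise a ParseMap mismatch under fmt."""
    return [ln for ln in lines if parse(fmt, ln) is None]


if __name__ == "__main__":
    for name, fmt in (("original", ORIGINAL), ("trimmed", TRIMMED)):
        for ln in (RECEIVED, DOCUMENTED):
            print(name, "|", ln, "->", parse(fmt, ln))
```

Neither format line accepts both message variants, so running `unparsed` over a sample of archived syslog lines shows which devices would stop being parsed after the change.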



Environment

Release: SPPREM05900-9.1-Spectrum-Infrastructure Manager-Premium Suite