Hi all, I am having some issues trying to get my cisco devices to display syslog events in my operations console. I created rules for each event (started with just one event in fact (Warning)), and then sent test messages from my Syslog listeners group, which is basically a group with my Windows 7 workstation in it with KD syslog server running on it, and it is set to forward all messages to my OpsMgr server. I've followed this: http://social.technet.microsoft.com/Forums/en-US/operationsmanagergeneral/thread/18ce5b69-2d1f-4abd-9de3-543a6a1bf630 and this: http://support.microsoft.com/kb/942863/en-us and this: http://cornasdf.blogspot.com/2010/06/syslog-monitoring-walkthrough-with.html which were all very helpful, but I still fail to see the messages coming through on the console. I know that the messages are being sent to the server (I setup a KD syslog listener on it with console), and I know that it is listening on port 514 (netstat -an | findstr 514). I have setup the rules for Errors, Warnings and notifications. I have set the severity to <= 3 for Errors, = 4 for Warnings, and 5 for Notifications. As I mentioned before I setup a group called syslog collectors that is just my local workstation to get it setup and working (eventually I will setup a dedicated server), and I set the rules to be enabled on the syslog collectors group (override enable). Other things I have tried: I have scrapped the rules, and sent everything to the Management server target, but that didn't work either. I am not receiving anything after (as far as I know) setting up a management pack called Syslogs_, Setup new rules (Authoring, create new rule, alert generating, event based, Syslog (Alert)), next, selected Syslogs_ as my mgmt pack, next, Set a rule name called Syslog Warnings, rule category Alert, Rule Target agent, (i've also tried my syslog collectors, Windows computer, and management server), unchecked rule is enabled, setup the severity as mentioned above, and then created my rule. I am wondering if you can see if there is something that I am missing or if there is a specific way that I can manage Cisco syslog messages with OpsMgr. BTW, I have also tried using xSNMP, but I couldn't get it to show the syslogs either. I think that is a little over my head as there are some things in there that are disabled by default, and I have no idea how to get the overrides to work. Thanks in advance for your help! HEllo??? Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread. ”

Hi, I would like to share the following post with you for your reference: Generating Alerts from UNIX/Linux SysLog messages in Operations Manager 2007 http://blogs.technet.com/b/cliveeastwood/archive/2007/09/07/generating-alerts-from-unix-linux-syslog-messages-in-operations-manager-2007.aspx Hope this helps. Thanks. Nicholas Li - MSFT Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

Hi I have another walk through here - this just does event collection so may be a first step to make sure SCOM is actually picking up the syslogs. If we can collect the data then we can look to troubleshoot why we can't alert on it. http://systemcentersolutions.wordpress.com/2010/01/28/syslog-event-collection/ Cheers GrahamView OpsMgr tips and tricks at http://systemcentersolutions.wordpress.com/

Thanks for the reply gents. Nicholas, I read through that post as well as the others that I posted. Great information, but I still couldn't get it reporting. Thanks for the awesome walkthru Graham. I will give it a go. BTW, I am using Kiwi Daemon Syslog server to open up 514 and collect the syslogs on the agents. Is this ok, or should I be doing it some other way? Also, what does the facilites 9 represent? Is that just for Cron messages in ix? Thanks again guys!Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

I might well have misunderstood which server you mean when you say "agent" but be aware that the agent which is receiving the syslog data shouldn't have the Kiwi Syslog daemon running on it. If Kiwi Syslog daemon is using port 514 then the OpsMgr agent won't be able to use that port ... and hence you won't receive any data in OpsMgr. The netstat -an only shows the port is in use .. not which service is using it. If the Kiwi syslog daemon is running on the OpsMgr agent server and then can you stop the service and bounce the System Center Management Service and then re-test. Cheers GrahamView OpsMgr tips and tricks at http://systemcentersolutions.wordpress.com/

Thanks Graham, I read and followed the tutorial to the T, but I am still unable to see the events or alerts generated by KD syslog generator. I did a CRON test just as your post suggested, and set the rules accordingly. What I think I am having an issue with is how does the agent (another computer with the firewall turned off) with the MOMagent on it know to parse these events to the server? This is a windows 7 machine that I am using to test with as the actual agent. Would that have something to do with it? Or, how does the agent computer know to listen on port 514 UDP? I suppose since the FW is down it will listen to packets that are sent to it, but for some reason it isn't passing them onto the console... Thanks in advancePlease remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

Thanks Graham, I read and followed the tutorial to the T, but I am still unable to see the events or alerts generated by KD syslog generator. I did a CRON test just as your post suggested, and set the rules accordingly. What I think I am having an issue with is how does the agent (another computer with the firewall turned off) with the MOMagent on it know to parse these events to the server? This is a windows 7 machine that I am using to test with as the actual agent. Would that have something to do with it? Or, how does the agent computer know to listen on port 514 UDP? I suppose since the FW is down it will listen to packets that are sent to it, but for some reason it isn't passing them onto the console... Thanks in advancePlease remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

Got it working Graham. It was the agent. For some reason I coulnd't use my Windows 7 box so I just used a 2008 server as the agent and it works great now. Thanks again for your help!Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.