Important: This version of the product has reached end of support. The documentation is available for your convenience.

Understanding syslog debug events


This section contains the following topics that describe the debug events that a user might see when syslog debugging is enabled for a given device agent:

To learn how to enable syslog debugging, see Managing device agents. To learn how to manage syslog external event filters, see Managing external event filters.

Each debug event displays INFO in the Severity column, Debug in the Category column, Syslog Debugging in the Event column, and nothing in the Target column.

The Date/Time column displays the timestamp when the event was created at the TrueSight Network Automation application server, not when the underlying message was created by the device agent. The Source column shows System for events from the Local agent, and System-{Remote_Agent_Name} for events from remote device agents.

Events fired when a syslog processing queue becomes full at an agent, or when a full queue frees up again

These events are not debug events. The full event displays "Syslog message queue full; one or more messages dropped" in the Event column, while the not-full event shows "Syslog message queue was full, but it is now down to 95% capacity". The Source column for these events displays System for the Local agent, and System-<Remote_Agent_Name> for remote agents. The Description column for these events displays the name of the queue involved (typically InetMessageQueue).

The syslog processor is designed to handle a small but steady stream of messages, with short bursts at higher volume. A full syslog queue indicates that TrueSight Network Automation is unable to process a constant high volume of syslog messages. The solution is to reduce the volume of messages at the source (the most frequent culprits are PIX/ASA devices), or to filter the messages using a relay (such as Kiwi or syslog-ng).
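To see why short bursts are absorbed while a constant high volume triggers these events, the following added example (not TrueSight Network Automation code) models a bounded queue that drops on overflow and reports recovery at 95% capacity. The capacity, per-tick service rate, traffic profiles, and the choice to report only state transitions are assumptions made for illustration.

```python
from collections import deque

# Event texts as quoted on this page.
FULL_EVENT = "Syslog message queue full; one or more messages dropped"
RECOVERED_EVENT = "Syslog message queue was full, but it is now down to 95% capacity"

class ModelQueue:
    """Bounded queue: drops on overflow, records full/recovered transitions."""
    def __init__(self, capacity, name="InetMessageQueue"):
        self.capacity = capacity
        self.name = name
        self.items = deque()
        self.full = False
        self.dropped = 0
        self.events = []  # (tick, event text, queue name)

    def offer(self, tick, msg):
        if len(self.items) >= self.capacity:
            self.dropped += 1
            if not self.full:  # assumption: report the transition, not every drop
                self.full = True
                self.events.append((tick, FULL_EVENT, self.name))
            return False
        self.items.append(msg)
        return True

    def drain(self, tick, n):
        for _ in range(min(n, len(self.items))):
            self.items.popleft()
        if self.full and len(self.items) <= 0.95 * self.capacity:
            self.full = False
            self.events.append((tick, RECOVERED_EVENT, self.name))

def simulate(arrivals, capacity=100, service_rate=4):
    """arrivals[i] = messages arriving in tick i; service_rate = processed per tick."""
    q = ModelQueue(capacity)
    for tick, count in enumerate(arrivals):
        for i in range(count):
            q.offer(tick, f"msg-{tick}-{i}")
        q.drain(tick, service_rate)
    return q

# Constructed traffic profiles (messages per tick), not measured data.
BURSTY = [2] * 10 + [60] + [2] * 40           # steady trickle with one short burst
SUSTAINED = [2] * 5 + [20] * 10 + [2] * 20    # constant high volume, then normal

if __name__ == "__main__":
    for label, profile in (("bursty", BURSTY), ("sustained", SUSTAINED)):
        q = simulate(profile)
        print(label, "dropped:", q.dropped, "events:", q.events)
```

In this model the single burst drains without loss, while the sustained profile drops messages until the source rate falls, which is why the remedy is to cut or filter traffic before it reaches the agent.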

Agent initialization sequence

The following table shows an example sequence of debug events during initialization of an agent at address 172.21.127.10 in a system containing two enabled syslog External Event Filters: Configuration Changes and Received message with Critical severity.

Message processing sequence - rejected local echo

The following table shows an example sequence of debug events in which a device agent receives a syslog message encapsulated in a single packet directly from device bcan-cisco1760-02 at address 172.21.125.4.

The message indicates that someone connected to the device from the device agent's platform triggered the syslog message. The agent therefore does not forward it to the TrueSight Network Automation server as a potential syslog event, because it is probably an echo of the server's own device communications. Logging to a file named C:\syslog_info is enabled for the agent.

Message processing sequence - rejected via filtering

The following table shows an example sequence of debug events in which a device agent receives a syslog message encapsulated in a single packet directly from device ban-cisco4003-01 at address 172.21.127.68.

The message content does not match either of the enabled filters, so the agent does not forward it to the TrueSight Network Automation server as a potential syslog event. Logging to a file named C:\syslog_info is enabled for the agent.

Message processing sequence - accepted syslog event

The following table shows an example sequence of debug events in which the Local agent receives a syslog message fragmented across two packets, originating from device bcan-cisco1760-01 at address 172.21.127.58, relayed from a known syslog relay at address 172.21.127.25.

The message content matches one of the enabled filters, so the device agent forwards it to the TrueSight Network Automation server, which determines that it came from a known device and turns it into a syslog event. Logging to a file named C:\syslog_info is enabled for the agent.

Note that syslog messages received directly from devices are never fragmented. Fragmentation is only possible in relayed messages. It is also possible for relayed packets to contain multiple embedded syslog messages.

Miscellaneous debug events

The following table shows some less common, miscellaneous syslog debug events:
