This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Syslog severity in Netsight

Syslog severity in Netsight

Marius_Matijosi
New Contributor II

‎11-23-2016 06:53 AM

My idea was to create severity alarm based on syslog messages i ECM. But I noticed that all syslog messages are logged and displayed with one severity INFO. Severity is coded in first 3 bits of every syslog message. But ECM is ignoring original severity.
Is there any explanation for such behavior?
Can ECM log syslog messages with original severity?

Thanks for your advices.
11 REPLIES 11

Ronald_Dvorak
Honored Contributor
In response to Marius_Matijosi

‎11-24-2016 11:50 AM

Could you explain where to add/change the line for 2. - I don't get it.

Thanks
0 Kudos

Marius_Matijosi
New Contributor II

‎11-24-2016 09:57 AM

Hi Suresh,

I am currently testing on ECM 7.0.4.29

Thanks,
Marius
0 Kudos

Bharathiraja__S
Extreme Employee

‎11-24-2016 06:48 AM

Hi Marius,

can you let me know what is your netsight version ?

Thanks,
Suresh.B
0 Kudos

Marius_Matijosi
New Contributor II

‎11-24-2016 06:31 AM

Hello,
i tried to modify rsyslog.conf.
I got severity in 3 first characters of messages in syslog file. But unfortunately ECM doesn't show these messages in SYSLOG events.
ex. of syslog file:
<6>Nov 24 09:14:18 Fima-03 AAA: Login passed for user admin through xml (172.16.69.100)<6>Nov 24 09:14:20 Fima-03 AAA: User admin logout from xml (172.16.69.100)
<4>Nov 24 09:16:09 172.16.69.6 snmp: SNMP Security access violation from 172.16.100.69

0 Kudos

Ronald_Dvorak
Honored Contributor

‎11-23-2016 08:07 PM

EMC is still showing all messages as severity info even I've some with <3> which should be Error.

<3>Nov 23 21:59:17 172.24.24.101 events: Radar Analysis Engine Security threat [Unauthorized Bridging] detected by AP [AP3935-2], SN [1628Y-1033100000]. Details: state [inactive], location [Home], channel [6], frequency [2437MHz], associated MAC [A4:B1:E9:43:C3:1F], RSS [-85], description [Potential unauthorized AP active - WPS-enabled AP operating in vicinity] 1

<3>Nov 23 21:59:47 172.24.24.101 events: Radar Analysis Engine Security threat [Unauthorized Bridging] detected by AP [AP3935-2], SN [1628Y-1033100000]. Details: state [active], location [Home], channel [6], frequency [2437MHz], associated MAC [A4:B1:E9:43:C3:1F], RSS [-85], description [Potential unauthorized AP active - WPS-enabled AP operating in vicinity] 1

1458aa69b1ed42fb84f726f54dd69967_RackMultipart20161123-53795-n2onjc-syslog_facilities05_inline.png



I'm running EMC 7.0.6.27 and also tried it after a ./stopserver & ./startserver

0 Kudos
GTM-P2G8KFN