Syslog Trap Support

The System Message Log (syslog) protocol lets you send text messages from the Cisco devices to the network management software. The text messages are sent to the CA Spectrum Event Manager as SNMP traps. Syslog trap support lets the router device identify the text messages and escalate them to alarms as required. Syslog trap support also lets the Cisco Router model icon communicate alarm severity information.
If an alarm occurs as indicated by the Cisco device icon, the CA Spectrum Alarm Severity and a syslog message appear in the Alarm Log.
The syslog messages are classified based on the severity that ranges from 0 to 7 (most severe to least severe). The alarms display in the Alarm Log. Because these alarms are associated with Cisco device models, the corresponding model icon changes color and flashes, depending on the alarm severity.
The following table lists the severity codes and their descriptions:
Severity  Description
0         Emergency -- System is unusable
1         Alert -- Immediate action required
2         Critical -- Critical condition
3         Error -- Error condition
4         Warning -- Warning condition
5         Notification -- Normal but significant condition
6         Informational -- Informational message only
7         Debugging -- Message that appears during debugging only
The following table maps syslog message severity to the CA Spectrum alarm severity:
Alarm Severity  Color
0-1             Red
2-3             Orange
4               Yellow
Messages with an alarm severity of 5 through 7 do not generate an alarm because they are of minor importance. Messages are listed by facility (hardware device, protocol, or a module or system software).
A facility code is an abbreviation of the facility to which the message refers. A facility can be a specific hardware device, a protocol, or software. Within each facility, messages are listed in terms of the severity, from the highest (0) to the lowest (7). A mnemonic is an uppercase string that uniquely identifies the message.
An explanation and a recommended action follow each message. Messages appear only when the system remains operational. The following line is an example of a syslog message:
01/01/2001,18:31:15:SYS-5-MOD_INSERT:Module 5 has been inserted.
This message is interpreted as follows:
  • 01/01/2001,18:31:15 is the date and time of the error (this information appears if set for system log messaging).
  • SYS is the facility type.
  • 5 is the severity level, indicating it is a normal but significant condition.
  • MOD_INSERT is the mnemonic that uniquely identifies the message.
  • "Module 5 has been inserted" is the message text that describes the condition.
The System Message Log (syslog) program saves the system messages in a log file or directs the messages to other devices. Syslog software lets you do the following:
  • Save logging information for monitoring and troubleshooting
  • Select the type and destination of the logging information
By default, the switch logs normal but significant system messages to its internal buffer and sends these messages to the system console. You can specify how system messages must be saved based on the type of facility and the severity level. Messages can be time-stamped to improve real-time debugging and management.
Add Syslog Trap Mappings to CA Spectrum
CA Spectrum includes three text files that SpectroSERVER uses to map Cisco syslog traps to CA Spectrum events.
The following table shows the syslog text files:
Device Syslog Message  Text File
Cisco Router           <$SPECROOT>/SS/CsVendor/Cisco_Router/Rtr.txt
Catalyst Switch        <$SPECROOT>/SS/CsVendor/Ctron_CAT/Switch.txt
Cisco PIX              <$SPECROOT>/SS/CsVendor/CiscoPIX/Pix.txt
Each line of these text files contains information to map syslog messages to CA Spectrum events. The lines have the following format (for each field, a single space is the delimiter):
<facility> <severity> <mnemonic> <event code>
Follow these steps:
  1. Add a line to the file that contains the previous information.
    For example, to add support for the %SPE-3-SM_DOWNLOAD_FAILED syslog message for Cisco Routers, add the following line to the Rtr.txt file: SPE 3 SM_DOWNLOAD_FAILED 0xffff0001, where 0xffff0001 is an arbitrary code that you select.
  2. Create Event Format and the Probable Cause files for the event and alarm.
    In this case, create Eventffff0001 and Probffff0001. You can enter any text in these files. The following variable data can be read from the Event Message and displayed in the Event Format file:
    {S 1} - Facility
    {T T1_210017 2} - Severity
    {S 3} - Mnemonic
    {S 4} - Message
  3. Add the event-to-alarm mapping. Using the previous example, add the following line:
    0xffff0001 E 50 A 2,0xffff0001
    You must have an EventDisp file in the same directory as the Rtr.txt file.
    An orange alarm is generated if SpectroSERVER receives this syslog trap.
You can do this configuration while the SpectroSERVER is running. The SpectroSERVER checks for changes to the *.txt files every minute.
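The message format and the mapping-file format described above can be checked offline before a line is added to Rtr.txt. The following Python sketch is an added example, not CA Spectrum code: it parses a syslog message into its fields, applies the severity-to-color table from this page, and looks up the event code from mapping lines. The function names and the text of the second sample message are assumptions made for illustration.

```python
import re

# Alarm colour per syslog severity, from the page's table; 5-7 raise no alarm.
ALARM_COLOR = {0: "Red", 1: "Red", 2: "Orange", 3: "Orange", 4: "Yellow"}

# [timestamp:][%]FACILITY-SEVERITY-MNEMONIC:text
MSG_RE = re.compile(
    r"(?:^|:)%?(?P<facility>[A-Z][A-Z0-9_]*)-(?P<severity>[0-7])-"
    r"(?P<mnemonic>[A-Z0-9_]+):\s*(?P<text>.*)$"
)

def load_mappings(lines):
    """Parse '<facility> <severity> <mnemonic> <event code>' lines."""
    table = {}
    for n, raw in enumerate(lines, 1):
        line = raw.strip()
        if not line:
            continue
        fields = line.split(" ")  # the page specifies a single-space delimiter
        if len(fields) != 4 or not re.fullmatch(r"[0-7]", fields[1]):
            raise ValueError(f"line {n}: malformed mapping: {line!r}")
        facility, severity, mnemonic, code = fields
        table[(facility, int(severity), mnemonic)] = int(code, 16)
    return table

def classify(message, mappings):
    """Split a syslog message into fields; attach alarm colour and event code."""
    message = message.strip()
    m = MSG_RE.search(message)
    if m is None:
        return None  # not in facility-severity-mnemonic form
    severity = int(m["severity"])
    return {
        "timestamp": message[:m.start()] or None,
        "facility": m["facility"],
        "severity": severity,
        "mnemonic": m["mnemonic"],
        "text": m["text"],
        "alarm_color": ALARM_COLOR.get(severity),  # None: no alarm (5-7)
        "event_code": mappings.get((m["facility"], severity, m["mnemonic"])),
    }

# The mapping line is the page's example; the second message text is constructed.
MAPPINGS = load_mappings(["SPE 3 SM_DOWNLOAD_FAILED 0xffff0001"])
SAMPLES = [
    "01/01/2001,18:31:15:SYS-5-MOD_INSERT:Module 5 has been inserted.",
    "%SPE-3-SM_DOWNLOAD_FAILED: download failed (constructed text)",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(classify(sample, MAPPINGS))
```

A message whose `event_code` is `None` has no matching line in the mapping list, and a mapping line with extra spaces or an out-of-range severity is rejected with its line number.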
Syslog Message Filter
The Cisco Syslog Message Filter OneClick view lets you filter unwanted syslog messages. Filtering syslog messages blocks unwanted alarms or events. SS/CsVendor/SYSLOG contains eight files that correspond to different filter categories. To select the filter category to which a facility belongs, move the facility to the required SS/CsVendor/SYSLOG file.
The following table shows SS/CsVendor/SYSLOG files and corresponding filters:
File     Corresponding Filter
Syslog0  Protocol_Filter
Syslog1  System_Filter
Syslog2  Environment_Filter
Syslog3  Software_Filter
Syslog4  Security_Filter
Syslog5  Hardware_Configuration_Filter
Syslog6  Connection_Configuration_Filter
Syslog7  PIX_Firewall_Filter
The facilities are interchangeable with any of the filters.
The filters are as follows:
  • Protocol_Filter
    Affects the Syslog0 file. Set this filter to True to filter all syslog messages whose facilities deal with protocols. For example, BGP, OSPF, SNMP, SPANTREE.
  • System_Filter
    Affects the Syslog1 file. Set this filter to True to filter all syslog messages whose facilities deal with the system. For example, CBUS, MEMSCAN.
  • Environment_Filter
    Affects the contents of the Syslog2 file. Set this filter to True to filter out all syslog messages that deal with environment variables. For example, LCFE, LCGE.
  • Software_Filter
    Affects the contents of the Syslog3 file. Set this filter to True to filter out all syslog messages that deal with internal software. For example, PARSER, RSP, GRPGE.
  • Security_Filter
    Affects the contents of the Syslog4 file. Set this filter to True to filter out all syslog messages that deal with the security of the system. For example, RADIUS, SECURITY.
  • Hardware_Configuration_Filter
    Affects the contents of the Syslog5 file. Set this filter to True to filter out all syslog messages that deal with the hardware configuration of the device. For example, IOCARD, MODEM, DIALSHELF.
  • Connection_Configuration_Filter
    Affects the contents of the Syslog6 file. Set this filter to True to filter out all syslog messages that deal with connection configuration of the device. For example, MROUTE, ISDN, X25.
  • Pix_Firewall_Filter
    Affects the contents of the Syslog7 file. Set this filter to True to filter out all syslog messages that deal with the Cisco PIX Firewall device.