IBM SC30-3681-08 syslog_user

Youcan use the timestamp, which appears in both the remote-logging output ﬁle

and the talk 2 output, to determine when the ﬁrst ELS message is successfully

remote-logged. Touse the timestamp for this purpose, conﬁgure ELS such that the

timestamp in the monitor queue displays the time-of-day.

Also notice in Figure 9on page 160 that messages 311-313 did not get

remote-logged. This is because an ARPrequest was outstanding and until the ARP

response is received, all but the ﬁrst packet is dropped in the source IBM 2210. The

ARP cache is cleared at a user-conﬁgured refresh rate, and the device issues a

new ARP request.To determine when ARP requests are occurring, events ARP.002

and ARP.011 can be remote-logged, in addition to the ELS events of interest.

Figure 11shows ARP events logged to the

syslog_user_alert

ﬁle that account for

events 445 and 446, which were indicated as missing in Figure 9on page 160 .

Youcan prevent the loss of ELS messages caused by this ARP sequence by

establishing a static relationship between the IP address and the MAC address. The

basic steps are outlined below and are illustrated in Figure 12on page 162.

1. In talk 5, “ping” the remote workstation’s IP address

2. In talk 5, determine the interface (net) number used to send messages to the

remote-workstation’s IP address

12:08:17 SNMP.024: generic trc (P2) at snmp_mg.c(766): Now 0 trap destinations

12:08:17 SNMP.012: comm public added

12:08:27 SNMP.022: ext err (Z1) at snmp_resconf.c(322): add_router_if_info(): sr

rdrec failed

12:08:27 SNMP.022: ext err (Z1) at snmp_resconf.c(322): add_router_if_info(): sr

rdrec failed

12:08:27 SNMP.028: err (E2) at snmp_moh.c(1583) : Duplicate

12:08:28 GW.022: Nt fld slf tst nt 13 int PPP/3

12:08:28 IP.022: add nt 4.0.0.0 int 4.1.1.1 nt 4 int PPP/0

( 297 messages not shown ) Corresponding Sequence

Numbers in

12:08:43 GW.022: Nt fld slf tst nt 12 int PPP/2 Remote-Logging Files :

12:08:43 GW.022: Nt fld slf tst nt 13 int PPP/3

12:08:48 IP.022: add nt 192.9.200.0 int 192.9.200.20 nt 0 int Eth/0 [0310] first message logged

12:08:48 SRT.017: Enabling SRT on port 1 nt 0 int Eth/0 -- not logged (ARP request) --

12:08:48 STP.016: Select as root TB-1, det topol chg -- not logged (ARP request)--

12:08:48 STP.026: Root TB-1, strt hello tmr -- not logged (ARP request)--

12:08:48 ARP.002: Pkt in 1 1 800 nt 0 int Eth/0 [0314]

12:08:48 ARP.002: Pkt in 2 1 800 nt 0 int Eth/0 [0315]

12:08:48 IP.068: routing cache cleared [0316]

( 126 messages not shown )

12:13:38 GW.022: Nt fld slf tst nt 11 int ISDN/0 [0443]

12:13:47 ARP.011: Del ent13nt0intEth/0 [0444]

12:13:47 ARP.011: Del ent13nt0intEth/0 -- not logged (ARP request) --

12:13:47 ARP.002: Pkt in 1 1 800 nt 5 int Eth/4 -- not logged (ARP request)--

12:13:47 ARP.002: Pkt in 2 1 800 nt 0 int Eth/0 [0447]

12:13:50 GW.022: Nt fld slf tst nt 4 int PPP/0 [0448]

Figure 10. Output from Talk2

Nov 20 12:02:53 worksta01 root: THIS IS A TEST MESSAGE (user.alert)

Nov 20 12:08:48 5.1.1.1 Msg [0314] from ** IBM / 2210 **: els: ARP.002: Pkt in 1 1 800 nt 0 int Eth/0

Nov 20 12:08:48 5.1.1.1 Msg [0315] from ** IBM / 2210 **: els: ARP.002: Pkt in 2 1 800 nt 0 int Eth/0

Nov 20 12:08:48 5.1.1.1 Msg [0319] from ** IBM / 2210 **: els: ARP.002: Pkt in 2 1 800 nt 0 int Eth/0

Nov 20 12:13:47 5.1.1.1 Msg [0444] from ** IBM / 2210 **: els: ARP.011: Del ent13nt0intEth/0

Nov 20 12:13:47 5.1.1.1 Msg [0447] from ** IBM / 2210 **: els: ARP.002: Pkt in 2 1 800 nt 0 int Eth/0

Figure 11.Sample Contents from Syslog_user_alert File

Using ELS

Chapter12. Using the Event Logging System (ELS) 161