Diagnostic Commands and Tools

Both CSA MC and CSAgent have extensive logging capability for troubleshooting issues on the CSA MC, on the CSAgent, or both. This section presents the log files available on both the console and the agent for troubleshooting CSA issues.


As CSA MC is installed on top of Common Services, it's important to be sure that Common Services function properly for a seamless operation of CSA MC. In addition to what we have discussed in Chapter 17, "Troubleshooting CiscoWorks Common Services," there are some additional log files that are necessary to troubleshoot issues with CSA MC.

Windows System Information

To get all the Windows system information in a single file, you can run the winmsd command on the server where you have installed CSA MC. This is particularly important if you want to analyze the problem offline or want to escalate the issue to the Cisco Support Team. To collect the information, work through the steps that follow:

Step 1.

Go to Start > Run.

Step 2.

Type winmsd in the text box.

Step 3.

In the new window, select System Information, click Action, and then select Save As Text File. Name the file and save it.

Server Selftest Information

Server selftest provides quick statistics on the health of the server. This test shows information on serious failures. To perform the selftest, go to Server Configuration > Diagnostics > Self Test > Create when you first log into CiscoWorks. The report appears in the same window. You can right-click it to either save it or view the report.

CSA MC Log Directory

The log directory of CSA MC version 4.5 is Program Files\CSCOpx\CSAMC45\log. This directory contains two very important files:

  • csalog.txt This file records the health and state of the CSA MC. It is the first file to examine when troubleshooting the CSA MC itself or connectivity problems between the CSA MC and the CSA Agent.

  • CSAMC45-Install.log This is the installation log file. If there is an issue with the installation, this log file contains information about it.

CSA Agent Log

The CSA Agent log provides details on issues pertaining only to the CSAgent and its interactions with the CSA MC. Note that the CSA MC server has an agent installed to protect itself, so the agent log files discussed in this section are also present on the CSA MC server.

CSA Agent Log Directory

This section examines the files that make up the log directory on the CSA Agent. There are three important log files in the log directory (Program Files\Cisco (or Cisco Systems)\CSAgent\log):

  • CSAgent-Install.log This file contains the CSAgent installation information. If you have an installation or upgrade failure, you need to analyze this log file.

  • Driver_install.log As the name implies, this file contains information about the driver that is installed with the CSA Agent. If there is an installation failure, you need to analyze this file.

  • csalog.txt This is the file where all events destined for the event log on the CSA MC are stored. Connectivity checks are logged along with the other transactions between the CSAgent and the CSA MC. In addition, the health of the agent is recorded here (for example, rule compilation problems). In a nutshell, it is the repository for events and troubleshooting information of the agent.

Turning on Debug Mode

To turn on debug mode so that the agent logs more detailed messages in csalog.txt, set debug=1 in the Program Files\Cisco(Systems)\CSAgent\cfg\sysvars.cf file and be sure that the line is not commented out with a semicolon (;) in front of it. This increases the level of detail recorded about the agent's state and transactions. The change is only picked up on service restart: stop the agent service with the net stop csagent command first, make the change, and then restart the service with the net start csagent command at a command prompt. Debug-level logging grows csalog.txt quickly, so once you have collected the data for troubleshooting, turn it off again by commenting the debug=1 line out with a semicolon (;) and restarting the service the same way.

The csainfo.log File

The csainfo.bat utility is used to collect a log you can use to troubleshoot general CSA issues, such as agent/MC communication issues, and system configuration issues. The file is in Program Files\Cisco(Systems)\CSAgent\bin. When executed, the csainfo.bat file generates a flat text file called csainfo.log (~2-3 MB). This file is created in the same directory as the csainfo.bat file. If you run into a blue screen problem, which is discussed next, you may need to provide a csainfo.log file in addition to the memory dump to Cisco Support Team. Following is some of the critical information that can be extracted from the csainfo.log file:

  • Contents of agent.state file

  • System OS information, including version and service packs

  • Network cards present on the system

  • Base system device configuration data

  • ARP cache contents

  • System routes

  • System interface information

  • netstat command output

  • nbtstat command output

  • Management center ping output

  • BT management center ping output

  • nslookup of management center output

Logs for Blue Screen

When a CSA Agent system crashes with a blue screen, there is not much troubleshooting you can do on the spot. However, on a blue screen the system writes a memory dump, by default named memory.dmp, which contains the information needed to determine what caused the crash. Cisco developers analyze this memory.dmp file to find the root cause of the problem, so it is extremely important to know how to obtain a full (complete) memory dump of the system. Work through the following steps to complete the task:

Step 1.

Right-click My Computer > Select Properties > Click the Advanced tab > Click the Startup and Recovery button.

Step 2.

On the Startup and Recovery window, change the drop-down under Write Debugging Information in the System Failure section to Complete Memory Dump.

Step 3.

In the Dump File: text box, change the location and the name of the memory dump file as you desire. By default, it is located in %SystemRoot% and the file is called MEMORY.DMP. We recommend changing the name of the file to something more descriptive, for example yourcompanyname.dmp.

Step 4.

Reboot to make this change take effect.
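The four steps above are the Startup and Recovery dialog; the same settings live in the CrashControl registry key, which is a standard Windows location and is convenient when you need to prepare several agent hosts or verify one remotely. The following script is an added example and is not code from the book or from Cisco. The function names, the C:\dumps path and the default file name are my own choices; the CrashDumpEnabled values (0 = none, 1 = complete, 2 = kernel, 3 = small) and the requirement that the boot volume's paging file be at least physical RAM plus 1 MB for a complete dump are standard Windows behaviour.

```powershell
# Added example (not from the book or Cisco): configure and verify a complete
# memory dump through the CrashControl registry key instead of the GUI.
# The dump path and function names are illustrative assumptions.
#Requires -RunAsAdministrator

$crashKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl'

function Set-CompleteMemoryDump {
    param([string]$DumpFile = 'C:\dumps\yourcompanyname.dmp')

    $dir = Split-Path -Parent $DumpFile
    if (-not (Test-Path -LiteralPath $dir)) {
        New-Item -ItemType Directory -Path $dir | Out-Null
    }

    # CrashDumpEnabled: 0 = none, 1 = complete, 2 = kernel, 3 = small (64 KB)
    Set-ItemProperty -Path $crashKey -Name CrashDumpEnabled -Value 1 -Type DWord
    # DumpFile is REG_EXPAND_SZ; the Windows default is %SystemRoot%\MEMORY.DMP
    Set-ItemProperty -Path $crashKey -Name DumpFile -Value $DumpFile -Type ExpandString
    # Overwrite an older dump rather than silently skipping the new one
    Set-ItemProperty -Path $crashKey -Name Overwrite -Value 1 -Type DWord
}

function Test-CompleteMemoryDump {
    $cfg   = Get-ItemProperty -Path $crashKey
    $ramMB = [int]((Get-CimInstance Win32_ComputerSystem).TotalPhysicalMemory / 1MB)

    # A complete dump is only written if the paging file on the boot volume
    # is at least RAM + 1 MB; check that before relying on the setting.
    $pf = Get-CimInstance Win32_PageFileUsage |
          Where-Object { $_.Name -like "$($env:SystemDrive)*" } |
          Select-Object -First 1

    [pscustomobject]@{
        CrashDumpEnabled    = $cfg.CrashDumpEnabled          # expect 1
        DumpFile            = $cfg.DumpFile
        RamMB               = $ramMB
        BootPagefileMB      = if ($pf) { $pf.AllocatedBaseSize } else { 0 }
        PagefileLargeEnough = ($pf -and $pf.AllocatedBaseSize -ge ($ramMB + 1))
    }
}

Set-CompleteMemoryDump
Test-CompleteMemoryDump
# Reboot for the CrashControl change to take effect, as in Step 4.
```

If PagefileLargeEnough comes back False, enlarge the boot-volume paging file before the next crash; otherwise Windows falls back to no dump at all and the extract.exe step that follows has nothing to work with.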

As mentioned earlier, Cisco developers analyze the memory dump to find the cause of the crash. To extract the information related to the CSAgent from the memory dump file, use the extract.exe utility, which is under Program Files\Cisco(Systems)\CSAgent\bin. Following is the command syntax for extracting the memory dump:

extract memory.dmp > filename.log 

Here the memory.dmp is the name of the memory dump file and filename.log is the name of the file to which you want to extract memory dump information. Note that the extract.exe can be copied into any directory, and you can run it from there. It does not have to be run in the Program Files\Cisco(Systems)\csagent\bin directory.

Rtrformat Utility

This utility is located in the Program Files\Cisco Systems\CSAgent\bin directory. The syntax for running it is rtrformat -s state. Use this utility to write the exact state of your rules to a state file (you can name the output file anything, but this example uses state). If there are issues with rule compilation or other rule-related problems, the Cisco Development team may ask for this information. The file is encrypted, so you cannot read it yourself.

This same utility can be used to troubleshoot connectivity and transaction issues with CSA MC. Follow these steps to read the output of *.rtr files:

Step 1.

Copy a specific *.rtr file from Program Files\Cisco(Systems)\CSAgent\log (for example, request-27-22-17.rtr) to the Program Files\Cisco(Systems)\CSAgent\bin directory. You need to stop the CSAgent service with the command net stop CSAgent before you can copy the file over to the \bin directory. The CSAgent service must also remain stopped while you perform Step 2.

Step 2.

Open a CMD shell and type the command rtrformat request-27-22-17.rtr > output.txt. Here request-27-22-17.rtr is the *.rtr file you want to unscramble, and the decoded output goes to the output.txt file.

Step 3.

Then start the CSAgent service with the command net start CSAgent at the command prompt.
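The three steps above leave the host unprotected for as long as the CSAgent service is down, and a failed copy or decode can leave it stopped indefinitely if you forget Step 3. The following PowerShell function is an added example, not code from the book or from Cisco; it wraps the stop, copy, decode and restart in one call so that the agent is always restarted, even when the decode fails. The function name, the output directory under %TEMP% and the default "Cisco Systems" install paths are my own assumptions; rtrformat.exe and the file names are those from the text.

```powershell
# Added example (not from the book or Cisco): decode one or more *.rtr files
# with rtrformat.exe while stopping the CSAgent service only as long as needed.
# Function name, -OutDir and the default install paths are assumptions.
#Requires -RunAsAdministrator

function ConvertFrom-CsaRtr {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string[]]$RtrName,   # e.g. request-27-22-17.rtr
        [string]$Bin = "$env:ProgramFiles\Cisco Systems\CSAgent\bin",
        [string]$Log = "$env:ProgramFiles\Cisco Systems\CSAgent\log",
        [string]$OutDir = "$env:TEMP\csa-rtr",
        [string]$ServiceName = 'CSAgent'
    )

    $rtrformat = Join-Path $Bin 'rtrformat.exe'
    if (-not (Test-Path -LiteralPath $rtrformat)) { throw "rtrformat.exe not found in $Bin" }
    New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

    # Step 1: the agent must be stopped before the .rtr file can be copied.
    Stop-Service -Name $ServiceName -Force
    (Get-Service -Name $ServiceName).WaitForStatus('Stopped', [TimeSpan]::FromSeconds(60))

    try {
        foreach ($name in $RtrName) {
            $src = Join-Path $Log $name
            if (-not (Test-Path -LiteralPath $src)) { Write-Warning "missing $src"; continue }

            # Work on a copy placed in \bin, as the book's procedure does.
            $work = Join-Path $Bin $name
            Copy-Item -LiteralPath $src -Destination $work -Force
            $outFile = Join-Path $OutDir ($name -replace '\.rtr$', '.txt')

            # Step 2: run rtrformat from \bin; Out-File replaces the "> output.txt" redirect.
            Push-Location $Bin
            try {
                & $rtrformat $name | Out-File -FilePath $outFile -Encoding ascii
            }
            finally {
                Pop-Location
                Remove-Item -LiteralPath $work -Force -ErrorAction SilentlyContinue
            }
            $outFile   # return the decoded file path
        }
    }
    finally {
        # Step 3 always runs: the host is unprotected while the agent is stopped.
        Start-Service -Name $ServiceName
    }
}

# One file, as in the text:
ConvertFrom-CsaRtr -RtrName 'request-27-22-17.rtr'

# Every request file in the log directory in a single stop/start cycle:
$all = Get-ChildItem "$env:ProgramFiles\Cisco Systems\CSAgent\log\*.rtr" |
       Select-Object -ExpandProperty Name
ConvertFrom-CsaRtr -RtrName $all
```

Decoding all files in one cycle keeps the agent down once instead of once per file; the decoded .txt files can then be read or sent to Cisco Support without stopping the agent again.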

Additional Logs Controlled by the Sysvars.cf file

sysvars.cf is the CSA MC and CSAgent configuration file. On the agent, this file is in Program Files\Cisco(Systems)\CSAgent\cfg, and on the CSA MC it is in Program Files\CSCOpx\CSAMC\cfg. This file is not available in the CSA MC 4.5 version. Before you modify sysvars.cf, be sure to back it up. You must stop the CSAgent service with the command net stop CSAgent before you make any changes to the file, and start it again afterwards; otherwise, the change will not take effect. Following are some tasks you can perform by changing this file:

  • Turning on Debug mode As mentioned before, to make the agent log more detailed messages in csalog.txt, set debug=1 and uncomment the line by deleting the leading semicolon (;).

  • Writing events to a local file on the CSA Agent The parameter log_events_to_esl controls whether events are also written in readable form to the Program Files\Cisco(Systems)\CSAgent\log\securitylog.txt file. If the value is 0, no events are written to this file; if it is 1, all events destined for the MC are written to it. Make sure the parameter is uncommented, either by removing the semicolon (;) in front of it or by adding another, uncommented line. Note, however, that on a standalone agent (for example, an agent running on Call Manager) all security events are written to this file regardless of this value. By default, securitylog.txt does not exist and log_events_to_esl=1 is commented out (; log_events_to_esl=1). Once log_events_to_esl=1 is uncommented and the service restarted, the file is created automatically in the Program Files\Cisco(Systems)\CSAgent\log directory.

  • Event limiting Under normal circumstances, you will probably not want to modify the Event Limiting parameters. They control the number of events that can be logged to the database before limiting occurs. limit.info sets the message count at which information-level messages are no longer logged. By default, limit.info is commented out, so limiting of information-level messages is disabled.


    The other parameters are self-explanatory; uncomment them as appropriate. The values shown are the defaults for MSDE. The default limits for SQL Server are 20 times as large. Example 21-1 shows the default limiting numbers.

    Example 21-1. The Default Limiting Number for the Event Logging to the Database

    ;limit.notice=600000
    ;limit.warning=700000
    ;limit.error=800000
    ;limit.alert=900000
    ;limit.critical=1000000

  • Date and Time Formatting To format the date and time strings for the Management User Interface (UI), you can adjust the parameters shown in Example 21-2. By default, the parameters are set to the U.S. format. Most likely, you will not have to change this setting, except for British English versions.

    Example 21-2. The Parameters in Sysvars.cf that Control the Date and Time Format of the UI

    ; US:   m/d/yy h:mm:ss tt
    ;date_format=M'/'d'/'yy
    ;time_format=h':'mm':'ss tt
    ; Unambiguous:   dd-mmm-yy HH:mm:ss
    ;date_format=d'-'MMM'-'yy
    ;time_format=HH':'mm':'ss

  • Monitor Disk Usage The CSA MC and Agent services monitor disk usage on the partition containing the CSA MC or Agent installation and log a warning event when the amount of free disk space falls below the alert threshold. The threshold is an integer value in megabytes. The default is 100 MB for servers and 2 MB for agents, as shown in Example 21-3. Uncomment these tokens and change the values if desired.

    Example 21-3. Server and Agent Threshold Values for the CSA MC or CSA Agent

    ;server_alert_threshold=100
    ;agent_alert_threshold=2

  • Limiting RTR File By default, the creation of RTR files is set to 10. The service in CSA MC or Agent checks the number of RTR files in the log directory once an hour with the following command:
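Every change in this list, and the debug switch described under "Turning on Debug Mode", follows the same pattern: back up sysvars.cf, stop CSAgent, set or uncomment one token (making sure exactly one live copy of it remains), and start CSAgent again. The following PowerShell function is an added example and is not code from the book or from Cisco; it performs that sequence for any token and serves both passages. The function name and the default install path under "Cisco Systems" are my own assumptions; the token names (debug, log_events_to_esl, limit.*, server_alert_threshold, agent_alert_threshold) and the semicolon comment convention are those from the text.

```powershell
# Added example (not from the book or Cisco): set, uncomment or re-comment one
# sysvars.cf token on a CSA Agent host with backup and service stop/start.
# Function name and the default -CfgPath are assumptions about a default install.
#Requires -RunAsAdministrator

function Set-CsaSysvar {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Name,     # e.g. debug, log_events_to_esl
        [Parameter(Mandatory)][string]$Value,    # e.g. 1
        [switch]$Disable,                        # write the token commented out again
        [string]$CfgPath = "$env:ProgramFiles\Cisco Systems\CSAgent\cfg\sysvars.cf",
        [string]$ServiceName = 'CSAgent'
    )

    if (-not (Test-Path -LiteralPath $CfgPath)) { throw "sysvars.cf not found at $CfgPath" }

    # Always keep a timestamped backup before touching the file.
    $backup = "$CfgPath.$(Get-Date -Format yyyyMMddHHmmss).bak"
    Copy-Item -LiteralPath $CfgPath -Destination $backup

    # The agent only reads sysvars.cf at start, so stop it first.
    Stop-Service -Name $ServiceName -Force
    (Get-Service -Name $ServiceName).WaitForStatus('Stopped', [TimeSpan]::FromSeconds(60))

    try {
        $lines = Get-Content -LiteralPath $CfgPath
        # Matches "debug=1", ";debug=1" and "; debug = 0" for this token only.
        $pattern = '^\s*;?\s*' + [regex]::Escape($Name) + '\s*=.*$'
        $newLine = if ($Disable) { ";$Name=$Value" } else { "$Name=$Value" }
        $found   = $false

        $out = @(foreach ($line in $lines) {
            if ($line -match $pattern -and -not $found) {
                $found = $true
                $newLine          # replace the first definition in place
            }
            elseif ($line -match $pattern) {
                # drop further copies, so a stray commented line cannot shadow the live one
            }
            else {
                $line
            }
        })
        if (-not $found) { $out += $newLine }   # token absent: append it
        Set-Content -LiteralPath $CfgPath -Value $out
    }
    finally {
        # Restart even if the edit failed; the host is unprotected while stopped.
        Start-Service -Name $ServiceName
    }
    return $backup   # path of the backup, for rollback
}

# Turn debug logging on, reproduce the problem, collect csalog.txt, turn it off:
Set-CsaSysvar -Name debug -Value 1
# ... reproduce and copy csalog.txt ...
Set-CsaSysvar -Name debug -Value 1 -Disable

# Other tokens from this section use the same call:
Set-CsaSysvar -Name log_events_to_esl -Value 1          # creates securitylog.txt
Set-CsaSysvar -Name agent_alert_threshold -Value 50     # warn below 50 MB free
```

To roll back, stop the service, copy the returned .bak file over sysvars.cf and start the service again. Because the function removes duplicate definitions of the token it touches, a leftover "; debug=1" line cannot be mistaken for an active setting when you later audit the file.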


Cisco Network Security Troubleshooting Handbook
ISBN: 1587051893
Year: 2006
Pages: 190
Authors: Mynul Hoda
