Syslog Plugin troubles

[bur3620]

Hi,

I'm trying to install snmptt which is required by the syslog plugin for trap logging and I'm not seeing the snmptrapd.conf file. Does anyone have any idea why this would be missing. Every piece of documentation I can find on Google refers to that .conf file. I've tried reinstalling net-snmp but that didnt work. I am using CentOS 5.0 with Cacti-0.8.7a and net-snmp-5.3.1.

Any help would be appreciated as I have exhausted all known avenues.

Thanks

Dan

[bur3620]

Any one seen this?

[Howie]

You need to create it.

Googling snmptrapd.conf has this page as the top hit, which describes what it should look like.

The snmptt instructions have the line you need for snmptt. That's all you need. Actually, mine has this as the entire file:

Code: Select all

disableAuthorization yes
traphandle default /usr/local/sbin/snmptthandler

I suspect the first line isn't such a good idea, but I was lazy.

[bur3620]

OK, I wasn't sure if that was how it was done. Thanks for your help.

Now when I try to run the snmptt deamon I get the following:


snmptt --daemon
Can't locate Config/IniFiles.pm in @INC (@INC contains: /usr/lib/perl5/site_perl/5.8.8/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.7/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.6/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.5/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.8 /usr/lib/perl5/site_perl/5.8.7 /usr/lib/perl5/site_perl/5.8.6 /usr/lib/perl5/site_perl/5.8.5 /usr/lib/perl5/site_perl /usr/lib/perl5/vendor_perl/5.8.8/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.7/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.6/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.5/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.8 /usr/lib/perl5/vendor_perl/5.8.7 /usr/lib/perl5/vendor_perl/5.8.6 /usr/lib/perl5/vendor_perl/5.8.5 /usr/lib/perl5/vendor_perl /usr/lib/perl5/5.8.8/i386-linux-thread-multi /usr/lib/perl5/5.8.8 .) at /usr/sbin/snmptt line 3894.
BEGIN failed--compilation aborted at /usr/sbin/snmptt line 3894.

Do you know what this means?

[Howie]

You need to install the Config::IniFiles perl module from CPAN.

Depending on your linux distro, that will either be a .deb/.rpm/etc or cpan -i Config::IniFiles

[bur3620]

That worked. thanks.

Do you know where I am supposed to configure syslog to pipe data to mysql?

Is this in the syslog.conf file?

[Howie]

Sorry - I don't actually use the syslog plugin. I just use syslog-ng, snmptrapd and snmptt...

I would expect it would be in the syslog-ng config.

[bur3620]

Whats the difference?

How do I upgrade?

[bur3620]

OK, I got syslog-ng installed and it seems to be working. I'm receiving traps from my Cisco devices and I can see them in /var/log/snmptt.log

My problem now is getting them into mysql.

syslog-ng.conf:

#
# Syslog-ng example configuration for for Debian GNU/Linux
#
# Copyright (c) 1999 anonymous
# Copyright (c) 1999 Balazs Scheidler
# $Id: syslog-ng.conf.sample,v 1.3 2003/05/20 08:57:27 asd Exp $
#
# Syslog-ng configuration file, compatible with default Debian syslogd
# installation.
#

options { long_hostnames(off); sync(0); };

source src { unix-stream("/dev/log"); internal(); };
source net { udp(); };

destination snmptt { file("/var/log/snmptt"); };
destination authlog { file("/var/log/auth.log"); };
destination syslog { file("/var/log/syslog"); };
destination cron { file("/var/log/cron.log"); };
destination daemon { file("/var/log/daemon.log"); };
destination kern { file("/var/log/kern.log"); };
destination lpr { file("/var/log/lpr.log"); };
destination user { file("/var/log/user.log"); };
destination uucp { file("/var/log/uucp.log"); };
destination ppp { file("/var/log/ppp.log"); };
destination mail { file("/var/log/mail.log"); };

destination mailinfo { file("/var/log/mail.info"); };
destination mailwarn { file("/var/log/mail.warn"); };
destination mailerr { file("/var/log/mail.err"); };

destination newscrit { file("/var/log/news/news.crit"); };
destination newserr { file("/var/log/news/news.err"); };
destination newsnotice { file("/var/log/news/news.notice"); };

destination debug { file("/var/log/debug"); };
destination messages { file("/var/log/messages"); };
destination console { usertty("root"); };
destination console_all { file("/dev/tty12"); };
#destination loghost { udp("loghost" port(999)); };


destination xconsole { pipe("/dev/xconsole"); };

filter f_snmptt { program(snmptt); };
filter f_auth { facility(auth); };
filter f_authpriv { facility(auth, authpriv); };
filter f_syslog { not facility(authpriv, mail); };
filter f_cron { facility(cron); };
filter f_daemon { facility(daemon); };
filter f_kern { facility(kern); };
filter f_lpr { facility(lpr); };
filter f_mail { facility(mail); };
filter f_user { facility(user); };
filter f_uucp { facility(cron); };
filter f_ppp { facility(local2); };
filter f_news { facility(news); };
filter f_debug { not facility(auth, authpriv, news, mail); };
filter f_messages { level(info..warn)
and not facility(auth, authpriv, mail, news); };
filter f_emergency { level(emerg); };

filter f_info { level(info); };
filter f_notice { level(notice); };
filter f_warn { level(warn); };
filter f_crit { level(crit); };
filter f_err { level(err); };

log { source(src); filter(f_snmptt); destination(snmptt); };
log { source(src); filter(f_authpriv); destination(authlog); };
log { source(src); filter(f_syslog); destination(syslog); };
log { source(src); filter(f_cron); destination(cron); };
log { source(src); filter(f_daemon); destination(daemon); };
log { source(src); filter(f_kern); destination(kern); };
log { source(src); filter(f_lpr); destination(lpr); };
log { source(src); filter(f_mail); destination(mail); };
log { source(src); filter(f_user); destination(user); };
log { source(src); filter(f_uucp); destination(uucp); };
log { source(src); filter(f_mail); filter(f_info); destination(mailinfo); };
log { source(src); filter(f_mail); filter(f_warn); destination(mailwarn); };
log { source(src); filter(f_mail); filter(f_err); destination(mailerr); };
log { source(src); filter(f_news); filter(f_crit); destination(newscrit); };
log { source(src); filter(f_news); filter(f_err); destination(newserr); };
log { source(src); filter(f_news); filter(f_notice); destination(newsnotice); };
log { source(src); filter(f_debug); destination(debug); };
log { source(src); filter(f_messages); destination(messages); };
log { source(src); filter(f_emergency); destination(console); };
log { source(src); filter(f_ppp); destination(ppp); };
log { source(src); destination(console_all); };

destination d_mysql {
pipe("/var/log/mysql.pipe"
template("INSERT INTO haloe_incoming
(host, facility, priority, level, tag, date,time, program, message)
VALUES ( '$HOST', '$FACILITY', '$PRIORITY', '$LEVEL', '$TAG', '$YEAR-$MONTH-$DAY','$HOUR:$MIN:$SEC',
'$PROGRAM', '$MSG' );\n") template-escape(yes));
};

log {
source(src); filter(f_snmptt);
destination(d_mysql);
};


Is this right?

I cant seem to get very much help on this so anything would be great!!!

[sebbs]

[quote="
destination d_mysql {
pipe("/var/log/mysql.pipe"
template("INSERT INTO haloe_incoming
(host, facility, priority, level, tag, date,time, program, message)
VALUES ( '$HOST', '$FACILITY', '$PRIORITY', '$LEVEL', '$TAG', '$YEAR-$MONTH-$DAY','$HOUR:$MIN:$SEC',
'$PROGRAM', '$MSG' );\n") template-escape(yes));
};[/quote]

You sure its "INSERT INTO haloe_incoming and not "INSERT INTO syslog_incoming ??

[chrisgapske]

I think it depends on if you are using syslog or the older plugin.

[sebbs]

exact...i am just guessing that he is using the new version since his post if only a couple of weeks ago.

[chrisgapske]

you could tell by looking at his database

[bur3620]

I caught that right away and changed it. It still doesnt seem to be working right. I think i am going to trash the whole idea and start from scratch with something else, like NOCOL or something like that.

Thanks for the replies.

[bur3620]

PS

Cacti works great for traffic trending and dead host notification though. Still using it for that