SNMPTT/SYSLOG viewer Plugin for Cacti. v 1.4.3 (2009/02/06)

[gthe]

munozm - Do you use last vesrion (1.3.96) ?

[munozm]

I was running .92 and upgraded to .96. This seems to fix the issue on what rules I can see so thats good.

I now notice other strange things with the Rules. I have about 5 rules in there, 1 snmptt, 4 syslog. Only one of the syslog rules increments Count trig although all of the rules see the proper items when a test is done on their filter. I'm not trying to do anything crazy with the rules, just trying to see it work. For instance, on one of the ones that doesn't work, I'm simply trying to match on the host, if it sees it then email me, again, it sees a ton of entries when I test on the filter.

The one rule that does work doesn't seem to send email. How does it send email? I use postfix locally on the box and receive alerts from other tools on the box.

It would be great if you could create a rule from the syslog and trap views so you could easily set it up to get emails on certain events.

Thanks.

[gthe]

I now notice other strange things with the Rules. I have about 5 rules in there, 1 snmptt, 4 syslog. Only one of the syslog rules increments Count trig although all of the rules see the proper items when a test is done on their filter. I'm not trying to do anything crazy with the rules, just trying to see it work. For instance, on one of the ones that doesn't work, I'm simply trying to match on the host, if it sees it then email me, again, it sees a ton of entries when I test on the filter.

The one rule that does work doesn't seem to send email. How does it send email? I use postfix locally on the box and receive alerts from other tools on the box.

Thats may be because when poller exec rule it use only new records (trap or syslog), and after this mark recors as "already processed". So any records processed only one time (by default).
But when you create and test rule - you test it on any record (new and already processed - i.e. on all records in db). So, for really use rule you need:
- OR wait until such new record (trap or syslog message) will be received and processed by poller;
- OR force execution rule on already processed record (for this use last actions in rule row).

If new records received and rule don't work - I need to look at this rule and record.

It would be great if you could create a rule from the syslog and trap views so you could easily set it up to get emails on certain events.
Thanks.

Thats not so simple, but I will try.

[cigamit]

First of all, I would like to thank you for the superb work on this plugin. I now use it for all my Syslog messages and if you like, will include it by default on the next release of my CactiEZ CD.

I would like to add 2 contributes to which I have added to my local system.

1. I first thought that my Removal rules were not being processed. This is because the viewer is showing all messages as they come in, and not just the processed ones. Adding a "WHERE status=2" to the SQL queries for syslog messages in snmptt_db.php has corrected this.

2. To give it a bit of smarts in removing messages and to help speed up the process, I have set it to order the rules by

ORDER BY `is_delete` ASC, `count_triggered` DESC

This will cause it to process all deletion rules first, and to process the rules that see the highest amount of hits first. This will cause each rule afterwards to have less messages to search, thus causing the script to complete slightly faster.

I currently have 15000 messages a minute pouring through my syslogs (most are removed), and it doesn't appear to be having any issues yet.

[gthe]

First of all, I would like to thank you for the superb work on this plugin. I now use it for all my Syslog messages and if you like, will include it by default on the next release of my CactiEZ CD.

I am very glad to hear it from you, but may be before it - we need decide change (or not) plugin name.

I would like to add 2 contributes to which I have added to my local system.

1. I first thought that my Removal rules were not being processed. This is because the viewer is showing all messages as they come in, and not just the processed ones. Adding a "WHERE status=2" to the SQL queries for syslog messages in snmptt_db.php has corrected this.

Agree. And now it in settings tab.

2. To give it a bit of smarts in removing messages and to help speed up the process, I have set it to order the rules by

ORDER BY `is_delete` ASC, `count_triggered` DESC

This will cause it to process all deletion rules first, and to process the rules that see the highest amount of hits first. This will cause each rule afterwards to have less messages to search, thus causing the script to complete slightly faster.

If I have correctly understood you - it must be:

Code: Select all

ORDER BY `is_delete` DESC, `count_triggered` DESC

[eternal]

I changed the database and I'm now getting syslog messages in your great snmptt plugin.

I'm testing some of the rules and notice a few things.

I have the rule type to syslog.
Initially I was matching on host='192.168.168.1' and was seeing matches, then it stopped. I deleted the rule, re-added it but the count now stays at 0. If I use the test button, it shows what should be the matches.

When I try and use syslog-priority, it only shows Normal for a drop down and doesn't seem to let me change it or add manually. Your Syslog section shows it properly though, info, notice, err, warning, etc. under priority.

For syslog-facility, it only shows options in the dropdown that are actually under Eventname under the trap section for the same device. Your syslog section shows it properly though, local4, etc. under facility.

Thanks for your help.

Will need to change
snmptt_db_admin.php
snmptt_db.php
poller_snmptt.php

replace syslog_ng with syslog if your database outside of cacti is syslog and not syslog_ng

also had to run this

DROP TABLE IF EXISTS `syslog`.`plugin_snmptt_syslog`;
CREATE TABLE `syslog`.`plugin_snmptt_syslog` (
`id` int(10) unsigned NOT NULL auto_increment,
`host` varchar(128) default NULL,
`sourceip` varchar(45) NOT NULL,
`facility` varchar(10) default NULL,
`priority` varchar(10) default NULL,
`sys_date` datetime default NULL,
`message` text,
`status` tinyint(4) NOT NULL default '0',
`alert` tinyint(3) NOT NULL default '0',
PRIMARY KEY (`id`),
KEY `facility` (`facility`),
KEY `priority` (`priority`),
KEY `sourceip` (`sourceip`),
KEY `status` (`status`),
KEY `alert` (`alert`)
) ENGINE=MyISAM DEFAULT CHARSET=latin1;

instead of the given one

[gthe]

eternal - NO, no changes are needed!
It is all already done in next version which will be released shortly.
From its change-log:

- Syslog database name now may be any and changed in settings. Default is [syslog_ng]. If You have another - than after install/update plugin - change setting and import plugin_snmptt_syslog.sql in You syslog db.

Thanks.

[gthe]

New version in first post!

--- 1.4.1 ---

• - Syslog database name now may be any and changed in settings. Default is [syslog_ng]. If You have another - than after install/update plugin - change setting and import plugin_snmptt_syslog.sql in You syslog db.
  - Now you can use one of two viewing mode's - "show all records" or "show only records, already processed by poller (i.e. by rules)". Change mode in settings tab.
  - Create rule based on traps;
  - Create rule based on syslog message;
  
  Minor updates:
  - Correct sorting in settings;
  - Speed up of the process rule's executing by process all deletion rules first, and to process the rules that see the highest amount of hits first. (thanks cigamit);

[jfarese]

I installed snmptt and have created some rules, however, any rule that is supposed to send an email does not send the email when triggered. All other types of rules seem to work.(regular emails from cacti do work as well) Any suggesting on where/what to look for?

Thanks

[cigamit]

Check your settings under the Mail / DNS settings in Cacti. Try sending a test email to yourself from there.

[gthe]

--- 1.4.2 ---

• - Added new parameter for choose join method (dns hostname or ip-address). Use that method which you use in hostname field of cacti device's.
  - Fix 2 error in poller.
  - Fix error with creating rule from record.
  - Added setting to use regular or smaller tab.
  
  Minor updates:
  - Settings tab look more like Cacti default;
  - ReCheck user rigth;

[jfarese]

cigamit

I am amble to send emails no problem from the test page. I know mail works as I wrote a mail function and use it as a workaround under the user_functions. This sends me emails properly.

[GuessWho]

Gthe,
I just installed your plugin on another cacti box that I manage and noticed that the snmptt_functions.php file in the lib directory of the plugin uses a mysql function ROW_COUNT(). Unfortunately this function was not introduced to mysql until version 5.0.1. See here:
http://dev.mysql.com/doc/refman/5.0/en/ ... _row-count

I continue to get the error:
2/05/2009 12:20:30 PM - CMDPHP: Poller[0] ERROR: SQL Cell Failed!, Error:'1064', SQL:"SELECT ROW_COUNT();"
02/05/2009 12:21:30 PM - CMDPHP: Poller[0] ERROR: SQL Cell Failed!, Error:'1064', SQL:"SELECT ROW_COUNT();"
02/05/2009 12:22:30 PM - CMDPHP: Poller[0] ERROR: SQL Cell Failed!, Error:'1064', SQL:"SELECT ROW_COUNT();"
02/05/2009 12:23:30 PM - CMDPHP: Poller[0] ERROR: SQL Cell Failed!, Error:'1064', SQL:"SELECT ROW_COUNT();"
02/05/2009 12:24:30 PM - CMDPHP: Poller[0] ERROR: SQL Cell Failed!, Error:'1064', SQL:"SELECT ROW_COUNT();"
02/05/2009 12:25:29 PM - CMDPHP: Poller[0] ERROR: SQL Cell Failed!, Error:'1064', SQL:"SELECT ROW_COUNT();"
02/05/2009 12:26:29 PM - CMDPHP: Poller[0] ERROR: SQL Cell Failed!, Error:'1064', SQL:"SELECT ROW_COUNT();"
02/05/2009 12:27:30 PM - CMDPHP: Poller[0] ERROR: SQL Cell Failed!, Error:'1064', SQL:"SELECT ROW_COUNT();"
02/05/2009 12:28:30 PM - CMDPHP: Poller[0] ERROR: SQL Cell Failed!, Error:'1064', SQL:"SELECT ROW_COUNT();"
02/05/2009 12:29:29 PM - CMDPHP: Poller[0] ERROR: SQL Cell Failed!, Error:'1064', SQL:"SELECT ROW_COUNT();"
02/05/2009 12:30:30 PM - CMDPHP: Poller[0] ERROR: SQL Cell Failed!, Error:'1064', SQL:"SELECT ROW_COUNT();"

Is this something that we can change or is one or your requirements mysql 5?
Thanks.

[gthe]

I fix it tomorrow.

[savagemindz]

Hi gthe,

I have a few little problems and I am hoping you can help with.

When I create a rule in the "edit filter for rule" and I select "snmptt - eventname" and I try to type into the Value Field your script will try to auto fill the name but it always picks the first entry (in my case authenticationFailure) regardless of what I type.

Also I would like to be able to type a trap that has not yet been triggered (and so is not in the list). I can paste the name of the trap into the value field but testing it does not return the correct values. I pasted "netscreenTrapTrf" but on testing it I got "authenticationFailure" traps rather than nothing. Also if I save this filter I get eventname='authenticationFailure' in the sql field of the main rule window.

Is it possible to create rules against traps that have not yet been triggered?

I am using version 1.4.1

Finally, and this isn't a problem. You have a missing "php" in "snmptt/include/snmptt_header_ext.php" here....

Code: Select all

<head>
        <title>cacti - snmptt plugin</title>
        <?
        // vim: ts=4:sw=4:nu:fdc=4
        /**
          * Send (Cache Control) headers
          *

should be....

Code: Select all

<head>
        <title>cacti - snmptt plugin</title>
        <?php
        // vim: ts=4:sw=4:nu:fdc=4
        /**
          * Send (Cache Control) headers

Btw I also would just like to say also that this is a truely excellent plugin. Keep up the good work.

Thanks

iain