Not able to see syslog alerts on cacti in the syslog tab
Hello everyone,
I installed syslog plugin and syslog-ng. When I do a tcpdump on port 514 I can see syslog alerts but I am still not able to see syslog alerts in cacti.
When I run syslog_process.php this is the output
sudo php syslog_process.php
07/21/2014 08:22:27 PM - SYSTEM SYSLOG STATS:Time:0.15 Deletes:0 Incoming:0 Removes:0 XFers:0 Alerts:28 Alarms:0 Reports:0
What is the issue?
Thanks
Sanket
Re: Not able to see syslog alerts on cacti in the syslog tab
You make no mention of how exactly you set up syslog-ng to log the syslog messages into a mysql table, and whether you set up the syslog plugin to point to that table (in the config).
Re: Not able to see syslog alerts on cacti in the syslog tab
Well, I just installed syslog-ng but did not set up syslog-ng to log the syslog messages into a mysql table. How do I do that? Is it true that the syslog messages are stored in the mysql db? I did not set up a separate db for syslog but used the same cacti db.
I am a complete novice to syslog. Please help.
Thanks
Sanket
Re: Not able to see syslog alerts on cacti in the syslog tab
Lots of examples out there on Google and even some in our forums:
http://forums.cacti.net/viewtopic.php?t=26040
Re: Not able to see syslog alerts on cacti in the syslog tab
http://docs.cacti.net/plugin:syslog.config
I used the above link for installing the syslog plugin. Well, they said that if I am setting up using a cacti db, then the plugin install will take care of creation of tables.. so I didn't make any change to the config.php file.
Then I did not install rsyslog as it was not required, after that installed syslog-ng. But still it's not working.
Re: Not able to see syslog alerts on cacti in the syslog tab
Yes, cacti can setup the tables, but it is still up to you to tell your syslog client (syslog-ng or rsyslog) to log to the proper database / table. The plugin can't do that for you. Depending on how many machines you will be logging from, you may want it in a separate database, just to isolate it from your Cacti database itself.
Re: Not able to see syslog alerts on cacti in the syslog tab
Well I have to log many devices but have to do it on cacti database. Can you give me any troubleshooting steps as in why I am not able to see cacti alerts?
Thanks
Sanket
Re: Not able to see syslog alerts on cacti in the syslog tab
You still haven't posted your syslog-ng config file where you told it to log to the mysql database.
Re: Not able to see syslog alerts on cacti in the syslog tab
Oh sorry:
Here is the syslog-ng file content:
@version:3.2
# syslog-ng configuration file.
#
# This should behave pretty much like the original syslog on RedHat. But
# it could be configured a lot smarter.
#
# See syslog-ng(8) and syslog-ng.conf(5) for more information.
#
options {
flush_lines (0);
time_reopen (10);
log_fifo_size (1000);
long_hostnames (off);
use_dns (no);
use_fqdn (no);
create_dirs (no);
keep_hostname (yes);
};
source s_sys {
file ("/proc/kmsg" program_override("kernel: "));
unix-stream ("/dev/log");
internal();
# udp(ip(0.0.0.0) port(514));
};
destination d_cons { file("/dev/console"); };
destination d_mesg { file("/var/log/messages"); };
destination d_auth { file("/var/log/secure"); };
destination d_mail { file("/var/log/maillog" flush_lines(10)); };
destination d_spol { file("/var/log/spooler"); };
destination d_boot { file("/var/log/boot.log"); };
destination d_cron { file("/var/log/cron"); };
destination d_kern { file("/var/log/kern"); };
destination d_mlal { usertty("*"); };
filter f_kernel { facility(kern); };
filter f_default { level(info..emerg) and
not (facility(mail)
or facility(authpriv)
or facility(cron)); };
filter f_auth { facility(authpriv); };
filter f_mail { facility(mail); };
filter f_emergency { level(emerg); };
filter f_news { facility(uucp) or
(facility(news)
and level(crit..emerg)); };
filter f_boot { facility(local7); };
filter f_cron { facility(cron); };
#log { source(s_sys); filter(f_kernel); destination(d_cons); };
log { source(s_sys); filter(f_kernel); destination(d_kern); };
log { source(s_sys); filter(f_default); destination(d_mesg); };
log { source(s_sys); filter(f_auth); destination(d_auth); };
log { source(s_sys); filter(f_mail); destination(d_mail); };
log { source(s_sys); filter(f_emergency); destination(d_mlal); };
log { source(s_sys); filter(f_news); destination(d_spol); };
log { source(s_sys); filter(f_boot); destination(d_boot); };
log { source(s_sys); filter(f_cron); destination(d_cron); };
# vim:ft=syslog-ng:ai:si:ts=4:sw=4:et:
Re: Not able to see syslog alerts on cacti in the syslog tab
Ya, you didn't set it up to forward to the mysql table. Honestly, I would uninstall syslog-ng and install rsyslog, it's much easier to work with. Then just follow the directions on
http://docs.cacti.net/plugin:syslog.config
to get it logging to the database.
Re: Not able to see syslog alerts on cacti in the syslog tab
Well, I have been instructed to use syslog-ng only. I know I have to make these changes to the syslog-ng file:
destination cacti_syslog { udp("192.168.0.111" port(514)); };
Then append this line with 'destination(cacti_syslog);'
log { source(sys); destination(consoleall); };
becomes
log { source(sys); destination(consoleall); destination(cacti_syslog); }
Alternatively, anywhere that you have a 'log' line that you want to redirect, append 'destination(cacti_syslog);'
log { source(sys); filter(f_cron); filter(f_info); destination(croninfo); destination(cacti_syslog); };
log { source(sys); filter(f_cron); filter(f_warn); destination(cronwarn); destination(cacti_syslog); };
log { source(sys); filter(f_cron); filter(f_error); destination(cronerr); destination(cacti_syslog); };
192.168.0.111 - What's this IP? Is this the IP of cacti?
And about adding the destination(cacti_syslog); line, I am totally confused about what this destination is?
Thanks
Sanket
Re: Not able to see syslog alerts on cacti in the syslog tab
You do that on any other remote server, not on the cacti server itself. You then have a completely different line on the Cacti server that you have to add to make it log those incoming messages from other servers to the mysql database.
Maybe we need to take a step back and determine exactly what you are trying to do and on what server you are trying to do it on.
Re: Not able to see syslog alerts on cacti in the syslog tab
I made changes to the syslog-ng file. The changes have been bolded:
# syslog-ng configuration file.
#
# This should behave pretty much like the original syslog on RedHat. But
# it could be configured a lot smarter.
#
# See syslog-ng(8) and syslog-ng.conf(5) for more information.
#
options {
flush_lines (0);
time_reopen (10);
log_fifo_size (1000);
long_hostnames (off);
use_dns (no);
use_fqdn (no);
create_dirs (no);
keep_hostname (yes);
};
source s_sys {
file ("/proc/kmsg" program_override("kernel: "));
unix-stream ("/dev/log");
internal();
destination cacti_syslog { udp(ip(x.x.x.x) port(514)); };
};
destination d_cons { file("/dev/console"); };
destination d_mesg { file("/var/log/messages"); };
destination d_auth { file("/var/log/secure"); };
destination d_mail { file("/var/log/maillog" flush_lines(10)); };
destination d_spol { file("/var/log/spooler"); };
destination d_boot { file("/var/log/boot.log"); };
destination d_cron { file("/var/log/cron"); };
destination d_kern { file("/var/log/kern"); };
destination d_mlal { usertty("*"); };
filter f_kernel { facility(kern); };
filter f_default { level(info..emerg) and
not (facility(mail)
or facility(authpriv)
or facility(cron)); };
filter f_auth { facility(authpriv); };
filter f_mail { facility(mail); };
filter f_emergency { level(emerg); };
filter f_news { facility(uucp) or
(facility(news)
and level(crit..emerg)); };
filter f_boot { facility(local7); };
filter f_cron { facility(cron); };
#log { source(s_sys); filter(f_kernel); destination(d_cons); };
log { source(s_sys); filter(f_kernel); destination(d_kern); destination(cacti_syslog); };
log { source(s_sys); filter(f_default); destination(d_mesg); destination(cacti_syslog); };
log { source(s_sys); filter(f_auth); destination(d_auth); destination(cacti_syslog); };
log { source(s_sys); filter(f_mail); destination(d_mail); destination(cacti_syslog); };
log { source(s_sys); filter(f_emergency); destination(d_mlal); destination(cacti_syslog); };
log { source(s_sys); filter(f_news); destination(d_spol); destination(cacti_syslog); };
log { source(s_sys); filter(f_boot); destination(d_boot); destination(cacti_syslog); };
log { source(s_sys); filter(f_cron); destination(d_cron); destination(cacti_syslog); };
# vim:ft=syslog-ng:ai:si:ts=4:sw=4:et:
But when I restart the syslog-ng service, it restarts but throws an error:
Plugin module not found in 'module-path'; module-path='/lib64/syslog-ng', module='afsql'
Error parsing source, syntax error, unexpected KW_DESTINATION, expecting '}' in /etc/syslog-ng/syslog-ng.conf at line 26, column 2:
destination cacti_syslog { udp(ip(x.x.x.x) port(514)); };
^^^^^^^^^^^
syslog-ng documentation: http://www.balabit.com/support/document ... =syslog-ng
mailing list: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Last edited by snasre on Tue Jul 22, 2014 9:12 am, edited 1 time in total.
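An added example (not part of the thread, and not Cacti or syslog-ng code): a small Python audit for the three conditions this thread turns on, namely a named definition nested inside another block (the "unexpected KW_DESTINATION" error above), no uncommented network source, and no sql() destination (the driver the afsql module provides). The function name, the finding texts and the sample are constructed here; the parsing is a simplified tokenizer, not syslog-ng's grammar.

```python
import re

DEFS = {"source", "destination", "filter"}          # named top-level definitions
NET_DRIVERS = {"udp", "tcp", "network", "syslog"}   # source drivers that listen on a socket

def audit(conf):
    """Return a list of findings for the text of a syslog-ng.conf."""
    # Blank quoted strings and drop comments; newlines (line numbers) are kept.
    text = re.sub(r'"[^"\n]*"|#[^\n]*',
                  lambda m: '""' if m.group().startswith('"') else "", conf)
    toks = [(m.group(), text.count("\n", 0, m.start()) + 1)
            for m in re.finditer(r"[A-Za-z_][\w-]*|[{}()]", text)]
    toks += [("", 0), ("", 0)]                       # padding for look-ahead
    stack, pending = [], None                        # open blocks; keyword awaiting '{'
    listens = writes_sql = False
    findings = []
    for i, (tok, line) in enumerate(toks[:-2]):
        nxt, nxt2 = toks[i + 1][0], toks[i + 2][0]
        if tok == "{":
            stack.append(pending or "block")
            pending = None
        elif tok == "}":
            del stack[-1:]
        elif tok in DEFS and re.match(r"\w", nxt) and nxt2 == "{":
            # 'destination NAME {' is a definition, valid only at top level
            if stack:
                findings.append(f"line {line}: '{tok} {nxt}' is defined inside "
                                f"a '{stack[-1]}' block; move it to top level")
            pending = tok
        elif nxt == "(" and stack:
            listens |= stack[-1] == "source" and tok in NET_DRIVERS
            writes_sql |= stack[-1] == "destination" and tok == "sql"
    if not listens:
        findings.append("no network source driver: remote messages are never received")
    if not writes_sql:
        findings.append("no sql() destination: nothing is written to the database")
    return findings

# Constructed sample, reduced from the configuration posted above.
SAMPLE = """source s_sys {
    unix-stream ("/dev/log");
    # udp(ip(0.0.0.0) port(514));
    destination cacti_syslog { udp(ip(x.x.x.x) port(514)); };
};
log { source(s_sys); destination(cacti_syslog); };
"""

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

syslog-ng's own `--syntax-only` option reports the parse error itself; the other two findings are valid syntax, which is why tcpdump can show packets arriving on port 514 while nothing reaches the database.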
Re: Not able to see syslog alerts on cacti in the syslog tab
Ohh.. so you mean the syslog-ng on cacti does not have to be changed. Well, my cacti server is running CentOS. So what changes need to be made on the cacti server?
Thanks
Sanket
Re: Not able to see syslog alerts on cacti in the syslog tab
The syslog-ng on your Cacti server has to be changed to make it log to the MySQL database. I posted a tutorial earlier on how to do it.
http://forums.cacti.net/viewtopic.php?t=26040
Start somewhere around
5. Edit the /etc/init.d/syslog-ng file.
Too bad you are forced to use syslog-ng, as from my past usage of it, it's not as easy to deal with as rsyslog.