Syslog monitor addon beta

[ccsdnoc]

GREAT tool! I was able to get it to work, I did have to make the color change to match the lowercase of my logs "info, warn, crit", etc. I am still unable to get syslog-ng to run on startup as well as the pipe script "syslogpip.sh". If anyone could help out, that'd be great!!

P.S. I am using Fedora Core 4

can't you just put it in /etc/rc.d/rc.local ?

be sure to use full paths for the commands

I just did this and my /etc/rc.d/rc.local file looks like this:

Code: Select all

#!/bin/sh
#
# This script will be executed *after* all the other init scripts.
# You can put your own initialization stuff in here if you don't
# want to do the full Sys V style init stuff.

touch /var/lock/subsys/local

if [ -e /tmp/mysql.pipe ]; then
   while [ -e /tmp/mysql.pipe ]
      do
         mysql -u root --password=MYPASSWORD haloe < /tmp/mysql.pipe
   done
else
   mkfifo /tmp/mysql.pipe
fi

It works...However, when the system boots up, it never goes to the login prompt. The machine just sits at "Starting up HAL: [OK]" with a blinking cursor. To me, the above code is an infinite loop and the "while" statement should be removed.

Perhaps I will try this.
EDIT: My thought did not work...sigh.

[egarnel]

Code: Select all

if [ -e /tmp/mysql.pipe ]; then
   while [ -e /tmp/mysql.pipe ]
      do
         mysql -u root --password=MYPASSWORD haloe < /tmp/mysql.pipe
   done
else
   mkfifo /tmp/mysql.pipe
fi 

what if you put it in its own script; say /usr/local/sbin/pipe.sh
and call that from rc.local ?

perhaps rc.local is tripping up on the syntax somewhere

[ccsdnoc]

Asbolutely Perfect! I have officially intalled and know how to configure this add-on via a Fedora Core 4 box. IT WORKS! I've noticed one thing that I'd like to point out. That is, the time between the actual event on a device and the time it is recorded into the syslog database is about 2 - 3 minutes exactly. I'm not sure if this is my device creating the delay or the Cacti box. I will do more research on this item. So, if you need some help just drop a line. Thank you egarnel for your quick reply and suggestions; they worked!

[egarnel]

hth

[cigamit]

Seems like CURRENT_TIMESTAMP is only implemented in MySQL 4.1+ :/

Not sure if there's an easy workaround....

F

The code that currently uses it isn't very critical, so I can hopefully just remove certain parts of it.

My SVN copy now completely removes this code, so it shouldn't be an issue anymore. I will release a new copy once I get a few more things fixed in it.

[nahun]

First, I love this plugin! on to the question:

I was using an older version of the plugin just fine, but then I found the newer one with the alerts and removal stuff. With the sql file that comes with the plugin, no syslogs go into the database. I edited the sql file and got it so that the syslogs go into the syslog_incoming table (I can see it in MySQL Administrator), but it doesn't go into the syslog table (or logs table because thats how I had it before, but it shouldn't matter right?).

Here's my config.php:

Code: Select all

<?php

$haloedb_type     = "mysql";
$haloedb_default  = "syslog";
$haloedb_hostname = "localhost";
$haloedb_username = "syslogadmin";
$haloedb_password = "****";

$haloe_config["rows_per_page"] = "30";
// $haloe_config["host_rows"] = "25";

//  Integrate with Graph View Timespan Selector. If false, keep seperate timespan settings
$haloe_config["graphtime"] = true;

//  Display timespan selector or not [ only used if $haloe_config["graphtime"]=false ]
$haloe_config["timespan_sel"] = true;

//  Field Mappings, adjust to match the haloe table columns in use
 $haloe_config["haloeTable"]      = "syslog";
//$haloe_config["haloeTable"]      = "syslog_incoming";
// $haloe_config["haloeTable"]      = "logs";
$haloe_config["incomingTable"]   = "syslog_incoming";
$haloe_config["removeTable"]     = "syslog_remove";
$haloe_config["alertTable"]      = "syslog_alert";
$haloe_config["dateField"]       = "date";
$haloe_config["timeField"]       = "time";
$haloe_config["priorityField"]   = "priority";
$haloe_config["levelField"]	 = "level";
$haloe_config["tagField"]	 = "tag";
$haloe_config["facilityField"]   = "facility";
$haloe_config["hostField"]       = "host";
$haloe_config["programField"]    = "program";
$haloe_config["textField"]       = "msg";
$haloe_config["id"]              = "seq";

code snipped

?>

My syslog.sql that I edited:

Code: Select all

--
-- Table structure for table `syslog`
--

CREATE TABLE syslog (
  host varchar(32) default NULL,
  facility varchar(10) default NULL,
  priority varchar(10) default NULL,
  level varchar(10) default NULL,
  tag varchar (10) default NULL,
  date date default NULL,
  time time default NULL,
  program varchar(15) default NULL,
  msg text,
  seq int(10) unsigned NOT NULL auto_increment,
  `timestamp` timestamp NOT NULL default CURRENT_TIMESTAMP on update CURRENT_TIMESTAMP,
  PRIMARY KEY  (seq),
  KEY host (host),
  KEY seq (seq),
  KEY program (program),
  KEY date (date),
  KEY time (time),
  KEY priority (priority),
  KEY facility (facility)
) ENGINE=MyISAM;

-- --------------------------------------------------------

--
-- Table structure for table `syslog_alert`
--

CREATE TABLE syslog_alert (
  id int(10) NOT NULL auto_increment,
  name varchar(255) NOT NULL default '',
  `type` varchar(16) NOT NULL default '',
  message text NOT NULL,
  `user` varchar(32) NOT NULL default '',
  `date` int(16) NOT NULL default '0',
  email text NOT NULL,
  PRIMARY KEY  (id)
) ENGINE=MyISAM;

-- --------------------------------------------------------

--
-- Table structure for table `syslog_incoming`
--

CREATE TABLE syslog_incoming (
  host varchar(32) default NULL,
  facility varchar(10) default NULL,
  priority varchar(10) default NULL,
  level varchar(10) default NULL,
  tag varchar (10) default NULL,
  date date default NULL,
  time time default NULL,
  program varchar(15) default NULL,
  msg text,
  seq int(10) unsigned NOT NULL auto_increment,
  `timestamp` timestamp NOT NULL default CURRENT_TIMESTAMP on update CURRENT_TIMESTAMP,
  `status` tinyint(4) NOT NULL default '0',
  PRIMARY KEY  (seq),
  KEY host (host),
  KEY seq (seq),
  KEY program (program),
  KEY time (time),
  KEY date (date),
  KEY priority (priority),
  KEY facility (facility)
) ENGINE=MyISAM;

-- --------------------------------------------------------

--
-- Table structure for table `syslog_remove`
--

CREATE TABLE syslog_remove (
  id int(10) NOT NULL auto_increment,
  name varchar(255) NOT NULL default '',
  `type` varchar(16) NOT NULL default '',
  message text NOT NULL,
  `user` varchar(32) NOT NULL default '',
  `date` int(16) NOT NULL default '0',
  PRIMARY KEY  (id)
) ENGINE=MyISAM;

My syslog-ng.conf:

Code: Select all

options {
#       use_fqdn(yes);
#       use_dns(yes);
#       dns_cache(yes);
        keep_hostname(yes);
        long_hostnames(off);
        sync(1);
        log_fifo_size(1024);
};

source src { unix-stream("/dev/log"); internal(); };

source net {
        udp();
        tcp();
};

destination d_mysql {
pipe("/tmp/mysql.pipe"
template("INSERT INTO syslog_incoming (host, facility, priority, level, tag, date,
time, program, msg) VALUES ( '$HOST', '$FACILITY', '$PRIORITY', '$LEVEL','$TAG',
'$YEAR-$MONTH-$DAY', '$HOUR:$MIN:$SEC', '$PROGRAM', '$MSG' );\n") template-escape(yes));
};

log { source(net); destination(d_mysql); };

My syslog_mysql.sh:

Code: Select all

#!/bin/bash

if [ -e /tmp/mysql.pipe ]; then
while [ -e /tmp/mysql.pipe ]
do
mysql -u syslogadmin --password=**** syslog < /tmp/mysql.pipe
done
else
mkfifo /tmp/mysql.pipe
fi

I get this from my cacti log, this takes the syslog from the incoming to the syslog table right?:

Code: Select all

 02/22/2006 08:50:48 PM - THOLD: Poller[0] Checking Thresholds
02/22/2006 08:50:47 PM - CMDPHP: Poller[0] ERROR: SQL Exec Failed "UPDATE syslog_incoming set status=1"
02/22/2006 08:50:47 PM - SYSTEM STATS: Time:46.3422 Method:cmd.php Processes:10 Threads:N/A Hosts:20 HostsPerProcess:2 DataSources:81 RRDsProcessed:76

Ubuntu 5.10 Breezy
Cacti 0.8.6h
MySQL 4.1.12
PHP 5
syslog-ng 1.6.8

Thanks!

[cigamit]

Code: Select all

02/22/2006 08:50:47 PM - CMDPHP: Poller[0] ERROR: SQL Exec Failed "UPDATE syslog_incoming set status=1"

This usually means that your that your syslog_incoming database is not the one provided, as it doesn't have the "status" column which is not something your original syslog table would have. Check and make sure its there.

Code: Select all

show columns from syslog_incoming;

[nahun]

Here is the output:

Code: Select all

Database changed
mysql> show columns from syslog_incoming;
+-----------+------------------+------+-----+-------------------+----------------+
| Field     | Type             | Null | Key | Default           | Extra          |
+-----------+------------------+------+-----+-------------------+----------------+
| host      | varchar(32)      | YES  | MUL | NULL              |                |
| facility  | varchar(10)      | YES  | MUL | NULL              |                |
| priority  | varchar(10)      | YES  | MUL | NULL              |                |
| level     | varchar(10)      | YES  |     | NULL              |                |
| tag       | varchar(10)      | YES  |     | NULL              |                |
| date      | date             | YES  | MUL | NULL              |                |
| time      | time             | YES  | MUL | NULL              |                |
| program   | varchar(15)      | YES  | MUL | NULL              |                |
| msg       | text             | YES  |     | NULL              |                |
| seq       | int(10) unsigned |      | PRI | NULL              | auto_increment |
| timestamp | timestamp        | YES  |     | CURRENT_TIMESTAMP |                |
| status    | tinyint(4)       |      |     | 0                 |                |
+-----------+------------------+------+-----+-------------------+----------------+
12 rows in set (0.00 sec)

and if I change the haloetable in config.php to syslog_incoming I can see the syslogs in cacti.

Thanks cigamit!

[cdukes]

Looks like a nice mod, but how well does it scale?
I have ~2500 devices and am currently using php-syslog-ng which is very fast and written quite well.
Still, it would be neat to have it inside cacti.

[cigamit]

Looks like a nice mod, but how well does it scale?
I have ~2500 devices and am currently using php-syslog-ng which is very fast and written quite well.
Still, it would be neat to have it inside cacti.

With that many, I honestly don't know as I don't have nearly that many hosts to test it on. I made a few changes the other day to speed up the processing by at least 200%, but I have no clue if it would handle more than 200K messages in a 5 minute polling period.

Do your hosts only log messages? Or everything? Any estimate on a average amount of syslog messages received in 5 minutes?

I also need to create a seperate process for the polling, which would ensure no timeouts, but that shouldn't take long.

[cdukes]

I would think that by looking at php-syslog-ng you could get a few good ideas on fast processing?
My devices are routers and switches (not hosts).
It ranges, but I'm currently working for a company that has 30k devices (that's not a typo) and I'm trying to find a solution for syslog that truly scales well. Right now, we are feeding ~2500 devices into php-syslog-ng and it's handling it very well (about 5-15 messages per second)

With that many, I honestly don't know as I don't have nearly that many hosts to test it on. I made a few changes the other day to speed up the processing by at least 200%, but I have no clue if it would handle more than 200K messages in a 5 minute polling period.

Do your hosts only log messages? Or everything? Any estimate on a average amount of syslog messages received in 5 minutes?

I also need to create a seperate process for the polling, which would ensure no timeouts, but that shouldn't take long
g.

[knobdy]

I would think that by looking at php-syslog-ng you could get a few good ideas on fast processing?
My devices are routers and switches (not hosts).
It ranges, but I'm currently working for a company that has 30k devices (that's not a typo) and I'm trying to find a solution for syslog that truly scales well. Right now, we are feeding ~2500 devices into php-syslog-ng and it's handling it very well (about 5-15 messages per second)

What are you actually doing with the data though? We've got a requirement to store data for 11 months and keep 1 month "live". With just the 50+ devices we have (all debugging - also a requirement) I haven't found anything that can handle the load (though I will be looking at php-syslog-ng now). I've been told by many that I'll never find anything that involves a database without processing the messages first...not being a programmer it will take quite a bit of time for me to develop parsing scripts for our environment...

[cdukes]

It would be impossible to keep that much DEBUG data for 30k devices, or damn near close to it. However, the way that php-syslog-ng stores the data keeps the searches fairly fast. Good luck in your search

What are you actually doing with the data though? We've got a requirement to store data for 11 months and keep 1 month "live". With just the 50+ devices we have (all debugging - also a requirement) I haven't found anything that can handle the load (though I will be looking at php-syslog-ng now). I've been told by many that I'll never find anything that involves a database without processing the messages first...not being a programmer it will take quite a bit of time for me to develop parsing scripts for our environment...

[nahun]

Code: Select all

02/22/2006 08:50:47 PM - CMDPHP: Poller[0] ERROR: SQL Exec Failed "UPDATE syslog_incoming set status=1"

This usually means that your that your syslog_incoming database is not the one provided, as it doesn't have the "status" column which is not something your original syslog table would have. Check and make sure its there.

Code: Select all

show columns from syslog_incoming;

any other comments or ideas?

[mgb]

@nahun

I seem to have the same problem as you.

Code: Select all

03/02/2006 01:00:11 PM - CMDPHP: Poller[0] ERROR: SQL Exec Failed "INSERT INTO logs (date, time, priority, facility, host, msg) SELECT date, time, priority, facility, host, msg FROM syslog_incoming where status=1"

But my syslog-ng delivers the data in the logs table. I can see the data but can't uses the alerts or removals part. I am able fill these in but nothing seems to happen.

Here is my config.php

Code: Select all

<?php

$haloedb_type     = "mysql";
$haloedb_default  = "haloe";
$haloedb_hostname = "localhost";
$haloedb_username = "*****";
$haloedb_password = "*****";

$haloe_config["rows_per_page"] = "30";

//  Integrate with Graph View Timespan Selector. If false, keep seperate timespan settings
$haloe_config["graphtime"] = true;

//  Display timespan selector or not [ only used if $haloe_config["graphtime"]=false ]
$haloe_config["timespan_sel"] = true;

//  Field Mappings, adjust to match the haloe table columns in use
$haloe_config["haloeTable"]      = "logs";
$haloe_config["incomingTable"]   = "syslog_incoming";
$haloe_config["removeTable"]     = "syslog_remove";
$haloe_config["alertTable"]      = "syslog_alert";
$haloe_config["dateField"]       = "date";
$haloe_config["timeField"]       = "time";
$haloe_config["priorityField"]   = "priority";
$haloe_config["facilityField"]   = "facility";
$haloe_config["hostField"]       = "host";
$haloe_config["textField"]       = "msg";
$haloe_config["id"]              = "seq";

//  Priority colors, change/add/delete to suit
$haloe_colors["Emergency"] = "FF0000";
$haloe_colors["Critical"]  = "FF0000";
$haloe_colors["alert"]     = "FF0000";
$haloe_colors["err"]     = "FFAB00";
$haloe_colors["warn"]   = "FFFF00";
$haloe_colors["Notice"]    = "FFAB00";
$haloe_colors["Info"]      = "FFAB00";
$haloe_colors["Debug"]     = "D0D0D0";

?>

any idea?