Syslog monitor addon beta

General discussion about Plugins for Cacti

Moderators: Developers, Moderators

Post Reply
ccsdnoc
Posts: 6
Joined: Sat Feb 18, 2006 1:35 pm
Location: Meadville, PA
Contact:

Post by ccsdnoc »

egarnel wrote:
ccsdnoc wrote:GREAT tool! I was able to get it to work, I did have to make the color change to match the lowercase of my logs "info, warn, crit", etc. I am still unable to get syslog-ng to run on startup as well as the pipe script "syslogpip.sh". If anyone could help out, that'd be great!!

P.S. I am using Fedora Core 4
can't you just put it in /etc/rc.d/rc.local ?

be sure to use full paths for the commands
I just did this and my /etc/rc.d/rc.local file looks like this:

Code: Select all

#!/bin/sh
#
# This script will be executed *after* all the other init scripts.
# You can put your own initialization stuff in here if you don't
# want to do the full Sys V style init stuff.

touch /var/lock/subsys/local

if [ -e /tmp/mysql.pipe ]; then
   while [ -e /tmp/mysql.pipe ]
      do
         mysql -u root --password=MYPASSWORD haloe < /tmp/mysql.pipe
   done
else
   mkfifo /tmp/mysql.pipe
fi
It works...However, when the system boots up, it never goes to the login prompt. The machine just sits at "Starting up HAL: [OK]" with a blinking cursor. To me, the above code is an infinite loop and the "while" statement should be removed.

Perhaps I will try this.
EDIT: My thought did not work...sigh. :cry:
Donald D. Quindardo
Computer Technician & Web Master
Crawford Central School District
11280 Mercer Pike
Meadville, PA 16335
User avatar
egarnel
Cacti Pro User
Posts: 708
Joined: Thu Nov 21, 2002 8:55 am
Location: Austin, TX

Post by egarnel »

Code: Select all

if [ -e /tmp/mysql.pipe ]; then
   while [ -e /tmp/mysql.pipe ]
      do
         mysql -u root --password=MYPASSWORD haloe < /tmp/mysql.pipe
   done
else
   mkfifo /tmp/mysql.pipe
fi 
what if you put it in its own script; say /usr/local/sbin/pipe.sh
and call that from rc.local ?

perhaps rc.local is tripping up on the syntax somewhere
Cacti1 OS: CentOS 5.6 | 300+ devices
Cacti2 OS: CentOS 5.6 | 300+ devices
King of the Elves
Local Anarchists Union #427
"Anarchism is founded on the observation that since few men are wise enough to rule themselves, even fewer are wise enough to rule others." -Edward Abbey
ccsdnoc
Posts: 6
Joined: Sat Feb 18, 2006 1:35 pm
Location: Meadville, PA
Contact:

Post by ccsdnoc »

Asbolutely Perfect! I have officially intalled and know how to configure this add-on via a Fedora Core 4 box. IT WORKS! :lol: I've noticed one thing that I'd like to point out. That is, the time between the actual event on a device and the time it is recorded into the syslog database is about 2 - 3 minutes exactly. I'm not sure if this is my device creating the delay or the Cacti box. I will do more research on this item. So, if you need some help just drop a line. Thank you egarnel for your quick reply and suggestions; they worked!
Donald D. Quindardo
Computer Technician & Web Master
Crawford Central School District
11280 Mercer Pike
Meadville, PA 16335
User avatar
egarnel
Cacti Pro User
Posts: 708
Joined: Thu Nov 21, 2002 8:55 am
Location: Austin, TX

Post by egarnel »

hth :P
Cacti1 OS: CentOS 5.6 | 300+ devices
Cacti2 OS: CentOS 5.6 | 300+ devices
King of the Elves
Local Anarchists Union #427
"Anarchism is founded on the observation that since few men are wise enough to rule themselves, even fewer are wise enough to rule others." -Edward Abbey
cigamit
Developer
Posts: 3369
Joined: Thu Apr 07, 2005 3:29 pm
Location: B/CS Texas
Contact:

Post by cigamit »

cigamit wrote:
flavour wrote:Seems like CURRENT_TIMESTAMP is only implemented in MySQL 4.1+ :/

Not sure if there's an easy workaround....

F
The code that currently uses it isn't very critical, so I can hopefully just remove certain parts of it.
My SVN copy now completely removes this code, so it shouldn't be an issue anymore. I will release a new copy once I get a few more things fixed in it.
User avatar
nahun
Cacti User
Posts: 92
Joined: Wed Feb 15, 2006 11:27 pm
Location: Idaho
Contact:

Post by nahun »

First, I love this plugin! on to the question: :D

I was using an older version of the plugin just fine, but then I found the newer one with the alerts and removal stuff. With the sql file that comes with the plugin, no syslogs go into the database. I edited the sql file and got it so that the syslogs go into the syslog_incoming table (I can see it in MySQL Administrator), but it doesn't go into the syslog table (or logs table because thats how I had it before, but it shouldn't matter right?).

Here's my config.php:

Code: Select all

<?php

$haloedb_type     = "mysql";
$haloedb_default  = "syslog";
$haloedb_hostname = "localhost";
$haloedb_username = "syslogadmin";
$haloedb_password = "****";

$haloe_config["rows_per_page"] = "30";
// $haloe_config["host_rows"] = "25";

//  Integrate with Graph View Timespan Selector. If false, keep seperate timespan settings
$haloe_config["graphtime"] = true;

//  Display timespan selector or not [ only used if $haloe_config["graphtime"]=false ]
$haloe_config["timespan_sel"] = true;

//  Field Mappings, adjust to match the haloe table columns in use
 $haloe_config["haloeTable"]      = "syslog";
//$haloe_config["haloeTable"]      = "syslog_incoming";
// $haloe_config["haloeTable"]      = "logs";
$haloe_config["incomingTable"]   = "syslog_incoming";
$haloe_config["removeTable"]     = "syslog_remove";
$haloe_config["alertTable"]      = "syslog_alert";
$haloe_config["dateField"]       = "date";
$haloe_config["timeField"]       = "time";
$haloe_config["priorityField"]   = "priority";
$haloe_config["levelField"]	 = "level";
$haloe_config["tagField"]	 = "tag";
$haloe_config["facilityField"]   = "facility";
$haloe_config["hostField"]       = "host";
$haloe_config["programField"]    = "program";
$haloe_config["textField"]       = "msg";
$haloe_config["id"]              = "seq";

code snipped

?>
My syslog.sql that I edited:

Code: Select all

--
-- Table structure for table `syslog`
--

CREATE TABLE syslog (
  host varchar(32) default NULL,
  facility varchar(10) default NULL,
  priority varchar(10) default NULL,
  level varchar(10) default NULL,
  tag varchar (10) default NULL,
  date date default NULL,
  time time default NULL,
  program varchar(15) default NULL,
  msg text,
  seq int(10) unsigned NOT NULL auto_increment,
  `timestamp` timestamp NOT NULL default CURRENT_TIMESTAMP on update CURRENT_TIMESTAMP,
  PRIMARY KEY  (seq),
  KEY host (host),
  KEY seq (seq),
  KEY program (program),
  KEY date (date),
  KEY time (time),
  KEY priority (priority),
  KEY facility (facility)
) ENGINE=MyISAM;

-- --------------------------------------------------------

--
-- Table structure for table `syslog_alert`
--

CREATE TABLE syslog_alert (
  id int(10) NOT NULL auto_increment,
  name varchar(255) NOT NULL default '',
  `type` varchar(16) NOT NULL default '',
  message text NOT NULL,
  `user` varchar(32) NOT NULL default '',
  `date` int(16) NOT NULL default '0',
  email text NOT NULL,
  PRIMARY KEY  (id)
) ENGINE=MyISAM;

-- --------------------------------------------------------

--
-- Table structure for table `syslog_incoming`
--

CREATE TABLE syslog_incoming (
  host varchar(32) default NULL,
  facility varchar(10) default NULL,
  priority varchar(10) default NULL,
  level varchar(10) default NULL,
  tag varchar (10) default NULL,
  date date default NULL,
  time time default NULL,
  program varchar(15) default NULL,
  msg text,
  seq int(10) unsigned NOT NULL auto_increment,
  `timestamp` timestamp NOT NULL default CURRENT_TIMESTAMP on update CURRENT_TIMESTAMP,
  `status` tinyint(4) NOT NULL default '0',
  PRIMARY KEY  (seq),
  KEY host (host),
  KEY seq (seq),
  KEY program (program),
  KEY time (time),
  KEY date (date),
  KEY priority (priority),
  KEY facility (facility)
) ENGINE=MyISAM;

-- --------------------------------------------------------

--
-- Table structure for table `syslog_remove`
--

CREATE TABLE syslog_remove (
  id int(10) NOT NULL auto_increment,
  name varchar(255) NOT NULL default '',
  `type` varchar(16) NOT NULL default '',
  message text NOT NULL,
  `user` varchar(32) NOT NULL default '',
  `date` int(16) NOT NULL default '0',
  PRIMARY KEY  (id)
) ENGINE=MyISAM;
My syslog-ng.conf:

Code: Select all

options {
#       use_fqdn(yes);
#       use_dns(yes);
#       dns_cache(yes);
        keep_hostname(yes);
        long_hostnames(off);
        sync(1);
        log_fifo_size(1024);
};

source src { unix-stream("/dev/log"); internal(); };

source net {
        udp();
        tcp();
};

destination d_mysql {
pipe("/tmp/mysql.pipe"
template("INSERT INTO syslog_incoming (host, facility, priority, level, tag, date,
time, program, msg) VALUES ( '$HOST', '$FACILITY', '$PRIORITY', '$LEVEL','$TAG',
'$YEAR-$MONTH-$DAY', '$HOUR:$MIN:$SEC', '$PROGRAM', '$MSG' );\n") template-escape(yes));
};

log { source(net); destination(d_mysql); };
My syslog_mysql.sh:

Code: Select all

#!/bin/bash

if [ -e /tmp/mysql.pipe ]; then
while [ -e /tmp/mysql.pipe ]
do
mysql -u syslogadmin --password=**** syslog < /tmp/mysql.pipe
done
else
mkfifo /tmp/mysql.pipe
fi
I get this from my cacti log, this takes the syslog from the incoming to the syslog table right?:

Code: Select all

 02/22/2006 08:50:48 PM - THOLD: Poller[0] Checking Thresholds
02/22/2006 08:50:47 PM - CMDPHP: Poller[0] ERROR: SQL Exec Failed "UPDATE syslog_incoming set status=1"
02/22/2006 08:50:47 PM - SYSTEM STATS: Time:46.3422 Method:cmd.php Processes:10 Threads:N/A Hosts:20 HostsPerProcess:2 DataSources:81 RRDsProcessed:76
Ubuntu 5.10 Breezy
Cacti 0.8.6h
MySQL 4.1.12
PHP 5
syslog-ng 1.6.8

Thanks!
cigamit
Developer
Posts: 3369
Joined: Thu Apr 07, 2005 3:29 pm
Location: B/CS Texas
Contact:

Post by cigamit »

nahun wrote:

Code: Select all

02/22/2006 08:50:47 PM - CMDPHP: Poller[0] ERROR: SQL Exec Failed "UPDATE syslog_incoming set status=1"
This usually means that your that your syslog_incoming database is not the one provided, as it doesn't have the "status" column which is not something your original syslog table would have. Check and make sure its there.

Code: Select all

show columns from syslog_incoming;
User avatar
nahun
Cacti User
Posts: 92
Joined: Wed Feb 15, 2006 11:27 pm
Location: Idaho
Contact:

Post by nahun »

Here is the output:

Code: Select all

Database changed
mysql> show columns from syslog_incoming;
+-----------+------------------+------+-----+-------------------+----------------+
| Field     | Type             | Null | Key | Default           | Extra          |
+-----------+------------------+------+-----+-------------------+----------------+
| host      | varchar(32)      | YES  | MUL | NULL              |                |
| facility  | varchar(10)      | YES  | MUL | NULL              |                |
| priority  | varchar(10)      | YES  | MUL | NULL              |                |
| level     | varchar(10)      | YES  |     | NULL              |                |
| tag       | varchar(10)      | YES  |     | NULL              |                |
| date      | date             | YES  | MUL | NULL              |                |
| time      | time             | YES  | MUL | NULL              |                |
| program   | varchar(15)      | YES  | MUL | NULL              |                |
| msg       | text             | YES  |     | NULL              |                |
| seq       | int(10) unsigned |      | PRI | NULL              | auto_increment |
| timestamp | timestamp        | YES  |     | CURRENT_TIMESTAMP |                |
| status    | tinyint(4)       |      |     | 0                 |                |
+-----------+------------------+------+-----+-------------------+----------------+
12 rows in set (0.00 sec)
and if I change the haloetable in config.php to syslog_incoming I can see the syslogs in cacti.

Thanks cigamit!
User avatar
cdukes
Cacti User
Posts: 61
Joined: Tue Mar 26, 2002 1:25 pm
Location: Morrisville, NC
Contact:

Nice mod but...

Post by cdukes »

Looks like a nice mod, but how well does it scale?
I have ~2500 devices and am currently using php-syslog-ng which is very fast and written quite well.
Still, it would be neat to have it inside cacti.
cigamit
Developer
Posts: 3369
Joined: Thu Apr 07, 2005 3:29 pm
Location: B/CS Texas
Contact:

Re: Nice mod but...

Post by cigamit »

cdukes wrote:Looks like a nice mod, but how well does it scale?
I have ~2500 devices and am currently using php-syslog-ng which is very fast and written quite well.
Still, it would be neat to have it inside cacti.
With that many, I honestly don't know as I don't have nearly that many hosts to test it on. I made a few changes the other day to speed up the processing by at least 200%, but I have no clue if it would handle more than 200K messages in a 5 minute polling period.

Do your hosts only log messages? Or everything? Any estimate on a average amount of syslog messages received in 5 minutes?

I also need to create a seperate process for the polling, which would ensure no timeouts, but that shouldn't take long.
User avatar
cdukes
Cacti User
Posts: 61
Joined: Tue Mar 26, 2002 1:25 pm
Location: Morrisville, NC
Contact:

Re: Nice mod but...

Post by cdukes »

I would think that by looking at php-syslog-ng you could get a few good ideas on fast processing? :-)
My devices are routers and switches (not hosts).
It ranges, but I'm currently working for a company that has 30k devices (that's not a typo) and I'm trying to find a solution for syslog that truly scales well. Right now, we are feeding ~2500 devices into php-syslog-ng and it's handling it very well (about 5-15 messages per second)


cigamit wrote:
With that many, I honestly don't know as I don't have nearly that many hosts to test it on. I made a few changes the other day to speed up the processing by at least 200%, but I have no clue if it would handle more than 200K messages in a 5 minute polling period.

Do your hosts only log messages? Or everything? Any estimate on a average amount of syslog messages received in 5 minutes?

I also need to create a seperate process for the polling, which would ensure no timeouts, but that shouldn't take long
g.
knobdy
Cacti User
Posts: 495
Joined: Wed Sep 28, 2005 1:39 pm

Re: Nice mod but...

Post by knobdy »

cdukes wrote:I would think that by looking at php-syslog-ng you could get a few good ideas on fast processing? :-)
My devices are routers and switches (not hosts).
It ranges, but I'm currently working for a company that has 30k devices (that's not a typo) and I'm trying to find a solution for syslog that truly scales well. Right now, we are feeding ~2500 devices into php-syslog-ng and it's handling it very well (about 5-15 messages per second)
What are you actually doing with the data though? We've got a requirement to store data for 11 months and keep 1 month "live". With just the 50+ devices we have (all debugging - also a requirement) I haven't found anything that can handle the load (though I will be looking at php-syslog-ng now). I've been told by many that I'll never find anything that involves a database without processing the messages first...not being a programmer it will take quite a bit of time for me to develop parsing scripts for our environment...
User avatar
cdukes
Cacti User
Posts: 61
Joined: Tue Mar 26, 2002 1:25 pm
Location: Morrisville, NC
Contact:

Re: Nice mod but...

Post by cdukes »

It would be impossible to keep that much DEBUG data for 30k devices, or damn near close to it. However, the way that php-syslog-ng stores the data keeps the searches fairly fast. Good luck in your search :-)


knobdy wrote:
What are you actually doing with the data though? We've got a requirement to store data for 11 months and keep 1 month "live". With just the 50+ devices we have (all debugging - also a requirement) I haven't found anything that can handle the load (though I will be looking at php-syslog-ng now). I've been told by many that I'll never find anything that involves a database without processing the messages first...not being a programmer it will take quite a bit of time for me to develop parsing scripts for our environment...
User avatar
nahun
Cacti User
Posts: 92
Joined: Wed Feb 15, 2006 11:27 pm
Location: Idaho
Contact:

Post by nahun »

cigamit wrote:
nahun wrote:

Code: Select all

02/22/2006 08:50:47 PM - CMDPHP: Poller[0] ERROR: SQL Exec Failed "UPDATE syslog_incoming set status=1"
This usually means that your that your syslog_incoming database is not the one provided, as it doesn't have the "status" column which is not something your original syslog table would have. Check and make sure its there.

Code: Select all

show columns from syslog_incoming;
any other comments or ideas?
[size=75]Solaris 10 x86 [color=red][b]||[/b][/color] Cacti - 0.8.7 [color=red][b]||[/b][/color] MySQL - 5.0.45 [color=red][b]||[/b][/color] PHP - 5.2.6 [color=red][b]||[/b][/color] RRDTool - 1.2.23 [color=red][b]||[/b][/color] NET-SNMP - 5.4.1 [color=red][b]||[/b][/color] Syslog-ng 2.0.5
[url=http://www.indigo-networks.com]indigo-networks.com[/url][/size]
mgb
Cacti User
Posts: 124
Joined: Mon Jun 21, 2004 4:06 am
Location: North of the Netherlands

Post by mgb »

@nahun

I seem to have the same problem as you.

Code: Select all

03/02/2006 01:00:11 PM - CMDPHP: Poller[0] ERROR: SQL Exec Failed "INSERT INTO logs (date, time, priority, facility, host, msg) SELECT date, time, priority, facility, host, msg FROM syslog_incoming where status=1"
But my syslog-ng delivers the data in the logs table. I can see the data but can't uses the alerts or removals part. I am able fill these in but nothing seems to happen.

Here is my config.php

Code: Select all

<?php

$haloedb_type     = "mysql";
$haloedb_default  = "haloe";
$haloedb_hostname = "localhost";
$haloedb_username = "*****";
$haloedb_password = "*****";

$haloe_config["rows_per_page"] = "30";

//  Integrate with Graph View Timespan Selector. If false, keep seperate timespan settings
$haloe_config["graphtime"] = true;

//  Display timespan selector or not [ only used if $haloe_config["graphtime"]=false ]
$haloe_config["timespan_sel"] = true;

//  Field Mappings, adjust to match the haloe table columns in use
$haloe_config["haloeTable"]      = "logs";
$haloe_config["incomingTable"]   = "syslog_incoming";
$haloe_config["removeTable"]     = "syslog_remove";
$haloe_config["alertTable"]      = "syslog_alert";
$haloe_config["dateField"]       = "date";
$haloe_config["timeField"]       = "time";
$haloe_config["priorityField"]   = "priority";
$haloe_config["facilityField"]   = "facility";
$haloe_config["hostField"]       = "host";
$haloe_config["textField"]       = "msg";
$haloe_config["id"]              = "seq";

//  Priority colors, change/add/delete to suit
$haloe_colors["Emergency"] = "FF0000";
$haloe_colors["Critical"]  = "FF0000";
$haloe_colors["alert"]     = "FF0000";
$haloe_colors["err"]     = "FFAB00";
$haloe_colors["warn"]   = "FFFF00";
$haloe_colors["Notice"]    = "FFAB00";
$haloe_colors["Info"]      = "FFAB00";
$haloe_colors["Debug"]     = "D0D0D0";

?>
any idea?
Post Reply

Who is online

Users browsing this forum: No registered users and 2 guests