wierd problem with syslog

[kbartoletta]

I am having a strange problem with the syslog plugin - or actually getting certain logs to forward to my cacti syslog server. I have it installed and work fine but I am unable to capture certain logs from one of our servers...

We have 2-3 different existing syslog servers that we use for different purposes... I am trying to pull all of these logs into one central location for viewing my our operations people. One of them is running kiwi and collects all of our firewall logs.... it is forwarding everything to my cacti syslog box and all logs are
getting process to syslog_incoming the way they should. I have another syslog server that collects all logs from our routers and switches, this is a linux box running ksyslogd... when I try to forward this servers logs to my cacti syslog server - I am only seeing certain logs come in... It looks like only the local log messages from the server itself and not the messages from any of the routers or switches. I am wondering if this is because of the log message formating.

I am forwarding everything from this box with

*.* @X.X.X.X

I can sit there an tail the /var/log/messages file on this box and see that messages are coming into this box, however when I tail -f the /var/log/messages file on my cacti syslog server I am not seeing all of the messages.



For instance, when I restart the syslog dameon on the router/switch syslog server, I get the following logs into my cacti syslog server....

hostname.domain.biz 2006-09-28 09:05:34 syslog: syslogd shutdown succeeded notice

hostname.domain.biz 2006-09-28 09:05:31 syslog: klogd shutdown succeeded notice

hostname.domain.biz 2006-09-28 09:05:31 exiting on signal 15 info

hostname.domain.biz 2006-09-28 09:05:31 syslogd 1.4.1: restart (remote reception). info

hostname.domain.biz 2006-09-28 09:05:31 syslog: syslogd startup succeeded notice

hostname.domain.biz 2006-09-28 09:05:31 kernel: klogd 1.4.1, log source = /proc/kmsg started.


********************************************************************

however I am not getting any syslogs forwarded to my cacti syslog server from this box that orginate from other location (i.e my routers and switches) the messages resemble the following....

*************************************************************
Sep 28 09:11:00 hostname rpd[2469]: bgp_listen_accept: Connection attempt from unconfigured neighbor: X.X.X.X+59859

Sep 28 09:11:44 hostname rpd[2469]: bgp_traffic_timeout: NOTIFICATION sent to 209.168.246.34 (External AS 13653): code 4 (Hold Timer Expired Error), Reason: holdtime expired for X.X.X.X (External AS ######)

Sep 28 09:09:22 hostname 2006 Sep 28 09:09:20 %CDP-4-NVLANMISMATCH:Native vlan mismatch detected on port 3/48

Sep 28 09:13:00 hostname rpd[2469]: bgp_listen_accept: Connection attempt from unconfigured neighbor: X.X.X.X+59862

Any ideas?

Thanks in advance!

[rony]

First thing I would check... Make sure that your syslog configuration on the Cacti server is setup to send all facilites and levels to the log file you are monitoring.

Most network equipment defaults to LOCAL0 - LOCAL7 levels.

[kbartoletta]

I found a blurb in the syslogd man pages that says that syslogd, by default does not forward messages recieved from other hosts (i.e the network devices) - there is a switch "-h" that is supposed to enable this functionality. I have not tried it yet though. To this point, I dont believe that they switch/router syslog server is forwarding the messages because I am not even seeing them coming into the local /var/log/messages file.

[rony]

Ironically, I was just about to post that....