Syslog monitor addon beta

General discussion about Plugins for Cacti

sini
Cacti User
Posts: 91
Joined: Mon Nov 24, 2003 10:22 am
Location: Hungary

#241 Post by sini » Wed Nov 29, 2006 12:16 pm

Hi,

Same for me. The data inside the syslog_incoming table is not transferred automatically to the syslog table.
I can see the SQL inserts in mysql.pipe
I use cacti-0.8.6i and haloe 0.4 with plugin arch.
Sini

Whizzer
Posts: 3
Joined: Tue May 31, 2005 4:56 am

#242 Post by Whizzer » Thu Nov 30, 2006 8:06 am

Hi,

The Syslog plugin is great and is a big plus to the Cacti application. Only one minor thing isn't working like I was hoping for, but due to the lack of knowledge about php/mysql (just a Cisco network administrator with a passion for linux/unix), I can't seem to solve it myself.

The problem is pretty simple. Entries get displayed "twice", or more specifically: date, time & message sequence is displayed twice. Example of a logging entry:

Code:

INSERT INTO syslog_incoming (host, facility, priority, level, tag, date, time, program, msg)

VALUES ( 'switch15', 'local6', 'notice', 'notice', 'b5', '2006-11-30', '13:46:48', '36761:', '36761: Nov 30 13:46:48.115 CET: LINEPROTO-SP-5-UPDOWN: Line protocol on Interface GigabitEthernet3/7, changed state to up' );

As you can see, date and time are added separately in the database, but also together with the message. The same goes for the seq # (36761 in this example). On page 9 of this topic you can see twelzy's screenshot which (besides the seq number) does the same thing.

Can anyone help me to fix this? If you need more info, let me know!

Regards,

Whizzer

cigamit
Developer
Posts: 2787
Joined: Thu Apr 07, 2005 3:29 pm
Location: B/CS Texas

#243 Post by cigamit » Fri Dec 01, 2006 7:28 pm

Whizzer wrote: As you can see, date and time are added separately in the database, but also together with the message.

What syslog to mysql program are you using? It's the one doing it improperly. Unless of course your servers are reporting improperly to the server. The plugin only reads what the syslog daemon actually inserted, and directly moves it over.

Whizzer
Posts: 3
Joined: Tue May 31, 2005 4:56 am

#244 Post by Whizzer » Mon Dec 04, 2006 4:30 am

cigamit wrote:
Whizzer wrote: As you can see, date and time are added separately in the database, but also together with the message.
What syslog to mysql program are you using? It's the one doing it improperly. Unless of course your servers are reporting improperly to the server. The plugin only reads what the syslog daemon actually inserted, and directly moves it over.

I've used a script which also was found somewhere around here. Several versions are posted, maybe it's the wrong one.

Let me post some (hopefully) interesting info for you:

OS: Fedora Core 6
Cacti: 0.8.6i
Mysql: 5.0.27 (The one which comes with FC6 or yum updates)
And of course syslog-ng.

Most interesting part of syslog-ng.conf:

Code:

destination d_mysql {
    pipe("/tmp/mysql.pipe" template("INSERT INTO syslog_incoming (host, facility, priority, level, tag, date, time, program, msg)
    VALUES ( '$HOST', '$FACILITY', '$PRIORITY', '$LEVEL', '$TAG', '$YEAR-$MONTH-$DAY', '$HOUR:$MIN:$SEC','$PROGRAM', '$MSG' );\n")
    template-escape(yes));
};

and the script which puts the log in Mysql:

Code:

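#!/bin/bash

# Create the FIFO that syslog-ng writes its INSERT statements to, if it is missing.
if [ ! -e /tmp/mysql.pipe ]; then
 mkfifo /tmp/mysql.pipe
fi

# Feed the statements from the FIFO to MySQL; restart the client whenever it exits.
while [ -e /tmp/mysql.pipe ]
 do
 mysql -u TheUser --password=ThePassword syslog < /tmp/mysql.pipe
done

And the mysql database structure:

Code: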

mysql> SHOW COLUMNS FROM syslog;
+----------+------------------+------+-----+---------+----------------+
| Field    | Type             | Null | Key | Default | Extra          |
+----------+------------------+------+-----+---------+----------------+
| facility | varchar(10)      | YES  |     | NULL    |                |
| priority | varchar(10)      | YES  |     | NULL    |                |
| date     | date             | YES  |     | NULL    |                |
| time     | time             | YES  |     | NULL    |                |
| host     | varchar(128)     | YES  |     | NULL    |                |
| message  | text             | YES  |     | NULL    |                |
| seq      | int(10) unsigned | NO   | PRI | NULL    | auto_increment |
+----------+------------------+------+-----+---------+----------------+
7 rows in set (0.01 sec)

mysql>

Any help is welcome! But again, I'm not a PHP/MySQL hero, so if changes need to be done in the database structure, please let me know how to do this... ;-)
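
Added example, not code from the thread or from the plugin: the sample entry in this post carries the sequence number and device timestamp inside the message text, and the syslog-ng template builds each INSERT by substituting text into SQL. The Python sketch below strips that prefix and inserts with bound parameters so quotes in a message stay data; the `split_cisco` and `store` helpers are hypothetical, and an in-memory SQLite table is assumed as a stand-in for the MySQL `syslog_incoming` table.

```python
import re
import sqlite3

# Prefix as in the thread's sample: "36761: Nov 30 13:46:48.115 CET: "
CISCO_PREFIX = re.compile(
    r"^(?:(?P<seq>\d+): )?"                    # optional sequence number
    r"(?P<stamp>[*.]?[A-Z][a-z]{2} +\d{1,2} "  # month and day
    r"\d{2}:\d{2}:\d{2}(?:\.\d+)?"             # time with optional milliseconds
    r"(?: [A-Z]{2,5})?): "                     # optional time zone
)

# First message is the one quoted in the thread; the second is constructed.
SAMPLES = [
    "36761: Nov 30 13:46:48.115 CET: LINEPROTO-SP-5-UPDOWN: Line protocol "
    "on Interface GigabitEthernet3/7, changed state to up",
    "Login failed for user 'o'brien'; source 192.168.1.1",
]

def split_cisco(msg):
    """Return (seq, device_stamp, body); seq and stamp are None if absent."""
    m = CISCO_PREFIX.match(msg)
    if not m:
        return None, None, msg
    seq = int(m.group("seq")) if m.group("seq") else None
    return seq, m.group("stamp"), msg[m.end():]

def store(db, host, facility, priority, date, time, msg):
    """Insert one event using bound parameters instead of SQL text."""
    seq, _stamp, body = split_cisco(msg)
    db.execute(
        "INSERT INTO syslog_incoming (host, facility, priority, date, time, msg)"
        " VALUES (?, ?, ?, ?, ?, ?)",
        (host, facility, priority, date, time, body),
    )
    return seq, body

def demo():
    db = sqlite3.connect(":memory:")  # assumed stand-in for the MySQL database
    db.execute("CREATE TABLE syslog_incoming (host TEXT, facility TEXT,"
               " priority TEXT, date TEXT, time TEXT, msg TEXT)")
    for msg in SAMPLES:
        store(db, "switch15", "local6", "notice", "2006-11-30", "13:46:48", msg)
    query = "SELECT msg FROM syslog_incoming ORDER BY rowid"
    return [row[0] for row in db.execute(query)]

if __name__ == "__main__":
    for stored in demo():
        print(stored)
```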

cinico
Posts: 4
Joined: Mon Dec 04, 2006 7:56 pm

#245 Post by cinico » Mon Dec 04, 2006 8:06 pm

I have a similar problem I think.

I am running CactiEZ Beta v0.2 with no modifications except the Discovery plugin has been updated.

Host Info follows:
Cacti Version - 0.8.6i
Plugin Architecture - 1.0
Poller Type - Cactid v0.8.6i
Server Info - Linux 2.6.9-42.0.3.EL
Web Server - Apache/2.0.52 (CentOS)
PHP - 4.3.9
PHP Extensions - yp, xml, wddx, tokenizer, sysvshm, sysvsem, standard, sockets, shmop, session, pspell, posix, pcre, overload, mime_magic, iconv, gmp, gettext, ftp, exif, dio, dbx, dba, curl, ctype, calendar, bz2, bcmath, zlib, openssl, apache2handler, gd, mysql, snmp, eAccelerator
MySQL - 4.1.20
RRDTool - 1.2.15
SNMP - 5.1.2
Plugins
  • PHP Network Weathermap (weathermap - v0.82)
  • Thresholds (thold - v0.3.0)
  • Device Monitoring (monitor - v0.7)
  • Network Discovery (discovery - v0.7)
  • Network Tools (tools - v0.2)
  • Syslog Monitoring (haloe - v0.4)
  • mactrack
  • RRD Cleaner (rrdclean - v1.1)
  • Update Checker (update - v0.3)
  • FlowView (flowview - v0.3)
  • Host Info (hostinfo - v0.1)
  • Error Images (errorimage - v0.1)
I used Webmin to configure Local3 facility coming in via Net source to go to MySQL.

It works great. All I do is tell my Cisco switch to log to the CactiEZ server on Local3 and the host and log entries show up under the Syslog tab in Cacti. My only problem is that all of these Net entries are doubled. :(

Localhost entries are not.

Can someone give me a clue as to why that might be?

Thanks!

dpartow
Posts: 19
Joined: Thu May 04, 2006 6:53 pm

syslog installation issues

#246 Post by dpartow » Wed Dec 27, 2006 10:39 pm

Hi all.

I want to see syslog from systems. I already installed syslog-ng and when I install the haloe plugin I see no data. Is there something I am missing? Do I have to configure syslog-ng?

I have the following installed

Cacti Version 0.8.6i
Plugin Architecture 1.0
Poller Type CMD.php
Server Info Linux 2.6.9-34.ELsmp
Web Server Apache/2.0.52 (Red Hat)
PHP Version 4.3.9
PHP Extensions yp, xml, wddx, tokenizer, sysvshm, sysvsem, standard, sockets, shmop, session, pspell, posix, pcre, overload, mime_magic, iconv, gmp, gettext, ftp, exif, dio, dbx, dba, curl, ctype, calendar, bz2, bcmath, zlib, openssl, apache2handler, ldap, mysql, snmp
MySQL Version 4.1.20
RRDTool Version 1.2.15
SNMP Version 5.1.2
Plugins PHP Network Weathermap (weathermap - v0.82)
Thresholds (thold - v0.3.0)
Update Checker (update - v0.3)
Host Info (hostinfo - v0.1)
Network Tools (tools - v0.2)
Device Monitoring (monitor - v0.7)
NTop Viewer (ntop - v0.1)
Syslog Monitoring (haloe - v0.4)


Can someone help me? E-mail me or post. My e-mail address is [email protected]

cigamit
Developer
Posts: 2787
Joined: Thu Apr 07, 2005 3:29 pm
Location: B/CS Texas

#247 Post by cigamit » Fri Dec 29, 2006 10:33 pm

Yep, it has to be configured, and a script has to be set up. Most of the important items have already been done for you, just need to copy and paste.

Google Search of Cacti.net

dpartow
Posts: 19
Joined: Thu May 04, 2006 6:53 pm

syslog-ng with plugin not working for me PLEASE HELP

#248 Post by dpartow » Sat Dec 30, 2006 11:29 pm

Hi all.

Can you please give me detailed instructions on how to do this? I am really having some difficulty.

I have already created the mysql database called syslog.

I just need help with seeing the syslogs in the plugin in cacti.

Can someone help me? E-mail me or post. My e-mail address is [email protected]

pconrad
Posts: 19
Joined: Mon Jun 12, 2006 8:29 am

Problems searching message

#249 Post by pconrad » Tue Jan 02, 2007 3:27 pm

When I try to search the message text for an IP address (192.168.1.1) it doesn't put the periods in the search area. It replaces them with spaces (192 168 1 1) Because of this, it never returns the correct data. How can I search for IP addresses?
"So Long, and thanks for all the fish!" DA

cigamit
Developer
Posts: 2787
Joined: Thu Apr 07, 2005 3:29 pm
Location: B/CS Texas

Re: Problems searching message

#250 Post by cigamit » Thu Jan 04, 2007 10:49 pm

pconrad wrote: When I try to search the message text for an IP address (192.168.1.1) it doesn't put the periods in the search area. It replaces them with spaces (192 168 1 1) Because of this, it never returns the correct data. How can I search for IP addresses?

Known bug, I am working on it.

nahun
Cacti User
Posts: 92
Joined: Wed Feb 15, 2006 11:27 pm
Location: Idaho

#251 Post by nahun » Tue Jan 09, 2007 1:14 pm

This is a feature request, so not urgent, just a suggestion.

I get millions of logs so I don't keep them all in one table. I wrote a script to move them into another table each week. Sometimes though I would like to view those old syslogs in other tables. Maybe there could be a setting of which table to use to view the syslogs without going to the config.php.

Just a suggestion and it might be stupid :P
Solaris 10 x86 || Cacti - 0.8.7 || MySQL - 5.0.45 || PHP - 5.2.6 || RRDTool - 1.2.23 || NET-SNMP - 5.4.1 || Syslog-ng 2.0.5
indigo-networks.com (http://www.indigo-networks.com)

idle
Cacti User
Posts: 73
Joined: Wed May 26, 2004 10:49 am
Location: Barcelona

#252 Post by idle » Sat May 19, 2007 6:03 am

There is an error in the syslog.sql from the last version at cactiusers.
There isn't a column "status" in table syslog.
That was the reason why data wouldn't go into table syslog from syslog_incoming. Now all works wonderfully. :)

adrianmarsh
Cacti User
Posts: 435
Joined: Wed Aug 17, 2005 8:51 am
Location: UK

#253 Post by adrianmarsh » Sat May 19, 2007 7:29 am

nahun,

Not a stupid suggestion. I too have the same problem. I "snort" one windows server event log out to my cacti PC, and after about 2 weeks worth of logs it takes an age to even view the syslog plugin, never mind search it.

Clearing the syslog tables is my temporary fix (not a good one obviously).

I'd be interested in seeing your script for moving the tables.

Adrian

pyoung
Posts: 13
Joined: Mon Nov 07, 2005 2:51 pm

#254 Post by pyoung » Thu May 24, 2007 2:59 pm

I read over this thread (all 17 pages!), and didn't see an answer to the question I have:

Does this work with the cactid poller, or do you have to run poller.php to have this work? I've converted our cacti install here to use cactid, but the cronjob that runs poller.php is still in place (if I comment it out, syslogs no longer update)..

Help?

adrianmarsh
Cacti User
Posts: 435
Joined: Wed Aug 17, 2005 8:51 am
Location: UK

#255 Post by adrianmarsh » Thu May 24, 2007 4:22 pm

The only cronjobs should be poller.php and fastpoller.php (latter for CactiEZ)

Poller.php in turn calls cactid (based on your Settings via the www page). It's cactid vs cmd.php, either initiated from poller.php

You don't run cactid manually.
