syslog plugin install help

seanmancini
Cacti User
Posts: 110
Joined: Wed Mar 13, 2019 3:37 pm
Location: toronto
Contact:

syslog plugin install help

#1 Post by seanmancini » Wed Oct 02, 2019 3:59 pm

Hey all

I have just installed the syslog plugin and I am running into an issue: I see all the logs coming in as unprocessed messages. I have checked the forum and seen similar issues;
however, none of the proposed fixes have worked for me


Here are all my configs

------rsyslog.conf----







# rsyslog configuration file

# For more information see /usr/share/doc/rsyslog-*/rsyslog_conf.html
# If you experience problems, see http://www.rsyslog.com/doc/troubleshoot.html

#### MODULES ####

# The imjournal module below is now used as a message source instead of imuxsock.
$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imjournal # provides access to the systemd journal
#$ModLoad imklog # reads kernel messages (the same are read from journald)
#$ModLoad immark # provides --MARK-- message capability

# Provides UDP syslog reception
$ModLoad imudp
$UDPServerRun 514

# Provides TCP syslog reception
# (legacy directives need the leading "$", like the UDP lines above)
$ModLoad imtcp
$InputTCPServerRun 514


#### GLOBAL DIRECTIVES ####

# Where to place auxiliary files
$WorkDirectory /var/lib/rsyslog

# Use default timestamp format
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

# File syncing capability is disabled by default. This feature is usually not required,
# not useful and an extreme performance hit
#$ActionFileEnableSync on

# Include all config files in /etc/rsyslog.d/
$IncludeConfig /etc/rsyslog.d/*.conf

# Turn off message reception via local log socket;
# local messages are retrieved through imjournal now.
$OmitLocalLogging on

# File to store the position in the journal
$IMJournalStateFile imjournal.state


#### RULES ####

# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.* /dev/console

# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none /var/log/messages

# The authpriv file has restricted access.
authpriv.* /var/log/secure

# Log all the mail messages in one place.
mail.* -/var/log/maillog


# Log cron stuff
cron.* /var/log/cron

# Everybody gets emergency messages
*.emerg :omusrmsg:*

# Save news errors of level crit and higher in a special file.
uucp,news.crit /var/log/spooler

# Save boot messages also to boot.log
local7.* /var/log/boot.log


# ### begin forwarding rule ###
# The statement between the begin ... end define a SINGLE forwarding
# rule. They belong together, do NOT split them. If you create multiple
# forwarding rules, duplicate the whole block!
# Remote Logging (we use TCP for reliable delivery)
#
# An on-disk queue is created for this action. If the remote host is
# down, messages are spooled to disk and sent when it is up again.
#$ActionQueueFileName fwdRule1 # unique name prefix for spool files
#$ActionQueueMaxDiskSpace 1g # 1gb space limit (use as much as possible)
#$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
#$ActionQueueType LinkedList # run asynchronously
#$ActionResumeRetryCount -1 # infinite retries if host is down
# remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
#*.* @@remote-host:514
# ### end of the forwarding rule ###




-----rsyslog.d cacti file



$ModLoad imudp
$UDPServerRun 514
$ModLoad ommysql

$template cacti_syslog,"INSERT INTO syslog_incoming(facility_id, priority_id, program, date, time, host, message) \
values (%syslogfacility%, %syslogpriority%, '%programname%', '%timereported:::date-mysql%', '%timereported:::date-mysql%', '%HOSTNAME%', TRIM('%msg%'))", SQL

*.* >localhost,cacti,cacti,cacti;cacti_syslog

---- I have put the following line into my.cnf

sql_mode=NO_AUTO_CREATE_USER,NO_ENGINE_SUBSTITUTION

I have verified it has taken

MariaDB [(none)]> show global variables like 'sql_mode';
+---------------+--------------------------------------------+
| Variable_name | Value                                      |
+---------------+--------------------------------------------+
| sql_mode      | NO_AUTO_CREATE_USER,NO_ENGINE_SUBSTITUTION |
+---------------+--------------------------------------------+
1 row in set (0.00 sec)


I am using the cacti DB as the syslog db


| syslog |
| syslog_alert |
| syslog_facilities |
| syslog_host_facilities |
| syslog_hosts |
| syslog_incoming |
| syslog_logs |
| syslog_priorities |
| syslog_programs |
| syslog_remove |
| syslog_removed |
| syslog_reports |
| syslog_statistics |
| user_auth |
| user_auth_cache |
| user_auth_group |
| user_auth_group_members |
| user_auth_group_perms |
| user_auth_group_realm |
| user_auth_perms |
| user_auth_realm |
| user_domains |
| user_domains_ldap |
| user_log |
| vdef |
| vdef_items |
| version |
+-------------------------------------+
122 rows in set (0.00 sec)

[Attachment: syslog.JPG]
I confirm that the syslog messages are coming in

I am kinda lost as to where to go from here

Any help would be appreciated

Thanks !

Re: syslog plugin install help

#2 Post by seanmancini » Wed Oct 02, 2019 5:14 pm

OK, did some more digging. One thing I notice is that when I make an alert rule, Cacti notices that the message I am looking for is coming in from syslog.
So I still need to figure out why I am not able to see any of the messages in the plugin view

Frustrating !!!

BTW I am using CentOS; SELinux is disabled

Re: syslog plugin install help

#3 Post by seanmancini » Wed Oct 02, 2019 5:23 pm

OK, more info: here is a look at the syslog table

MariaDB [cacti]> select * FROM syslog;
+-------------+-------------+------------+---------+---------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----+
| facility_id | priority_id | program_id | host_id | logtime | message | seq |
+-------------+-------------+------------+---------+---------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----+
| 1 | 6 | 1 | 1 | 2019-10-02 20:42:18 | WAN:579d5e22: (Device information)



Nothing in the alert table though

MariaDB [cacti]> select * FROM syslog_alert;
Empty set (0.00 sec)

Re: syslog plugin install help

#4 Post by seanmancini » Wed Oct 02, 2019 5:30 pm

I have checked the syslog_incoming table and it is populating fine as well


MariaDB [cacti]> select * FROM syslog_incoming;
+-------------+-------------+---------+------------+----------+----------------------------------------------------+---------------------------------------------------------------------------------------------------------------------------+-----+--------+
| facility_id | priority_id | program | date | time | host | message | seq | status |
+-------------+-------------+---------+------------+----------+----------------------------------------------------+---------------------------------------------------------------------------------------------------------------------------+-----+--------+
| 3 | 6 | systemd | 2019-10-02 | 22:25:03 | xyz | Removed slice User Slice of apache.

Re: syslog plugin install help

#5 Post by seanmancini » Wed Oct 02, 2019 9:53 pm

Even more digging

Here is the output from the syslog_process.php script

php syslog_process.php -d
SYSLOG: Syslog Table IS Partitioned
SYSLOG: Unique ID = 119
SYSLOG: Found 0, New Message(s) to process
SYSLOG: Found 0, Removal Rule(s) to process
SYSLOG: Found 0, Alert Rules to process
SYSLOG: Moved 135, Message(s) to the 'syslog' table
SYSLOG: Deleted 135, Already Processed Message(s) from incoming
SYSLOG: Deleted 0, Syslog alarm log Record(s)
SYSLOG: Deleted 0, Syslog Host Record(s)
SYSLOG: Deleted 0, Old programs from programs table
SYSLOG: Deleted 0, Syslog Host/Facility Record(s)
SYSLOG: Processing Reports...
SYSLOG: We have 0 Reports in the database
SYSLOG: Finished processing Reports...
2019/10/02 22:50:55 - SYSTEM SYSLOG STATS: Time:0.04 Deletes:0 Incoming:0 Removes:0 XFers:135 Alerts:0 Alarms:0 Reports:0

Something very weird is going on. I can figure this out

netniV
Cacti Guru User
Posts: 3132
Joined: Sun Aug 27, 2017 12:05 am

Re: syslog plugin install help

#6 Post by netniV » Mon Oct 21, 2019 5:20 am

What rules do you have set up to be processed against the incoming messages?

Re: syslog plugin install help (resolved)

#7 Post by seanmancini » Mon Oct 21, 2019 7:15 am

Hey, sorry, I forgot to reply to this. I fixed my issue.
Looks like the plugin checks time against server time and not the PHP time

I fixed the timezone in the OS and I got it working

Thanks !
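
The fix reported in post #7 was a time zone mismatch between the OS and PHP. The script below is an added example, not from the thread or from the Cacti project, that checks whether the OS, the PHP CLI and MariaDB report the same UTC offset. The function names and the `live` argument are hypothetical, and the live check assumes `php` and `mysql` are on the PATH with credentials in a client option file.

```shell
#!/bin/sh
# Added example: check that the OS, PHP CLI and MariaDB report the same UTC offset.

# Convert "-0400", "+05:30" or "-04:00:00" to signed minutes east of UTC.
offset_to_minutes() {
    raw=$1
    sign=1
    case $raw in
        -*) sign=-1; raw=${raw#-} ;;
        +*) raw=${raw#+} ;;
    esac
    digits=$(printf '%s' "$raw" | tr -d ':')
    case $digits in
        ''|*[!0-9]*) return 1 ;;      # reject anything that is not hhmm[ss]
    esac
    [ "${#digits}" -ge 4 ] || return 1
    hh=$(printf '%s' "$digits" | cut -c1-2)
    mm=$(printf '%s' "$digits" | cut -c3-4)
    # Strip one leading zero so "08" is not read as an octal literal.
    echo $(( $sign * (${hh#0} * 60 + ${mm#0}) ))
}

# compare_offsets OS_OFFSET name=offset ...
# Prints every source that disagrees with the OS; returns 1 if any does.
compare_offsets() {
    os=$(offset_to_minutes "$1") || return 2
    shift
    rc=0
    for pair in "$@"; do
        name=${pair%%=*}
        if ! val=$(offset_to_minutes "${pair#*=}"); then
            echo "$name: cannot parse offset '${pair#*=}'"
            rc=1
        elif [ "$val" -ne "$os" ]; then
            echo "$name differs from OS by $(( $val - $os )) minutes"
            rc=1
        fi
    done
    return $rc
}

# Live check (assumes php and mysql are on PATH and mysql reads its
# credentials from a client option file such as ~/.my.cnf).
if [ "${1:-}" = "live" ]; then
    compare_offsets "$(date +%z)" \
        "php=$(php -r 'echo date("P");')" \
        "mariadb=$(mysql -N -B -e 'SELECT TIMEDIFF(NOW(), UTC_TIMESTAMP())')"
fi
```

Run it with the `live` argument on the Cacti host; no output and exit status 0 mean all three sources agree.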
