Discussion:
Send Syslog Messages to History
rodyan
2012-11-06 21:53:36 UTC
Permalink
rodyan [http://community.zenoss.org/people/rodyan] created the discussion

"Send Syslog Messages to History"

To view the discussion, visit: http://community.zenoss.org/message/69736#69736

--------------------------------------------------------------
Hello,

I have already read and reviewed some information related to syslog. Also, from testing the devices, I already know that my Zenoss receives the information, but I don't see the events on the console or on the Event Console.

So I would like to know, or if somebody can give advice, how I can send all the syslog messages to History.

Thanks for your help.

BR

Rodyan
--------------------------------------------------------------

Reply to this message by replying to this email -or- go to the discussion on Zenoss Community
[http://community.zenoss.org/message/69736#69736]

Start a new discussion in zenoss-users by email
[discussions-community-forums-zenoss--***@community.zenoss.org] -or- at Zenoss Community
[http://community.zenoss.org/choose-container!input.jspa?contentType=1&containerType=14&container=2003]
nilie
2012-11-07 20:17:59 UTC
Permalink
nilie [http://community.zenoss.org/people/nilie] created the discussion

"Re: Send Syslog Messages to History"

To view the discussion, visit: http://community.zenoss.org/message/69748#69748

--------------------------------------------------------------
Your question is not very clear to me. What exactly is your problem: not seeing syslog events in the Event Console, or sending them to event history?
--------------------------------------------------------------

rodyan
2012-11-12 23:01:14 UTC
Permalink
rodyan [http://community.zenoss.org/people/rodyan] created the discussion

"Re: Send Syslog Messages to History"

To view the discussion, visit: http://community.zenoss.org/message/69866#69866

--------------------------------------------------------------
Hello, thanks for the answer.

And the problem is "both": I cannot see the syslog messages on the Event Console, and if I look at the "history", the syslog messages cannot be found.

Also, checking with tcpdump, I can see that the related device already sends the syslog messages to Zenoss.
--------------------------------------------------------------

nilie
2012-11-13 04:33:11 UTC
Permalink
nilie [http://community.zenoss.org/people/nilie] created the discussion

"Re: Send Syslog Messages to History"

To view the discussion, visit: http://community.zenoss.org/message/69874#69874

--------------------------------------------------------------
I couldn't tell from your message if you configured Zenoss properly to receive syslog messages so I will assume you did not and I'll try to give you some hints.
By default, both zensyslog and rsyslog will collide trying to listen on port UDP/514 and usually rsyslog will get there first. There are several ways of doing it but the easiest in my opinion (anyway the one I'm using) is the following:
* make sure iptables firewall is disabled or configure it properly
* configure rsyslog to forward a copy of all messages or only messages you want to local host (127.0.0.1) but on port UDP/5514 instead
* configure zensyslog to listen on port UDP/5514 paying attention to the minimal syslog severity level you're interested in
If you choose to do it this way, make sure you disable IPv6 completely on the server. When the two IP stacks (v4 and v6) are active, the server will forward messages to local host using IPv6 in preference and zensyslog will never listen to the designated port in IPv6, only in IPv4. It took me a lot of effort (and hair pulling) to find this out.

Hope this will help you start receiving syslog messages in Zenoss.
--------------------------------------------------------------
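The IPv4/IPv6 loopback mismatch described in the post above can be reproduced with a small probe. This is an added example, not code from the thread or from Zenoss: the listener is a constructed stand-in for an IPv4-only collector, bound to an ephemeral port so no root is needed, and all function names are hypothetical.

```python
import socket

LOCAL0 = 16   # syslog facility code for local0
INFO = 6      # syslog severity code for informational


def build_syslog_datagram(facility, severity, tag, text):
    """Build a minimal BSD-style syslog datagram: <PRI>tag: text."""
    pri = facility * 8 + severity
    return "<{}>{}: {}".format(pri, tag, text).encode("ascii")


def open_ipv4_listener():
    """Constructed stand-in for a collector that listens on IPv4 only."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("127.0.0.1", 0))   # ephemeral port instead of 5514
    sock.settimeout(0.5)
    return sock


def delivered(listener, family, address, payload):
    """Send payload to address on the listener's port; True if the listener reads it."""
    port = listener.getsockname()[1]
    try:
        with socket.socket(family, socket.SOCK_DGRAM) as sender:
            sender.sendto(payload, (address, port))
        data, _ = listener.recvfrom(4096)
    except OSError:   # receive timeout, or address family not available
        return False
    return data == payload


def check_loopback_delivery():
    """Probe the same listener over the IPv4 and the IPv6 loopback address."""
    payload = build_syslog_datagram(LOCAL0, INFO, "probe", "loopback test")
    listener = open_ipv4_listener()
    try:
        return {
            "127.0.0.1": delivered(listener, socket.AF_INET, "127.0.0.1", payload),
            "::1": delivered(listener, socket.AF_INET6, "::1", payload),
        }
    finally:
        listener.close()


def localhost_resolution_order(port=5514):
    """Addresses the resolver returns for 'localhost', in resolver order."""
    infos = socket.getaddrinfo("localhost", port, type=socket.SOCK_DGRAM)
    return [info[4][0] for info in infos]


if __name__ == "__main__":
    print(check_loopback_delivery())
    print(localhost_resolution_order())
```

The datagram sent to ::1 is accepted by the sender without error and is silently lost, which is why the forwarder's own logs give no hint; forwarding to the literal 127.0.0.1 rather than a name avoids depending on resolver order.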

nilie
2012-11-13 04:34:49 UTC
Permalink
nilie [http://community.zenoss.org/people/nilie] created the discussion

"Re: Send Syslog Messages to History"

To view the discussion, visit: http://community.zenoss.org/message/69875#69875

--------------------------------------------------------------
I forgot to mention but rsyslog is installed by default in CentOS v6.x and needs to be installed in v5.x
--------------------------------------------------------------

rodyan
2012-11-13 14:19:11 UTC
Permalink
rodyan [http://community.zenoss.org/people/rodyan] created the discussion

"Re: Send Syslog Messages to History"

To view the discussion, visit: http://community.zenoss.org/message/69881#69881

--------------------------------------------------------------
Hi, thanks for the answer.

Well, actually I don't have rsyslog running on the server, only "zensyslog"; this is the content of "zensyslog.conf":

***@mysrvr:/usr/local/zenoss/zenoss/etc$ more zensyslog.conf
#PARAMETER      VALUE
syslogport      514
logorig         select this
logseverity     Debug

My zenoss is running on Ubuntu Server and the IPv6 and Firewall are disabled.

***@mysrvr:~$ lsmod | grep ipv6
***@mysrvr:~$

Is it necessary that rsyslog is running?
--------------------------------------------------------------

nilie
2012-11-14 15:48:11 UTC
Permalink
nilie [http://community.zenoss.org/people/nilie] created the discussion

"Re: Send Syslog Messages to History"

To view the discussion, visit: http://community.zenoss.org/message/69911#69911

--------------------------------------------------------------
I attached here below the zensyslog configuration that I'm using right now, hoping that it will give you some guidelines. I'm using port 5514 but you can easily adapt it to your needs.
Running rsyslog (as well as syslog) is not a requirement for running Zenoss but running a server without system logging is not recommended. If you run Zenoss on CentOS v5.x, syslog cannot be configured to listen on a port other than 514, so you will have to make sure it is stopped and prevent it from being started at boot. Doing this will allow zensyslog to listen for incoming syslog messages but you might lose other important server info and warnings. The good news is that you can easily replace it with rsyslog.
On CentOS v6.x, rsyslog is installed by default so you have many options. You can stop it completely, you can configure it to listen on a port other than 514, or you can allow it to listen on 514 and forward the messages to zensyslog, which is listening on another port like I suggested.
My recommendation is first to stop syslog/rsyslog and make sure zensyslog receives syslog messages as it is. Then after you have this working, you can move to add system logging into the equation.
Let me know if you need more help on this.

--------------------------------------------------------------

rodyan
2012-11-21 14:38:26 UTC
Permalink
rodyan [http://community.zenoss.org/people/rodyan] created the discussion

"Re: Send Syslog Messages to History"

To view the discussion, visit: http://community.zenoss.org/message/70050#70050

--------------------------------------------------------------
Hello,

Thanks for the answer. I was checking the config file, and I put this info:

#PARAMETER      VALUE
syslogport     514
logorig          select this
logseverity     Debug
maxlogsize     10240
maxqueuelen     12000
monitor          localhost

This is only for testing, of course, but I cannot see the syslog events on the event console or in the history.

My zenoss version is 3.2.1

The OS platform is Ubuntu and rsyslog is installed by default but is not running right now.

I don't know what other information could be useful.

BR
--------------------------------------------------------------

nilie
2012-11-21 18:32:52 UTC
Permalink
nilie [http://community.zenoss.org/people/nilie] created the discussion

"Re: Send Syslog Messages to History"

To view the discussion, visit: http://community.zenoss.org/message/70064#70064

--------------------------------------------------------------
I was wondering why it is that you have the line "*logorig     select this*" in your zensyslog.conf? I have a Zenoss Core v3.1 in production and a v4.2 in test and neither of them has this in their zensyslog.conf file. Can you please paste here the results of the following command (must be root):  *netstat -pa | grep 514*  ?
Also, since you have set the zensyslog logging level to debug, can you see any errors or warnings in there?
--------------------------------------------------------------

rodyan
2012-11-22 22:06:48 UTC
Permalink
rodyan [http://community.zenoss.org/people/rodyan] created the discussion

"Re: Send Syslog Messages to History"

To view the discussion, visit: http://community.zenoss.org/message/70098#70098

--------------------------------------------------------------
Hi,

After running the command I don't receive any information.

As for the line "logorig select this", I saw that line in another post; do you think that this line could be wrong?
--------------------------------------------------------------

Ryan Matte
2012-11-22 22:42:27 UTC
Permalink
Ryan Matte [http://community.zenoss.org/people/rmatte] created the discussion

"Re: Send Syslog Messages to History"

To view the discussion, visit: http://community.zenoss.org/message/70099#70099

--------------------------------------------------------------
You really need to give us more information about the syslog that you're sending to Zenoss.  By default Zenoss does not accept any syslogs with a facility level of local7 and no syslogs with a severity lower than 4.
--------------------------------------------------------------

rodyan
2012-11-22 22:52:31 UTC
Permalink
rodyan [http://community.zenoss.org/people/rodyan] created the discussion

"Re: Send Syslog Messages to History"

To view the discussion, visit: http://community.zenoss.org/message/70103#70103

--------------------------------------------------------------
Hello Ryan,

Thanks for the answer. For the syslog messages that I need to receive, I see the following info:

2012-11-22 16:47:47,850 DEBUG zen.ZenSyslog: Queueing event {'firstTime': 1353624446.8083601, 'severity': 2, 'facility': 'local0', 'eventClassKey': u'SessionId', 'component': 'SessionId', 'agent': 'zensyslog', 'summary': '........[more info]

So the "Severity = 2" and "Facility = local0"

The devices are Citrix NetScaler
--------------------------------------------------------------

Ryan Matte
2012-11-22 22:55:13 UTC
Permalink
Ryan Matte [http://community.zenoss.org/people/rmatte] created the discussion

"Re: Send Syslog Messages to History"

To view the discussion, visit: http://community.zenoss.org/message/70104#70104

--------------------------------------------------------------
Zenoss also has some mappings that block certain event types by default.  What is an example of the summary of one of these syslogs?
--------------------------------------------------------------

rodyan
2012-11-22 23:19:04 UTC
Permalink
rodyan [http://community.zenoss.org/people/rodyan] created the discussion

"Re: Send Syslog Messages to History"

To view the discussion, visit: http://community.zenoss.org/message/70111#70111

--------------------------------------------------------------
Hello this is an example:

2012-11-22 17:16:06,066 DEBUG zen.ZenSyslog: Queueing event {'firstTime': 1353626148.11479, 'severity': 2, 'facility': 'local0', 'eventClassKey': u'SessionId', 'component': 'SessionId', 'agent': 'zensyslog', 'summary': '132167- 192.168.5.15 User AXT01162 : Group(s) BASICO_EXTERNOS : Vserver 192.168.2.14:443 - 11/22/2012:23:28:11 GMT GET /GC/servlet/com.telefonica.gc.servsup.servlet.ActualizaServiciosSuplementarios?dn=5520242042&activarServicios=562%7C34%7C7% - -', 'priority': 6, 'manager': 'zenoss-server', 'eventGroup': 'syslog', 'device': 'NetcalerSrvr', 'lastTime': 1353626148.11479, 'ipAddress': '192.168.2.30', 'monitor': 'localhost'}

BR
--------------------------------------------------------------

Ryan Matte
2012-11-22 23:26:44 UTC
Permalink
Ryan Matte [http://community.zenoss.org/people/rmatte] created the discussion

"Re: Send Syslog Messages to History"

To view the discussion, visit: http://community.zenoss.org/message/70112#70112

--------------------------------------------------------------
It's queueing the event with a severity of 2, and the facility level is high enough to clear the filters so it should be coming in.  Are you receiving any alerts in Zenoss at all?
--------------------------------------------------------------

rodyan
2012-11-23 15:02:18 UTC
Permalink
rodyan [http://community.zenoss.org/people/rodyan] created the discussion

"Re: Send Syslog Messages to History"

To view the discussion, visit: http://community.zenoss.org/message/70126#70126

--------------------------------------------------------------
Hi,

For all the other devices using SNMP that are being monitored, yes.

But from these devices in particular I cannot see the information in the Event Console or History.

But in zensyslog I see information, and using a sniffer I can see the device is sending the syslog information to Zenoss.

This is very strange. I think that it could be a configuration issue, but I don't know, jejeje.

Any ideas?

BR
--------------------------------------------------------------

Ryan Matte
2012-11-23 15:13:54 UTC
Permalink
Ryan Matte [http://community.zenoss.org/people/rmatte] created the discussion

"Re: Send Syslog Messages to History"

To view the discussion, visit: http://community.zenoss.org/message/70137#70137

--------------------------------------------------------------
It certainly sounds like you have some disconnect between zensyslog and zenhub.  If you go to Advanced -> Collectors -> localhost -> Performance and view the Event Queue graph, do you see a lot of queue items for zensyslog in there?
--------------------------------------------------------------

rodyan
2012-11-23 17:58:27 UTC
Permalink
rodyan [http://community.zenoss.org/people/rodyan] created the discussion

"Re: Send Syslog Messages to History"

To view the discussion, visit: http://community.zenoss.org/message/70130#70130

--------------------------------------------------------------
Hi, the information in the graph for zensyslog:

cur: 12000
avg: 11906
max: 12000
--------------------------------------------------------------

Ryan Matte
2012-11-23 18:30:28 UTC
Permalink
Ryan Matte [http://community.zenoss.org/people/rmatte] created the discussion

"Re: Send Syslog Messages to History"

To view the discussion, visit: http://community.zenoss.org/message/70144#70144

--------------------------------------------------------------
That's your problem right there.  Zensyslog's event queue is maxed out meaning you're either sending way too much syslog traffic to it, or it's not connected to zenhub.
--------------------------------------------------------------

rodyan
2012-11-23 19:29:44 UTC
Permalink
rodyan [http://community.zenoss.org/people/rodyan] created the discussion

"Re: Send Syslog Messages to History"

To view the discussion, visit: http://community.zenoss.org/message/70133#70133

--------------------------------------------------------------
ouch!!!

And is there a way to fix it? I don't know, maybe with another collector or anything else?

BR
--------------------------------------------------------------

nilie
2012-11-23 16:09:00 UTC
Permalink
nilie [http://community.zenoss.org/people/nilie] created the discussion

"Re: Send Syslog Messages to History"

To view the discussion, visit: http://community.zenoss.org/message/70128#70128

--------------------------------------------------------------
The parameter logorig should be either true or false. I would suggest that you delete the line "*logorig     select this*" from your zensyslog.conf and do another test.
As for the command, can you try it again like this:
*netstat -pna | grep 514*  ?
--------------------------------------------------------------

rodyan
2012-11-23 17:58:46 UTC
Permalink
rodyan [http://community.zenoss.org/people/rodyan] created the discussion

"Re: Send Syslog Messages to History"

To view the discussion, visit: http://community.zenoss.org/message/70131#70131

--------------------------------------------------------------
This is the result:

# netstat -pna | grep 514
udp   165504      0 0.0.0.0:514             0.0.0.0:*                           26297/.python.bin
udp        0      0 127.0.0.1:37386         127.0.0.1:514           ESTABLISHED 28451/perl
--------------------------------------------------------------
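In the netstat output above, the first numeric column is Recv-Q: bytes the kernel has received on the socket that the owning process has not yet read. The following added example (not from the thread; function names are hypothetical) parses `netstat -pna` UDP rows, using the two lines from the post as sample input, and reports sockets bound to a given local port that have a receive backlog.

```python
# Sample input: the two lines posted in the thread above.
NETSTAT_SAMPLE = """\
udp   165504      0 0.0.0.0:514             0.0.0.0:*                           26297/.python.bin
udp        0      0 127.0.0.1:37386         127.0.0.1:514           ESTABLISHED 28451/perl
"""


def parse_netstat_udp(text):
    """Parse UDP rows of `netstat -pna` output into dictionaries."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        # Expect: proto recv-q send-q local foreign [state] pid/program
        if len(fields) < 6 or not fields[0].startswith("udp"):
            continue
        if not (fields[1].isdigit() and fields[2].isdigit()):
            continue
        local = fields[3]
        try:
            local_port = int(local.rsplit(":", 1)[1])
        except (IndexError, ValueError):
            continue
        rows.append({
            "recv_q": int(fields[1]),
            "send_q": int(fields[2]),
            "local": local,
            "local_port": local_port,
            "foreign": fields[4],
            # UDP rows usually have an empty State column, so the
            # program is the last field whether or not a state is present.
            "state": fields[5] if len(fields) > 6 else "",
            "program": fields[-1],
        })
    return rows


def backlogged_sockets(text, port):
    """Sockets bound to local `port` whose Recv-Q is non-zero."""
    return [
        (row["local"], row["recv_q"], row["program"])
        for row in parse_netstat_udp(text)
        if row["local_port"] == port and row["recv_q"] > 0
    ]


if __name__ == "__main__":
    for local, recv_q, program in backlogged_sockets(NETSTAT_SAMPLE, 514):
        print("{} has {} unread bytes (owner {})".format(local, recv_q, program))
```

Matching on the local port excludes the second row, which `grep 514` picked up only because 514 is its foreign port.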
