NLS Ubuntu Error

This support forum board is for support questions relating to Nagios Log Server, our solution for managing and monitoring critical log data.
stevecalderoni
Posts: 15
Joined: Wed Mar 29, 2017 10:47 am

NLS Ubuntu Error

Post by stevecalderoni »

Trying out NLS on Ubuntu 16. New install. I download and exec the sh script and the below is what I get. rsyslog is running. Restarted the service. Nothing going to NLS.

Any advice would be appreciated.

root@web1:/tmp# bash setup-linux.sh -s logs.isonasnet.com -p 5544
Detected rsyslog 8.16.0
Detected rsyslog work directory /var/spool/rsyslog
Destination Log Server: logs.isonasnet.com:5544
Creating /etc/rsyslog.d/99-nagioslogserver.conf...
getenforce command not found, assuming SELinux is disabled.
ERROR: rsyslog configuration check failed.
hsmith
Agent Smith
Posts: 3539
Joined: Thu Jul 30, 2015 11:09 am
Location: 127.0.0.1

Re: NLS Ubuntu Error

Post by hsmith »

I haven't worked for Nagios for a while now, but last I knew Ubuntu was not supported. I haven't been watching closely - but I'm not aware of that changing. Red Hat/CentOS is the recommended installation platform.
Former Nagios Employee.
me.
stevecalderoni
Posts: 15
Joined: Wed Mar 29, 2017 10:47 am

Re: NLS Ubuntu Error

Post by stevecalderoni »

A little more on this:

When I try the Manual option the first line gets this:

root@web1:/tmp# ls -d /var/lib/rsyslog || ls -d /var/spool/rsyslog || mkdir -v /var/spool/rsyslog
ls: cannot access '/var/lib/rsyslog': No such file or directory
/var/spool/rsyslog
stevecalderoni
Posts: 15
Joined: Wed Mar 29, 2017 10:47 am

Re: NLS Ubuntu Error

Post by stevecalderoni »

hsmith wrote: I haven't worked for Nagios for a while now, but last I knew Ubuntu was not supported. I haven't been watching closely - but I'm not aware of that changing. Red Hat/CentOS is the recommended installation platform.
To be clear: I'm not installing NLS on Ubuntu. Just wanting to get log events from it to the NLS that is already running fine.

Sharing for the benefit of others....

My initial error is caused by a known bug in rsyslog.

Comment the line in /etc/rsyslog.conf:

$KLogPermitNonKernelFacility on

This allows syslogging to start working.

Now I am trying to get file watch on catalina.out and that isn't working. If anyone has ideas on what to check please share.
Last edited by dwhitfield on Mon May 01, 2017 10:19 am, edited 1 time in total.
Reason: cleaning up double-post
mcapra
Posts: 3739
Joined: Thu May 05, 2016 3:54 pm

Re: NLS Ubuntu Error

Post by mcapra »

hsmith wrote: I haven't worked for Nagios for a while now, but last I knew Ubuntu was not supported. I haven't been watching closely - but I'm not aware of that changing. Red Hat/CentOS is the recommended installation platform.
Thanks @hsmith! To confirm, we only support clean, minimal installations of Red Hat and CentOS Linux.
stevecalderoni wrote: Now I am trying to get file watch on catalina.out and that isn't working. If anyone has ideas on what to check please share.
Tomcat logs are notoriously tricky to deal with because Java call traces take up multiple lines. Were you encountering specific problems with getting the logs to even make it to Nagios Log Server? We do include a setup script for Linux files that can be found here:
2017_05_01_09_45_14_Source_Setup_Nagios_Log_Server.png
Is that script giving you problems?
Former Nagios employee
https://www.mcapra.com/
stevecalderoni
Posts: 15
Joined: Wed Mar 29, 2017 10:47 am

Re: NLS Ubuntu Error

Post by stevecalderoni »

That is the one I used. The conf file gets created and rsyslog restarts successfully. By all rights it should be logging. I do see events from the OS coming in so I know rsyslog is sending something. I'm just not getting the catalina.out file. I am at a total loss on this one.

Conf file created by scripts:

root@server:/opt/tomcat/logs# cat /etc/rsyslog.d/90-nagioslogserver_opt_tomcat_logs_catalina.out.conf
$ModLoad imfile
$InputFilePollInterval 10
$PrivDropToGroup adm
$WorkDirectory /var/spool/rsyslog

# Input for CatalinaOut
$InputFileName /opt/tomcat/logs/catalina.out
$InputFileTag CatalinaOut:
$InputFileStateFile nls-state-opt_tomcat_logs_catalina.out # Must be unique for each file being polled
# Uncomment the folowing line to override the default severity for messages
# from this file.
#$InputFileSeverity info
$InputFilePersistStateInterval 20000
$InputRunFileMonitor

# Forward to Nagios Log Server and then discard, otherwise these messages
# will end up in the syslog file (/var/log/messages) unless there are other
# overriding rules.
if $programname == 'CatalinaOut' then @@logs.isonasnet.com:5544
if $programname == 'CatalinaOut' then ~

Spool file exists as well:

root@server:/opt/tomcat/logs# cat /var/spool/rsyslog/nls-state-opt_tomcat_logs_catalina.out
<Obj:1:strm:1:
+iCurrFNum:2:1:1:
+pszFName:1:29:/opt/tomcat/logs/catalina.out:
+iMaxFiles:2:1:0:
+bDeleteOnClose:2:1:0:
+sType:2:1:2:
+tOperationsMode:2:1:1:
+tOpenMode:2:3:384:
+iCurrOffs:2:1:0:
+inode:2:1:0:
+bPrevWasNL:2:1:0:
>End
.
Last edited by mcapra on Mon May 01, 2017 10:08 am, edited 1 time in total.
Reason: please use [code] tags for technical output
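
Added example, not part of the thread or of the Nagios setup script: a shell helper that reads the imfile state file format shown in the post above and reports how many bytes of the watched file lie past the offset rsyslog has recorded. It assumes each property line has the form +name:type:length:value: as the dump suggests; the function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): inspect an rsyslog imfile state file.
# Assumption: property lines look like "+name:type:length:value:" as in the dump.

# state_field FILE NAME -> print the value of property NAME, exit 1 if absent.
state_field() {
    awk -v want="$2" '
        substr($0, 1, 1) == "+" {
            rest = substr($0, 2)
            # Peel off name, type and length; the value may itself contain ":".
            for (i = 1; i <= 3; i++) {
                p = index(rest, ":")
                if (p == 0) next
                f[i] = substr(rest, 1, p - 1)
                rest = substr(rest, p + 1)
            }
            if (f[1] == want) { print substr(rest, 1, f[3] + 0); found = 1; exit }
        }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# unread_bytes FILE -> bytes of the watched log past the recorded offset.
# Returns 2 if the state file is unusable, 3 if the log cannot be read.
unread_bytes() {
    log=$(state_field "$1" pszFName) || return 2
    offs=$(state_field "$1" iCurrOffs) || return 2
    [ -r "$log" ] || { echo "cannot read $log" >&2; return 3; }
    size=$(wc -c < "$log")
    echo $((size - offs))
}

# Constructed sample: a three-line log and a state file recording offset 0.
make_sample() {
    path="$1/catalina.out"
    printf 'line one\nline two\nline three\n' > "$path"
    printf '<Obj:1:strm:1:\n+pszFName:1:%d:%s:\n+iCurrOffs:2:1:0:\n>End\n.\n' \
        "${#path}" "$path" > "$1/state"
}

tmp=$(mktemp -d)
make_sample "$tmp"
echo "watched file: $(state_field "$tmp/state" pszFName)"
echo "unread bytes: $(unread_bytes "$tmp/state")"
rm -rf "$tmp"
```

Run it as an account in the group rsyslog drops to (adm in the posted config) so the readability check reflects what rsyslog itself can open.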
mcapra
Posts: 3739
Joined: Thu May 05, 2016 3:54 pm

Re: NLS Ubuntu Error

Post by mcapra »

Can you try altering the rsyslog rule to use a Logstash input other than the default syslog one on 5544? 2056 is used for raw tcp/udp inputs by default. Give this a try:

if $programname == 'CatalinaOut' then @@logs.isonasnet.com:2056
You'll need to restart the rsyslog process to apply the changes.
Former Nagios employee
https://www.mcapra.com/
stevecalderoni
Posts: 15
Joined: Wed Mar 29, 2017 10:47 am

Re: NLS Ubuntu Error

Post by stevecalderoni »

Thanks for the reply. Still nothing coming after changing to port 2056.
mcapra
Posts: 3739
Joined: Thu May 05, 2016 3:54 pm

Re: NLS Ubuntu Error

Post by mcapra »

I would check both the system log on the Ubuntu machine for rsyslog errors, and the Logstash log on the Nagios Log Server machine for errors. Here's the location of the Logstash log on the Nagios Log Server machine if you'd like to share it for review:

/var/log/logstash/logstash.log
I would also verify that there are no Firewall rules on the Nagios Log Server machine preventing traffic on port 2056.
Former Nagios employee
https://www.mcapra.com/
stevecalderoni
Posts: 15
Joined: Wed Mar 29, 2017 10:47 am

Re: NLS Ubuntu Error

Post by stevecalderoni »

The /var/log/logstash/logstash.log only has 4 errors in it and they are for another device.

iptables shows all needed ports open and the 2056 port is taking traffic.

Chain INPUT (policy ACCEPT 144K packets, 212M bytes)
 pkts bytes target prot opt in out source     destination
    0     0 ACCEPT tcp  --  *  *   0.0.0.0/0  0.0.0.0/0    state NEW tcp dpt:2057
   43  2580 ACCEPT tcp  --  *  *   0.0.0.0/0  0.0.0.0/0    state NEW tcp dpt:2056
 1469 88140 ACCEPT tcp  --  *  *   0.0.0.0/0  0.0.0.0/0    state NEW tcp dpt:5544
   59  3020 ACCEPT tcp  --  *  *   0.0.0.0/0  0.0.0.0/0    state NEW tcp dpt:3515
   85  5100 ACCEPT tcp  --  *  *   0.0.0.0/0  0.0.0.0/0    state NEW tcp dpts:9300:9400
    0     0 ACCEPT tcp  --  *  *   0.0.0.0/0  0.0.0.0/0    state NEW tcp dpt:443
  14M 6405M ACCEPT udp  --  *  *   0.0.0.0/0  0.0.0.0/0    state NEW udp dpt:5544
    0     0 ACCEPT tcp  --  *  *   0.0.0.0/0  0.0.0.0/0    state NEW tcp dpt:5667
15936  956K ACCEPT tcp  --  *  *   0.0.0.0/0  0.0.0.0/0    state NEW tcp dpt:5666
29620 1540K ACCEPT tcp  --  *  *   0.0.0.0/0  0.0.0.0/0    state NEW tcp dpt:80
86163   17M ACCEPT tcp  --  *  *   0.0.0.0/0  0.0.0.0/0    tcp dpt:5544