Forwarding maillog entries

This support forum board is for support questions relating to Nagios Log Server, our solution for managing and monitoring critical log data.
vmesquita
Posts: 315
Joined: Fri Aug 10, 2012 12:52 pm

Forwarding maillog entries

Post by vmesquita »

Hello,

I am trying to send the postfix log entries from the SMTP server to nagios log server. I added the following lines to /etc/rsyslog.conf:

Code:

### begin forwarding rule ### NAGIOSLOGSERVER
#
$WorkDirectory /var/lib/rsyslog # where to place spool files
$ActionQueueFileName fwdRule1 # unique name prefix for spool files
$ActionQueueMaxDiskSpace 1g   # 1gb space limit (use as much as possible)
$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
$ActionQueueType LinkedList   # run asynchronously
$ActionResumeRetryCount -1    # infinite retries if host is down
# # remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional

mail.* @@syslogA.selic.bc:5544

However, only crontab events are being sent. Any ideas?
hsmith
Agent Smith
Posts: 3539
Joined: Thu Jul 30, 2015 11:09 am
Location: 127.0.0.1

Re: Forwarding maillog entries

Post by hsmith »

Are there any sort of errors in /var/log/logstash/logstash.log?
Former Nagios Employee.
vmesquita
Posts: 315
Joined: Fri Aug 10, 2012 12:52 pm

Re: Forwarding maillog entries

Post by vmesquita »

Can you please check if this is an error? This log is very hard to read because there are no line breaks. I see some events from the host IP which do not seem to be making it into the Log Server interface.

Code:

{:timestamp=>"2016-07-29T12:49:45.717000-0300", :message=>"failed action with response of 400, dropping action: [\"index\", {:_id=>nil, :_index=>\"logstash-2016.07.29\", :_type=>\"syslog\", :_routing=>nil}, #<LogStash::Event:0x7f5eb2dc @metadata={\"retry_count\"=>0}, @accessors=#<LogStash::Util::Accessors:0x31553c71 @store={\"message\"=>\"4D86110000BC: warning: header From: Nagios-xxxxx <[email protected]> from nagios.xxxxx.bc[AAA.BB.CC.DD]; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<localhost.localdomain>\\n\", \"@version\"=>\"1\", \"@timestamp\"=>\"2016-07-29T15:49:45.000Z\", \"type\"=>\"syslog\", \"host\"=>\"AAA.BB.EE.FF\", \"priority\"=>22, \"timestamp\"=>\"Jul 29 12:49:45\", \"logsource\"=>\"va581\", \"program\"=>\"postfix/cleanup\", \"pid\"=>\"664\", \"severity\"=>6, \"facility\"=>2, \"facility_label\"=>\"mail\", \"severity_label\"=>\"Informational\"}, @lut={\"type\"=>[{\"message\"=>\"4D86110000BC: warning: header From: Nagios-xxxxx <[email protected]> from nagios.xxxxx.bc[AAA.BB.CC.DD]; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<localhost.localdomain>\\n\", \"@version\"=>\"1\", \"@timestamp\"=>\"2016-07-29T15:49:45.000Z\", \"type\"=>\"syslog\", \"host\"=>\"AAA.BB.EE.FF\", \"priority\"=>22, \"timestamp\"=>\"Jul 29 12:49:45\", \"logsource\"=>\"va581\", \"program\"=>\"postfix/cleanup\", \"pid\"=>\"664\", \"severity\"=>6, \"facility\"=>2, \"facility_label\"=>\"mail\", \"severity_label\"=>\"Informational\"}, \"type\"], \"host\"=>[{\"message\"=>\"4D86110000BC: warning: header From: Nagios-xxxxx <[email protected]> from nagios.xxxxx.bc[AAA.BB.CC.DD]; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<localhost.localdomain>\\n\", \"@version\"=>\"1\", \"@timestamp\"=>\"2016-07-29T15:49:45.000Z\", \"type\"=>\"syslog\", \"host\"=>\"AAA.BB.EE.FF\", \"priority\"=>22, \"timestamp\"=>\"Jul 29 12:49:45\", \"logsource\"=>\"va581\", \"program\"=>\"postfix/cleanup\", \"pid\"=>\"664\", \"severity\"=>6, 
\"facility\"=>2, \"facility_label\"=>\"mail\", \"severity_label\"=>\"Informational\"}, \"host\"], \"message\"=>[{\"message\"=>\"4D86110000BC: warning: header From: Nagios-xxxxx <[email protected]> from nagios.xxxxx.bc[AAA.BB.CC.DD]; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<localhost.localdomain>\\n\", \"@version\"=>\"1\", \"@timestamp\"=>\"2016-07-29T15:49:45.000Z\", \"type\"=>\"syslog\", \"host\"=>\"AAA.BB.EE.FF\", \"priority\"=>22, \"timestamp\"=>\"Jul 29 12:49:45\", \"logsource\"=>\"va581\", \"program\"=>\"postfix/cleanup\", \"pid\"=>\"664\", \"severity\"=>6, \"facility\"=>2, \"facility_label\"=>\"mail\", \"severity_label\"=>\"Informational\"}, \"message\"], \"priority\"=>[{\"message\"=>\"4D86110000BC: warning: header From: Nagios-xxxxx <[email protected]> from nagios.xxxxx.bc[AAA.BB.CC.DD]; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<localhost.localdomain>\\n\", \"@version\"=>\"1\", \"@timestamp\"=>\"2016-07-29T15:49:45.000Z\", \"type\"=>\"syslog\", \"host\"=>\"AAA.BB.EE.FF\", \"priority\"=>22, \"timestamp\"=>\"Jul 29 12:49:45\", \"logsource\"=>\"va581\", \"program\"=>\"postfix/cleanup\", \"pid\"=>\"664\", \"severity\"=>6, \"facility\"=>2, \"facility_label\"=>\"mail\", \"severity_label\"=>\"Informational\"}, \"priority\"], \"timestamp\"=>[{\"message\"=>\"4D86110000BC: warning: header From: Nagios-xxxxx <[email protected]> from nagios.xxxxx.bc[AAA.BB.CC.DD]; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<localhost.localdomain>\\n\", \"@version\"=>\"1\", \"@timestamp\"=>\"2016-07-29T15:49:45.000Z\", \"type\"=>\"syslog\", \"host\"=>\"AAA.BB.EE.FF\", \"priority\"=>22, \"timestamp\"=>\"Jul 29 12:49:45\", \"logsource\"=>\"va581\", \"program\"=>\"postfix/cleanup\", \"pid\"=>\"664\", \"severity\"=>6, \"facility\"=>2, \"facility_label\"=>\"mail\", \"severity_label\"=>\"Informational\"}, \"timestamp\"], \"logsource\"=>[{\"message\"=>\"4D86110000BC: warning: header From: Nagios-xxxxx <[email protected]> 
from nagios.xxxxx.bc[AAA.BB.CC.DD]; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<localhost.localdomain>\\n\", \"@version\"=>\"1\", \"@timestamp\"=>\"2016-07-29T15:49:45.000Z\", \"type\"=>\"syslog\", \"host\"=>\"AAA.BB.EE.FF\", \"priority\"=>22, \"timestamp\"=>\"Jul 29 12:49:45\", \"logsource\"=>\"va581\", \"program\"=>\"postfix/cleanup\", \"pid\"=>\"664\", \"severity\"=>6, \"facility\"=>2, \"facility_label\"=>\"mail\", \"severity_label\"=>\"Informational\"}, \"logsource\"], \"program\"=>[{\"message\"=>\"4D86110000BC: warning: header From: Nagios-xxxxx <[email protected]> from nagios.xxxxx.bc[AAA.BB.CC.DD]; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<localhost.localdomain>\\n\", \"@version\"=>\"1\", \"@timestamp\"=>\"2016-07-29T15:49:45.000Z\", \"type\"=>\"syslog\", \"host\"=>\"AAA.BB.EE.FF\", \"priority\"=>22, \"timestamp\"=>\"Jul 29 12:49:45\", \"logsource\"=>\"va581\", \"program\"=>\"postfix/cleanup\", \"pid\"=>\"664\", \"severity\"=>6, \"facility\"=>2, \"facility_label\"=>\"mail\", \"severity_label\"=>\"Informational\"}, \"program\"], \"pid\"=>[{\"message\"=>\"4D86110000BC: warning: header From: Nagios-xxxxx <[email protected]> from nagios.xxxxx.bc[AAA.BB.CC.DD]; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<localhost.localdomain>\\n\", \"@version\"=>\"1\", \"@timestamp\"=>\"2016-07-29T15:49:45.000Z\", \"type\"=>\"syslog\", \"host\"=>\"AAA.BB.EE.FF\", \"priority\"=>22, \"timestamp\"=>\"Jul 29 12:49:45\", \"logsource\"=>\"va581\", \"program\"=>\"postfix/cleanup\", \"pid\"=>\"664\", \"severity\"=>6, \"facility\"=>2, \"facility_label\"=>\"mail\", \"severity_label\"=>\"Informational\"}, \"pid\"], \"tags\"=>[{\"message\"=>\"4D86110000BC: warning: header From: Nagios-xxxxx <[email protected]> from nagios.xxxxx.bc[AAA.BB.CC.DD]; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<localhost.localdomain>\\n\", \"@version\"=>\"1\", \"@timestamp\"=>\"2016-07-29T15:49:45.000Z\", 
\"type\"=>\"syslog\", \"host\"=>\"AAA.BB.EE.FF\", \"priority\"=>22, \"timestamp\"=>\"Jul 29 12:49:45\", \"logsource\"=>\"va581\", \"program\"=>\"postfix/cleanup\", \"pid\"=>\"664\", \"severity\"=>6, \"facility\"=>2, \"facility_label\"=>\"mail\", \"severity_label\"=>\"Informational\"}, \"tags\"], \"severity\"=>[{\"message\"=>\"4D86110000BC: warning: header From: Nagios-xxxxx <[email protected]> from nagios.xxxxx.bc[AAA.BB.CC.DD]; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<localhost.localdomain>\\n\", \"@version\"=>\"1\", \"@timestamp\"=>\"2016-07-29T15:49:45.000Z\", \"type\"=>\"syslog\", \"host\"=>\"AAA.BB.EE.FF\", \"priority\"=>22, \"timestamp\"=>\"Jul 29 12:49:45\", \"logsource\"=>\"va581\", \"program\"=>\"postfix/cleanup\", \"pid\"=>\"664\", \"severity\"=>6, \"facility\"=>2, \"facility_label\"=>\"mail\", \"severity_label\"=>\"Informational\"}, \"severity\"], \"facility\"=>[{\"message\"=>\"4D86110000BC: warning: header From: Nagios-xxxxx <[email protected]> from nagios.xxxxx.bc[AAA.BB.CC.DD]; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<localhost.localdomain>\\n\", \"@version\"=>\"1\", \"@timestamp\"=>\"2016-07-29T15:49:45.000Z\", \"type\"=>\"syslog\", \"host\"=>\"AAA.BB.EE.FF\", \"priority\"=>22, \"timestamp\"=>\"Jul 29 12:49:45\", \"logsource\"=>\"va581\", \"program\"=>\"postfix/cleanup\", \"pid\"=>\"664\", \"severity\"=>6, \"facility\"=>2, \"facility_label\"=>\"mail\", \"severity_label\"=>\"Informational\"}, \"facility\"], \"timestamp8601\"=>[{\"message\"=>\"4D86110000BC: warning: header From: Nagios-xxxxx <[email protected]> from nagios.xxxxx.bc[AAA.BB.CC.DD]; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<localhost.localdomain>\\n\", \"@ve
(usernames and domain names have been replaced for security reasons)
hsmith
Agent Smith
Posts: 3539
Joined: Thu Jul 30, 2015 11:09 am
Location: 127.0.0.1

Re: Forwarding maillog entries

Post by hsmith »

Try switching to using raw TCP/UDP for your inputs instead of the syslog input.

Go to Administration > Global > Global Configuration and expand the syslog input.

Replace what is there with this:

Code:

tcp {
  port => 5544
  type => syslog
}
udp {
  port => 5544
  type => syslog
}

This will stop Logstash from dropping logs with a syslog format that it doesn't like, which is the default behavior.

Your syslogs will no longer be broken down into nice fields, because we're not using the syslog input anymore, but we can have that process done with this grok filter:

Code:

if [type] == "syslog" {
  grok {
    match => { "message" => "<%{POSINT:syslog_pri}>%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }
  }
}

Let me know what happens.
Former Nagios Employee.
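To see what the grok filter above actually extracts from a line that rsyslog forwards over raw TCP, here is an added Python translation of that pattern (example code, not Nagios Log Server or Logstash code). The grok macros are expanded to plain regex approximations, the PRI value is decoded into the facility/severity fields that appeared in the logstash.log dump, and the sample lines, hostnames and addresses are constructed placeholders.

```python
import re

# Regex equivalent of the grok pattern in the post (an added example, not
# Nagios Log Server or Logstash code). Grok macros are approximated:
# POSINT -> digits, SYSLOGTIMESTAMP -> "Mon  d HH:MM:SS", SYSLOGHOST ->
# hostname or IP, DATA -> lazy ".*?", GREEDYDATA -> ".*".
SYSLOG_RE = re.compile(
    r"^<(?P<syslog_pri>\d{1,3})>"
    r"(?P<syslog_timestamp>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<syslog_hostname>[\w.\-]+) "
    r"(?P<syslog_program>.*?)"
    r"(?:\[(?P<syslog_pid>\d+)\])?: "
    r"(?P<syslog_message>.*)$"
)

# Conventional RFC 3164 facility and severity names; facility 2 = mail and
# severity 6 = Informational are the values seen in the logstash.log dump.
FACILITIES = ["kernel", "user", "mail", "daemon", "auth", "syslog", "lpr",
              "news", "uucp", "cron", "authpriv", "ftp", "ntp", "audit",
              "alert", "clock", "local0", "local1", "local2", "local3",
              "local4", "local5", "local6", "local7"]
SEVERITIES = ["Emergency", "Alert", "Critical", "Error", "Warning",
              "Notice", "Informational", "Debug"]


def parse_syslog_line(line):
    """Return the fields the grok filter would add, or None when the line
    does not match (Logstash would tag such an event _grokparsefailure)."""
    m = SYSLOG_RE.match(line.rstrip("\n"))
    if m is None:
        return None
    fields = m.groupdict()
    pri = int(fields["syslog_pri"])
    if pri > 191:  # 23 * 8 + 7 is the largest valid PRI value
        return None
    # PRI = facility * 8 + severity, so decode with a shift and a mask
    fields["facility"], fields["severity"] = pri >> 3, pri & 7
    fields["facility_label"] = FACILITIES[pri >> 3]
    fields["severity_label"] = SEVERITIES[pri & 7]
    return fields


# Constructed sample lines in the form rsyslog sends with the "mail.*" rule;
# hostnames and addresses are placeholders (queue id reused from the thread).
SAMPLES = [
    "<22>Jul 29 12:49:45 va581 postfix/cleanup[664]: 4D86110000BC: warning: "
    "header From: Nagios <nagios@example.invalid>; proto=ESMTP\n",
    "<30>Jul 29 12:50:01 va581 systemd: Started Session 5 of user root.",
    "Jul 29 12:50:02 va581 not-a-syslog-line",  # no <PRI>: parse failure
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(parse_syslog_line(sample))
```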
vmesquita
Posts: 315
Joined: Fri Aug 10, 2012 12:52 pm

Re: Forwarding maillog entries

Post by vmesquita »

Thanks! This really helped to solve the issue.
tmcdonald
Posts: 9117
Joined: Mon Sep 23, 2013 8:40 am

Re: Forwarding maillog entries

Post by tmcdonald »

I'll be closing this thread now, but feel free to open another if you need anything in the future!
Former Nagios employee