rsyslog logging is missing

[Avinash91]

rsyslog.conf.txt

I have configured the cisco device xx.xx.67.254 to send syslog data to a centralised server xx.xx.83.94 so as to keep track of the logs and search for the required

data using keywords. These are the steps i followed to setup xx.xx.83.94(RHEL) as a centralised server

1.Installed rsyslog service - yum install rsyslog

2.Made sure the syslog service is stopped and started again

3. Enabled syslog traffic on port 514- semanage -a -t syslogd_port_t -p udp 514

4.Setup log file location in the rsyslog.conf file

$template TmplAuth, "/var/log/%HOSTNAME%/%PROGRAMNAME%.log" //Create log file based on the hostname

authpriv.* ?TmplAuth
*.info,mail.none,authpriv.none,cron.none ?TmplMsg

5.Enabled module and UDP protocol

$ModLoad imudp
$UDPServerRun 514

6.Open access in firewall-Added this rule to open port
iptables -A INPUT -m state --state NEW -m udp -p udp --dport 514 -j ACCEPT

7.Restarted syslog service
service rsyslog restart


I have also enabled syslogging on the cisco device.

USCHSRST01#show logging
Syslog logging: enabled (0 messages dropped, 17 messages rate-limited, 0 flushes

, 0 overruns, xml disabled, filtering disabled)

No Active Message Discriminator.

No Inactive Message Discriminator.


Console logging: level debugging, 321 messages logged, xml disabled,
filtering disabled
Monitor logging: level debugging, 0 messages logged, xml disabled,
filtering disabled
Buffer logging: level debugging, 336 messages logged, xml disabled,
filtering disabled
Exception Logging: size (4096 bytes)
Count and timestamp logging messages: disabled
Persistent logging: disabled
Trap logging: level debugging, 340 message lines logged

Logging to xx.xx.83.94 (udp port 514, audit disabled,
link up),
340 message lines logged,
0 message lines rate-limited,
0 message lines dropped-by-MD,
xml disabled, sequence number disabled
filtering disabled
Logging Source-Interface: VRF Name


This is the rsyslog.conf file.Do I have to add the remote server ip xx.xx.67.254 in the file? If so what is the format

rsyslog.conf.txt

However, i havent received any syslog data from the cisco device on the centralised server.I am able to ping to the cisco device and port 514 is also in LISTEN state.
Is there any other config that i am missing on any of the servers? Can you please help me fix this. Thanks

[mcapra]

There are some special considerations when listening on privileged ports like 514. The lazy solution is to run logstash as root:
https://assets.nagios.com/downloads/nag ... Server.pdf

Be sure to specify the ports when doing remote outputs and try to avoid duplicating them. I've altered the following chunk of your config file:

Code: Select all

# ### begin forwarding rule ###
# The statement between the begin ... end define a SINGLE forwarding
# rule. They belong together, do NOT split them. If you create multiple
# forwarding rules, duplicate the whole block!
# Remote Logging (we use TCP for reliable delivery)
#
# An on-disk queue is created for this action. If the remote host is
# down, messages are spooled to disk and sent when it is up again.
#$WorkDirectory /var/lib/rsyslog # where to place spool files
#$ActionQueueFileName fwdRule1 # unique name prefix for spool files
#$ActionQueueMaxDiskSpace 1g   # 1gb space limit (use as much as possible)
#$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
#$ActionQueueType LinkedList   # run asynchronously
#$ActionResumeRetryCount -1    # infinite retries if host is down
# remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
#*.* @@remote-host:514
#*.* @10.10.84.185
*.* @10.10.84.185:514

And restart the rsyslog service after making modifications.

[Avinash91]

Thanks for the reply @mcapra

I ran logstash as root user and used a dedicated port 1468 instead of the default port 514 for the CISCO device(xx.xx.67.254 ) to send syslog data.

# ### begin forwarding rule ###
# The statement between the begin ... end define a SINGLE forwarding
# rule. They belong together, do NOT split them. If you create multiple
# forwarding rules, duplicate the whole block!
# Remote Logging (we use TCP for reliable delivery)
#
# An on-disk queue is created for this action. If the remote host is
# down, messages are spooled to disk and sent when it is up again.
#$WorkDirectory /var/lib/rsyslog # where to place spool files
#$ActionQueueFileName fwdRule1 # unique name prefix for spool files
#$ActionQueueMaxDiskSpace 1g # 1gb space limit (use as much as possible)
#$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
#$ActionQueueType LinkedList # run asynchronously
#$ActionResumeRetryCount -1 # infinite retries if host is down
# remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
#*.* @@remote-host:514
*.* @@xx.xx.67.254:1468

# ### end of the forwarding rule ###

I than restarted the rsyslog service . I was still unable to see any logs from the device (xx.xx.67.254) so i then added the syslog plugin as input in the /etc/logstash/conf.d/logstash.conf file and restarted the logstash service.

syslog {
type => syslog
port => 1468
}

This is the error message in the /var/log/logstash/logstash.log

{:timestamp=>"2016-11-14T22:43:11.409000-0600", :message=>"Error: Expected one of #, => at line 24, column 14 (byte 472) after output {\n\tnagios {\n\tcommandfile "}
{:timestamp=>"2016-11-14T22:43:11.420000-0600", :message=>"You may be interested in the '--configtest' flag which you can\nuse to validate logstash's configuration before you choose\nto restart a running system."}

Could you please help me with this.

[rkennedy]

Could you please navigate to the Admin -> System Status page, and click 'Download System Profile'? Then, upload it here for us to look at.

[Avinash91]

Thanks for the reply @rkennedy

PFB the profile.


Do let me know if this could help fix the issue

[rkennedy]

You posted a Nagios XI profile, not the one for your NLS machine. Could you post the correct one?

[Avinash91]

Could you please elaborate on which profile I need to send.
Since I haven't created a nagios xi profile with the user I am running on the xx.xx83.94 server, I have sent you the nagios xi admin profile.
The nagios xi user profile also has admin privileges.

[rkennedy]

You've mentioned a rsyslog server, and a cisco device, just to get clarification here, how does this relate to Nagios? It appears you're asking for rsyslog help, and you've posted some logstash errors.

I thought you were using Nagios Log Server, but that doesn't seem to be the case.

[Avinash91]

Just to make sure we are on the same page. I am trying to view the logs from a cisco device on a centralised server by setting up rsyslog. Since that didn't help I have configured logstash to view logs from the cisco device and I am facing the error as mentioned in my previous reply. I am not using a nagios log server so I was confused when you asked for the profile.

So I would like to understand how do I setup the logging on my centralized server either using rsyslog or logstash. Please advice.

[avandemore]

If you are not using Nagios products then you should turn to your vendor for support.

We do have Nagios Log Server if you are interested in that.