Make RSYSLOG listen on default port 514?
We have a firewall which can forward rsyslog-style logs, but doesn't allow changing the port. Are there any issues if I change the Nagios Log Server config to listen on the default port (514)?
avandemore
Re: Make RSYSLOG listen on default port 514?
You should be able to follow this document here:
https://assets.nagios.com/downloads/nag ... Server.pdf
Please let us know if that resolves your issue.
Previous Nagios employee
Re: Make RSYSLOG listen on default port 514?
I did the config suggested, but it's not working: the device is sending logs, but they don't show up on the log server. Any idea on how I could check this issue?
Re: Make RSYSLOG listen on default port 514?
Please post the following things for us to review -
Code: Select all
grep -R '' /usr/local/nagioslogserver/logstash/etc/*
netstat -anp
ps -ef
Also, please attach your /etc/sysconfig/logstash file.
Former Nagios Employee
Re: Make RSYSLOG listen on default port 514?
I attached the output to this message.
Re: Make RSYSLOG listen on default port 514?
Do you have a logstash input rule for 514? I see the following input rules:
Code: Select all
input {
    tcp {
        port => 5544
        type => syslog
    }
    udp {
        port => 5544
        type => syslog
    }
    tcp {
        type => 'eventlog'
        port => 3515
        codec => json {
            charset => 'CP1252'
        }
    }
    tcp {
        type => 'import_raw'
        tags => 'import_raw'
        port => 2056
    }
    tcp {
        type => 'import_json'
        tags => 'import_json'
        port => 2057
        codec => json
    }
    syslog {
        type => 'syslog'
        port => 1514
    }
}
But I do not see an input rule listening on port 514, only 1514.
You might also try configuring the inputs as raw tcp/udp to ensure the default syslog filter isn't getting tripped up:
Code: Select all
tcp {
    port => 514
    type => syslog
}
udp {
    port => 514
    type => syslog
}
Former Nagios employee
https://www.mcapra.com/
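What the raw tcp/udp route in the post above implies: the Logstash `syslog` input on 1514 does its own RFC 3164 parsing, whereas a plain `tcp`/`udp` input hands the line to the filter chain untouched, `<PRI>` included, so the `[type] == "syslog"` grok in 500_filters.conf (shown in the grep output later in this thread) has to match it. The Python below is an added example, not Nagios or Logstash code: it reproduces that grok pattern as a regex, decodes the PRI into facility and severity, and tags a non-matching line with `_grokparsefailure` the way grok does instead of dropping it. The function names, the `FACILITIES` table and the three sample lines are mine; the samples are constructed, not captured from a real firewall.

```python
"""Parse RFC 3164-style syslog lines the way the `[type] == "syslog"` grok in
Nagios Log Server's 500_filters.conf does.  Added example, not Nagios code;
the sample lines are constructed, not captured from a real device."""
import re

# Python equivalent of the grok pattern:
#   <%{POSINT:syslog_pri}>%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname}
#   %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}
# The leading <PRI> must be present: a raw tcp/udp input delivers the line
# untouched, whereas the syslog input plugin would have consumed it itself.
SYSLOG_RE = re.compile(
    r"^<(?P<syslog_pri>\d+)>"
    r"(?P<syslog_timestamp>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<syslog_hostname>[A-Za-z0-9._:-]+) "
    r"(?P<syslog_program>.*?)(?:\[(?P<syslog_pid>\d+)\])?: "
    r"(?P<syslog_message>.*)$",
    re.DOTALL,
)

# Facility/severity names from RFC 3164 section 4.1.1 (12-15 vary by vendor).
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock"] \
             + ["local%d" % i for i in range(8)]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


def decode_pri(pri):
    """Split a PRI value into (facility, severity) names; PRI = facility*8 + severity."""
    facility, severity = divmod(pri, 8)
    if facility >= len(FACILITIES):
        raise ValueError("PRI %d out of range" % pri)
    return FACILITIES[facility], SEVERITIES[severity]


def parse_syslog(line):
    """Return the fields Logstash would produce, or the raw message tagged
    _grokparsefailure when the line does not match (as grok does on failure)."""
    line = line.rstrip("\r\n")
    m = SYSLOG_RE.match(line)
    if m is None:
        return {"message": line, "type": "syslog", "tags": ["_grokparsefailure"]}
    event = m.groupdict()
    event["message"] = line
    event["type"] = "syslog"
    event["syslog_pri"] = int(event["syslog_pri"])
    if event["syslog_pid"] is not None:
        event["syslog_pid"] = int(event["syslog_pid"])
    event["syslog_facility"], event["syslog_severity"] = decode_pri(event["syslog_pri"])
    return event


# Constructed sample lines (not real traffic): auth.crit with a PID,
# user.notice without one, and a line that arrived with no PRI header.
SAMPLE_LINES = [
    "<34>Jan  6 17:31:57 fw01 sshd[1234]: Failed password for invalid user admin "
    "from 198.51.100.7 port 50122 ssh2",
    "<13>Jan  6 17:32:01 fw01 kernel: DROP IN=eth0 SRC=203.0.113.9 DST=192.0.2.1 PROTO=TCP DPT=23",
    "Jan  6 17:32:05 fw01 relay: message forwarded without a PRI header",
]

if __name__ == "__main__":
    for raw in SAMPLE_LINES:
        ev = parse_syslog(raw)
        if "tags" in ev:
            print("UNPARSED:", ev["message"])
        else:
            print("%s.%s %s %s pid=%s: %s" % (
                ev["syslog_facility"], ev["syslog_severity"], ev["syslog_hostname"],
                ev["syslog_program"], ev["syslog_pid"], ev["syslog_message"]))
```

Run it to see the first two lines broken into fields and the third kept whole with the failure tag; that third case is what to look for in the Nagios Log Server dashboard when a device sends a format the filter does not expect, since the event is still indexed, just untagged by program and severity.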
Re: Make RSYSLOG listen on default port 514?
I have this rule on the web configuration, but maybe it's not updating somewhere?
Re: Make RSYSLOG listen on default port 514?
Let's try this:
Login to the Nagios Log Server GUI, navigate to Administration -> System Status, figure out which machine you are connected to by viewing the IP of [This instance]
From that machine, run this command:
Code: Select all
tail -f /usr/local/nagioslogserver/var/jobs.log
From the GUI session you have open, attempt to apply the configuration, check the output of the previous tail command.
After all of that, share the output of your tail command and a fresh output of grep -R '' /usr/local/nagioslogserver/logstash/etc/*
Former Nagios employee
https://www.mcapra.com/
Re: Make RSYSLOG listen on default port 514?
Output of tail -f /usr/local/nagioslogserver/var/jobs.log:
Code: Select all
Processed 0 node jobs.
Processed 0 global jobs.
tail: /usr/local/nagioslogserver/var/jobs.log: file truncated
Running command delete_snapshot with args 'a:1:{s:4:"path";s:75:"/usr/local/nagioslogserver/snapshots/applyconfig.snapshot.1469826500.tar.gz";}' for job id: AVl1Q-ikWDSCIsXnl286
SUCCESS
Running command apply_config with args 'a:2:{s:5:"sh_id";s:20:"AVl1Q-jUWDSCIsXnl2-L";s:10:"sh_created";i:1483731101;}' for job id: AVl1Q-jhWDSCIsXnl2-M
WARNING: Default JAVA_OPTS will be overridden by the JAVA_OPTS defined in the environment. Environment JAVA_OPTS are -Djava.io.tmpdir=/usr/local/nagioslogserver/tmp
SUCCESS
Processed 2 node jobs.
Processed 0 global jobs.
tail: /usr/local/nagioslogserver/var/jobs.log: file truncated
Output of grep -R '' /usr/local/nagioslogserver/logstash/etc/*:
Code: Select all
/usr/local/nagioslogserver/logstash/etc/conf.d/500_filters.conf:#
/usr/local/nagioslogserver/logstash/etc/conf.d/500_filters.conf:# Logstash Configuration File
/usr/local/nagioslogserver/logstash/etc/conf.d/500_filters.conf:# Dynamically created by Nagios Log Server
/usr/local/nagioslogserver/logstash/etc/conf.d/500_filters.conf:#
/usr/local/nagioslogserver/logstash/etc/conf.d/500_filters.conf:# DO NOT EDIT THIS FILE. IT WILL BE OVERWRITTEN.
/usr/local/nagioslogserver/logstash/etc/conf.d/500_filters.conf:#
/usr/local/nagioslogserver/logstash/etc/conf.d/500_filters.conf:# Created Fri, 06 Jan 2017 17:31:57 -0200
/usr/local/nagioslogserver/logstash/etc/conf.d/500_filters.conf:#
/usr/local/nagioslogserver/logstash/etc/conf.d/500_filters.conf:
/usr/local/nagioslogserver/logstash/etc/conf.d/500_filters.conf:#
/usr/local/nagioslogserver/logstash/etc/conf.d/500_filters.conf:# Global filters
/usr/local/nagioslogserver/logstash/etc/conf.d/500_filters.conf:#
/usr/local/nagioslogserver/logstash/etc/conf.d/500_filters.conf:
/usr/local/nagioslogserver/logstash/etc/conf.d/500_filters.conf:filter {
/usr/local/nagioslogserver/logstash/etc/conf.d/500_filters.conf: if [program] == 'apache_access' {
/usr/local/nagioslogserver/logstash/etc/conf.d/500_filters.conf: grok {
/usr/local/nagioslogserver/logstash/etc/conf.d/500_filters.conf: match => [ 'message', '%{COMBINEDAPACHELOG}']
/usr/local/nagioslogserver/logstash/etc/conf.d/500_filters.conf: }
/usr/local/nagioslogserver/logstash/etc/conf.d/500_filters.conf: date {
/usr/local/nagioslogserver/logstash/etc/conf.d/500_filters.conf: match => [ 'timestamp', 'dd/MMM/yyyy:HH:mm:ss Z' ]
/usr/local/nagioslogserver/logstash/etc/conf.d/500_filters.conf: }
/usr/local/nagioslogserver/logstash/etc/conf.d/500_filters.conf: mutate {
/usr/local/nagioslogserver/logstash/etc/conf.d/500_filters.conf: replace => [ 'type', 'apache_access' ]
/usr/local/nagioslogserver/logstash/etc/conf.d/500_filters.conf: convert => [ 'bytes', 'integer' ]
/usr/local/nagioslogserver/logstash/etc/conf.d/500_filters.conf: convert => [ 'response', 'integer' ]
/usr/local/nagioslogserver/logstash/etc/conf.d/500_filters.conf: }
/usr/local/nagioslogserver/logstash/etc/conf.d/500_filters.conf: }
/usr/local/nagioslogserver/logstash/etc/conf.d/500_filters.conf:
/usr/local/nagioslogserver/logstash/etc/conf.d/500_filters.conf: if [program] == 'apache_error' {
/usr/local/nagioslogserver/logstash/etc/conf.d/500_filters.conf: grok {
/usr/local/nagioslogserver/logstash/etc/conf.d/500_filters.conf: match => [ 'message', '\[(?<timestamp>%{DAY:day} %{MONTH:month} %{MONTHDAY} %{TIME} %{YEAR})\] \[%{WORD:class}\] \[%{WORD:originator} %{IP:clientip}\] %{GREEDYDATA:errmsg}']
/usr/local/nagioslogserver/logstash/etc/conf.d/500_filters.conf: }
/usr/local/nagioslogserver/logstash/etc/conf.d/500_filters.conf: mutate {
/usr/local/nagioslogserver/logstash/etc/conf.d/500_filters.conf: replace => [ 'type', 'apache_error' ]
/usr/local/nagioslogserver/logstash/etc/conf.d/500_filters.conf: }
/usr/local/nagioslogserver/logstash/etc/conf.d/500_filters.conf: }
/usr/local/nagioslogserver/logstash/etc/conf.d/500_filters.conf: if [type] == "syslog" {
/usr/local/nagioslogserver/logstash/etc/conf.d/500_filters.conf: grok {
/usr/local/nagioslogserver/logstash/etc/conf.d/500_filters.conf: match => { "message" => "<%{POSINT:syslog_pri}>%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }
/usr/local/nagioslogserver/logstash/etc/conf.d/500_filters.conf: }
/usr/local/nagioslogserver/logstash/etc/conf.d/500_filters.conf: if [syslog_program] == "postfix/qmgr" {
/usr/local/nagioslogserver/logstash/etc/conf.d/500_filters.conf: grok {
/usr/local/nagioslogserver/logstash/etc/conf.d/500_filters.conf: patterns_dir => ["/usr/local/nagioslogserver/logstash/vendor/bundle/jruby/1.9/gems/logstash-patterns-core-0.1.10/patterns/grok-patterns"]
/usr/local/nagioslogserver/logstash/etc/conf.d/500_filters.conf: match => [ "syslog_message", "%{POSTFIXQMGR}" ]
/usr/local/nagioslogserver/logstash/etc/conf.d/500_filters.conf: add_tag => [ "postfixqmgr", "grokked"]
/usr/local/nagioslogserver/logstash/etc/conf.d/500_filters.conf: }
/usr/local/nagioslogserver/logstash/etc/conf.d/500_filters.conf: }
/usr/local/nagioslogserver/logstash/etc/conf.d/500_filters.conf: if [syslog_program] == "postfix/smtpd" {
/usr/local/nagioslogserver/logstash/etc/conf.d/500_filters.conf: grok {
/usr/local/nagioslogserver/logstash/etc/conf.d/500_filters.conf: patterns_dir => ["/usr/local/nagioslogserver/logstash/vendor/bundle/jruby/1.9/gems/logstash-patterns-core-0.1.10/patterns/grok-patterns"]
/usr/local/nagioslogserver/logstash/etc/conf.d/500_filters.conf: match => [ "syslog_message", "%{POSTFIXSMTPD}" ]
/usr/local/nagioslogserver/logstash/etc/conf.d/500_filters.conf: add_tag => [ "postfixsmtpd", "grokked"]
/usr/local/nagioslogserver/logstash/etc/conf.d/500_filters.conf: }
/usr/local/nagioslogserver/logstash/etc/conf.d/500_filters.conf: }
/usr/local/nagioslogserver/logstash/etc/conf.d/500_filters.conf: if [syslog_program] == "postfix/smtp" {
/usr/local/nagioslogserver/logstash/etc/conf.d/500_filters.conf: grok {
/usr/local/nagioslogserver/logstash/etc/conf.d/500_filters.conf: patterns_dir => ["/usr/local/nagioslogserver/logstash/vendor/bundle/jruby/1.9/gems/logstash-patterns-core-0.1.10/patterns/grok-patterns"]
/usr/local/nagioslogserver/logstash/etc/conf.d/500_filters.conf: match => [ "syslog_message", "%{POSTFIXSMTP}" ]
/usr/local/nagioslogserver/logstash/etc/conf.d/500_filters.conf: add_tag => [ "postfixsmtp", "grokked"]
/usr/local/nagioslogserver/logstash/etc/conf.d/500_filters.conf: }
/usr/local/nagioslogserver/logstash/etc/conf.d/500_filters.conf: }
/usr/local/nagioslogserver/logstash/etc/conf.d/500_filters.conf: }
/usr/local/nagioslogserver/logstash/etc/conf.d/500_filters.conf:}
/usr/local/nagioslogserver/logstash/etc/conf.d/500_filters.conf:
/usr/local/nagioslogserver/logstash/etc/conf.d/500_filters.conf:#
/usr/local/nagioslogserver/logstash/etc/conf.d/500_filters.conf:# Local filters
/usr/local/nagioslogserver/logstash/etc/conf.d/500_filters.conf:#
/usr/local/nagioslogserver/logstash/etc/conf.d/500_filters.conf:
/usr/local/nagioslogserver/logstash/etc/conf.d/500_filters.conf:
/usr/local/nagioslogserver/logstash/etc/conf.d/000_inputs.conf:#
/usr/local/nagioslogserver/logstash/etc/conf.d/000_inputs.conf:# Logstash Configuration File
/usr/local/nagioslogserver/logstash/etc/conf.d/000_inputs.conf:# Dynamically created by Nagios Log Server
/usr/local/nagioslogserver/logstash/etc/conf.d/000_inputs.conf:#
/usr/local/nagioslogserver/logstash/etc/conf.d/000_inputs.conf:# DO NOT EDIT THIS FILE. IT WILL BE OVERWRITTEN.
/usr/local/nagioslogserver/logstash/etc/conf.d/000_inputs.conf:#
/usr/local/nagioslogserver/logstash/etc/conf.d/000_inputs.conf:# Created Fri, 06 Jan 2017 17:31:57 -0200
/usr/local/nagioslogserver/logstash/etc/conf.d/000_inputs.conf:#
/usr/local/nagioslogserver/logstash/etc/conf.d/000_inputs.conf:
/usr/local/nagioslogserver/logstash/etc/conf.d/000_inputs.conf:#
/usr/local/nagioslogserver/logstash/etc/conf.d/000_inputs.conf:# Global inputs
/usr/local/nagioslogserver/logstash/etc/conf.d/000_inputs.conf:#
/usr/local/nagioslogserver/logstash/etc/conf.d/000_inputs.conf:
/usr/local/nagioslogserver/logstash/etc/conf.d/000_inputs.conf:input {
/usr/local/nagioslogserver/logstash/etc/conf.d/000_inputs.conf: tcp {
/usr/local/nagioslogserver/logstash/etc/conf.d/000_inputs.conf: port => 5544
/usr/local/nagioslogserver/logstash/etc/conf.d/000_inputs.conf: type => syslog
/usr/local/nagioslogserver/logstash/etc/conf.d/000_inputs.conf: }
/usr/local/nagioslogserver/logstash/etc/conf.d/000_inputs.conf: udp {
/usr/local/nagioslogserver/logstash/etc/conf.d/000_inputs.conf: port => 5544
/usr/local/nagioslogserver/logstash/etc/conf.d/000_inputs.conf: type => syslog
/usr/local/nagioslogserver/logstash/etc/conf.d/000_inputs.conf: }
/usr/local/nagioslogserver/logstash/etc/conf.d/000_inputs.conf:
/usr/local/nagioslogserver/logstash/etc/conf.d/000_inputs.conf: tcp {
/usr/local/nagioslogserver/logstash/etc/conf.d/000_inputs.conf: type => 'eventlog'
/usr/local/nagioslogserver/logstash/etc/conf.d/000_inputs.conf: port => 3515
/usr/local/nagioslogserver/logstash/etc/conf.d/000_inputs.conf: codec => json {
/usr/local/nagioslogserver/logstash/etc/conf.d/000_inputs.conf: charset => 'CP1252'
/usr/local/nagioslogserver/logstash/etc/conf.d/000_inputs.conf: }
/usr/local/nagioslogserver/logstash/etc/conf.d/000_inputs.conf: }
/usr/local/nagioslogserver/logstash/etc/conf.d/000_inputs.conf: tcp {
/usr/local/nagioslogserver/logstash/etc/conf.d/000_inputs.conf: type => 'import_raw'
/usr/local/nagioslogserver/logstash/etc/conf.d/000_inputs.conf: tags => 'import_raw'
/usr/local/nagioslogserver/logstash/etc/conf.d/000_inputs.conf: port => 2056
/usr/local/nagioslogserver/logstash/etc/conf.d/000_inputs.conf: }
/usr/local/nagioslogserver/logstash/etc/conf.d/000_inputs.conf: tcp {
/usr/local/nagioslogserver/logstash/etc/conf.d/000_inputs.conf: type => 'import_json'
/usr/local/nagioslogserver/logstash/etc/conf.d/000_inputs.conf: tags => 'import_json'
/usr/local/nagioslogserver/logstash/etc/conf.d/000_inputs.conf: port => 2057
/usr/local/nagioslogserver/logstash/etc/conf.d/000_inputs.conf: codec => json
/usr/local/nagioslogserver/logstash/etc/conf.d/000_inputs.conf: }
/usr/local/nagioslogserver/logstash/etc/conf.d/000_inputs.conf: syslog {
/usr/local/nagioslogserver/logstash/etc/conf.d/000_inputs.conf: type => 'syslog'
/usr/local/nagioslogserver/logstash/etc/conf.d/000_inputs.conf: port => 1514
/usr/local/nagioslogserver/logstash/etc/conf.d/000_inputs.conf: }
/usr/local/nagioslogserver/logstash/etc/conf.d/000_inputs.conf: tcp {
/usr/local/nagioslogserver/logstash/etc/conf.d/000_inputs.conf: port => 514
/usr/local/nagioslogserver/logstash/etc/conf.d/000_inputs.conf: type => syslog
/usr/local/nagioslogserver/logstash/etc/conf.d/000_inputs.conf: }
/usr/local/nagioslogserver/logstash/etc/conf.d/000_inputs.conf: udp {
/usr/local/nagioslogserver/logstash/etc/conf.d/000_inputs.conf: port => 514
/usr/local/nagioslogserver/logstash/etc/conf.d/000_inputs.conf: type => syslog
/usr/local/nagioslogserver/logstash/etc/conf.d/000_inputs.conf: }
/usr/local/nagioslogserver/logstash/etc/conf.d/000_inputs.conf:
/usr/local/nagioslogserver/logstash/etc/conf.d/000_inputs.conf:}
/usr/local/nagioslogserver/logstash/etc/conf.d/000_inputs.conf:
/usr/local/nagioslogserver/logstash/etc/conf.d/000_inputs.conf:#
/usr/local/nagioslogserver/logstash/etc/conf.d/000_inputs.conf:# Local inputs
/usr/local/nagioslogserver/logstash/etc/conf.d/000_inputs.conf:#
/usr/local/nagioslogserver/logstash/etc/conf.d/000_inputs.conf:
/usr/local/nagioslogserver/logstash/etc/conf.d/000_inputs.conf:
/usr/local/nagioslogserver/logstash/etc/conf.d/999_outputs.conf:#
/usr/local/nagioslogserver/logstash/etc/conf.d/999_outputs.conf:# Logstash Configuration File
/usr/local/nagioslogserver/logstash/etc/conf.d/999_outputs.conf:# Dynamically created by Nagios Log Server
/usr/local/nagioslogserver/logstash/etc/conf.d/999_outputs.conf:#
/usr/local/nagioslogserver/logstash/etc/conf.d/999_outputs.conf:# DO NOT EDIT THIS FILE. IT WILL BE OVERWRITTEN.
/usr/local/nagioslogserver/logstash/etc/conf.d/999_outputs.conf:#
/usr/local/nagioslogserver/logstash/etc/conf.d/999_outputs.conf:# Created Fri, 06 Jan 2017 17:31:57 -0200
/usr/local/nagioslogserver/logstash/etc/conf.d/999_outputs.conf:#
/usr/local/nagioslogserver/logstash/etc/conf.d/999_outputs.conf:
/usr/local/nagioslogserver/logstash/etc/conf.d/999_outputs.conf:#
/usr/local/nagioslogserver/logstash/etc/conf.d/999_outputs.conf:# Required output for Nagios Log Server
/usr/local/nagioslogserver/logstash/etc/conf.d/999_outputs.conf:#
/usr/local/nagioslogserver/logstash/etc/conf.d/999_outputs.conf:
/usr/local/nagioslogserver/logstash/etc/conf.d/999_outputs.conf:output {
/usr/local/nagioslogserver/logstash/etc/conf.d/999_outputs.conf: elasticsearch {
/usr/local/nagioslogserver/logstash/etc/conf.d/999_outputs.conf: cluster => '155bf3a6-eb50-41aa-8f41-112a4db21fc6'
/usr/local/nagioslogserver/logstash/etc/conf.d/999_outputs.conf: host => 'localhost'
/usr/local/nagioslogserver/logstash/etc/conf.d/999_outputs.conf: document_type => '%{type}'
/usr/local/nagioslogserver/logstash/etc/conf.d/999_outputs.conf: node_name => '6a7ce4ea-e1b9-47a1-af18-1c4d47243d20'
/usr/local/nagioslogserver/logstash/etc/conf.d/999_outputs.conf: protocol => 'transport'
/usr/local/nagioslogserver/logstash/etc/conf.d/999_outputs.conf: workers => 4
/usr/local/nagioslogserver/logstash/etc/conf.d/999_outputs.conf: }
/usr/local/nagioslogserver/logstash/etc/conf.d/999_outputs.conf:}
/usr/local/nagioslogserver/logstash/etc/conf.d/999_outputs.conf:
/usr/local/nagioslogserver/logstash/etc/conf.d/999_outputs.conf:#
/usr/local/nagioslogserver/logstash/etc/conf.d/999_outputs.conf:# Global outputs
/usr/local/nagioslogserver/logstash/etc/conf.d/999_outputs.conf:#
/usr/local/nagioslogserver/logstash/etc/conf.d/999_outputs.conf:
/usr/local/nagioslogserver/logstash/etc/conf.d/999_outputs.conf:
/usr/local/nagioslogserver/logstash/etc/conf.d/999_outputs.conf:
/usr/local/nagioslogserver/logstash/etc/conf.d/999_outputs.conf:#
/usr/local/nagioslogserver/logstash/etc/conf.d/999_outputs.conf:# Local outputs
/usr/local/nagioslogserver/logstash/etc/conf.d/999_outputs.conf:#
/usr/local/nagioslogserver/logstash/etc/conf.d/999_outputs.conf:
/usr/local/nagioslogserver/logstash/etc/conf.d/999_outputs.conf:
Re: Make RSYSLOG listen on default port 514?
I see the 514 inputs in the Logstash configuration now and it appears as though the apply config job ran successfully.
Are you receiving the expected events on 514 now? If not, can you share the output of the following commands (you may need to yum install nmap):
Code: Select all
netstat -an
nmap localhost -p 514
Former Nagios employee
https://www.mcapra.com/
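Once the 514 inputs are in the generated config and the apply job reports SUCCESS, two things remain to check: did Logstash actually bind the ports, and does a message get through. A few caveats a practitioner would want alongside the netstat/nmap commands above: `nmap localhost -p 514` probes TCP only, so add `-sU` to see the UDP listener; ports below 1024 are privileged on Linux, so the Logstash process needs root or CAP_NET_BIND_SERVICE to bind 514 and a bind failure shows in the Logstash log rather than in netstat; and a host firewall (iptables/firewalld) on the Log Server must permit 514 from the sending device. The Python below is an added example, not Nagios code: it parses `netstat -an` output for listeners on a port, distinguishing TCP sockets in LISTEN from UDP sockets (which have no state column), then sends an RFC 3164 test message over UDP and TCP. The netstat text is constructed for illustration, and the loopback self-check uses an ephemeral port because binding 514 itself would need root. The function names and the target host on the command line are mine.

```python
"""Verify that a syslog listener on the Nagios Log Server host is really bound
and reachable: parse `netstat -an` output for a port, then push a test message
over UDP and TCP.  Added example, not Nagios code; the netstat excerpt below is
constructed for illustration."""
import socket
import subprocess
import sys

# Constructed `netstat -an` excerpt: tcp and udp listeners on 514, tcp6 on 1514,
# plus an established 514 session that is not a listener.
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:514             0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:514            10.0.0.9:41422          ESTABLISHED
tcp6       0      0 :::1514                 :::*                    LISTEN
udp        0      0 0.0.0.0:514             0.0.0.0:*
udp        0      0 0.0.0.0:5544            0.0.0.0:*
"""


def listeners_for_port(netstat_output, port):
    """Return [(proto, local_address)] for sockets listening on `port`.
    TCP sockets count only in LISTEN state; UDP sockets have no state column."""
    found = []
    for line in netstat_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or not fields[0].startswith(("tcp", "udp")):
            continue
        proto, local = fields[0], fields[3]
        state = fields[5] if len(fields) > 5 else ""
        if local.rsplit(":", 1)[-1] != str(port):
            continue
        if proto.startswith("udp") or state == "LISTEN":
            found.append((proto, local))
    return found


def build_syslog_message(facility, severity, hostname, program, text):
    """Minimal RFC 3164 line; PRI = facility*8 + severity."""
    return "<%d>Jan  6 17:40:00 %s %s: %s" % (facility * 8 + severity, hostname, program, text)


def send_test_syslog(host, port, proto, message):
    """Send one message; TCP frames it with a trailing newline as rsyslog does."""
    data = (message + "\n").encode()
    if proto == "udp":
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.sendto(data, (host, port))
    else:
        with socket.create_connection((host, port), timeout=3) as s:
            s.sendall(data)


def loopback_roundtrip(proto, message):
    """Self-check on an ephemeral 127.0.0.1 port (binding 514 itself needs root
    or CAP_NET_BIND_SERVICE): returns the text a listener would receive."""
    kind = socket.SOCK_DGRAM if proto == "udp" else socket.SOCK_STREAM
    with socket.socket(socket.AF_INET, kind) as srv:
        srv.settimeout(3)
        srv.bind(("127.0.0.1", 0))
        port = srv.getsockname()[1]
        if proto == "tcp":
            srv.listen(1)
        send_test_syslog("127.0.0.1", port, proto, message)
        if proto == "udp":
            data, _ = srv.recvfrom(4096)
        else:
            conn, _ = srv.accept()
            with conn:
                conn.settimeout(3)
                data = b""
                while not data.endswith(b"\n"):
                    chunk = conn.recv(4096)
                    if not chunk:
                        break
                    data += chunk
    return data.decode().rstrip("\n")


if __name__ == "__main__":
    # Optional argument: the Log Server address to send a real test message to.
    target = sys.argv[1] if len(sys.argv) > 1 else None
    try:  # use the live netstat when available, the constructed sample otherwise
        netstat = subprocess.run(["netstat", "-an"], capture_output=True, text=True).stdout
    except OSError:
        netstat = SAMPLE_NETSTAT
    print("listeners on 514:", listeners_for_port(netstat, 514))
    msg = build_syslog_message(4, 6, "fw01", "nls-test", "test message to port 514")
    for proto in ("udp", "tcp"):
        print("loopback %s ok: %s" % (proto, loopback_roundtrip(proto, msg) == msg))
        if target:
            send_test_syslog(target, 514, proto, msg)
            print("sent over %s to %s:514" % (proto, target))
```

Run it with the Log Server address as the argument from the sending side of the firewall, then search the dashboard for program `nls-test`: a message that arrives over TCP but not UDP (or vice versa) points at the firewall or at a missing input, while a message that arrives on neither even though netstat shows both listeners points at host firewall rules on the Log Server.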