Does Log Server support Netscaler?

cdienger
Support Tech
Posts: 5045
Joined: Tue Feb 07, 2017 11:26 am

Re: does Log Server support Netscaler ?

Post by cdienger »

Edit the input entry to look like:

syslog {
    type => "netscaler"
    port => "5560"
}
and then add a filter:

if [type] == 'netscaler' {
    grok {
        # Patterns are tried in order and matching stops at the first hit;
        # the last pattern is a catch-all that parses only the header.
        break_on_match => true
        match => [
            "message", "<%{POSINT:syslog_pri}> %{DATE_US}:%{TIME} GMT %{SYSLOGHOST:syslog_hostname} %{GREEDYDATA:netscaler_message} : %{DATA} %{IP:source_ip}:%{POSINT:source_port} - %{DATA} %{IP:vserver_ip}:%{POSINT:vserver_port} - %{DATA} %{IP:nat_ip}:%{POSINT:nat_port} - %{DATA} %{IP:destination_ip}:%{POSINT:destination_port} - %{DATA} %{DATE_US:DELINK_DATE}:%{TIME:DELINK_TIME} GMT - %{DATA} %{POSINT:total_bytes_sent} - %{DATA} %{POSINT:total_bytes_recv}",
            "message", "<%{POSINT:syslog_pri}> %{DATE_US}:%{TIME} GMT %{SYSLOGHOST:syslog_hostname} %{GREEDYDATA:netscaler_message} : %{DATA} %{IP:source_ip}:%{POSINT:source_port} - %{DATA} %{IP:destination_ip}:%{POSINT:destination_port} - %{DATA} %{DATE_US:START_DATE}:%{TIME:START_TIME} GMT - %{DATA} %{DATE_US:END_DATE}:%{TIME:END_TIME} GMT - %{DATA} %{POSINT:total_bytes_sent} - %{DATA} %{POSINT:total_bytes_recv}",
            "message", "<%{POSINT:syslog_pri}> %{DATE_US}:%{TIME} GMT %{SYSLOGHOST:syslog_hostname} %{GREEDYDATA:netscaler_message} : %{DATA} %{INT:netscaler_spcbid} - %{DATA} %{IP:clientip} - %{DATA} %{INT:netscaler_client_port} - %{DATA} %{IP:netscaler_vserver_ip} - %{DATA} %{INT:netscaler_vserver_port} %{GREEDYDATA:netscaler_message} - %{DATA} %{WORD:netscaler_session_type}",
            "message", "<%{POSINT:syslog_pri}> %{DATE_US}:%{TIME} GMT %{SYSLOGHOST:syslog_hostname} %{GREEDYDATA:netscaler_message}"
        ]
    }
}
This should take care of the verify problem and work better for filtering the netscaler messages. Just point the netscaler to send logs on port 5560 to NLS.
gornm565
Posts: 72
Joined: Tue Nov 15, 2016 6:11 pm

Re: does Log Server support Netscaler ?

Post by gornm565 »

I did that, verified and applied configuration. I am seeing all the "events" show up with tag _grokparsefailure_sysloginput.
What am I doing wrong?
mcapra
Posts: 3739
Joined: Thu May 05, 2016 3:54 pm

Re: does Log Server support Netscaler ?

Post by mcapra »

You might try switching from the syslog input plugin to something like tcp:

tcp {
    type => "netscaler"
    port => "5560"
}
Former Nagios employee
https://www.mcapra.com/
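
Added example, not part of the original posts: the Logstash syslog input parses the header itself and adds `_grokparsefailure_sysloginput` when that parse fails, which is why a plain tcp input plus the grok filter above behaves differently. The Python sketch below uses simplified regex stand-ins for the grok patterns (assumptions, not the grok library's definitions) and constructed sample lines to show that the header shape the thread's filter expects does not match a classic BSD-syslog header.

```python
import re

# Simplified regex stand-ins for the grok patterns used in the thread
# (approximations for illustration, not the grok library's definitions).
DATE_US = r"\d{1,2}/\d{1,2}/\d{4}"
TIME = r"\d{2}:\d{2}:\d{2}"
HOST = r"[\w.-]+"

# Header shape the thread's catch-all grok pattern expects:
# "<PRI> MM/DD/YYYY:HH:MM:SS GMT host message"
NETSCALER = re.compile(
    rf"^<(?P<syslog_pri>\d+)> {DATE_US}:{TIME} GMT "
    rf"(?P<syslog_hostname>{HOST}) (?P<netscaler_message>.*)$"
)

# Classic BSD-syslog header shape, "<PRI>Mon dd HH:MM:SS host message",
# which is what a generic syslog header parser looks for.
BSD_SYSLOG = re.compile(
    rf"^<(?P<pri>\d+)>(?P<ts>[A-Z][a-z]{{2}} +\d{{1,2}} {TIME}) "
    rf"(?P<host>{HOST}) (?P<msg>.*)$"
)

def classify(line):
    """Return (parser_name, fields) for the first header shape that matches."""
    for name, rx in (("bsd_syslog", BSD_SYSLOG), ("netscaler", NETSCALER)):
        m = rx.match(line)
        if m:
            return name, m.groupdict()
    return "unparsed", {}

def decode_pri(pri):
    """Split a syslog PRI value into (facility, severity)."""
    return divmod(int(pri), 8)

# Constructed sample lines (not captured from a real device).
SAMPLES = [
    "<134> 05/25/2018:14:03:11 GMT ns01 demo-module : sample event text",
    "<134>May 25 14:03:11 ns01 demo[101]: sample event text",
]

if __name__ == "__main__":
    for line in SAMPLES:
        name, fields = classify(line)
        print(name, fields)
```
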
gornm565
Posts: 72
Joined: Tue Nov 15, 2016 6:11 pm

Re: does Log Server support Netscaler ?

Post by gornm565 »

Shouldn't it be udp then? I think udp is the default for syslog.
mcapra wrote: You might try switching from the syslog input plugin to something like tcp:

tcp {
    type => "netscaler"
    port => "5560"
}
tmcdonald
Posts: 9117
Joined: Mon Sep 23, 2013 8:40 am

Re: does Log Server support Netscaler ?

Post by tmcdonald »

Typically yes, syslog is sent over UDP. But I have found some documentation that seems to suggest NetScaler devices may be sending over TCP - http://docs.citrix.com/en-us/netscaler/ ... yslog.html

Give it a shot, and if it does not work we can keep troubleshooting.
Former Nagios employee