added syslog from a linux server and added a new raw log input from the same linux serer reading custom logs.
Followed the trouble shooting from here:
https://support.nagios.com/kb/article.p ... ategory=42
Here is tcpdump event:
07:10:44.206958 IP 184.150.227.68.37299 > ls.domain.com.5544: Flags [P.], seq 26832:28160, ack 1, win 229, options [nop,nop,TS val 3207067991 ecr 2393396913], length 1328
07:10:44.206980 IP ls.domain.com.5544 > 184.150.227.68.37299: Flags [.], ack 28160, win 853, options [nop,nop,TS val 2393396981 ecr 3207067991], length 0
nothing is making into the dashboard.
Some logs appeared 12 hours ago for 15min, but nothing since then.
Thoughts?
not seeing any events in the dashboard
Re: not seeing any events in the dashboard
Is that the full output of the tcpdump? Seems pretty slim. Can you let the tcpdump run, and then restart rsyslog on the source Linux machine?
As of May 25th, 2018, all communications with Nagios Enterprises and its employees are covered under our new Privacy Policy.
Be sure to check out our Knowledgebase for helpful articles and solutions!
Be sure to check out our Knowledgebase for helpful articles and solutions!
Re: not seeing any events in the dashboard
restarted rsyslog:
[root@server rsyslog.d]# service rsyslog restart
Shutting down system logger: [ OK ]
Starting system logger: rsyslogd: module 'imfile' already in this config, cannot be added [v8.1908.0 try https://www.rsyslog.com/e/2221 ]
rsyslogd: module 'imfile' already in this config, cannot be added [v8.1908.0 try https://www.rsyslog.com/e/2221 ]
[ OK ]
[root@server rsyslog.d]#
Lots of packets seen at the LS server:
16:56:51.533772 IP 222.150.227.12.48322 > ls.domain.com.2060: Flags , seq 1110731601, win 14600, options [mss 1460,sackOK,TS val 3242235187 ecr 0,nop,wscale 6], length 0
16:56:51.533802 IP ls.domain.com.2060 > 222.150.227.12.48322: Flags [S.], seq 4126277604, ack 1110731602, win 21247, options [mss 8961,sackOK,TS val 2428565147 ecr 3242235187,nop,wscale 7], length 0
16:56:51.551232 IP 222.150.227.12.37835 > ls.domain.com.5544: Flags , seq 1881137469, win 14600, options [mss 1460,sackOK,TS val 3242235217 ecr 0,nop,wscale 6], length 0
16:56:51.551248 IP ls.domain.com.5544 > 222.150.227.12.37835: Flags [S.], seq 1810750712, ack 1881137470, win 21247, options [mss 8961,sackOK,TS val 2428565165 ecr 3242235217,nop,wscale 7], length 0
16:56:51.612350 IP 222.150.227.12.48322 > ls.domain.com.2060: Flags [.], ack 1, win 229, options [nop,nop,TS val 3242235267 ecr 2428565147], length 0
16:56:51.612913 IP 222.150.227.12.48322 > ls.domain.com.2060: Flags [P.], seq 1:779, ack 1, win 229, options [nop,nop,TS val 3242235267 ecr 2428565147], length 778
16:56:51.612925 IP ls.domain.com.2060 > 222.150.227.12.48322: Flags [.], ack 779, win 222, options [nop,nop,TS val 2428565227 ecr 3242235267], length 0
16:56:51.613706 IP 222.150.227.12.48322 > ls.domain.com.2060: Flags [.], seq 779:3675, ack 1, win 229, options [nop,nop,TS val 3242235212 ecr 2428565147], length 2896
16:56:51.613723 IP ls.domain.com.2060 > 222.150.227.12.48322: Flags [.], ack 3675, win 212, options [nop,nop,TS val 2428565227 ecr 3242235212], length 0
16:56:51.614296 IP 222.150.227.12.48322 > ls.domain.com.2060: Flags [.], seq 3675:5123, ack 1, win 229, options [nop,nop,TS val 3242235212 ecr 2428565147], length 1448
16:56:51.614310 IP ls.domain.com.2060 > 222.150.227.12.48322: Flags [.], ack 5123, win 290, options [nop,nop,TS val 2428565228 ecr 3242235212], length 0
16:56:51.614378 IP 222.150.227.12.48322 > ls.domain.com.2060: Flags [.], seq 5123:10915, ack 1, win 229, options [nop,nop,TS val 3242235212 ecr 2428565147], length 5792
16:56:51.614391 IP ls.domain.com.2060 > 222.150.227.12.48322: Flags [.], ack 10915, win 381, options [nop,nop,TS val 2428565228 ecr 3242235212], length 0
16:56:51.614395 IP 222.150.227.12.48322 > ls.domain.com.2060: Flags [.], seq 10915:12363, ack 1, win 229, options [nop,nop,TS val 3242235212 ecr 2428565147], length 1448
16:56:51.614397 IP ls.domain.com.2060 > 222.150.227.12.48322: Flags [.], ack 12363, win 403, options [nop,nop,TS val 2428565228 ecr 3242235212], length 0
16:56:51.618358 IP 222.150.227.12.37835 > ls.domain.com.5544: Flags [.], ack 1, win 229, options [nop,nop,TS val 3242235284 ecr 2428565165], length 0
16:56:51.618384 IP 222.150.227.12.37835 > ls.domain.com.5544: Flags [P.], seq 1:61, ack 1, win 229, options [nop,nop,TS val 3242235284 ecr 2428565165], length 60
16:56:51.618389 IP ls.domain.com.5544 > 222.150.227.12.37835: Flags [.], ack 61, win 210, options [nop,nop,TS val 2428565232 ecr 3242235284], length 0
16:56:51.622233 IP 222.150.227.12.37835 > ls.domain.com.5544: Flags [.], seq 61:1509, ack 1, win 229, options [nop,nop,TS val 3242235284 ecr 2428565165], length 1448
16:56:51.622248 IP ls.domain.com.5544 > 222.150.227.12.37835: Flags [.], ack 1509, win 233, options [nop,nop,TS val 2428565232 ecr 3242235284], length 0
16:56:51.622298 IP 222.150.227.12.37835 > ls.domain.com.5544: Flags [.], seq 1509:4405, ack 1, win 229, options [nop,nop,TS val 3242235284 ecr 2428565165], length 2896
16:56:51.618505 IP ls.domain.com.5544 > 222.150.227.12.37835: Flags [.], ack 4405, win 278, options [nop,nop,TS val 2428565232 ecr 3242235284], length 0
16:56:51.618523 IP 222.150.227.12.37835 > ls.domain.com.5544: Flags [.], seq 4405:7301, ack 1, win 229, options [nop,nop,TS val 3242235284 ecr 2428565165], length 2896
[root@server rsyslog.d]# service rsyslog restart
Shutting down system logger: [ OK ]
Starting system logger: rsyslogd: module 'imfile' already in this config, cannot be added [v8.1908.0 try https://www.rsyslog.com/e/2221 ]
rsyslogd: module 'imfile' already in this config, cannot be added [v8.1908.0 try https://www.rsyslog.com/e/2221 ]
[ OK ]
[root@server rsyslog.d]#
Lots of packets seen at the LS server:
16:56:51.533772 IP 222.150.227.12.48322 > ls.domain.com.2060: Flags , seq 1110731601, win 14600, options [mss 1460,sackOK,TS val 3242235187 ecr 0,nop,wscale 6], length 0
16:56:51.533802 IP ls.domain.com.2060 > 222.150.227.12.48322: Flags [S.], seq 4126277604, ack 1110731602, win 21247, options [mss 8961,sackOK,TS val 2428565147 ecr 3242235187,nop,wscale 7], length 0
16:56:51.551232 IP 222.150.227.12.37835 > ls.domain.com.5544: Flags , seq 1881137469, win 14600, options [mss 1460,sackOK,TS val 3242235217 ecr 0,nop,wscale 6], length 0
16:56:51.551248 IP ls.domain.com.5544 > 222.150.227.12.37835: Flags [S.], seq 1810750712, ack 1881137470, win 21247, options [mss 8961,sackOK,TS val 2428565165 ecr 3242235217,nop,wscale 7], length 0
16:56:51.612350 IP 222.150.227.12.48322 > ls.domain.com.2060: Flags [.], ack 1, win 229, options [nop,nop,TS val 3242235267 ecr 2428565147], length 0
16:56:51.612913 IP 222.150.227.12.48322 > ls.domain.com.2060: Flags [P.], seq 1:779, ack 1, win 229, options [nop,nop,TS val 3242235267 ecr 2428565147], length 778
16:56:51.612925 IP ls.domain.com.2060 > 222.150.227.12.48322: Flags [.], ack 779, win 222, options [nop,nop,TS val 2428565227 ecr 3242235267], length 0
16:56:51.613706 IP 222.150.227.12.48322 > ls.domain.com.2060: Flags [.], seq 779:3675, ack 1, win 229, options [nop,nop,TS val 3242235212 ecr 2428565147], length 2896
16:56:51.613723 IP ls.domain.com.2060 > 222.150.227.12.48322: Flags [.], ack 3675, win 212, options [nop,nop,TS val 2428565227 ecr 3242235212], length 0
16:56:51.614296 IP 222.150.227.12.48322 > ls.domain.com.2060: Flags [.], seq 3675:5123, ack 1, win 229, options [nop,nop,TS val 3242235212 ecr 2428565147], length 1448
16:56:51.614310 IP ls.domain.com.2060 > 222.150.227.12.48322: Flags [.], ack 5123, win 290, options [nop,nop,TS val 2428565228 ecr 3242235212], length 0
16:56:51.614378 IP 222.150.227.12.48322 > ls.domain.com.2060: Flags [.], seq 5123:10915, ack 1, win 229, options [nop,nop,TS val 3242235212 ecr 2428565147], length 5792
16:56:51.614391 IP ls.domain.com.2060 > 222.150.227.12.48322: Flags [.], ack 10915, win 381, options [nop,nop,TS val 2428565228 ecr 3242235212], length 0
16:56:51.614395 IP 222.150.227.12.48322 > ls.domain.com.2060: Flags [.], seq 10915:12363, ack 1, win 229, options [nop,nop,TS val 3242235212 ecr 2428565147], length 1448
16:56:51.614397 IP ls.domain.com.2060 > 222.150.227.12.48322: Flags [.], ack 12363, win 403, options [nop,nop,TS val 2428565228 ecr 3242235212], length 0
16:56:51.618358 IP 222.150.227.12.37835 > ls.domain.com.5544: Flags [.], ack 1, win 229, options [nop,nop,TS val 3242235284 ecr 2428565165], length 0
16:56:51.618384 IP 222.150.227.12.37835 > ls.domain.com.5544: Flags [P.], seq 1:61, ack 1, win 229, options [nop,nop,TS val 3242235284 ecr 2428565165], length 60
16:56:51.618389 IP ls.domain.com.5544 > 222.150.227.12.37835: Flags [.], ack 61, win 210, options [nop,nop,TS val 2428565232 ecr 3242235284], length 0
16:56:51.622233 IP 222.150.227.12.37835 > ls.domain.com.5544: Flags [.], seq 61:1509, ack 1, win 229, options [nop,nop,TS val 3242235284 ecr 2428565165], length 1448
16:56:51.622248 IP ls.domain.com.5544 > 222.150.227.12.37835: Flags [.], ack 1509, win 233, options [nop,nop,TS val 2428565232 ecr 3242235284], length 0
16:56:51.622298 IP 222.150.227.12.37835 > ls.domain.com.5544: Flags [.], seq 1509:4405, ack 1, win 229, options [nop,nop,TS val 3242235284 ecr 2428565165], length 2896
16:56:51.618505 IP ls.domain.com.5544 > 222.150.227.12.37835: Flags [.], ack 4405, win 278, options [nop,nop,TS val 2428565232 ecr 3242235284], length 0
16:56:51.618523 IP 222.150.227.12.37835 > ls.domain.com.5544: Flags [.], seq 4405:7301, ack 1, win 229, options [nop,nop,TS val 3242235284 ecr 2428565165], length 2896
Re: not seeing any events in the dashboard
Looking at nagiosLS GUI:
I see some packets appearing in the GUI.
import_raw <133>Sep 13 10:55:52 server OCS_CALLED_TAG: # 2019/09/13 09:58:58
I dont see anything before and after the initial restart.
Thanks
I see some packets appearing in the GUI.
import_raw <133>Sep 13 10:55:52 server OCS_CALLED_TAG: # 2019/09/13 09:58:58
I dont see anything before and after the initial restart.
Thanks
Re: not seeing any events in the dashboard
I'm seeing a couple of errors when rsyslogd is restarted. Can you just run a service rsyslog status just to make sure it's running.
Then if you could send me the configuration files in /etc/rsyslog.d/, as well as a system profile from Log Server, that would be great.
Then if you could send me the configuration files in /etc/rsyslog.d/, as well as a system profile from Log Server, that would be great.
As of May 25th, 2018, all communications with Nagios Enterprises and its employees are covered under our new Privacy Policy.
Be sure to check out our Knowledgebase for helpful articles and solutions!
Be sure to check out our Knowledgebase for helpful articles and solutions!
Re: not seeing any events in the dashboard
I PMed the files you asked for.
I am just checking in
Thanks
I am just checking in
Thanks
Re: not seeing any events in the dashboard
My apologies for the delay. I've PM'd you a zip file with rsyslog config files. Everything looked good, except the configs. It looks like you had 3 logs you were trying to get to Log Server. 2 of those were doubled up, having their own configuration files, as well as an entry in 99-nagioslogserver.conf. There was also conflicting information between those configurations. I'm not sure if that's the source of the problem, but it's certainly not helping.
In the new configuration files I sent, I have the logs going to Log Server by host name, rather than IP. They're also going to port 2060. If you'd rather they go to the syslog port, then you will have to change the port in the config files to 5544.
In the new configuration files I sent, I have the logs going to Log Server by host name, rather than IP. They're also going to port 2060. If you'd rather they go to the syslog port, then you will have to change the port in the config files to 5544.
As of May 25th, 2018, all communications with Nagios Enterprises and its employees are covered under our new Privacy Policy.
Be sure to check out our Knowledgebase for helpful articles and solutions!
Be sure to check out our Knowledgebase for helpful articles and solutions!
Re: not seeing any events in the dashboard
chekcing
no PM in my INBOX.
Thanks
no PM in my INBOX.
Thanks
Re: not seeing any events in the dashboard
Okay should be there now. I tried sending as code blocks rather than a zip.
As of May 25th, 2018, all communications with Nagios Enterprises and its employees are covered under our new Privacy Policy.
Be sure to check out our Knowledgebase for helpful articles and solutions!
Be sure to check out our Knowledgebase for helpful articles and solutions!