ERROR: rsyslog configuration check failed.

[Kumar_pinkesh]

output is below :

# rsyslogd -f /etc/rsyslog.conf -N 1

rsyslogd: invalid option -- N
usage: rsyslogd [-46AdhqQvw] [-l hostlist] [-m markinterval] [-n] [-p path]
[-s domainlist] [-r[port]] [-tport[,max-sessions]] [-gport[,max-sessions]] [-f conffile] [-i pidfile] [-x]

[cdienger]

I've attached a script that has the "-N 1" option removed since it doesn't appear your version of rsyslog supports it.

[Kumar_pinkesh]

I have removed "N -1" and tested still same error

# bash setup-linux.sh -s 172.50.50.6 -p 5544

Detected rsyslog 2.0.6
Detected rsyslog work directory /var/spool/rsyslog
Destination Log Server: 172.25.25.6:5544
Creating /etc/rsyslog.d/99-nagioslogserver.conf. . .

Code: Select all

ERROR: rsyslog configuration check failed.

[cdienger]

Try this instead. The previous one was failing because it was trying to start an already running service. This one comments out the section responsible for the check.

[Kumar_pinkesh]

Now I have upgraded the rsyslog version from 2.0.6 to 3.22.1 and now

Code: Select all

setup-Linux.sh

file execution is successful.

But still I cant see the logs on nagios log server and same time if I am checking port status for server

Code: Select all

5544

as well as client

Code: Select all

514

, both are unused/free.


# bash setup-linux.sh -s 172.50.50.6 -p 5544

Detected rsyslog 3.22.1
Detected rsyslog work directory /var/spool/rsyslog
Destination Log Server: 172.50.50.6:5544
Creating /etc/rsyslog.d/99-nagioslogserver.conf...
rsyslog configuration check passed.
Restarting rsyslog service with 'service'...
Shutting down system logger: [ OK ]
Starting system logger: [ OK ]
Okay.
rsyslog is running with the new configuration.
Visit your Nagios Log Server dashboard to verify that logs are being received.


# netstat -an | grep 5544 : port is free , no connection established

# netstat -an | grep 514 : port is free , no connection established

[cdienger]

Glad to hear you were able to get that upgraded

Verify that you have an input that is active and configured to use 5544 under Administration > Global Configuration. There should be a default input that looks like:

syslog {
type => 'syslog'
port => 5544
}

On the same page you'll see a Verify button. Click that to make sure the config is ok.

Finally, try running:

Code: Select all

 tail -f /var/log/logstash/logstash.log 

while on another terminal restarting the logstash service:

Code: Select all

service logstash restart

Take note of any errors this may log in the logstash.log.

[Kumar_pinkesh]

configuration on log server is fine and verification is also ok.

syslog {
type => 'syslog'
port => 5544
}

After service logstash restart , i can see below logs :

{:timestamp=>"2017-07-10T12:52:42.970000+0000", :message=>"Received an event that has a different character encoding than you configured.", :text=>"\\xFF\\xED\\xFF\\xFD\\u0006\\xFF\\xED\\xFF\\xFD\\u0006\\xFF\\xED\\xFF\\xFD\\u0006\\xFF\\xED\\xFF\\xFD\\u0006\\xFF\\xED\\xFF\\xFD\\u0006\\xFF\\xED\\xFF\\xFD\\u0006\\xFF\\xED\\xFF\\xFD\\u0006", :expected_charset=>"UTF-8", :level=>:warn}
{:timestamp=>"2017-07-17T06:45:39.986000+0000", :message=>"SIGTERM received. Shutting down the pipeline.", :level=>:warn}


But still same issue , logs are not moving to log server. And 5544 port status is not in use as well.

[mcapra]

What sorts of machines are you having send their logs to Nagios Log Server currently?

Are any of these machines using an encoding other than:

For Linux:

• UTF-8

For Windows:

• CP-1252

Typically that errors shows up on non-English Windows systems, in which case you need to tell your Nagios Log Server configuration which encoding to expect when it receives the event. Here's an old post with more on that topic including how to figure out which encoding your Windows environment is using:
https://support.nagios.com/forum/viewto ... 14#p219978

[Kumar_pinkesh]

all servers having encoding method : UTF-8 only.

Here when I tried to telnet 5544 from client machine then connection go established and same host can be seen on dashboard .and logs also can be found.

but as per the normal process , automatically log server should listen the port and connection shouldd be established then only log will move, not using telnet.

[cdienger]

There could be another machine sending to this port.

Try reconfiguring /etc/rsyslog.d/99-nagioslogserver.conf. . . to use port 5545 instead and add a source on NLS under Administration > Global > Global Configuration > Inputs, that looks like:

syslog {
type => 'syslog'
port => 5545
}