Cisco Switch Logs

ssavaso · Post by **ssavaso** » Tue Mar 31, 2015 1:28 pm

Not receiving logs from Cisco Switch. I followed the link below for step one:

http://assets.nagios.com/downloads/nagi ... Server.pdf

Then I added the following:

syslog {
type => 'syslog'
port => 514
}

Still not seeing any logs from my switch which I configured with:

logging trap debugging
logging source-interface Vlan11
logging 10.x.x.x (IP address of Log server)

I can ping the log server from the switch.
SWT#ping 10.x.x.x

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.x.x.x, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
SWT#

jolson · Post by **jolson** » Tue Mar 31, 2015 1:33 pm

Hello,

Have you followed this document? http://assets.nagios.com/downloads/nagi ... Server.pdf

You will need to setup Logstash to run as root - otherwise it cannot listen on ports below 1024. Thank you!

Best,

Jesse

ssavaso · Post by **ssavaso** » Tue Mar 31, 2015 1:54 pm

Yes I followed step 1 in the document. How can I verify this action took effect?

ssavaso · Post by **ssavaso** » Tue Mar 31, 2015 2:10 pm

Also just noticed that I have the following message with a red ! point at the top saying "Log Collector (logstach) is stopped". I clicked on that and started it but it comes back stopped again.

jolson · Post by **jolson** » Tue Mar 31, 2015 2:17 pm

To verify that Logstash is running as root, please run the following command:

Code: Select all

ps aux | grep logstash |egrep -v "grep"|grep java

The output should look something like the following:

nagios 30791 0.6 10.9 1572788 224224 ? SNsl Mar26 48:37 /usr/bin/java -Djava.io.tmpdir=/usr/local/nagioslogserver/tmp -Xmx500m -XX:+UseParNewGC -XX:+UseConcMarkSweepGC -Djava.awt.headless=true -XX:CMSInitiatingOccupancyFraction=75 -XX:+UseCMSInitiatingOccupancyOnly -jar /usr/local/nagioslogserver/logstash/vendor/jar/jruby-complete-1.7.11.jar -I/usr/local/nagioslogserver/logstash/lib /usr/local/nagioslogserver/logstash/lib/logstash/runner.rb agent -f /usr/local/nagioslogserver/logstash/etc/conf.d -l /var/log/logstash/logstash.log -w 4

Please note the running user in the upper-left corner of the log. My running-user is nagios. Thanks!

ssavaso · Post by **ssavaso** » Tue Mar 31, 2015 3:09 pm

[root@localhost ~]# ps aux | grep logstash |egrep -v "grep"|grep java
[root@localhost ~]#

jolson · Post by **jolson** » Tue Mar 31, 2015 3:11 pm

Is Logstash running?

Code: Select all

service logstash status

If not - please start it:

Code: Select all

service logstash start

Retry the grep command:

Code: Select all

ps aux | grep logstash |egrep -v "grep"|grep java

Thank you!

ssavaso · Post by **ssavaso** » Tue Mar 31, 2015 3:14 pm

[root@localhost ~]# ps aux | grep logstash |egrep -v "grep"|grep java
root 1746 96.5 6.0 1490032 124576 pts/0 SNl 16:14 0:11 /usr/bin/java -Djava.io.tmpdir=/usr/local/nagioslogserver/tmp -Xmx500m -XX:+UseParNewGC -XX:+UseConcMarkSweepGC -Djava.awt.headless=true -XX:CMSInitiatingOccupancyFraction=75 -XX:+UseCMSInitiatingOccupancyOnly -jar /usr/local/nagioslogserver/logstash/vendor/jar/jruby-complete-1.7.11.jar -I/usr/local/nagioslogserver/logstash/lib /usr/local/nagioslogserver/logstash/lib/logstash/runner.rb agent -f /usr/local/nagioslogserver/logstash/etc/conf.d -l /var/log/logstash/logstash.log -w 4
[root@localhost ~]# ps aux | grep logstash |egrep -v "grep"|grep java
[root@localhost ~]# ps aux | grep logstash |egrep -v "grep"|grep java
[root@localhost ~]# ps aux | grep logstash |egrep -v "grep"|grep java
[root@localhost ~]# ps aux | grep logstash |egrep -v "grep"|grep java
[root@localhost ~]# ps aux | grep logstash |egrep -v "grep"|grep java
[root@localhost ~]#

jolson · Post by **jolson** » Tue Mar 31, 2015 3:17 pm

Are there any hints why logstash may be failing?

Code: Select all

tail /var/log/logstash/logstash.log

You will need to follow step 2 of the document as well.

2. Use setcap
the second option will preserve logstash running as the nagios user, however it should be pointed out that this method may be less
secure in some environments as it will allow any java process to listen on
privileged ports. To use this method, run the following
commands:
#
echo -e "\nsetcap 'cap_net_bind_service=+ep' \$(readlink -f \$(which java))" >> \
/etc/sysconfig/logstash
#
service logstash restart
The “Logstash is currently collecting” banner on the Admin Overview page may be briefly unavailable while logstash restarts.

ssavaso · Post by **ssavaso** » Tue Mar 31, 2015 3:39 pm

[root@localhost ~]# ps aux | grep logstash |egrep -v "grep"|grep java
root 4003 94.2 5.7 1388640 119020 ? SNl 16:34 0:13 /usr/bin/java -Djava.io.tmpdir=/usr/local/nagioslogserver/tmp -Xmx500m -XX:+UseParNewGC -XX:+UseConcMarkSweepGC -Djava.awt.headless=true -XX:CMSInitiatingOccupancyFraction=75 -XX:+UseCMSInitiatingOccupancyOnly -jar /usr/local/nagioslogserver/logstash/vendor/jar/jruby-complete-1.7.11.jar -I/usr/local/nagioslogserver/logstash/lib /usr/local/nagioslogserver/logstash/lib/logstash/runner.rb agent -f /usr/local/nagioslogserver/logstash/etc/conf.d -l /var/log/logstash/logstash.log -w 4
[root@localhost ~]# ps aux | grep logstash |egrep -v "grep"|grep java
[root@localhost ~]#

It stopped again.

[root@localhost ~]# tail /var/log/logstash/logstash.log
[root@localhost ~]#

tail produces nothing.

Nagios Support Forum

Cisco Switch Logs

Cisco Switch Logs

Re: Cisco Switch Logs

Re: Cisco Switch Logs

Re: Cisco Switch Logs

Re: Cisco Switch Logs

Re: Cisco Switch Logs

Re: Cisco Switch Logs

Re: Cisco Switch Logs

Re: Cisco Switch Logs

Re: Cisco Switch Logs