
Forwarding maillog entries

Posted: Fri Jul 29, 2016 10:08 am
by vmesquita
Hello,

I am trying to send the postfix log entries from the SMTP server to nagios log server. I added the following lines to /etc/rsyslog.conf:

Code:

### begin forwarding rule ### NAGIOSLOGSERVER
#
$WorkDirectory /var/lib/rsyslog # where to place spool files
$ActionQueueFileName fwdRule1 # unique name prefix for spool files
$ActionQueueMaxDiskSpace 1g   # 1gb space limit (use as much as possible)
$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
$ActionQueueType LinkedList   # run asynchronously
$ActionResumeRetryCount -1    # infinite retries if host is down
# remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
# "@@" forwards over TCP (a single "@" would be UDP); the queue directives
# above apply to this next action only

mail.* @@syslogA.selic.bc:5544
However only crontab events are being sent. Any ideas?

Re: Forwarding maillog entries

Posted: Fri Jul 29, 2016 10:12 am
by hsmith
Are there any sort of errors in /var/log/logstash/logstash.log?

Re: Forwarding maillog entries

Posted: Fri Jul 29, 2016 11:00 am
by vmesquita
Can you please check if this is an error? This log is very hard to read because there are no line breaks. I see some events from the host IP which do not seem to be making it into the log server interface.

Code:

{:timestamp=>"2016-07-29T12:49:45.717000-0300", :message=>"failed action with response of 400, dropping action: [\"index\", {:_id=>nil, :_index=>\"logstash-2016.07.29\", :_type=>\"syslog\", :_routing=>nil}, #<LogStash::Event:0x7f5eb2dc @metadata={\"retry_count\"=>0}, @accessors=#<LogStash::Util::Accessors:0x31553c71 @store={\"message\"=>\"4D86110000BC: warning: header From: Nagios-xxxxx <[email protected]> from nagios.xxxxx.bc[AAA.BB.CC.DD]; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<localhost.localdomain>\\n\", \"@version\"=>\"1\", \"@timestamp\"=>\"2016-07-29T15:49:45.000Z\", \"type\"=>\"syslog\", \"host\"=>\"AAA.BB.EE.FF\", \"priority\"=>22, \"timestamp\"=>\"Jul 29 12:49:45\", \"logsource\"=>\"va581\", \"program\"=>\"postfix/cleanup\", \"pid\"=>\"664\", \"severity\"=>6, \"facility\"=>2, \"facility_label\"=>\"mail\", \"severity_label\"=>\"Informational\"}, @lut={\"type\"=>[{\"message\"=>\"4D86110000BC: warning: header From: Nagios-xxxxx <[email protected]> from nagios.xxxxx.bc[AAA.BB.CC.DD]; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<localhost.localdomain>\\n\", \"@version\"=>\"1\", \"@timestamp\"=>\"2016-07-29T15:49:45.000Z\", \"type\"=>\"syslog\", \"host\"=>\"AAA.BB.EE.FF\", \"priority\"=>22, \"timestamp\"=>\"Jul 29 12:49:45\", \"logsource\"=>\"va581\", \"program\"=>\"postfix/cleanup\", \"pid\"=>\"664\", \"severity\"=>6, \"facility\"=>2, \"facility_label\"=>\"mail\", \"severity_label\"=>\"Informational\"}, \"type\"], \"host\"=>[{\"message\"=>\"4D86110000BC: warning: header From: Nagios-xxxxx <[email protected]> from nagios.xxxxx.bc[AAA.BB.CC.DD]; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<localhost.localdomain>\\n\", \"@version\"=>\"1\", \"@timestamp\"=>\"2016-07-29T15:49:45.000Z\", \"type\"=>\"syslog\", \"host\"=>\"AAA.BB.EE.FF\", \"priority\"=>22, \"timestamp\"=>\"Jul 29 12:49:45\", \"logsource\"=>\"va581\", \"program\"=>\"postfix/cleanup\", \"pid\"=>\"664\", \"severity\"=>6, 
\"facility\"=>2, \"facility_label\"=>\"mail\", \"severity_label\"=>\"Informational\"}, \"host\"], \"message\"=>[{\"message\"=>\"4D86110000BC: warning: header From: Nagios-xxxxx <[email protected]> from nagios.xxxxx.bc[AAA.BB.CC.DD]; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<localhost.localdomain>\\n\", \"@version\"=>\"1\", \"@timestamp\"=>\"2016-07-29T15:49:45.000Z\", \"type\"=>\"syslog\", \"host\"=>\"AAA.BB.EE.FF\", \"priority\"=>22, \"timestamp\"=>\"Jul 29 12:49:45\", \"logsource\"=>\"va581\", \"program\"=>\"postfix/cleanup\", \"pid\"=>\"664\", \"severity\"=>6, \"facility\"=>2, \"facility_label\"=>\"mail\", \"severity_label\"=>\"Informational\"}, \"message\"], \"priority\"=>[{\"message\"=>\"4D86110000BC: warning: header From: Nagios-xxxxx <[email protected]> from nagios.xxxxx.bc[AAA.BB.CC.DD]; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<localhost.localdomain>\\n\", \"@version\"=>\"1\", \"@timestamp\"=>\"2016-07-29T15:49:45.000Z\", \"type\"=>\"syslog\", \"host\"=>\"AAA.BB.EE.FF\", \"priority\"=>22, \"timestamp\"=>\"Jul 29 12:49:45\", \"logsource\"=>\"va581\", \"program\"=>\"postfix/cleanup\", \"pid\"=>\"664\", \"severity\"=>6, \"facility\"=>2, \"facility_label\"=>\"mail\", \"severity_label\"=>\"Informational\"}, \"priority\"], \"timestamp\"=>[{\"message\"=>\"4D86110000BC: warning: header From: Nagios-xxxxx <[email protected]> from nagios.xxxxx.bc[AAA.BB.CC.DD]; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<localhost.localdomain>\\n\", \"@version\"=>\"1\", \"@timestamp\"=>\"2016-07-29T15:49:45.000Z\", \"type\"=>\"syslog\", \"host\"=>\"AAA.BB.EE.FF\", \"priority\"=>22, \"timestamp\"=>\"Jul 29 12:49:45\", \"logsource\"=>\"va581\", \"program\"=>\"postfix/cleanup\", \"pid\"=>\"664\", \"severity\"=>6, \"facility\"=>2, \"facility_label\"=>\"mail\", \"severity_label\"=>\"Informational\"}, \"timestamp\"], \"logsource\"=>[{\"message\"=>\"4D86110000BC: warning: header From: Nagios-xxxxx <[email protected]> 
from nagios.xxxxx.bc[AAA.BB.CC.DD]; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<localhost.localdomain>\\n\", \"@version\"=>\"1\", \"@timestamp\"=>\"2016-07-29T15:49:45.000Z\", \"type\"=>\"syslog\", \"host\"=>\"AAA.BB.EE.FF\", \"priority\"=>22, \"timestamp\"=>\"Jul 29 12:49:45\", \"logsource\"=>\"va581\", \"program\"=>\"postfix/cleanup\", \"pid\"=>\"664\", \"severity\"=>6, \"facility\"=>2, \"facility_label\"=>\"mail\", \"severity_label\"=>\"Informational\"}, \"logsource\"], \"program\"=>[{\"message\"=>\"4D86110000BC: warning: header From: Nagios-xxxxx <[email protected]> from nagios.xxxxx.bc[AAA.BB.CC.DD]; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<localhost.localdomain>\\n\", \"@version\"=>\"1\", \"@timestamp\"=>\"2016-07-29T15:49:45.000Z\", \"type\"=>\"syslog\", \"host\"=>\"AAA.BB.EE.FF\", \"priority\"=>22, \"timestamp\"=>\"Jul 29 12:49:45\", \"logsource\"=>\"va581\", \"program\"=>\"postfix/cleanup\", \"pid\"=>\"664\", \"severity\"=>6, \"facility\"=>2, \"facility_label\"=>\"mail\", \"severity_label\"=>\"Informational\"}, \"program\"], \"pid\"=>[{\"message\"=>\"4D86110000BC: warning: header From: Nagios-xxxxx <[email protected]> from nagios.xxxxx.bc[AAA.BB.CC.DD]; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<localhost.localdomain>\\n\", \"@version\"=>\"1\", \"@timestamp\"=>\"2016-07-29T15:49:45.000Z\", \"type\"=>\"syslog\", \"host\"=>\"AAA.BB.EE.FF\", \"priority\"=>22, \"timestamp\"=>\"Jul 29 12:49:45\", \"logsource\"=>\"va581\", \"program\"=>\"postfix/cleanup\", \"pid\"=>\"664\", \"severity\"=>6, \"facility\"=>2, \"facility_label\"=>\"mail\", \"severity_label\"=>\"Informational\"}, \"pid\"], \"tags\"=>[{\"message\"=>\"4D86110000BC: warning: header From: Nagios-xxxxx <[email protected]> from nagios.xxxxx.bc[AAA.BB.CC.DD]; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<localhost.localdomain>\\n\", \"@version\"=>\"1\", \"@timestamp\"=>\"2016-07-29T15:49:45.000Z\", 
\"type\"=>\"syslog\", \"host\"=>\"AAA.BB.EE.FF\", \"priority\"=>22, \"timestamp\"=>\"Jul 29 12:49:45\", \"logsource\"=>\"va581\", \"program\"=>\"postfix/cleanup\", \"pid\"=>\"664\", \"severity\"=>6, \"facility\"=>2, \"facility_label\"=>\"mail\", \"severity_label\"=>\"Informational\"}, \"tags\"], \"severity\"=>[{\"message\"=>\"4D86110000BC: warning: header From: Nagios-xxxxx <[email protected]> from nagios.xxxxx.bc[AAA.BB.CC.DD]; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<localhost.localdomain>\\n\", \"@version\"=>\"1\", \"@timestamp\"=>\"2016-07-29T15:49:45.000Z\", \"type\"=>\"syslog\", \"host\"=>\"AAA.BB.EE.FF\", \"priority\"=>22, \"timestamp\"=>\"Jul 29 12:49:45\", \"logsource\"=>\"va581\", \"program\"=>\"postfix/cleanup\", \"pid\"=>\"664\", \"severity\"=>6, \"facility\"=>2, \"facility_label\"=>\"mail\", \"severity_label\"=>\"Informational\"}, \"severity\"], \"facility\"=>[{\"message\"=>\"4D86110000BC: warning: header From: Nagios-xxxxx <[email protected]> from nagios.xxxxx.bc[AAA.BB.CC.DD]; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<localhost.localdomain>\\n\", \"@version\"=>\"1\", \"@timestamp\"=>\"2016-07-29T15:49:45.000Z\", \"type\"=>\"syslog\", \"host\"=>\"AAA.BB.EE.FF\", \"priority\"=>22, \"timestamp\"=>\"Jul 29 12:49:45\", \"logsource\"=>\"va581\", \"program\"=>\"postfix/cleanup\", \"pid\"=>\"664\", \"severity\"=>6, \"facility\"=>2, \"facility_label\"=>\"mail\", \"severity_label\"=>\"Informational\"}, \"facility\"], \"timestamp8601\"=>[{\"message\"=>\"4D86110000BC: warning: header From: Nagios-xxxxx <[email protected]> from nagios.xxxxx.bc[AAA.BB.CC.DD]; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<localhost.localdomain>\\n\", \"@ve
(usernames and domain names have been replaced for security reasons)

Re: Forwarding maillog entries

Posted: Fri Jul 29, 2016 11:51 am
by hsmith
Try switching to using raw TCP/UDP for your inputs instead of the syslog input.

Go to Administration > Global > Global Configuration and expand the syslog input.

Replace what is there with this:

Code:

tcp {
  port => 5544
  type => syslog
}
udp {
  port => 5544
  type => syslog
}

This will stop Logstash from dropping logs with a syslog format that it doesn't like, which is the default behavior.

Your syslogs will no longer be broken down into nice fields, because we're not using the syslog input anymore, but we can have that process done with this grok filter:

Code:

  if [type] == "syslog" {
    grok {
      match => { "message" => "<%{POSINT:syslog_pri}>%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }
    }
  }
Let me know what happens.
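To see what the grok filter above actually produces, here is an added Python example (not code from the thread or from Nagios Log Server) that runs an equivalent regex over a few constructed syslog lines modelled on the postfix event quoted earlier. The regex is a hand-written stand-in for the grok patterns POSINT, SYSLOGTIMESTAMP, SYSLOGHOST, DATA and GREEDYDATA rather than Logstash's own pattern library, the facility and severity names are the RFC 3164 ones, and the hostnames, addresses and queue id in the sample lines are placeholders. It also decodes the PRI value the way the syslog input did, which is why the dropped event in the log shows priority 22 as facility 2 (mail) and severity 6 (Informational), and shows which of the lines the rsyslog selector mail.* would forward.

```python
"""Added example: a Python equivalent of the grok pattern from the post,
run over constructed RFC 3164 lines. Not code from the thread or from
Nagios Log Server / Logstash."""
import re

# Translation of:
#   <%{POSINT:syslog_pri}>%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname}
#   %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}
# Assumption: these sub-patterns approximate the grok ones; they are not
# the definitions that ship with Logstash.
SYSLOG_RE = re.compile(
    r"^<(?P<syslog_pri>\d+)>"
    r"(?P<syslog_timestamp>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<syslog_hostname>[\w.-]+) "
    r"(?P<syslog_program>.*?)(?:\[(?P<syslog_pid>\d+)\])?: "
    r"(?P<syslog_message>.*)$"
)

# RFC 3164 facility names (assumption: Logstash's syslog input spells a
# few of these differently, e.g. "kernel" for 0).
FACILITY_LABELS = {
    0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
    6: "lpr", 7: "news", 8: "uucp", 9: "cron", 10: "authpriv", 11: "ftp",
    **{16 + i: f"local{i}" for i in range(8)},
}
SEVERITY_LABELS = ["Emergency", "Alert", "Critical", "Error",
                   "Warning", "Notice", "Informational", "Debug"]


def parse_syslog_line(line):
    """Return the grok-style fields for one raw syslog line, plus the
    facility/severity split of PRI, or None if the line does not match."""
    m = SYSLOG_RE.match(line.rstrip("\n"))
    if m is None:
        return None
    fields = m.groupdict()
    # PRI = facility * 8 + severity; 22 -> facility 2 (mail), severity 6.
    pri = int(fields["syslog_pri"])
    fields["facility"] = pri >> 3
    fields["severity"] = pri & 0x7
    fields["facility_label"] = FACILITY_LABELS.get(pri >> 3, "unknown")
    fields["severity_label"] = SEVERITY_LABELS[pri & 0x7]
    return fields


def mail_events(lines):
    """Keep only the events the rsyslog selector 'mail.*' would forward:
    facility 2 at any severity. Unparseable lines are skipped."""
    parsed = (parse_syslog_line(line) for line in lines)
    return [f for f in parsed if f is not None and f["facility"] == 2]


# Constructed sample input, modelled on the postfix event in the thread;
# hosts, addresses and the queue id are placeholders.
SAMPLE_LINES = [
    "<22>Jul 29 12:49:45 va581 postfix/cleanup[664]: 4D86110000BC: warning: "
    "header From: Nagios <nagios@mail.example> from nagios.mail.example[192.0.2.10]; "
    "from=<nagios@mail.example> to=<ops@mail.example> proto=ESMTP helo=<localhost.localdomain>",
    "<78>Jul 29 12:50:01 va581 CRON[1234]: (root) CMD (run-parts /etc/cron.hourly)",
    "<30>Jul 29 12:51:00 va581 rsyslogd: action 'fwdRule1' resumed",
    "not a syslog line at all",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        f = parse_syslog_line(line)
        if f is None:
            print("UNPARSED:", line)
            continue
        print(f"{f['facility_label']}.{f['severity_label'].lower():<13} "
              f"{f['syslog_program']}[{f['syslog_pid']}] {f['syslog_message'][:40]}")
    print(len(mail_events(SAMPLE_LINES)), "event(s) match mail.*")
```

The non-greedy program group plus the optional bracketed pid is what lets the same pattern take both postfix/cleanup[664] and a bare rsyslogd: prefix; a line that fails the pattern comes back as None rather than being silently tagged, so you can count such lines and spot a source whose format the filter does not cover.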

Re: Forwarding maillog entries

Posted: Wed Aug 17, 2016 3:59 pm
by vmesquita
Thanks! This really helped to solve the issue.

Re: Forwarding maillog entries

Posted: Wed Aug 17, 2016 4:10 pm
by tmcdonald
I'll be closing this thread now, but feel free to open another if you need anything in the future!