Log Server Legacy Router

Posted: Wed Dec 28, 2016 8:35 am
by ab3pu
I am configuring some legacy equipment to send logs to Nagios LS. These use port 514. I have read your documentation "Nagios Log Server – Listening On Privileged Ports" and followed its instructions. I am not seeing the logs in my dashboard.

TCPDUMP on the LS shows that the packets are getting to the server. (See Below)

Any advice?


[root@localhost ~]# tcpdump -nnvvS host 10.101.2.72
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
08:31:47.124710 IP (tos 0x0, ttl 254, id 51, offset 0, flags [none], proto UDP (17), length 133)
10.101.2.72.52001 > 10.100.10.7.514: [udp sum ok] SYSLOG, length: 105
Facility local7 (23), Severity notice (5)
Msg: 92413: Dec 28 08:31:43 EST5: %SYS-5-CONFIG_I: Configured from console by bianco on vty0 (10.75.2.13)
0x0000: 3c31 3839 3e39 3234 3133 3a20 4465 6320
0x0010: 3238 2030 383a 3331 3a34 3320 4553 5435
0x0020: 3a20 2553 5953 2d35 2d43 4f4e 4649 475f
0x0030: 493a 2043 6f6e 6669 6775 7265 6420 6672
0x0040: 6f6d 2063 6f6e 736f 6c65 2062 7920 6269
0x0050: 616e 636f 206f 6e20 7674 7930 2028 3130
0x0060: 2e37 352e 322e 3133 29
08:31:47.124756 IP (tos 0xc0, ttl 64, id 23908, offset 0, flags [none], proto ICMP (1), length 161)
10.100.10.7 > 10.101.2.72: ICMP host 10.100.10.7 unreachable - admin prohibited, length 141
IP (tos 0x0, ttl 254, id 51, offset 0, flags [none], proto UDP (17), length 133)
10.101.2.72.52001 > 10.100.10.7.514: [udp sum ok] SYSLOG, length: 105
Facility local7 (23), Severity notice (5)
Msg: 92413: Dec 28 08:31:43 EST5: %SYS-5-CONFIG_I: Configured from console by bianco on vty0 (10.75.2.13)
0x0000: 3c31 3839 3e39 3234 3133 3a20 4465 6320
0x0010: 3238 2030 383a 3331 3a34 3320 4553 5435
0x0020: 3a20 2553 5953 2d35 2d43 4f4e 4649 475f
0x0030: 493a 2043 6f6e 6669 6775 7265 6420 6672
0x0040: 6f6d 2063 6f6e 736f 6c65 2062 7920 6269
0x0050: 616e 636f 206f 6e20 7674 7930 2028 3130
0x0060: 2e37 352e 322e 3133 29

Re: Log Server Legacy Router

Posted: Wed Dec 28, 2016 10:17 am
by mcapra
Have you verified the system times on both machines to be accurate? Logstash can get a bit upset when it receives events "from the future".

Could you share the contents of /var/log/logstash/logstash.log?

Could you also share the output of the following commands:

grep '' /usr/local/nagioslogserver/logstash/etc/conf.d/*
netstat -anp

Re: Log Server Legacy Router

Posted: Wed Jan 04, 2017 10:06 am
by ab3pu
Requested information is attached in nagioslsinfo.txt

Re: Log Server Legacy Router

Posted: Wed Jan 04, 2017 10:49 am
by rkennedy
/usr/local/nagioslogserver/logstash/etc/conf.d/000_inputs.conf: syslog {
/usr/local/nagioslogserver/logstash/etc/conf.d/000_inputs.conf: type => 'syslog'
/usr/local/nagioslogserver/logstash/etc/conf.d/000_inputs.conf: port => 514
/usr/local/nagioslogserver/logstash/etc/conf.d/000_inputs.conf: }
It looks like you're listening on 514, try switching out the input filter from using the syslog, to a raw tcp/udp input.

tcp {
    port => 514
    type => sysloglegacy
  }
  udp {
    port => 514
    type => sysloglegacy
  }
If that doesn't work, please show us the full output of ps -ef

Re: Log Server Legacy Router

Posted: Wed Jan 04, 2017 11:07 am
by ab3pu
Please pretend I am stupid. How do I switch input filter?

Re: Log Server Legacy Router

Posted: Wed Jan 04, 2017 1:01 pm
by rkennedy
Open the NLS interface, and navigate to Admin -> Global Configuration -> Look at 'Inputs', find the one that is listening on port 514 currently. You can either replace the text with what I inputted there, or create a new input. (if you create a new one, disable the old one by clicking the green 'Active' button, to turn it off.)

Re: Log Server Legacy Router

Posted: Wed Jan 04, 2017 1:11 pm
by ab3pu
Completed... Still no joy. I have attached the earlier commands that you provided.

Re: Log Server Legacy Router

Posted: Wed Jan 04, 2017 1:51 pm
by rkennedy
Do you have a sample of the log from the legacy router? One thing I've seen in the past is data actually getting inputted, but the time parsing completely wrong due to it being in the past / future, which becomes problematic. This would explain why we can see the connection on the tcpdump.

Also, on the NLS side, what is the output of ps -ef and also please post your /etc/sysconfig/logstash for us to review.

Re: Log Server Legacy Router

Posted: Thu Jan 05, 2017 8:17 am
by ab3pu
Both the end device and the log server get their time via NTP. I checked and clocks are synced.

Attached are the other outputs you asked for.

Re: Log Server Legacy Router

Posted: Thu Jan 05, 2017 4:23 pm
by tgriep
Is the firewall setup to allow inbound traffic on port 514?
Can you run this command and post the output so we can get the list of ports the firewall is allowing?

service iptables status
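The tcpdump output in the first post already answers tgriep's firewall question: right after the syslog datagram arrives, the log server itself (10.100.10.7, TTL 64) replies with "ICMP host ... unreachable - admin prohibited", which is what a host's own packet filter sends when it REJECTs the packet (an iptables REJECT rule with --reject-with icmp-host-prohibited produces exactly this), so the datagram reached the server but never reached Logstash. The script below, added here as an example and not code from the thread or from Nagios, scans tcpdump -vv text for syslog datagrams that drew such a reply and reports whether the rejection came from the destination host or from a device on the path; the CAPTURE string is a constructed sample abridged from the first post's output.

```python
import re

# Constructed sample abridged from the tcpdump output in the first post
# (hex dump lines omitted; continuation lines keep tcpdump's indentation).
CAPTURE = """\
08:31:47.124710 IP (tos 0x0, ttl 254, id 51, offset 0, flags [none], proto UDP (17), length 133)
    10.101.2.72.52001 > 10.100.10.7.514: [udp sum ok] SYSLOG, length: 105
08:31:47.124756 IP (tos 0xc0, ttl 64, id 23908, offset 0, flags [none], proto ICMP (1), length 161)
    10.100.10.7 > 10.101.2.72: ICMP host 10.100.10.7 unreachable - admin prohibited, length 141
    IP (tos 0x0, ttl 254, id 51, offset 0, flags [none], proto UDP (17), length 133)
    10.101.2.72.52001 > 10.100.10.7.514: [udp sum ok] SYSLOG, length: 105
"""

IP = r"(\d{1,3}(?:\.\d{1,3}){3})"
UDP_RE = re.compile(rf"^\s*{IP}\.(\d+) > {IP}\.(\d+):")
ICMP_RE = re.compile(rf"^\s*{IP} > {IP}: ICMP host \S+ unreachable - admin prohibited")


def rejected_syslog(capture, port=514):
    """Find syslog datagrams to `port` that drew an ICMP 'admin prohibited'.

    tcpdump -vv prints the original datagram quoted inside the ICMP error on
    the lines following the ICMP line, so the first UDP line after an ICMP
    line is the rejected packet.  Returns one dict per rejection."""
    findings = []
    icmp_sender = None  # set while the quoted datagram of an ICMP error is expected
    for line in capture.splitlines():
        m = ICMP_RE.match(line)
        if m:
            icmp_sender = m.group(1)
            continue
        m = UDP_RE.match(line)
        if not m:
            continue
        src, dst, dport = m.group(1), m.group(3), int(m.group(4))
        if icmp_sender and dport == port:
            findings.append({
                "src": src,
                "dst": dst,
                # ICMP from the destination itself means its own packet filter
                # (e.g. iptables REJECT) dropped it; any other sender is a
                # filtering device somewhere on the path.
                "rejected_by": "destination host" if icmp_sender == dst else icmp_sender,
            })
        icmp_sender = None  # a plain datagram (not quoted in an ICMP) resets the state
    return findings


if __name__ == "__main__":
    for f in rejected_syslog(CAPTURE):
        print(f"syslog from {f['src']} to {f['dst']}:514 rejected by {f['rejected_by']}")
```

Running it on the posted capture reports the rejection by the destination host, which is the case `service iptables status` (or the equivalent firewall listing) would confirm by showing no ACCEPT rule for UDP 514 ahead of the final REJECT.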