Nagios Support Forum

we know that NagiosXI log server uses port 5544,

however, in our network environment, it did not allows port other than default syslog port - 514,

so we would like to know how to allow nagios log server to receive custom ports from any network devices, in our case we are using cisco nexus series switches.

we except your kind guidance on this,

Special privilege is needed to run on ports 1024 and below. https://assets.nagios.com/downloads/nag ... Server.pdf covers this. To run on anything above 1024 you'll just need to modify the port option on the input.

we are looking to configure network switches (nx-os, cat-os), which by default are configured to push the log thru udp port 514.

kindly provide the recommendation to configure the syslog to accept the log messages in port 514, instead of 5544.

Note: we already tried the workaround which you provided earlier and it did not worked. find the input script that we used.

syslog {
type => 'syslog'
port => 514
}

Please let us know if any thing to be changed in input script.

FYI. logstash output

[root@usa0300lv6332 ~]# cat /etc/sysconfig/logstash
###############################
# Default settings for logstash
###############################

# Override Java location
#JAVACMD=/usr/bin/java

# Set a home directory
APP_DIR=/usr/local/nagioslogserver
LS_HOME="$APP_DIR/logstash"

# set ES_CLUSTER
ES_CLUSTER=$(cat $APP_DIR/var/cluster_uuid)

# Arguments to pass to java
#LS_HEAP_SIZE="256m"
LS_JAVA_OPTS="-Djava.io.tmpdir=$APP_DIR/tmp"

# Logstash filter worker threads
#LS_WORKER_THREADS=1

# pidfiles aren't used for upstart; this is for sysv users.
#LS_PIDFILE=/var/run/logstash.pid

# user id to be invoked as; for upstart: edit /etc/init/logstash.conf
#LS_USER=nagios
LS_USER=root
#LS_GROUP=root
LS_GROUP=nagios

# logstash logging
#LS_LOG_FILE=/var/log/logstash/logstash.log
#LS_USE_GC_LOGGING="true"

# logstash configuration directory
LS_CONF_DIR="$LS_HOME/etc/conf.d"

# Open file limit; cannot be overridden in upstart
#LS_OPEN_FILES=2048

# Nice level
#LS_NICE=0

# Increase Filter workers to 4 threads
LS_OPTS=" -w 4"

if [ "x$1" == "xstart" -o "x$1" == "xrestart" -o "x$1" == "xreload" ];then
GET_LOGSTASH_CONFIG_MESSAGE=$( php /usr/local/nagioslogserver/scripts/get_logstash_config.php )
GET_LOGSTASH_CONFIG_RETURN=$?
if [ "$GET_LOGSTASH_CONFIG_RETURN" != "0" ]; then
echo $GET_LOGSTASH_CONFIG_MESSAGE
exit 1
fi
fi

setcap 'cap_net_bind_service=+ep' $(readlink -f $(which java))
[root@usa0300lv6332 ~]#

Finally, it worked after providing the input script like below.

syslog {
type => 'network'
port => 514
}

changed the type from 'syslog' to 'network'

Thanks for the update and glad it is working now, but I'm not sure why it would matter what the type was set to. You should be able to have multiple instances using the same type. Perhaps there was an extra hidden character in there? Feel free to ignore this if you're satisfied with it working as is, but I'd be curious to see if the problem comes back if you change the type back to syslog.

Previously, the script was like below.

syslog {
type => 'syslog''
port => 514
}

After the changes:

syslog {
type => 'network''
port => 514
}

sorry typo error.

syslog {
type => 'syslog'
port => 514
}

After the changes:

syslog {
type => 'network'
port => 514
}

cdienger wrote:You should be able to have multiple instances using the same type.

Issues with the ElasticSearch template/datatypes notwithstanding, I would agree.

I know at least Cisco and Barracuda take some liberties with their interpretation of RFC 3164 which could lead to some string != long style problems.

Thanks for the input, @mcapra.

@thanigaivel.a if you still want to troubleshoot this, I would like to see the config. This can be viewed/copied by going to Admin > Global(All Instances) > View > All Files Combined.