Syslog - basics [SOLVED]

Started by sperlm, January 23, 2014, 12:03:45 PM

sperlm

Hello,

   I have read as much as I could about syslog watching and parsing here, but I found out that I cannot start with this functionality as I have problems setting up syslog functionality by itself.

I noticed that netxmsd.conf file has LogFile = {syslog} by default and yet the log in console Syslog is empty.
Somewhere here I read that server log is managed by the agent so I changed agent configuration file (by LogFile = {syslog}), but with no results. Tried with remote agent also.

Is there something specific needed or configured to have syslog accept log from agent ?

My current configuration is:
Code (server):
DBDriver = /opt/netxms/lib/libnxddr_mysql.so
DBServer = localhost
DBName = ******
DBLogin = ******
DBPassword = ******
LogFailedSQLQueries = yes
LogFile = {syslog}
JavaPath=/usr/bin/java
JavaLibraryDirectory=/opt/netxms/java-lib
JDBCDriver=com.mysql.jdbc.Driver
JDBCUrl=jdbc:mysql://localhost:3306/netxms


Code (server agent):
MasterServers = 127.0.0.1, netxmsserver.company.domain
LogFile = {syslog}


Code (remote agent):
MasterServers = netxmsserverIPaddress
LogFile = {syslog}
FileStore = /var/nxagentd


No subagents or parsing yet.
All we need for the time being is to store larger logs from devices that are not suitable for maintaining large logs by itself (and to keep the logs in one place).

With regards,
Milan Sperl

Victor Kirhenshtein

Hi!

You have mixed two different functions. When you have LogFile = {syslog} in your netxmsd.conf it only means that server will use syslog for logging instead of writing directly to file, and most likely you'll see related messages in /var/log/messages or /var/log/syslog - depending on your distribution and actual syslog configuration. NetXMS server here is just a client for your local syslog server.

NetXMS server can also work as a syslog server and collect syslog messages from remote hosts and devices (which is what you need as I understand). It is disabled by default, you should change the following server configuration variables:
EnableSyslogDaemon - set to 1;
SyslogListenPort - port for syslog server to listen on (default is 514, but it may be used already by system syslogd);
SyslogRetentionTime - number of days to keep received messages in database (default is 90).

When you restart server you should see incoming syslog messages stored. You can check that new messages coming using syslog monitor (Monitor->Syslog menu in console).

Once you set up syslog receiving, you can configure message matching policy to capture texts from messages and generate events.

Best regards,
Victor

sperlm

Thank you,

   if I understand it - just by configuring these options and having LogFile = {syslog} in netxmsd.conf (by default) should (after server restart) start up syslog in NetXMS console and start filling it with NetXMS log ?

Tried to check it in View-Syslog and Monitor-Syslog with no results.

/var/log/messages is receiving a few NetXMS server lines but nothing appears in the NetXMS syslog.

Attaching messages log - after server restart.

With regards,
Milan Sperl

Victor Kirhenshtein

Quote from: sperlm on January 24, 2014, 12:29:02 PM
   if I understand it - just by configuring these options and having LogFile = {syslog} in netxmsd.conf (by default) should (after server restart) start up syslog in NetXMS console and start filling it with NetXMS log ?

No, just the opposite - LogFile = {syslog} in netxmsd.conf is not related to built-in syslog server in any way. You have to enable built-in syslog server using EnableSyslogDaemon and company as I described before. Note that these are server configuration variables stored in database (editable in console via Configuration -> Server configuration), not parameters in netxmsd.conf.

Best regards,
Victor

sperlm

Hello, still no results starting the syslog server, or rather not receiving any data...
I am totally new to the syslog problematics so I cannot say if there is something I am doing wrong.

Not sure what you mean by "opposite" because that is how I understood it in the first place:

Set up server (in NetXMS Server Configuration console):
- EnableSyslogDaemon: 1
- SyslogListenPort: 514
- SyslogRetentionTime: 90

Set up server logging to syslog:
- netxmsd.conf: LogFile = {syslog}

Set up local and one remote agent logging to syslog:
- nxagentd.conf: LogFile = {syslog}

Even added firewall rule, just to be sure
- iptables: -A INPUT -p udp -m state --state NEW -m udp --dport 514 -j ACCEPT

Restarted iptables. Restarted agent and server by shutting both down and then starting agent first, server second. Restarted remote agent too.

Still no results.

I suppose parameter in Server Configuration - ExternalAuditPort: 514 is not interfering (it is there by default)?
Even tried to overwrite LogFile = {syslog} to LogFile = {serverIPaddress:514} (and restart server as usual).

Really don't know how to try to solve this problem anymore...

With regards,
Milan Sperl

Victor Kirhenshtein

Hi!

LogFile = {syslog} in nxagentd.conf and netxmsd.conf does not relate in any way to built-in syslog server enabled with EnableSyslogDaemon parameter. Setting log file to {syslog} only means that server or agent will use system logging facility for logging (syslog call in UNIX). It is up to you (or server admin) to configure syslog on that particular server for remote logging to NetXMS server's syslog server. Here is an example of how to configure rsyslogd for sending messages to remote server: http://www.rsyslog.com/sending-messages-to-a-remote-syslog-server/. You should check what syslog server is used on your servers.

In short, message flow for remote agent is as follows:

nxagentd -> syslogd ---------------> netxmsd syslog server
-----------------------                        -------------------------
  remote host               network            netxms server


If you want local netxmsd log to be caught by netxms syslog:

netxmsd -> syslogd ---------------> netxmsd syslog server
                                 loopback

Best regards,
Victor

sperlm

Thanks for the explanation.

I have completely skipped rsyslog configuration and then tried to send TCP with the @@ parameter in the rsyslogd.conf too.
After correctly setting rsyslogd.conf file to send UDP the syslog is filling as expected.

Now I have to explore syslog more to set forwarding only for nxagent/desired events.

With regards,
Milan Sperl
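
A quick way to check the receiving side independently of rsyslog, as an added example that is not part of the thread or of NetXMS: a probe that sends one UDP syslog datagram to the port set in SyslogListenPort, so you can look for it in Monitor->Syslog. The RFC 3164 framing, the daemon.info priority, the "nxagentd" tag and the script name are assumptions chosen for illustration.

```python
import socket
import sys
import time

MONTHS = "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split()

def build_rfc3164(facility, severity, hostname, tag, text, now=None):
    """Return one BSD-syslog (RFC 3164) datagram as bytes."""
    if not (0 <= facility <= 23 and 0 <= severity <= 7):
        raise ValueError("facility must be 0-23 and severity 0-7")
    pri = facility * 8 + severity          # e.g. daemon(3).info(6) -> 30
    t = time.localtime(now)                # now=None means current time
    # Timestamp is "Mmm dd hh:mm:ss" with a space-padded day of month.
    stamp = "%s %2d %02d:%02d:%02d" % (
        MONTHS[t.tm_mon - 1], t.tm_mday, t.tm_hour, t.tm_min, t.tm_sec)
    line = "<%d>%s %s %s: %s" % (pri, stamp, hostname, tag, text)
    return line.encode("ascii", "replace")

def send_udp(host, port, datagram):
    """Send one datagram; UDP gives no delivery confirmation."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        return s.sendto(datagram, (host, port))

def loopback_selftest():
    """Send a probe to a throwaway local UDP listener and return what arrived."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as rx:
        rx.bind(("127.0.0.1", 0))          # port 0: let the OS pick a free port
        rx.settimeout(2.0)
        port = rx.getsockname()[1]
        send_udp("127.0.0.1", port,
                 build_rfc3164(3, 6, "testhost", "nxagentd", "constructed probe"))
        data, _addr = rx.recvfrom(2048)
        return data

if __name__ == "__main__":
    if len(sys.argv) == 3:
        # usage: python3 syslog_probe.py <netxms-server> <SyslogListenPort>
        msg = build_rfc3164(3, 6, socket.gethostname(), "nxagentd", "constructed probe")
        print("sent %d bytes" % send_udp(sys.argv[1], int(sys.argv[2]), msg))
    else:
        print(loopback_selftest().decode())
```

A successful send only means the datagram left the host; if nothing shows up in the syslog monitor, check the firewall rule and whether another syslogd already holds the port.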