Source Host in Syslog Proxy in 2.1-M1

Started by Tursiops, December 14, 2016, 12:21:16 AM


Tursiops

Hi,

Reading that 2.1 includes a Syslog Proxy, I just had to give this a spin. :)

Doing this, I encountered an issue with the server matching the messages to the correct node. I am using zoning, which probably plays a part in this.

Node A is a router at a site.
Node B is the proxy node.
The site has a single public IP address, so to connect the proxy node I have to create a port forward on that IP address.
That also means I cannot add Node A and Node B into the same zone (IP conflict). Node B is therefore in the Default zone, while Node A is in that site's zone.

I reconfigured Node B to act as Syslog proxy and reconfigured Node A to send syslog messages to Node B.

The result was that the messages were linked to Node C - a completely unrelated router which is sitting in the default zone and happens to have the same internal IP address as Node A.

Based on the above, my guess was that any syslog messages coming in from or proxied through Node B are automatically placed in the Default zone and then matched as per the server's SyslogNodeMatchingPolicy (in my case 0, i.e. IP, then hostname - but being in the wrong zone, the order would not matter).

So I moved Node A into its own zone and changed its IP in NetXMS to its public IP, syslog was reconfigured to send directly to the NetXMS server.
Node B was moved into the site's zone.

That should fix all other devices on the network sending syslog through Node B (haven't tested this yet) while the router's syslog goes straight to the NetXMS server.

Next problem now: the server has two systems with the same public IP address and can't tell where the messages are actually coming from.
I changed the SyslogNodeMatchingPolicy from 0 to 1 and restarted the NetXMS server, but that made no difference. Clearly the hostname matching isn't working in this case. I am not even sure which hostname it's comparing? The Object or the Primary host name? Changing the Object name made no difference.
I need to use an FQDN for the Primary host name to be able to query the router, but the router in question only sends the hostname in the syslog message. If I put an FQDN in as hostname on the router itself, it appears to ignore everything from the first "." onwards when it adds it to syslog messages. Other devices do not even allow hostnames longer than maybe 16 characters. Looks like I've hit a dead end?

Is there a way to set up "rules" to handle assigning syslog messages to devices?
How do other users handle this?

Maybe a future solution would be for NetXMS to ignore the actual IP/hostname presented for data collection and only use the interface IP addresses for IP conflict, topology and syslog checks, considering that the IP used to query the proxy node is not actually on the proxy node?

Cheers

tomaskir

Set ZoneId = x in the proxying agent's config; it will tell the server in which zone it should look for SNMP trap and syslog message sources when proxied by this agent.

Tursiops

Just tried that:
- Moved the proxy back into the default zone (0)
- Moved the router back into the site's zone (8)
- Configured proxy agent with zoneid 8
- Restarted proxy agent and ran configuration poll
- Reconfigured router to send syslog to proxy node from internal interface

Result: messages show as coming from the aforementioned Node C that's in the default zone.
Looks like the zoneid in the config is being ignored?

Victor Kirhenshtein

Hi,

The proxy node should be part of the zone. A working setup should look like the following:

Nodes A and B are in site zone;
Site's public IP translated to node B;
Node B set as zone's proxy;
ZoneId in nxagentd.conf on node B set to ID of site's zone;
Primary IP for node A set to internal IP address reachable from node B.

Best regards,
Victor

Tursiops

Hi Victor,

The problem with the suggested setup is this (example IPs):
Node A: Firewall with public IP 100.100.100.1, private IP 192.168.0.1
Node B: Server with private IP 192.168.0.2

To connect the proxy on Node B, I have to configure a port forward and add Node B using the public IP 100.100.100.1.
However, Node A has that IP on one of the interfaces. The result is that NetXMS does not let me place both nodes into the same zone, because of an IP address conflict.

In the past I noticed that the above does not cause issues if:
- I add Node B while Node A does not exist in NetXMS and place it in the right zone
- I add Node A and place it directly into the right zone (at that point NetXMS doesn't know about the IP conflict yet).

While the IP conflict is technically still there, NetXMS doesn't seem to complain or break with this setup.

Maybe the IP address conflict is actually a bug? :)

Cheers

Tursiops

Hi,

Just to test this, I did the following:
- removed Node A from NetXMS
- ensured the Node B is in the site's zone and has the ZoneId config set
- confirmed the site has Node B configured as its proxy
- restarted Node B's NetXMS service and ran a configuration poll
- re-added Node A, directly placing it in the site's zone using its internal IP address
- confirmed Node A is sending logs from its internal interface to Node B

That means the following conditions are all met:
x Nodes A and B are in site zone
x Site's public IP translated to Node B
x Node B set as zone's proxy
x ZoneId in nxagentd.conf on Node B set to ID of site's zone
x Primary IP for Node A set to internal IP address reachable from Node B

Result:
The logs are still showing as coming from the node that has the same internal IP address, but is located in the default zone 0.

I upped debugging on the server to 8 and could see the following in the logs (IPs/hostnames changed):
[20-Dec-2016 09:36:46.273] [DEBUG] AgentConnectionEx::onSyslogMessage(): Received message from agent at <PROXY_PUBLIC_IP>, node ID 47780
<190>620: <ROUTER_HOSTNAME>: 000616: Dec 20 09:36:45.266 AEDT: %SEC-6-IPACCESSLOGNP: list 23 denied 0 42.237.64.29 -> 0.0.0.0, 1 packet
[20-Dec-2016 09:36:46.273] [DEBUG] Syslog message: ipAddr=<ROUTER_INTERNAL_IP> objectId=29870 tag="620" msg="620: <ROUTER_HOSTNAME>: 000616: Dec 20 09:36:45.266 AEDT: %SEC-6-IPACCESSLOGNP: list 23 denied 0 42.237.64.29 -> 0.0.0.0, 1 packet  "
[20-Dec-2016 09:36:46.285] [DEBUG] AgentConnectionEx::onSyslogMessage(): Received message from agent at <PROXY_PUBLIC_IP>, node ID 47780
[20-Dec-2016 09:36:46.285] [DEBUG] AgentConnectionEx::onSyslogMessage(): Received message from agent at <PROXY_PUBLIC_IP>, node ID 47780
[20-Dec-2016 09:36:46.285] [DEBUG] AgentConnectionEx::onSyslogMessage(): message ID is invalid (node <PROXY_NODE_NAME> [47780])


Not sure where the "message ID is invalid" is coming from?

Cheers

Tursiops

Definitely not working for me.

I just configured another site and ended up with syslog data for a router in zone 65 showing as coming from a router in zone 33. They just happen to have the same internal IP address (both are being monitored via proxies and the proxies have the correct ZoneId entries in their configuration file and are in the same zones as the routers).

Victor Kirhenshtein

Just in case - please check that server parameter TrapSourcesInAllZones is set to 0.

Best regards,
Victor

Victor Kirhenshtein

Also, could you please post complete agent config (from proxy node)? And what is server version?

Tursiops

Hi Victor,

TrapSourcesInAllZones is set to 1. I thought that's what it has to be to accept traps/syslog from all zones?
I am pretty sure I had problems with SNMP traps in the past while this was set to 0?

Server Version: 2.1-M1
Agent Version: 2.1-M1

Agent Configuration below, with some information replaced with XYZs.

ConfigIncludeDir = C:\XYZ\NetXMS\etc\nxagentd.conf.d
LogFile = C:\XYZ\NetXMS\nxagentd.log
FileStore = C:\XYZ\NetXMS\var
EnableWatchdog = yes
SubAgent = filemgr.nsm
SubAgent = ping.nsm
SubAgent = logwatch.nsm
SubAgent = portcheck.nsm
SubAgent = winperf.nsm
SubAgent = wmi.nsm
SubAgent = ups.nsm
RequireAuthentication = yes
SharedSecret = XYZXYZXYZ
MasterServers = W.X.Y.Z
EnableProxy = yes
EnableSNMPProxy = yes
EnableSNMPTrapProxy = yes
EnableSyslogProxy = yes
EnableWatchdog = yes
ZoneId = 65


Cheers

Tursiops

Ok. I switched to 0. Works now.

I just don't understand why?
Originally for zoning I had to turn this on. Now with the proxy I have to turn it off? ???


Victor Kirhenshtein

This option is intended for direct receiving of syslog messages and SNMP traps from nodes in other zones. When it is on, the server ignores the zone ID provided by the proxy and matches only based on source IP address. This option can only be turned on if you have unique IP addresses of trap/syslog senders across all zones. For non-unique addresses you have to use zone proxies.

Best regards,
Victor
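To make the behaviour discussed in this thread concrete (the matching policy question in the opening post and Victor's explanation of TrapSourcesInAllZones above), here is an added example that is not part of the thread and not NetXMS's own code. It parses a Cisco-style syslog line modelled on the one quoted in the debug output (hostname, sequence numbers and the node inventory are constructed), then runs a small model of the matching: with the all-zones flag on, the proxy's zone hint is discarded and the first node with the source IP wins, which is how the message lands on "Node C"; with it off, only the proxy's zone is searched. The short-label comparison in host_matches (accepting the part of the FQDN before the first dot, since the router in the thread strips everything after it) is an assumption about what a hostname policy could do, not a description of what the server does.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample line, modelled on the one quoted in the thread's debug output.
# The hostname and sequence numbers are made up; "<190>" is the PRI field
# (facility 23 = local7, severity 6 = informational) exactly as on the page.
SAMPLE = ("<190>620: site-rtr1: 000616: Dec 20 09:36:45.266 AEDT: "
          "%SEC-6-IPACCESSLOGNP: list 23 denied 0 42.237.64.29 -> 0.0.0.0, 1 packet")

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)
# Cisco IOS layout: "[seq]: hostname: [count]: timestamp: %FAC-SEV-MNEMONIC: text"
CISCO_RE = re.compile(r"^(?:(\d+):\s+)?([^\s:]+):\s+(.*)$", re.S)
MNEMONIC_RE = re.compile(r"%([A-Z0-9_]+)-(\d)-([A-Z0-9_]+):")


def parse_syslog(line: str) -> dict:
    """Split a Cisco-style BSD syslog line into PRI, sequence, hostname and body."""
    m = PRI_RE.match(line)
    if not m:
        raise ValueError("missing <PRI> field")
    pri = int(m.group(1))
    if pri > 191:
        raise ValueError("PRI out of range")
    facility, severity = divmod(pri, 8)
    c = CISCO_RE.match(m.group(2))
    if not c:
        raise ValueError("unrecognised message layout")
    seq, hostname, rest = c.groups()
    mn = MNEMONIC_RE.search(rest)
    return {
        "facility": facility,
        "severity": severity,
        "seq": int(seq) if seq else None,
        "hostname": hostname,
        "mnemonic": mn.group(0).rstrip(":") if mn else None,
        # The severity inside %FAC-SEV-MNEMONIC should agree with the PRI severity;
        # a mismatch is worth flagging when building detections on either field.
        "severity_consistent": mn is None or int(mn.group(2)) == severity,
        "msg": rest,
    }


@dataclass(frozen=True)
class Node:
    object_id: int
    primary_host: str   # primary host name as entered in the server (FQDN here)
    ip: str             # primary IP address
    zone: int           # zone ID


# Constructed inventory mirroring the thread: "Node C" in zone 0 and "Node A" in
# zone 8 share the same private address; "Node B" is the proxy for zone 8.
NODES = [
    Node(29870, "other-rtr.example.net", "192.168.0.1", 0),     # Node C
    Node(101,   "site-rtr1.example.net", "192.168.0.1", 8),     # Node A
    Node(47780, "100.100.100.1",         "100.100.100.1", 8),   # Node B (proxy)
]


def host_matches(node: Node, hostname: str) -> bool:
    """Assumed hostname policy: case-insensitive, and the short label of an FQDN
    also counts, because the router sends only the part before the first dot."""
    h = hostname.lower()
    fqdn = node.primary_host.lower()
    return h == fqdn or h == fqdn.split(".", 1)[0]


def match_node(src_ip: str, hostname: str, proxy_zone: int, policy: int,
               sources_in_all_zones: bool, nodes=NODES) -> Optional[Node]:
    """Model of the matching described in the thread (not the server's own code).
    sources_in_all_zones=True discards the proxy's zone hint and searches every
    zone; False restricts the search to the proxy's zone.  policy 0 = IP then
    hostname, policy 1 = hostname then IP."""
    pool = nodes if sources_in_all_zones else [n for n in nodes if n.zone == proxy_zone]

    def by_ip() -> Optional[Node]:
        return next((n for n in pool if n.ip == src_ip), None)

    def by_host() -> Optional[Node]:
        return next((n for n in pool if host_matches(n, hostname)), None)

    for lookup in ((by_ip, by_host) if policy == 0 else (by_host, by_ip)):
        hit = lookup()
        if hit is not None:
            return hit
    return None


def resolve(line: str, src_ip: str, proxy_zone: int, policy: int,
            sources_in_all_zones: bool) -> Optional[Node]:
    """Parse a proxied message and attribute it to a node under the given settings."""
    parsed = parse_syslog(line)
    return match_node(src_ip, parsed["hostname"], proxy_zone, policy, sources_in_all_zones)


if __name__ == "__main__":
    for flag in (True, False):
        n = resolve(SAMPLE, "192.168.0.1", proxy_zone=8, policy=0, sources_in_all_zones=flag)
        print(f"all-zones={int(flag)} -> object {n.object_id} in zone {n.zone}")
```

Running the block prints the attribution for both settings: with the all-zones flag the message is tied to object 29870 in zone 0 (the unrelated router), and with it off to object 101 in zone 8. The severity_consistent field is a cheap sanity check for detection pipelines that key on either the PRI or the Cisco mnemonic severity.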

Victor Kirhenshtein

Another note on having the external IP address from the router set as the primary address for the proxy node: you can try to set the option "This is address of remote management node" in communications options for the proxy node. That way the server will not consider the primary IP part of the proxy node.

Best regards,
Victor