Rsyslogd error during config processing stop is followed by unreachable statements


Rsyslog is doing exactly what you are telling it to do, but it's generating a
warning that what you are telling it is probably not what you intended.

What you told it to do is to stop processing the message, and then follow that
with additional actions to process the log (which will never be used because
you told it to stop processing).

It’s far clearer to use {} to group messages than to use the &

What you told it to do was (in pseudocode):

if info, except for mail and cron then write to Stor_temp

for all messages then write to Messages and throw away the log (don’t process
anything else in the config)

Since there are then actions that will never be executed, rsyslog warns about
this.

A better way to write this would be:

```
*.* ?Messages
*.info,mail.none,cron.none {
?Stor_Temp
stop
}
```

This makes it much clearer which statements you intend to be grouped. If you
used this syntax, the original would have been

```
*.info,mail.none,cron.none ?Stor_Temp
*.* {
?Messages
stop
}
```

and since the *.* means everything, this is the equivalent of:

```
*.info,mail.none,cron.none ?Stor_Temp
{
?Messages
stop
}
```

and since there is no condition for the block, this is the equivalent of:

```
*.info,mail.none,cron.none ?Stor_Temp
?Messages
stop
<followed by the rest of your config>
```

Does this make it clear why your original config wasn't working the way you
expected and why the warning message was correct?

David Lang

On Thu, 16 May 2019 09:00:58 -0700, josuegonzalezm wrote:

@rgerhards yes, I know that is not a command, I just said that as an expression, sorry ;-) And yes, I tested it and it didn't give me an error! This is amazing... I don't understand why, if I put

```
*.info,mail.none,cron.none ?Stor_Temp
*.* ?Messages
& stop
```

I get "error during config processing: STOP is followed by unreachable statements!", but if I write your answer it doesn't give it:

```
*.* ?Messages
*.info,mail.none,cron.none ?Stor_Temp
& stop
```

Anyway, thanks! I'm going to generate some logs and see what happens.
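The two orderings discussed in the thread above, written out in RainerScript so that the grouping is visible in the syntax rather than implied by `&`. This is an added example, not code from the thread or from the rsyslog project: the two template definitions are an assumption (the thread never shows how `?Stor_Temp` and `?Messages` are defined), and fragments A and B are alternatives, not one file.

```rsyslog
# Added example, not from the thread. The dynafile templates below are an
# assumption; the original config does not show them.
template(name="Messages"  type="string" string="/var/log/messages")
template(name="Stor_Temp" type="string" string="/var/log/stor_temp.log")

# ---- Fragment A: the original ordering, as rsyslog reads it ----
#   *.info,mail.none,cron.none ?Stor_Temp
#   *.* ?Messages
#   & stop
if prifilt("*.info,mail.none,cron.none") then {
    action(type="omfile" dynaFile="Stor_Temp")
}
# "*.*" matches every message, so the condition carries no information and
# its block is treated as top-level statements. The 'stop' below is then
# reached by every message, and every statement after it in the file (the
# distribution's rules, the included files) can never run. That is exactly
# what the parser reports:
#   "STOP is followed by unreachable statements!"
action(type="omfile" dynaFile="Messages")
stop

# ---- Fragment B: stop only the messages you actually mean to finish ----
action(type="omfile" dynaFile="Messages")
if prifilt("*.info,mail.none,cron.none") then {
    action(type="omfile" dynaFile="Stor_Temp")
    stop    # last statement of a conditional block: nothing is unreachable
}
# mail.*, cron.* and anything below info fall through to the rules that follow.
```

`rsyslogd -N1` parses the full configuration without starting the daemon and prints the same warning (or nothing), so the effect of a reordering can be checked before restarting the service.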


holybit / 1-run_rsyslog

```
$ cat /etc/redhat-release
CentOS Linux release 7.2.1511 (Core)
$ /usr/sbin/rsyslogd -v
rsyslogd 7.4.7, compiled with:
FEATURE_REGEXP: Yes
FEATURE_LARGEFILE: No
GSSAPI Kerberos 5 support: Yes
FEATURE_DEBUG (debug build, slow code): No
32bit Atomic operations supported: Yes
64bit Atomic operations supported: Yes
Runtime Instrumentation (slow code): No
uuid support: Yes
See http://www.rsyslog.com for more information.
$ /usr/sbin/rsyslogd
rsyslogd: error during parsing file (null), on or before line 93: STOP is followed by unreachable statements!
[try http://www.rsyslog.com/e/2207 ]
# & stop in 4.conf below seems to be the issue
```

error 2207; liblogging-stdlog: error during config processing: STOP is followed by unreachable statements! #3457

meem6 commented Feb 1, 2019

Hello,
I am getting this error in messages when starting rsyslogd ver 8.24:

liblogging-stdlog: error during config processing: STOP is followed by unreachable statements! [v8.24.0 try http://www.rsyslog.com/e/2207 ]

I added these lines to rsyslog.conf to save all logs in a directory structure by IP and host:

```
$ModLoad imudp
$UDPServerRun 514
$InputUDPServerBindRuleset remote

$template RemoteLogs, "/LOGS/remote/%FROMHOST-IP%/%HOSTNAME%.%timegenerated:1:10:date-rfc3339%.log"
*.* ?RemoteLogs
& stop
```

The logging is working OK, but I think the configuration can be done better.
(error during config processing: STOP is followed by unreachable statements)

Environment

rsyslogd 8.24.0
"SUSE Linux Enterprise Server 12 SP3"

meem6 commented Feb 7, 2019

The conf is a rather default one, just the lines for remote logging were added.

```
grep -v ^# /etc/rsyslog.conf |grep -v ^$
$ModLoad immark.so
$MarkMessagePeriod 3600
$ModLoad imuxsock.so
$RepeatedMsgReduction on
$ModLoad imklog.so
$klogConsoleLogLevel 1
$ModLoad imudp
$UDPServerRun 514
$InputUDPServerBindRuleset remote
$template RemoteLogs, "/LOGS/remote/%FROMHOST-IP%/%HOSTNAME%.%timegenerated:1:10:date-rfc3339%.log"
*.* ?RemoteLogs
& stop
$IncludeConfig /run/rsyslog/additional-log-sockets.conf
$IncludeConfig /etc/rsyslog.d/*.conf
$FileOwner root
$FileGroup root
$FileCreateMode 0640
$DirCreateMode 0750
$Umask 0022
if (
/*
kernel up to warning except of firewall */
($syslogfacility-text == 'kern') and
($syslogseverity
# (output truncated in the original)
```

meem6 commented Feb 7, 2019

What I want seems to be working OK; maybe I could do some performance tuning for remote logging.

All logs from the remote servers (a few hundred) and also from localhost are sent to the NAS at "/LOGS/remote/%FROMHOST-IP%/%HOSTNAME%.%timegenerated:1:10:date-rfc3339%.log".

There is nothing in /var/log/messages (but I don't mind, as the logs are in a different location, the same as for the remote servers).

So the error is more like a warning. I have a "strange" configuration; if I remove the "extra" lines I will be OK.
Thank you David.
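What this configuration was trying to do, written in the current syntax, as an added example rather than the reporter's own file. The path and the ruleset name `remote` come from the issue; the file ownership parameters and the `secpath-replace` option are additions of this example.

```rsyslog
# Added example, not the reporter's configuration.
module(load="imudp")

# The reporter's template, with one change: %HOSTNAME% is whatever the remote
# sender put in the message, and here it becomes part of a path. The
# secpath-replace property option turns any "/" in the value into "_", so a
# sender cannot steer the file outside its directory.
template(name="RemoteLogs" type="string"
         string="/LOGS/remote/%FROMHOST-IP%/%HOSTNAME:::secpath-replace%.%timegenerated:1:10:date-rfc3339%.log")

# The ruleset the listener is bound to. In the issue it was named in
# $InputUDPServerBindRuleset but never defined, so the "*.* ?RemoteLogs" and
# "& stop" pair ended up in the default ruleset: it applied to local messages
# as well, and stopped them before the distribution's rules. That is why
# /var/log/messages stayed empty and why the parser warned about
# unreachable statements.
ruleset(name="remote") {
    action(type="omfile" dynaFile="RemoteLogs"
           fileOwner="root" fileGroup="root"
           fileCreateMode="0640" dirCreateMode="0750")
    # No 'stop' needed: a message processed by a bound ruleset is never handed
    # to the default ruleset afterwards, so there is nothing left to stop.
}

input(type="imudp" port="514" ruleset="remote")

# Local messages stay in the default ruleset and reach the rules that follow
# (the kernel/firewall filter, /var/log/messages, the $IncludeConfig files).
```

In legacy syntax the equivalent fix is to start the ruleset with `$RuleSet remote` before the template and action lines and return to the default with `$RuleSet RSYSLOG_DefaultRuleset`, placing `$InputUDPServerBindRuleset remote` before `$UDPServerRun 514`; `rsyslogd -N1` confirms that the warning is gone.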


problem using ( & stop ) / STOP is followed by unreachable statements! #3668

josuegonzalezm commented May 16, 2019

Expected behavior

```
● rsyslog.service - System Logging Service
Loaded: loaded (/usr/lib/systemd/system/rsyslog.service; enabled; vendor preset: enabled)
Active: active (running) since Wed 2019-05-15 16:53:50 EDT; 15h ago

May 15 16:53:50 syslog002.ny5.pragmafs.com systemd[1]: Stopped System Logging Service.
May 15 16:53:50 syslog002.ny5.pragmafs.com systemd[1]: Starting System Logging Service.
May 15 16:53:50 syslog002.ny5.pragmafs.com rsyslogd[20753]: [origin software="rsyslogd" swVersion="8.24.0-34.el7" x-pid="20753" x-info="http://www.rsyslog.com"] start
May 15 16:53:50 syslog002.ny5.pragmafs.com systemd[1]: Started System Logging Service.
```

Actual behavior

```
● rsyslog.service - System Logging Service
Loaded: loaded (/usr/lib/systemd/system/rsyslog.service; enabled; vendor preset: enabled)
Active: active (running) since Thu 2019-05-16 08:50:07 EDT; 5s ago

May 16 08:50:07 syslog002.ny5.pragmafs.com rsyslogd[3604]: [origin software="rsyslogd" swVersion="8.24.0-34.el7" x-pid="3604" x-info="http://www.rsyslog.com"] start
May 16 08:50:07 syslog002.ny5.pragmafs.com rsyslogd[3604]: error during config processing: STOP is followed by unreachable statements! [v8.24.0-34.el7 try http://www.rsyslog.com/e/2207 ]
May 16 08:50:07 syslog002.ny5.pragmafs.com systemd[1]: Started System Logging Service.
```

Steps to reproduce the behavior

In rsyslog.conf, to get the current behavior I put "& stop", and it just works when I don't use it. I need to use that command to discard the log that matches the conditions.

Environment

  • rsyslog version: 8.24.0-34.el7.
  • platform: CentOS Linux release 7.6.1810
  • rsyslog.conf


How to Configure Remote Logging with Rsyslog on Ubuntu 18.04

In this tutorial, we are going to learn how to configure remote logging with Rsyslog on Ubuntu 18.04.

Log files are files that contain messages about the system, including the kernel, services, and applications running on it. There are different log files for different information. For example, there is a default system log file, a log file just for security messages, and a log file for cron tasks.


Log files are useful when troubleshooting a problem with a Linux system, for example when looking for unauthorized login attempts.

Some log files are controlled by the rsyslogd daemon, an enhanced replacement for sysklogd. It provides extended filtering, encrypted message relay, many configuration options, and input and output modules, and it supports both TCP and UDP as transports.

Rsyslog can be configured in a client/server model. As a client, it sends logs to a remote server over the network via TCP or UDP. As a server, it receives logs over the network from remote clients, by default on port 514 TCP/UDP.

Rsyslog routes syslog messages based on filters. You may want to check out our previous article with a basic introduction to rsyslog filters.

Configure Remote Logging Server with Rsyslog on Ubuntu 18.04

Install Rsyslog on Ubuntu 18.04

Rsyslog is installed on Ubuntu 18.04 by default. You can verify this by checking the version of the installed rsyslog.

If it is not installed, run the command below to install it.

apt install rsyslog -y

Once the installation is done, start and enable the rsyslog service.

Allow Rsyslog through Firewall

If a firewall is running, open the rsyslog ports through it.

Configure Ubuntu 18.04 as a Log Server

Now that rsyslog is installed and running, you need to configure it to run in server mode. To do so, edit the /etc/rsyslog.conf configuration file and uncomment the lines for UDP syslog reception in the MODULES section.

Note that TCP syslog reception is considerably more reliable than UDP and still fast. UDP can lose messages: when the server receives a large burst and the kernel's UDP socket buffer fills up, further datagrams are silently dropped and neither side notices. TCP avoids that failure mode (plain TCP syslog can still lose the messages in flight when a connection breaks, which is what RELP was designed to address). It is still worth having a UDP listener as well, because some devices, routers for instance, can only send UDP syslog. To cover everything, configure both.

By default, UDP syslog is received on port 514. TCP syslog often uses a different port: 514/tcp is the port registered for rsh (the "shell" service), so it may already be taken or filtered.

To make rsyslog listen on a different TCP port, say 50514, uncomment the TCP reception lines and change the port.

Verify that rsyslog is now listening on both ports.

You may notice that the UDP port shows no LISTEN state: UDP is connectionless and has no concept of "listening", "established", "closed", or anything like that.

Open the new port on UFW;

Define Allowed Senders

You may also want to explicitly restrict which remote clients are allowed to send syslog messages to rsyslogd. To achieve this, use the global $AllowedSender directive.

Allowed sender lists can be defined for UDP and TCP senders separately. The syntax to specify them is:

$AllowedSender [UDP/TCP], ip[/bits], ip[/bits]

ip[/bits] is a host or network IP address, as in "192.0.2.0/24" or "192.0.2.10". If the /bits part is omitted, a single host is assumed. "/0" is not allowed, because it would match any sending system.

Hostnames, with or without wildcards, may also be given; in that case the result of reverse DNS resolution is used for filtering. Multiple allowed senders are separated by commas.

List senders with high traffic volume before those with lower volume.

Beyond allowing specific hosts with this directive, it is a good idea to enforce the same restriction with the firewall. Neither mechanism authenticates the sender: a UDP source address can be spoofed, and reverse DNS is controlled by whoever runs the PTR zone, so treat allowed-sender lists as a filter, not as access control.

To allow specific hosts for either UDP or TCP logging, enter the following lines;

Configure Rsyslog Template

Templates are a key feature of rsyslog. Any output that rsyslog generates can be modified and formatted to your needs with templates. To create a template, use the following syntax in /etc/rsyslog.conf:

Thus, we can create our template like this:

Once you are done with the configuration, run a configuration check before restarting rsyslogd.

If all is well, restart rsyslog.

Rsyslogd is now ready to receive logs from remote hosts.

Configure Remote Client

Now it is time to configure the remote client to send syslog messages to the remote syslog server. Login and proceed as follows.

Verify Remote Ports Connection

To verify connectivity to the remote rsyslog server's TCP port 50514, run the command below:

Next, verify connectivity to UDP port 514. Since you cannot telnet to a UDP port, use netcat. On the server, run the command below:

On the client, run the command below, press ENTER and type anything. You should see what you type on the server.

If all is good, edit the rsyslog configuration file as shown below;

To send authentication logs over port 514/UDP, add the following line at the end of the file.

To send all logs over port 50514/TCP, add the following line at the end of the file.

As a cushion in case the remote rsyslog server goes down and your logs are too important to lose, configure a disk-assisted queue for the forwarding action in the rsyslog configuration file.

Restart the rsyslog service on the client.

You can now log out of the client and log in again. The authentication logs should appear on the rsyslog server.

Login to the server and verify the same.

In our case, we send only authentication logs to remote rsyslog server.

Well, that is all it takes to configure remote logging with rsyslog on Ubuntu 18.04. We hope this guide was helpful. Enjoy.
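The server and client sides of the procedure above in one place, as an added example rather than the tutorial's own files. The ports (514/udp, 50514/tcp) and the use of $AllowedSender come from the tutorial; the addresses, file names, the log directory and the queue parameters are assumptions.

```rsyslog
# Added example, not the tutorial's configuration. Addresses, file names and
# the log directory are assumptions; the ports are the tutorial's.

# ==== server: /etc/rsyslog.d/50-remote.conf ====
module(load="imudp")
module(load="imtcp")

# Allowed-sender lists, legacy directives as in the tutorial, placed before
# the listeners they apply to. They filter on source address or reverse DNS
# only; they do not authenticate anyone.
$AllowedSender UDP, 127.0.0.1, 192.0.2.0/24
$AllowedSender TCP, 127.0.0.1, 192.0.2.0/24

# One file per sending host and program. Both values come from the remote
# message, so secpath-replace rewrites any "/" they contain to "_" and the
# path cannot be steered outside /var/log/remote.
template(name="RemoteLogs" type="string"
         string="/var/log/remote/%HOSTNAME:::secpath-replace%/%PROGRAMNAME:::secpath-replace%.log")

# Remote messages get their own ruleset, so they never touch the local rules
# and no "& stop" is needed.
ruleset(name="remote") {
    action(type="omfile" dynaFile="RemoteLogs"
           dirCreateMode="0750" fileCreateMode="0640")
}

input(type="imudp" port="514"   ruleset="remote")
input(type="imtcp" port="50514" ruleset="remote")

# ==== client: /etc/rsyslog.d/60-forward.conf ====
# The disk queue below needs a work directory; Ubuntu's stock rsyslog.conf
# sets $WorkDirectory /var/spool/rsyslog.

# Authentication logs over 514/udp, as in the tutorial.
if prifilt("auth,authpriv.*") then {
    action(type="omfwd" target="192.0.2.10" port="514" protocol="udp")
}

# Everything over 50514/tcp, with a disk-assisted queue: while the server is
# unreachable, messages are spooled to disk instead of being dropped, and
# the action retries forever rather than being suspended.
action(type="omfwd" target="192.0.2.10" port="50514" protocol="tcp"
       queue.type="LinkedList" queue.filename="fwd_all"
       queue.maxDiskSpace="1g" queue.saveOnShutdown="on"
       action.resumeRetryCount="-1")
```

Check each file with `rsyslogd -N1` before `systemctl restart rsyslog`, and open the listeners with `ufw allow 514/udp` and `ufw allow 50514/tcp` on the server. Plain UDP and TCP syslog are neither encrypted nor authenticated; for anything that crosses an untrusted network, use rsyslog's TLS support (the gtls stream driver for imtcp and omfwd) or RELP rather than relying on $AllowedSender.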




I did not receive any data #1

Comments

ucakmakci commented Dec 22, 2016

My zabbix version is 2.4.8.

I made all the settings. I did not receive any data.

```
###########################################################
yum install perl-JSON-XS perl-libwww-perl perl-LWP-Protocol-https perl-Config-General
###########################################################
cpanm install CHI
cp zabbix_syslog_create_urls.pl /etc/zabbix/scripts/zabbix_syslog_create_urls.pl
chmod +x /etc/zabbix/scripts/zabbix_syslog_create_urls.pl
cp zabbix_syslog_lkp_host.pl /etc/zabbix/scripts/zabbix_syslog_lkp_host.pl
chmod +x /etc/zabbix/scripts/zabbix_syslog_lkp_host.pl
mkdir /etc/zabbix/scripts/lib
cp lib/ZabbixAPI.pm /etc/zabbix/scripts/lib
cp zabbix_syslog.cfg /etc/zabbix/zabbix_syslog.cfg
sudo chown zabbix:zabbix /etc/zabbix/zabbix_syslog.cfg
sudo chmod 700 /etc/zabbix/zabbix_syslog.cfg
###########################################################
vi /etc/zabbix/zabbix_syslog.cfg
admin password set.
###########################################################
/etc/rsyslog.d/zabbix_rsyslog.conf
$template RFC3164fmt,"<%PRI%>%TIMESTAMP% %HOSTNAME% %syslogtag%%msg%"
$template network-fmt,"%TIMESTAMP:::date-rfc3339% [%fromhost-ip%] %pri-text% %syslogtag%%msg%\n"
#exclude unwanted messages (~ is the legacy discard action):
:msg, contains, "Child connection from" ~
:msg, contains, "exit after auth (ubnt): Disconnect received" ~
:msg, contains, "password auth succeeded for 'ubnt' from ::ffff:xx.xx.xx.xx" ~
:msg, contains, "password auth succeeded for 'ubnt' from" ~
:msg, contains, "exit before auth: Exited normally" ~

# ^program;template runs the script once per message, with the message
# formatted by network-fmt on its stdin
if $fromhost-ip != '127.0.0.1' then ^/etc/zabbix/scripts/zabbix_syslog_lkp_host.pl;network-fmt
if $fromhost-ip != '127.0.0.1' then /var/log/network.log;network-fmt
& ~

###########################################################
vim /etc/rsyslog.conf
modify
$ModLoad imudp
$UDPServerRun 514
service rsyslog restart
###########################################################
Rsyslog is working. Data is coming
2016-12-22T16:22:34+03:00 [101.10.100.3] kern.err v-zhuravlev/zabbix-syslog
2016-12-22T16:22:34+03:00 [101.10.100.3] kern.err v-zhuravlev/zabbix-syslog
2016-12-22T16:22:35+03:00 [101.10.100.3] kern.err v-zhuravlev/zabbix-syslog
2016-12-22T16:22:35+03:00 [101.10.100.3] kern.err v-zhuravlev/zabbix-syslog
2016-12-22T16:22:36+03:00 [101.10.100.3] kern.err v-zhuravlev/zabbix-syslog
2016-12-22T16:22:36+03:00 [101.10.100.3] kern.err v-zhuravlev/zabbix-syslog
2016-12-22T16:22:37+03:00 [101.10.100.3] kern.err v-zhuravlev/zabbix-syslog
###########################################################
```
I have installed the syslog template, assigned the computer and added an SNMP interface on 161.

The script is not working.

How can I find my mistake?


zabbix-syslog / README.md

Scripts to get Syslog (protocol) messages into Zabbix from network devices, servers and others.

  1. Configure network devices to route all Syslog messages to your zabbix-server or zabbix-proxy host with rsyslog on board.
  2. With the rsyslog configuration altered, rsyslog runs the script (3), which determines which zabbix-host the message comes from (using the Zabbix API).
  3. The zabbix-sender protocol is then used to put messages into Zabbix (using the host found and the item with key=syslog).
  • IP-to-host resolutions are cached to minimize the number of Zabbix API queries.
  • zabbix_sender is implemented here as a perl function, so no CLI zabbix_sender tool is required.

Map context menu

As a bonus, the script zabbix_syslog_create_urls.pl can be used (and scheduled in cron for regular map link updates) to append a direct link to the host menu on maps, for reading Syslog item values for each host that has syslog:

The script does no rewriting of existing host links, it only appends to the list. Also, the link is only added to hosts that have an item with key 'syslog'.

The script is written in Perl and you will need common modules in order to run it:

There are numerous ways to install them:

  • Debian: apt-get install libwww-perl libjson-xs-perl libconfig-general-perl
  • CentOS: yum install perl-JSON-XS perl-libwww-perl perl-LWP-Protocol-https perl-Config-General
  • CPAN: PERL_MM_USE_DEFAULT=1 perl -MCPAN -e 'install Bundle::LWP' and PERL_MM_USE_DEFAULT=1 perl -MCPAN -e 'install JSON::XS' and PERL_MM_USE_DEFAULT=1 perl -MCPAN -e 'install Config::General'
  • cpanm: cpanm install LWP and cpanm install JSON::XS and cpanm install Config::General

The next file updates the syslog map links once a day. Copy it onto your zabbix-server:

Add the file /etc/rsyslog.d/zabbix_rsyslog.conf with the following contents:

(also check your firewall for UDP/514)

and restart rsyslog.

Import the syslog template and attach it to the hosts from which you expect syslog messages to come.

Create a user in the Zabbix frontend for syslog.

NOTE: you can use your admin user for testing.
It is recommended to create a separate user in order to retrieve hostnames and check for the existence of syslog items via the Zabbix API. A simple user with READ permissions for each host group should be enough. If you use the map context menu script zabbix_syslog_create_urls.pl, then also check for write permissions to maps.

Make sure that the script /etc/zabbix/scripts/zabbix_syslog_lkp_host.pl is executable under the rsyslog system user.
Run it by hand to see that all perl modules are available under that user (probably root).

Suggested Test 1

Do the following test:

  • In Zabbix, create a test host with a host interface of any type. Assign IP=127.0.0.1 to this host interface.
  • Attach Template Syslog to this host.
  • Under user root (or the user that runs rsyslog):
    echo "2017-12-19T09:26:26.314936+03:00 [127.0.0.1] syslog.info SysLogTest[4616]Test syslog message" | /etc/zabbix/scripts/zabbix_syslog_lkp_host.pl
    then check that this message can be found in the item with key = syslog.

Suggested Test 2

  • Stop the rsyslog daemon.
  • Run rsyslogd in interactive mode: rsyslogd -n
  • Open another terminal and send a test syslog message, connecting to an IP address other than 127.0.0.1:
    logger -n 192.168.56.15
  • Then type some test message, like so: hello world
  • Observe what the script actually returns when processing this test syslog message.
    For example:

If this doesn't help, then try again, this time running rsyslogd in debug mode: rsyslogd -dn


By default UDP syslog is received on port 514. TCP syslog may need a different port because often the RPC service is using this port as well.

To set rsyslog to run on a different TCP port, say TCP port, 50514, uncomment the TCP reception lines and change the port as shown below;

Verify that rsyslog is now listening on two ports;

You may notice that UDP port has no LISTEN state because it is connectionless and has no concept of “listening”, “established”, “closed”, or anything like that.

Open the new port on UFW;

Define Allowed Senders

You may also want to explicitly set the remote clients that are allowed to to send syslog messages to rsyslogd. To achieve this, you can set a global directive using the $AllowedSender directive.

Allowed sender lists can be defined for UDP and TCP senders separately. The syntax to specify them is:

$AllowedSender [UDP/TCP], ip[/bits], ip[/bits]

ip[/bits] is a machine or network ip address as in “192.0.2.0/24” or “192.0.2.10”. If the /bits part is omitted, a single host is assumed. “/0” is not allowed, because that would match any sending system.

Hostnames, with and without wildcards, may also be provided. If so, the result of revers DNS resolution is used for filtering. Multiple allowed senders can be specified in a comma-delimited list.

It is good to specify senders with high traffic volume before those with lower volume.

As much as allowing specific hosts via this directive, a good idea to impose allowed sender limitations via firewalling.

To allow specific hosts for either UDP or TCP logging, enter the following lines;

Configure Rsyslog Template

Templates are a key feature of rsyslog. Any output that is generated by rsyslog can be modified and formatted according to your needs with the use of templates. To create a template use the following syntax in /etc/rsyslog.conf:

Thus, we can create our template like;

Once you are done with configuration, you can now restart the rsyslog service by running the command below. Before you can restart rsyslogd, run a configuration check.

If all is well, proceed to restart rsyslog.

Rsyslogd is now ready to receive logs from remote hosts.

Configure Remote Client

Now it is time to configure the remote client to send syslog messages to the remote syslog server. Login and proceed as follows.

Verify Remote Ports Connection

To verify connectivity to remote rsyslog server TCP port 50514, run the command below;

Verify connectivity to UDP port 514. Since you cannot telnet to UDP port 514, use netcat command. On the server, run the command below;

On the client, run the command below, press ENTER and type anything. You should be able to see what you type on the server.

If all is good, edit the rsyslog configuration file as shown below;

To send authentication logs over port 514/UDP, add the following line at the end of the file.

To send all logs over port 50514/TCP, add the following line at the end of the file.

As a cushion just in case the remote rsyslog server goes down and your logs are so important you don’t want to loose, set the rsyslog disk queue for buffering in the rsyslog configuration file as shown below;

Restart the rsyslog service on the client.

You can now log out of the client and login again. The authentication logs should be available on rsyslog server.

Login to the server and verify the same.

In our case, we send only authentication logs to remote rsyslog server.

Well, that is all it takes to configure remote logging with rsyslog on Ubuntu 18.04. We hope this guide was helpful. Enjoy.

Источник

I use a raspberry pi for logging from all devices (loghost). Recently I’ve been getting the error:
error during parsing file /etc/rsyslog.conf, on or before line 91: STOP is followed by unreachable statements!

The problem is with my remote.conf file:

$template RemoteLogs,"/syslogs/%HOSTNAME%/%PROGRAMNAME%.log"
*.*  ?RemoteLogs
& stop

As soon as rsyslog sees the stop directive it literally stops reading the rest of the config.conf file. The result is that nothing on the loghost is logged. If I remove the file, everything from every device gets logged to the logs on loghost. I’ve looked everywhere and this is how they tell me to set it up, but it just does not work. I tried moving the include around the rsyslog.conf file, but the results are the same.

Any help would be appreciated. My rsyslog.conf file is below:

#  /etc/rsyslog.conf	Configuration file for rsyslog.
#
#			For more information see
#			/usr/share/doc/rsyslog-doc/html/rsyslog_conf.html


#################
#### MODULES ####
#################

module(load="imuxsock") # provides support for local system logging
module(load="imklog")   # provides kernel logging support
module(load="immark")  # provides --MARK-- message capability
#
# provides UDP syslog reception
module(load="imudp")
input(type="imudp" port="514")

# provides TCP syslog reception
module(load="imtcp")
input(type="imtcp" port="514")

###########################
#### GLOBAL DIRECTIVES ####
###########################

#
# Use traditional timestamp format.
# To enable high precision timestamps, comment out the following line.
#
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

#
# Set the default permissions for all log files.
#
$FileOwner root
$FileGroup adm
$FileCreateMode 0640
$DirCreateMode 0755
$Umask 0022

#
# Where to place spool and state files
#
$WorkDirectory /var/spool/rsyslog

###############
#### RULES ####
###############

#
# Include all config files in /etc/rsyslog.d/
#
$IncludeConfig /etc/rsyslog.d/*.conf    <<<<<<<<<<<<<<<<<This is where remote.conf is run (I've also tried running prior to global directives.)

#
# First some standard log files.  Log by facility.
#
auth,authpriv.*			/var/log/auth.log
*.*;auth,authpriv.none		-/var/log/syslog
#cron.*				/var/log/cron.log
daemon.*			-/var/log/daemon.log
kern.*				-/var/log/kern.log
lpr.*				-/var/log/lpr.log
mail.*				-/var/log/mail.log
user.*				-/var/log/user.log

#
# Logging for the mail system.  Split it up so that
# it is easy to write scripts to parse these files.
#
#mail.info			-/var/log/mail.info
#mail.warn			-/var/log/mail.warn
#mail.err			/var/log/mail.err

#
# Some "catch-all" log files.
#
*.=debug;
	auth,authpriv.none;
	news.none;mail.none	-/var/log/debug
*.=info;*.=notice;*.=warn;
	auth,authpriv.none;
	cron,daemon.none;
	mail,news.none		-/var/log/messages

#
# Emergencies are sent to everybody logged in.
#
*.emerg				:omusrmsg:*
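The behaviour in this thread comes down to the order in which rsyslog evaluates selectors and stop. The following Python model is an added illustration, not rsyslog code: it implements a simplified version of the classic selector syntax (no templates, property filters or the '!prio' form), replays the posted remote.conf against the local rules it is included before, and shows both why nothing local is written and why the "unreachable statements" warning is correct.

```python
"""Model of rsyslog classic selectors plus 'stop', written to show why
'*.* ?RemoteLogs' followed by '& stop' silences every rule after it.
Added illustration only; simplified selector semantics (see lead-in)."""

FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp"] + [f"local{i}" for i in range(8)]
PRIORITIES = ["debug", "info", "notice", "warning", "err", "crit", "alert", "emerg"]
ALIASES = {"warn": "warning", "error": "err", "panic": "emerg"}

def _prio(name):
    return PRIORITIES.index(ALIASES.get(name, name))

def _units(selector):
    """Yield (facilities, priority) pairs.  Accepts 'auth,authpriv.none' as well
    as the '*.info,mail.none,cron.none' spelling quoted in the thread."""
    for part in selector.split(";"):
        pending = []
        for tok in part.split(","):
            tok = tok.strip()
            if not tok:
                continue
            if "." in tok:
                fac, prio = tok.rsplit(".", 1)
                yield pending + [fac], prio
                pending = []
            else:
                pending.append(tok)

def parse_selector(selector):
    """Return {facility: set of matching priority indexes}.  Later parts override
    earlier ones, which is how '*.*;auth,authpriv.none' excludes auth."""
    table = {f: set() for f in FACILITIES}
    for facs, prio in _units(selector):
        if prio == "*":
            levels = set(range(len(PRIORITIES)))
        elif prio == "none":
            levels = set()
        elif prio.startswith("="):
            levels = {_prio(prio[1:])}
        else:                        # 'prio' means that priority and more severe
            levels = set(range(_prio(prio), len(PRIORITIES)))
        for f in (FACILITIES if facs == ["*"] else facs):
            table[f] = set(levels)
    return table

def compile_rules(rules):
    """rules: list of (selector, actions).  selector is a classic selector string,
    '&' (reuse the previous one) or a callable on the message; actions is one
    action string or a list, i.e. a '{ ... }' block."""
    compiled, prev = [], None
    for sel, actions in rules:
        if sel == "&":
            match = prev
        elif callable(sel):
            match = sel
        else:
            table = parse_selector(sel)
            match = lambda m, t=table: _prio(m["priority"]) in t[m["facility"]]
        compiled.append((match, actions if isinstance(actions, list) else [actions]))
        prev = match
    return compiled

def run_ruleset(rules, msg):
    """Return the actions that fire for msg, in order, honouring 'stop'."""
    fired = []
    for match, block in compile_rules(rules):
        if not match(msg):
            continue
        for action in block:
            if action == "stop":
                return fired
            fired.append(action)
    return fired

def unreachable_after_stop(rules):
    """Static check in the spirit of rsyslog's 'STOP is followed by unreachable
    statements': if a block containing stop matches every probe message (all
    facilities x priorities, local and remote sender), all later rules are dead.
    Returns the dead actions."""
    probes = [{"facility": f, "priority": p, "fromhost_ip": ip}
              for f in FACILITIES for p in PRIORITIES
              for ip in ("127.0.0.1", "192.0.2.10")]
    for i, (match, block) in enumerate(compile_rules(rules)):
        if "stop" in block and all(match(m) for m in probes):
            return [a for _, a in rules[i + 1:]]
    return []

# The included remote.conf exactly as posted, followed by two of the local
# rules from rsyslog.conf that it silently shadows.
POSTED = [("*.*", "?RemoteLogs"), ("&", "stop"),
          ("auth,authpriv.*", "/var/log/auth.log"),
          ("*.*;auth,authpriv.none", "-/var/log/syslog")]

# Same intent, but only messages from other hosts are diverted and stopped,
# i.e. the equivalent of: if $fromhost-ip != '127.0.0.1' then { ?RemoteLogs stop }
FIXED = [(lambda m: m["fromhost_ip"] != "127.0.0.1", ["?RemoteLogs", "stop"]),
         ("auth,authpriv.*", "/var/log/auth.log"),
         ("*.*;auth,authpriv.none", "-/var/log/syslog")]
```

With POSTED, a local auth.info message fires only ?RemoteLogs and both local files are reported dead; with FIXED, the same message reaches /var/log/auth.log while a remote one is still diverted and stopped.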

In this tutorial, we are going to learn how to configure remote logging with Rsyslog on Ubuntu 18.04.

Log files are files that contain messages about the system, including the kernel, services, and applications running on it. There are different log files for different information. For example, there is a default system log file, a log file just for security messages, and a log file for cron tasks.

Log files are useful when troubleshooting a problem with a Linux system, for example when looking for unauthorized login attempts.

Some log files are controlled by the rsyslogd daemon, an enhanced replacement for sysklogd. It provides extended filtering, encrypted message relay, a wide range of configuration options, and input and output modules. It supports both TCP and UDP as transport protocols.

Rsyslog can be configured in a client/server model. When configured as a client, it sends logs to a remote server over the network via TCP or UDP. As a server, it receives logs over the network from remote clients on port 514 TCP/UDP.

Rsyslog filters syslog messages based on selected filters. You may want to check out our previous article on basic introduction to rsyslog filters.

Configure Remote Logging Server with Rsyslog on Ubuntu 18.04

Install Rsyslog on Ubuntu 18.04

Rsyslog is installed on Ubuntu 18.04 by default. You can verify this by checking the version of installed rsyslog.

rsyslogd -v

If it is not installed, run the command below to install it.

apt install rsyslog -y

Once the installation is done, start and enable the rsyslog service.

systemctl start rsyslog
systemctl enable rsyslog

Allow Rsyslog through Firewall

If firewall is running, open rsyslog through it.

ufw allow 514/udp

Well, are you also interested in configuring syslog/rsyslog on Solaris 11.4? Check the links below;

Configure Rsyslog on Solaris 11.4 to Send logs to Remote Log Server

Configure Syslog on Solaris 11.4 for Remote Logging

Want to use NXLog to forward logs? Check out our article by following the link below;

Configure NXLog to Forward System Logs to Rsyslog Server on Ubuntu 18.04

Configure Ubuntu 18.04 as a Log Server

Now that rsyslog is installed and running, you need to configure it to run in server mode. To do so, edit the /etc/rsyslog.conf configuration file and uncomment the lines for UDP syslog reception in the MODULES section as shown below;

vim /etc/rsyslog.conf
# provides UDP syslog reception
module(load="imudp")
input(type="imudp" port="514")

Note that TCP syslog reception is far more reliable than UDP and still fast. The main reason is that UDP can suffer from message loss: when the syslog server has to receive large bursts of messages and the system's UDP buffer fills up, every further message is dropped. With TCP this does not happen. Still, it can be useful to have a UDP listener configured as well, because some devices (such as routers) cannot send TCP syslog by design. In that case you need both listener types to have everything covered.

By default UDP syslog is received on port 514. TCP syslog may need a different port because often the RPC service is using this port as well.

To run rsyslog on a different TCP port, say TCP port 50514, uncomment the TCP reception lines and change the port as shown below;

# provides TCP syslog reception
module(load="imtcp")
input(type="imtcp" port="50514")

Verify that rsyslog is now listening on two ports;

netstat -4altunp | grep 514
tcp        0      0 0.0.0.0:50514           0.0.0.0:*               LISTEN      10814/rsyslogd      
udp        0      0 0.0.0.0:514             0.0.0.0:*                           10814/rsyslogd

You may notice that UDP port has no LISTEN state because it is connectionless and has no concept of “listening”, “established”, “closed”, or anything like that.

Open the new port on UFW;

ufw allow 50514/tcp

Define Allowed Senders

You may also want to explicitly set the remote clients that are allowed to send syslog messages to rsyslogd. To achieve this, you can set a global directive using the $AllowedSender directive.

Allowed sender lists can be defined for UDP and TCP senders separately. The syntax to specify them is:

$AllowedSender [UDP/TCP], ip[/bits], ip[/bits]

ip[/bits] is a machine or network ip address as in “192.0.2.0/24” or “192.0.2.10”. If the /bits part is omitted, a single host is assumed. “/0” is not allowed, because that would match any sending system.

Hostnames, with and without wildcards, may also be provided. If so, the result of reverse DNS resolution is used for filtering. Multiple allowed senders can be specified in a comma-delimited list.

It is good to specify senders with high traffic volume before those with lower volume.

Besides allowing specific hosts via this directive, it is a good idea to enforce the same sender restrictions with the firewall as well.

To allow specific hosts for either UDP or TCP logging, enter the following lines;

vim /etc/rsyslog.conf
...
###########################
#### GLOBAL DIRECTIVES ####
###########################
# $AllowedSender - specifies which remote systems are allowed to send syslog messages to rsyslogd
$AllowedSender UDP, 192.168.43.0/24, [::1]/128, *.example.net, servera.example.com
$AllowedSender TCP, 192.168.43.0/24, [::1]/128, *.example.net, servera.example.com

Configure Rsyslog Template

Templates are a key feature of rsyslog. Any output that is generated by rsyslog can be modified and formatted according to your needs with the use of templates. To create a template use the following syntax in /etc/rsyslog.conf:

$template TEMPLATE_NAME,"text %PROPERTY% more text", [OPTION]

Thus, we can create our template like;

# provides TCP syslog reception
module(load="imtcp")
input(type="imtcp" port="50514")

#Custom template to generate the log filename dynamically based on the client's IP address.
$template RemInputLogs, "/var/log/remotelogs/%FROMHOST-IP%/%PROGRAMNAME%.log"
*.* ?RemInputLogs

Once you are done with configuration, you can now restart the rsyslog service by running the command below. Before you can restart rsyslogd, run a configuration check.

rsyslogd -f /etc/rsyslog.conf -N1
rsyslogd: version 8.32.0, config validation run (level 1), master config /etc/rsyslog.conf
rsyslogd: End of config validation run. Bye.

If all is well, proceed to restart rsyslog.

systemctl restart rsyslog

Rsyslogd is now ready to receive logs from remote hosts.

Configure Remote Client

Now it is time to configure the remote client to send syslog messages to the remote syslog server. Login and proceed as follows.

Verify Remote Ports Connection

To verify connectivity to remote rsyslog server TCP port 50514, run the command below;

telnet 192.168.43.154 50514
Trying 192.168.43.154...
Connected to 192.168.43.154.
Escape character is '^]'.
^]

telnet>

Verify connectivity to UDP port 514. Since you cannot telnet to UDP port 514, use netcat command. On the server, run the command below;

nc -ul 514

On the client, run the command below, press ENTER and type anything. You should be able to see what you type on the server.

nc -u 192.168.43.154 514

If all is good, edit the rsyslog configuration file as shown below;

vim /etc/rsyslog.conf

To send authentication logs over port 514/UDP, add the following line at the end of the file.

# Send logs to remote syslog server over UDP
auth,authpriv.* @192.168.43.154:514

To send all logs over port 50514/TCP, add the following line at the end of the file.

# Send logs to remote syslog server over TCP 50514
*.* @@192.168.43.154:50514

As a cushion in case the remote rsyslog server goes down and your logs are too important to lose, configure a disk-assisted queue for the forwarding action in the rsyslog configuration file as shown below;

# Define a disk-assisted queue in case the server goes down.
# Legacy $ActionQueue* directives apply to the NEXT action statement, so they
# must precede the forwarding rule they are meant to protect. Queueing helps
# most for a TCP action; a UDP action gets no delivery feedback from the server.
$ActionQueueFileName queue          # file name prefix for the on-disk queue files
$ActionQueueMaxDiskSpace 1g         # maximum space all queue files together may use on disk
$ActionQueueSaveOnShutdown on       # save queued messages to disk at shutdown
$ActionQueueType LinkedList         # keep enqueued messages in memory (fast), spilling to disk when needed
$ActionResumeRetryCount -1          # retry forever instead of dropping messages while the server is unreachable

# Send logs to remote syslog server over UDP
auth,authpriv.* @192.168.43.154:514

Restart the rsyslog service on the client.

systemctl restart rsyslog

You can now log out of the client and login again. The authentication logs should be available on rsyslog server.

Login to the server and verify the same.

ls /var/log/remotelogs/
127.0.0.1  192.168.43.214

In our case, we send only authentication logs to remote rsyslog server.

ls /var/log/remotelogs/192.168.43.214/
sshd.log  sudo.log  su.log  systemd-logind.log
tail -5 /var/log/remotelogs/192.168.43.214/sshd.log 
2018-10-21T11:01:33+03:00 mydevapp sshd[13430]: Disconnected from user amos 192.168.43.149 port 60808
2018-10-21T11:01:33+03:00 mydevapp sshd[13363]: pam_unix(sshd:session): session closed for user amos
2018-10-21T11:01:37+03:00 mydevapp sshd[13569]: pam_ecryptfs: Passphrase file wrapped
2018-10-21T11:01:37+03:00 mydevapp sshd[13567]: Accepted password for amos from 192.168.43.149 port 60854 ssh2
2018-10-21T11:01:37+03:00 mydevapp sshd[13567]: pam_unix(sshd:session): session opened for user amos by (uid=0)

Well, that is all it takes to configure remote logging with rsyslog on Ubuntu 18.04. We hope this guide was helpful. Enjoy.

v-zhuravlev / zabbix-syslog
Zabbix Syslog Integration (with rsyslog)

License: GNU General Public License v3.0


zabbix-syslog’s Introduction

About

Scripts to get Syslog (protocol) messages into Zabbix from network devices, servers and others.


  1. Configure network devices to send all Syslog messages to your zabbix-server or zabbix-proxy host, which has rsyslog on board.
  2. rsyslog, with its configuration altered as described below, runs the lookup script, which determines (using the Zabbix API) which Zabbix host the message comes from.
  3. The zabbix-sender protocol is then used to put the message into Zabbix (using the host found in step 2 and its item with key=syslog).

Features include:

  • IP to host resolutions are cached to minimize the number of Zabbix API queries
  • zabbix_sender here is in a form of a perl function, so no cli zabbix_sender tool is required

Map context menu

As a bonus, the script zabbix_syslog_create_urls.pl can be used (and scheduled in cron for regular map link updates) to append to the map host menu a direct link for reading the Syslog item values of each host that has syslog.
The script does not rewrite existing host links; it only appends to the list. The link is only added to hosts that have an item with key 'syslog'.

Setup

Dependencies

The script is written in Perl, and you will need the following common modules in order to run it:

LWP
JSON::XS
Config::General

There are numerous ways to install them:

  • In Debian: apt-get install libwww-perl libjson-xs-perl libconfig-general-perl
  • In CentOS: yum install perl-JSON-XS perl-libwww-perl perl-LWP-Protocol-https perl-Config-General
  • Using CPAN: PERL_MM_USE_DEFAULT=1 perl -MCPAN -e 'install Bundle::LWP' and PERL_MM_USE_DEFAULT=1 perl -MCPAN -e 'install JSON::XS' and PERL_MM_USE_DEFAULT=1 perl -MCPAN -e 'install Config::General'
  • Using cpanm: cpanm install LWP and cpanm install JSON::XS and cpanm install Config::General

Copy scripts

mkdir -p /etc/zabbix/scripts
cp zabbix_syslog_create_urls.pl /etc/zabbix/scripts/zabbix_syslog_create_urls.pl
chmod +x /etc/zabbix/scripts/zabbix_syslog_create_urls.pl

cp zabbix_syslog_lkp_host.pl /etc/zabbix/scripts/zabbix_syslog_lkp_host.pl
chmod +x /etc/zabbix/scripts/zabbix_syslog_lkp_host.pl

mkdir /etc/zabbix/scripts/lib
cp lib/ZabbixAPI.pm /etc/zabbix/scripts/lib


cp zabbix_syslog.cfg /etc/zabbix/zabbix_syslog.cfg
sudo chown zabbix:zabbix /etc/zabbix/zabbix_syslog.cfg
sudo chmod 700 /etc/zabbix/zabbix_syslog.cfg

edit /etc/zabbix/zabbix_syslog.cfg

Copy crontab

The following cron file updates the syslog map links once a day. Copy it onto your zabbix-server:

cp cron.d/zabbix_syslog_create_urls /etc/cron.d

rsyslog

Add the file /etc/rsyslog.d/zabbix_rsyslog.conf with the following contents:

# provides UDP syslog reception
$ModLoad imudp
$UDPServerRun 514

#enables omprog module
$ModLoad omprog

$template RFC3164fmt,"<%PRI%>%TIMESTAMP% %HOSTNAME% %syslogtag%%msg%"
$template network-fmt,"%TIMESTAMP:::date-rfc3339% [%fromhost-ip%] %pri-text% %syslogtag%%msg%\n"

#exclude unwanted messages(examples):
:msg, contains, "Child connection from" stop
:msg, contains, "exit after auth (ubnt): Disconnect received" stop
:msg, contains, "password auth succeeded for 'ubnt' from" stop
:msg, contains, "exit before auth: Exited normally" stop
if $fromhost-ip != '127.0.0.1' then {
        action(type="omprog" binary="/etc/zabbix/scripts/zabbix_syslog_lkp_host.pl" template="network-fmt")
        stop
}

(also check your firewall for UDP/514 btw)

…and restart rsyslog
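The pipeline this snippet sets up is: omprog hands each line, formatted by the network-fmt template, to the lookup script, which resolves fromhost-ip to a Zabbix host and pushes the line with the zabbix_sender protocol. The Python below is an added illustration of that pipeline, not the project's Perl code; the IP-to-host dictionary is a constructed stand-in for the cached Zabbix API lookup, and the sample line is constructed in the format of Suggested Test 1.

```python
"""Added illustration of the omprog -> lookup -> zabbix_sender pipeline.
Not the project's code; IP_TO_HOST stands in for the cached Zabbix API lookup."""
import json
import re
import struct

# Shape produced by the network-fmt template above:
#   %TIMESTAMP:::date-rfc3339% [%fromhost-ip%] %pri-text% %syslogtag%%msg%
NETWORK_FMT = re.compile(
    r"^(?P<ts>\S+) \[(?P<ip>[0-9A-Fa-f.:]+)\] "
    r"(?P<facility>[a-z0-9]+)\.(?P<severity>[a-z]+) (?P<rest>.*)$")

# Constructed stand-in for the hostinterface results the script caches.
IP_TO_HOST = {"127.0.0.1": "SysLogTest", "192.168.1.20": "switch-20"}

ZBX_HEADER = b"ZBXD\x01"   # protocol magic plus flags (0x01 = plain, uncompressed)

def parse_network_fmt(line):
    """Split one network-fmt line into its fields, or None when it does not
    match (for instance a line whose sender was logged as ~NOTRESOLVED~)."""
    m = NETWORK_FMT.match(line.rstrip("\n"))
    return m.groupdict() if m else None

def frame(payload):
    """Wrap a JSON document in the Zabbix header: 'ZBXD', flags, 4-byte
    little-endian body length, 4 reserved bytes.  Zabbix 4.0+ rejects sender
    data without this header ('Message ... is missing header')."""
    body = json.dumps(payload, separators=(",", ":")).encode()
    return ZBX_HEADER + struct.pack("<II", len(body), 0) + body

def unframe(buf):
    """Inverse of frame(); validates magic, flags and the declared length."""
    if len(buf) < 13 or buf[:5] != ZBX_HEADER:
        raise ValueError("not a Zabbix frame")
    length, _reserved = struct.unpack("<II", buf[5:13])
    body = buf[13:13 + length]
    if len(body) != length:
        raise ValueError("truncated frame")
    return json.loads(body)

def sender_request(host, key, value):
    """Build the 'sender data' request zabbix_sender would send."""
    return frame({"request": "sender data",
                  "data": [{"host": host, "key": key, "value": value}]})

def syslog_line_to_request(line, key="syslog", ip_to_host=IP_TO_HOST):
    """Do what the lookup script does for one line: resolve the sender IP to a
    host name and push the whole line as the value of the item with key
    'syslog'.  Returns None when the line cannot be parsed or the IP is not a
    known host interface, which is the 'no data in Zabbix' symptom."""
    fields = parse_network_fmt(line)
    if fields is None:
        return None
    host = ip_to_host.get(fields["ip"])
    if host is None:
        return None
    return sender_request(host, key, line.rstrip("\n"))

# Constructed sample in the format used by Suggested Test 1 below.
SAMPLE = ("2017-12-19T09:26:26.314936+03:00 [127.0.0.1] syslog.info "
          "SysLogTest[4616]Test syslog message\n")
```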

Import template

Import the syslog template and attach it to the hosts from which you expect syslog messages to come.

Create user in Zabbix frontend for syslog

NOTE: you can use your admin user for testing.
It is recommended to create a separate user in order to retrieve hostnames and check for the existence of syslog items via the Zabbix API.
A simple user with READ permissions for each Host group should be enough.
If you use the map context menu script zabbix_syslog_create_urls.pl, then also check for write permissions to maps.

Troubleshooting

Make sure that the script /etc/zabbix/scripts/zabbix_syslog_lkp_host.pl is executable under the rsyslog system user.
Run it by hand to see that all Perl modules are available under that user (probably root).

Suggested Test 1

Do the following test:

  • In Zabbix, create a test host with a host interface of any type. Assign IP=127.0.0.1 to this host interface.
  • Attach Template Syslog to this host.
  • Under user root (or the user that runs rsyslog):
    echo "2017-12-19T09:26:26.314936+03:00 [127.0.0.1] syslog.info SysLogTest[4616]Test syslog message" | /etc/zabbix/scripts/zabbix_syslog_lkp_host.pl
    then check that this message can be found in the item with key = syslog.

Suggested Test 2

  • Stop the rsyslog daemon.
  • Run rsyslogd in interactive mode: rsyslogd -n
  • Open another terminal and send a test syslog message, connecting to an IP address other than 127.0.0.1:
    logger -n 192.168.56.15
  • Then type some test message, like so: hello world
  • Observe what the script actually returns when processing this test syslog message.
    For example:
[[email protected] vagrant]# rsyslogd -n
rsyslogd: error during config processing: STOP is followed by unreachable statements!  [v8.24.0 try http://www.rsyslog.com/e/2207 ]
Can't locate ZabbixAPI.pm in @INC (@INC contains: /etc/zabbix/scripts/lib /usr/local/lib64/perl5 /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 .) at /etc/zabbix/scripts/zabbix_syslog_lkp_host.pl line 11.
BEGIN failed--compilation aborted at /etc/zabbix/scripts/zabbix_syslog_lkp_host.pl line 11.
rsyslogd: Child 15334 has terminated, reaped by main-loop. [v8.24.0 try http://www.rsyslog.com/e/0 

If this doesn’t help, then try again this time running rsyslogd in the debug mode:
rsyslogd -dn

More info:

https://habrahabr.ru/company/zabbix/blog/252915/ (RU)


zabbix-syslog’s Issues

I did not receive any data

Hi,

My zabbix version 2.4.8

I made all the settings. I did not receive any data.

My steps,

###########################################################
yum install perl-JSON-XS perl-libwww-perl perl-LWP-Protocol-https perl-Config-General
###########################################################
cpanm install CHI
cp zabbix_syslog_create_urls.pl /etc/zabbix/scripts/zabbix_syslog_create_urls.pl
chmod +x /etc/zabbix/scripts/zabbix_syslog_create_urls.pl
cp zabbix_syslog_lkp_host.pl /etc/zabbix/scripts/zabbix_syslog_lkp_host.pl
chmod +x /etc/zabbix/scripts/zabbix_syslog_lkp_host.pl
mkdir /etc/zabbix/scripts/lib
cp lib/ZabbixAPI.pm /etc/zabbix/scripts/lib
cp zabbix_syslog.cfg /etc/zabbix/zabbix_syslog.cfg
sudo chown zabbix:zabbix /etc/zabbix/zabbix_syslog.cfg
sudo chmod 700 /etc/zabbix/zabbix_syslog.cfg
###########################################################
vi /etc/zabbix/zabbix_syslog.cfg
admin password set.
###########################################################
/etc/rsyslog.d/zabbix_rsyslog.conf
$template RFC3164fmt,"<%PRI%>%TIMESTAMP% %HOSTNAME% %syslogtag%%msg%"
$template network-fmt,"%TIMESTAMP:::date-rfc3339% [%fromhost-ip%] %pri-text% %syslogtag%%msg%\n"
#exclude unwanted messages:
:msg, contains, "Child connection from" ~
:msg, contains, "exit after auth (ubnt): Disconnect received" ~
:msg, contains, "password auth succeeded for 'ubnt' from ::ffff:xx.xx.xx.xx" ~
:msg, contains, "password auth succeeded for 'ubnt' from" ~
:msg, contains, "exit before auth: Exited normally" ~
if $fromhost-ip != '127.0.0.1' then ^/etc/zabbix/scripts/zabbix_syslog_lkp_host.pl;network-fmt
if $fromhost-ip != '127.0.0.1' then /var/log/network.log;network-fmt
& ~
###########################################################
vim /etc/rsyslog.conf
modify
$ModLoad imudp
$UDPServerRun 514
service rsyslog restart
###########################################################
Rsyslog is working. Data is coming
2016-12-22T16:22:34+03:00 [101.10.100.3] kern.err v-zhuravlev/zabbix-syslog
2016-12-22T16:22:34+03:00 [101.10.100.3] kern.err v-zhuravlev/zabbix-syslog
2016-12-22T16:22:35+03:00 [101.10.100.3] kern.err v-zhuravlev/zabbix-syslog
2016-12-22T16:22:35+03:00 [101.10.100.3] kern.err v-zhuravlev/zabbix-syslog
2016-12-22T16:22:36+03:00 [101.10.100.3] kern.err v-zhuravlev/zabbix-syslog
2016-12-22T16:22:36+03:00 [101.10.100.3] kern.err v-zhuravlev/zabbix-syslog
2016-12-22T16:22:37+03:00 [101.10.100.3] kern.err v-zhuravlev/zabbix-syslog
###########################################################
I have installed the syslog-template.. assign computer and add snmp interface 161

Script not working

How can i find my mistake

please help me

ZabbixAPI.pm?

Hi — Can you tell me where ZabbixAPI.pm is located? I did not see it as part of the source code. Thanks !

3.4+ Zabbix API: Doesn’t create URLs on maps properly anymore

This is due to Zabbix API map.get changes

fix working with newer version of Rsyslog

Not working on all hosts.

I configured template as described in readme file.
I have two hosts, 192.168.1.10 and 192.168.1.20. On the 192.168.1.10 host everything is working as it should, I am getting information in zabbix, but on the host 192.168.1.20 I am getting nothing.
Both hosts are forwarding their logs to rsyslogd (192.168.1.5), which is running on the same server as the zabbix server. I can see messages from both hosts in the syslog file on the rsyslog server.
If I try to manually run
echo "2017-12-19T09:26:26.314936+03:00 [192.168.1.20] syslog.info SysLogTest[4616]Test syslog message" | /etc/zabbix/scripts/zabbix_syslog_lkp_host.pl
I get information in zabbix.
Both hosts are configured exactly the same in zabbix.

Getting error saying zabbix_syslog.cfg doesn’t exist, but it does

The title pretty much says it. I’m doing the second test suggested on the site. I turned off "rsyslog.service" and "syslog.socket", and ran rsyslogd -n. On another computer on the same network I ran "logger -n [ip]", and typed a few things in. I checked to see if they showed up in the log itself, and they do, but in the output of rsyslogd -n I’m only getting the following error:

Please check that config file is available as /usr/local/etc/zabbix_syslog.cfg or /etc/zabbix/zabbix_syslog.cfg

I made sure the zabbix_syslog.cfg file was in the right spot and had the right username and password. I’m not sure what else to check.

Empty field

Hello.

I have a question about the project. I installed and configured it, and everything is great. Logs from a D-Link DGS-1510-52X/ME are processed perfectly and the latest data is there, but with the D-Link DXS-3600-16S there are problems. The host appears in the latest data, but with an empty value; there are no logs. The logs of these switches look almost identical, so I cannot understand what the problem is. I would be grateful if you could help with this situation. Thank you for the project.

zabbix_syslog_lkp_host.pl

Greetings. Is it possible to rework it to use DNS names? My Cisco equipment, for example, writes everything to syslog with the DNS name, so I assume the script does not work because there is no IP address there...

Script broken in Zabbix 4.0

In Zabbix 4.0, plain text protocol support is dropped and header is mandatory.

In consequence, this script generates tons of logs like this:

 25712:20181114:093830.826 Message from 127.0.0.1 is missing header. Message ignored.
 25708:20181114:093830.827 Message from 127.0.0.1 is missing header. Message ignored.
 25712:20181114:093831.427 Message from 127.0.0.1 is missing header. Message ignored.

I hope to find a way to solve this, but i’m not a developer. Any help is welcome.

More information here: https://support.zabbix.com/browse/ZBXNEXT-3581

Zabbix 4.0

Hello!
I recently installed Zabbix 4.0 and set up the environment for this script, but nothing happens. When I try it in debug, I get this:

[[email protected] scripts]# ./zabbix_syslog_lkp_host.pl
1 [192.168.1.160] 2
$VAR1 = [
          {
            'ip' => '192.168.1.160',
            'hostid' => '10260',
            'interfaceid' => '2'
          }
        ];
$VAR1 = [
          {
            'itemid' => '29343'
          }
        ];
$VAR1 = [
          {
            'proxy_hostid' => '0',
            'status' => '0',
            'hostid' => '10260',
            'host' => '192.168.1.160'
          }
        ];
host - 192.168.1.160, item - syslog, data - 1 [192.168.1.160] 2
answer from zabbix server zabbix:

And it goes on like this indefinitely.
When I try to send the command again, I get this:

[[email protected] scripts]# ./zabbix_syslog_lkp_host.pl
1 [192.168.1.160] 2
host - 192.168.1.160, item - syslog, data - 1 [192.168.1.160] 2
answer from zabbix server zabbix:

Either the API parameters have changed or something else has, but I am not receiving the data in Zabbix.
Please help with a solution.

Login name or password is incorrect

Hello.
I would like to use your method on the zabbix.
I did everything as written in the wiki.
But the data does not come in zabbix.
When I do so:
/etc/zabbix/scripts/zabbix_syslog_lkp_host.pl '[xxx.xx.xx.xxx] kern.err /var/log/syslog'
I get
Login name or password is incorrect
I understand that the wrong credentials in the file
/usr/local/etc/zabbix_syslog.cfg
but they are correct. There is use the super administrator’s credentials.
What can be wrong?

Any Tests with Zabbix 5.2.X ?

Hey,

If there any test results with Zabbix Server 5.2.x available? We’re using 5.2. and didn’t get any data.

Thanks

configuration for proxy

specifically for /etc/zabbix/zabbix_syslog.cfg but also for other files, what differences should there be between the proxy and the server?

for my configuration my frontend and server are on the same system and the proxy in a dmz which can’t access the frontend url.

Log received by rsyslog but not processed

Hi guys, I'm testing your script but I can't get it to work. Using Zabbix 4.0.11.
I'm trying to send a MikroTik's remote log to rsyslog on the Zabbix host. I have tried "Suggested Test 1" and it works great, but not when rsyslog receives a remote log.
In the rsyslogd -dn debug output I can see this:
parser.c: msg parser: flags 70, from '~NOTRESOLVED~', msg '<30>Aug 4 10:22:44
I suspect that the IP the log comes from is not being recognized.
Thanks!

Getting syslog information from a separate syslog server

Hello, apologies if this is a silly question. I guess it's somewhat of a feature request?

How would I go about getting the syslog information from a syslog server that's separate from the Zabbix server, while still adding the devices and having them labeled by their own IPs (as opposed to adding an agent on the syslog server and monitoring that)?

I'm a little new to Zabbix in general, and while I've read a good chunk of the documentation some of it is still a tad confusing. I'm not opposed to modifying the scripts, although I don't know Perl very well.

About

Scripts to get Syslog (protocol) messages into Zabbix from network devices, servers and others.

new

  1. Configure network devices to send all Syslog messages to your zabbix-server or zabbix-proxy host, which runs rsyslog
  2. With the altered rsyslog configuration, rsyslog runs script (3), which determines which zabbix-host the message comes from (using the Zabbix API)
  3. The zabbix-sender protocol is then used to put the message into Zabbix (into the item with key=syslog on the host that was found)

Features include:

  • IP to host resolutions are cached to minimize the number of Zabbix API queries
  • zabbix_sender here is in a form of a perl function, so no cli zabbix_sender tool is required

As a bonus, the script zabbix_syslog_create_urls.pl can be used (and scheduled in cron for regular map link updates) to append a direct link to the map host menu for reading Syslog item values, for each host that has syslog.
The script does not rewrite existing host links; it only appends to the list. The link is only added to hosts that have an item with key 'syslog'.

Setup

Dependencies

The script is written in Perl and you will need common modules in order to run it:

LWP
JSON::XS
Config::General

There are numerous ways to install them:

In Debian:
  apt-get install libwww-perl libjson-xs-perl libconfig-general-perl

In CentOS:
  yum install perl-JSON-XS perl-libwww-perl perl-LWP-Protocol-https perl-Config-General

Using CPAN:
  PERL_MM_USE_DEFAULT=1 perl -MCPAN -e 'install Bundle::LWP'
  PERL_MM_USE_DEFAULT=1 perl -MCPAN -e 'install JSON::XS'
  PERL_MM_USE_DEFAULT=1 perl -MCPAN -e 'install Config::General'

Using cpanm:
  cpanm install LWP
  cpanm install JSON::XS
  cpanm install Config::General

Copy scripts

mkdir -p /etc/zabbix/scripts
cp zabbix_syslog_create_urls.pl /etc/zabbix/scripts/zabbix_syslog_create_urls.pl
chmod +x /etc/zabbix/scripts/zabbix_syslog_create_urls.pl

cp zabbix_syslog_lkp_host.pl /etc/zabbix/scripts/zabbix_syslog_lkp_host.pl
chmod +x /etc/zabbix/scripts/zabbix_syslog_lkp_host.pl

mkdir /etc/zabbix/scripts/lib
cp lib/ZabbixAPI.pm /etc/zabbix/scripts/lib


cp zabbix_syslog.cfg /etc/zabbix/zabbix_syslog.cfg
sudo chown zabbix:zabbix /etc/zabbix/zabbix_syslog.cfg
sudo chmod 700 /etc/zabbix/zabbix_syslog.cfg

edit /etc/zabbix/zabbix_syslog.cfg (it holds the Zabbix API credentials the script logs in with, which is why the ownership and mode above restrict it to the owner)

Copy crontab

The following file updates the syslog map links once a day. Copy it onto your zabbix-server:

cp cron.d/zabbix_syslog_create_urls /etc/cron.d

rsyslog

add file /etc/rsyslog.d/zabbix_rsyslog.conf with contents:

# provides UDP syslog reception
$ModLoad imudp
$UDPServerRun 514

#enables omprog module
$ModLoad omprog

$template RFC3164fmt,"<%PRI%>%TIMESTAMP% %HOSTNAME% %syslogtag%%msg%"
$template network-fmt,"%TIMESTAMP:::date-rfc3339% [%fromhost-ip%] %pri-text% %syslogtag%%msg%\n"

#exclude unwanted messages(examples):
:msg, contains, "Child connection from" stop
:msg, contains, "exit after auth (ubnt): Disconnect received" stop
:msg, contains, "password auth succeeded for 'ubnt' from" stop
:msg, contains, "exit before auth: Exited normally" stop
if $fromhost-ip != '127.0.0.1' then {
        action(type="omprog" binary="/etc/zabbix/scripts/zabbix_syslog_lkp_host.pl" template="network-fmt")
        stop
}

(also check that your firewall allows UDP/514 in)

…and restart rsyslog

service rsyslog restart 

Import template

Import the syslog template and attach it to the hosts from which you expect syslog messages to come.

Create user in Zabbix frontend for syslog

NOTE: you can use your admin user for testing.
It is recommended to create a separate user for retrieving hostnames and checking that the syslog item exists via the Zabbix API.
A simple user with READ permissions on each host group should be enough.
If you use the map context menu script zabbix_syslog_create_urls.pl, then also give it write permissions on maps.

Troubleshooting

Make sure that the script /etc/zabbix/scripts/zabbix_syslog_lkp_host.pl is executable by the system user rsyslog runs as.
Run it by hand to check that all Perl modules are available to that user (probably root).

Suggested Test 1

Do the following test:

  • In Zabbix create the test host with host interface of any type. Assign IP=127.0.0.1 to this host interface.
  • Attach Template Syslog to this host.
  • Under user root (or user that runs rsyslog):
    echo "2017-12-19T09:26:26.314936+03:00 [127.0.0.1] syslog.info SysLogTest[4616]Test syslog message" | /etc/zabbix/scripts/zabbix_syslog_lkp_host.pl
    then check that this message can be found in item with key = syslog.
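
The pipeline the README describes (template line in on stdin from omprog, IP to host lookup with a cache, value pushed with the zabbix_sender protocol), written out as an added example in Python. This is not the project's Perl code: the host table, the sample lines and the server reply are constructed here, and `FAKE_HOSTS.get` stands in for the Zabbix API query the real script makes. The line parser is anchored on the fixed layout of the `network-fmt` template so that the host is always taken from the `[%fromhost-ip%]` field rsyslog filled in, never from a `[x.x.x.x]` that a sender placed inside the message body.

```python
"""Added example, not the project's Perl code: the omprog stdin contract, strict
parsing of the network-fmt template line, an IP-to-host cache in front of the
Zabbix API lookup, and zabbix_sender framing. All sample data is constructed."""
import ipaddress
import json
import re
import struct

# Layout emitted by the README's template:
#   %TIMESTAMP:::date-rfc3339% [%fromhost-ip%] %pri-text% %syslogtag%%msg%
# Anchored at line start, so the bracketed IP is the one rsyslog recorded as the
# packet source, never a "[x.x.x.x]" a sender put inside the untrusted body.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) \[(?P<ip>[^\]\s]+)\] (?P<pri>[a-z0-9]+\.[a-z]+) (?P<rest>.*)$")

def parse_network_fmt(line):
    """Return {'ts','ip','pri','msg'} for a well-formed line, else None."""
    m = LINE_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    try:  # rejects "~NOTRESOLVED~" and anything else that is not an address
        ip = str(ipaddress.ip_address(m.group("ip")))
    except ValueError:
        return None
    return {"ts": m.group("ts"), "ip": ip, "pri": m.group("pri"), "msg": m.group("rest")}

class HostResolver:
    """IP -> Zabbix host cache: each IP costs at most one API call. api_lookup stands
    in for the API query; misses are not cached so a host added later is found."""
    def __init__(self, api_lookup):
        self._api_lookup, self._cache, self.api_calls = api_lookup, {}, 0

    def resolve(self, ip):
        if ip not in self._cache:
            self.api_calls += 1
            host = self._api_lookup(ip)
            if host is None:
                return None
            self._cache[ip] = host
        return self._cache[ip]

ZBX_HEADER = b"ZBXD\x01"  # protocol tag plus version byte

def build_sender_packet(host, key, value):
    """zabbix_sender request: header, 8-byte little-endian body length, JSON body."""
    body = json.dumps({"request": "sender data",
                       "data": [{"host": host, "key": key, "value": value}]},
                      separators=(",", ":")).encode()
    return ZBX_HEADER + struct.pack("<Q", len(body)) + body

def parse_sender_response(raw):
    """Decode a server reply into its counts; raise on a malformed or failed reply."""
    if raw[:5] != ZBX_HEADER or len(raw) < 13:
        raise ValueError("not a Zabbix protocol frame")
    (length,) = struct.unpack("<Q", raw[5:13])
    body = raw[13:13 + length]
    if len(body) != length:
        raise ValueError("truncated frame")
    reply = json.loads(body)
    m = re.search(r"processed: (\d+); failed: (\d+); total: (\d+)", reply.get("info", ""))
    if reply.get("response") != "success" or not m:
        raise ValueError("server rejected data: %r" % (reply,))
    return {"processed": int(m.group(1)), "failed": int(m.group(2)), "total": int(m.group(3))}

def process_stream(lines, resolver, key="syslog"):
    """omprog keeps the binary running and writes one template line per message to
    its stdin; this is that per-line loop. Returns one record per input line."""
    out = []
    for line in lines:
        parsed = parse_network_fmt(line)
        if parsed is None:
            out.append({"status": "unparsed", "line": line})
            continue
        host = resolver.resolve(parsed["ip"])
        if host is None:
            out.append({"status": "unknown_host", "ip": parsed["ip"]})
            continue
        value = "%s %s %s" % (parsed["ts"], parsed["pri"], parsed["msg"])
        out.append({"status": "sent", "host": host,
                    "packet": build_sender_packet(host, key, value)})
    return out

FAKE_HOSTS = {"127.0.0.1": "syslog-test", "192.168.56.15": "router01"}  # constructed API stand-in

# Constructed input: the README's Test 1 line, a body that claims another IP,
# a repeat from localhost, an unknown device, and a bare "1 [ip] 2".
SAMPLE_LINES = [
    "2017-12-19T09:26:26.314936+03:00 [127.0.0.1] syslog.info SysLogTest[4616]Test syslog message",
    "2019-08-04T10:22:44+00:00 [192.168.56.15] local7.notice [10.0.0.9] user=admin login",
    "2019-08-04T10:22:45+00:00 [127.0.0.1] daemon.info second message from localhost",
    "2019-08-04T10:22:46+00:00 [10.9.9.9] kern.err device not in zabbix",
    "1 [192.168.1.160] 2",
]

def run_demo():
    """Run the sample lines through the pipeline, then decode a constructed
    success reply framed the way the server frames it."""
    resolver = HostResolver(FAKE_HOSTS.get)
    results = process_stream(SAMPLE_LINES, resolver)
    body = json.dumps({"response": "success",
                       "info": "processed: 1; failed: 0; total: 1; seconds spent: 0.000038"}).encode()
    reply = parse_sender_response(ZBX_HEADER + struct.pack("<Q", len(body)) + body)
    return results, resolver.api_calls, reply
```

Run `run_demo()` from a REPL to see the five sample lines classified: the first three are sent (the second to router01, with "[10.0.0.9]" left in the message text rather than used as the host), the unknown device is dropped, and the bare "1 [ip] 2" line is rejected as unparsable, while the resolver has made three API calls for four resolvable lines because the repeat from 127.0.0.1 came from the cache. Two caveats a practitioner should keep in mind: `fromhost-ip` is the source address of the UDP datagram, so attribution is only as trustworthy as the network path to port 514, and the real script's host lookup goes to the Zabbix API over the network, which this stand-in does not exercise.
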

Suggested Test 2

  • Stop rsyslog daemon
  • run rsyslogd in the interactive mode: rsyslogd -n
  • open another terminal and send a test syslog message, connecting to an IP address other than 127.0.0.1:
    logger -n 192.168.56.15
  • then type some test message, like: hello world
  • observe what the script actually returns when processing this test syslog message.
    For example:
[[email protected] vagrant]# rsyslogd -n
rsyslogd: error during config processing: STOP is followed by unreachable statements!  [v8.24.0 try http://www.rsyslog.com/e/2207 ]
Can't locate ZabbixAPI.pm in @INC (@INC contains: /etc/zabbix/scripts/lib /usr/local/lib64/perl5 /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 .) at /etc/zabbix/scripts/zabbix_syslog_lkp_host.pl line 11.
BEGIN failed--compilation aborted at /etc/zabbix/scripts/zabbix_syslog_lkp_host.pl line 11.
rsyslogd: Child 15334 has terminated, reaped by main-loop. [v8.24.0 try http://www.rsyslog.com/e/0 

If this doesn't help, then try again, this time running rsyslogd in debug mode:
rsyslogd -dn

More info:

https://habrahabr.ru/company/zabbix/blog/252915/ (RU)

Open Source Agenda is not affiliated with «Zabbix Syslog» Project. README Source: v-zhuravlev/zabbix-syslog
