Purpose:
...
This page will explain how to add a new node vendor in the event the default settings are not handling the syslog traps properly.
For this discussion we'll use the term 'newVendor' as the variable that represents the new vendor we want opEvents to handle.
Steps:
- Choose a unique syslog facility for the newVendor.
- Provision rsyslog to handle the traps appropriately.
- Provision opEvents to parse and process the traps.
rsyslog Provisioning
Determine what facility level these syslog traps should be stamped with. The syslog server will key on this facility level in order to route the syslog trap to the proper file. If the device syslog is very similar to Cisco then you may want to simply use the local7 facility and the syslog traps will be sent to /usr/local/nmis8/logs/cisco.log. Configure the nodes in question to send syslog to NMIS at the proper facility level. In this example we will use local6 for the newVendor switch. The syntax is vendor dependent. Typically facilities local0 through local7 are used for processing syslog from external nodes.
Ensure the syslog server is provisioned to receive traps (udp & tcp). This configuration is below and can be made in the /etc/rsyslog.conf file. If the /etc/rsyslog.conf file contains: $IncludeConfig
Code Block |
---|
### /etc/rsyslog |
...
Then the change can be made in any file in rsyslog.d/ with the .conf extension.
Code Block |
---|
.conf
# enable network sources
module(load="imudp")
input(type="imudp" port="514")
module(load="imtcp" MaxSessions="1000" MaxListeners="50")
input(type="imtcp" port="514")
# and handle inbound/slave NMIS syslogs
local7.* /usr/local/nmis8/logs/cisco.log
local1.* /usr/local/nmis8/logs/slave_event.log |
Typically facilities local0 through local7 are used for routing syslog from external nodes. For example local6 could be used for newVendor:
...
Next we'll tell rsyslog where to file messages that arrive with the facility local6.
Code Block |
---|
### /etc/rsyslog.conf
# and handle inbound/slave NMIS syslogs
local7.* /usr/local/nmis8/logs/cisco.log
local6.* /usr/local/nmis8/logs/newVendor.log
local1.* /usr/local/nmis8/logs/slave_event.log |
After modifying /etc/rsyslog.conf the syslog daemon must be restarted.
Code Block |
---|
[root@opmantek rsyslog.d]# /etc/init.d/rsyslog restart
Shutting down system logger: [ OK ]
Starting system logger: [ OK ] |
Now when syslog traps are received with facility level local6 we will see them in the /usr/local/nmis8/logs/newVendor.log file. If this file does not exist it will be created automatically.
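If messages do not show up in the expected file, decode the PRI value at the start of the raw syslog message (facility × 8 + severity) to see which facility the device is really stamping. The Python script below is an added example, not part of the original page or of NMIS/opEvents; it maps the decoded facility to the log files named in the rules above, and its sample messages are constructed.

```python
import re

# Facility codes from RFC 5424; local0..local7 are 16..23.
FACILITIES = {16 + i: f"local{i}" for i in range(8)}
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Selector -> file mapping copied from the rsyslog rules on this page.
ROUTES = {
    "local7": "/usr/local/nmis8/logs/cisco.log",
    "local6": "/usr/local/nmis8/logs/newVendor.log",
    "local1": "/usr/local/nmis8/logs/slave_event.log",
}

PRI_RE = re.compile(r"^<(\d{1,3})>")


def decode_pri(raw: str):
    """Return (facility_name, severity_name) from the leading <PRI> of a syslog message."""
    m = PRI_RE.match(raw)
    if not m:
        raise ValueError("no <PRI> header")
    pri = int(m.group(1))
    if pri > 191:  # 23 * 8 + 7 is the largest valid PRI
        raise ValueError(f"PRI {pri} out of range")
    facility, severity = divmod(pri, 8)
    return FACILITIES.get(facility, f"facility{facility}"), SEVERITIES[severity]


def route(raw: str):
    """Return the log file the page's rules would write this message to, or None."""
    facility, _ = decode_pri(raw)
    return ROUTES.get(facility)


if __name__ == "__main__":
    # Constructed sample messages (not captured from a real device).
    samples = [
        "<181>Jan 10 12:00:01 sw1 newVendor: LINK-3-UPDOWN: Interface ge-0/0/1 down",
        "<189>Jan 10 12:00:02 rtr1 %SYS-5-CONFIG_I: Configured from console",
        "<165>Jan 10 12:00:03 sw2 newVendor: port 4 up",  # local4: no matching rule
    ]
    for s in samples:
        print(decode_pri(s), "->", route(s) or "not routed by these rules")
```

The third sample carries local4, so none of the three selectors match it and it never reaches newVendor.log. That is the symptom to expect when the device is configured with a different facility than the one rsyslog keys on.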
opEvents Provisioning
For the sake of this discussion let's assume the new vendor can be parsed with the existing cisco_alternate rules found in /usr/local/omk/conf/EventParserRules.nmis. We need to tell opEvents to use these parser rules on /usr/local/nmis8/logs/newVendor.log. This is done by modifying /usr/local/omk/conf/opCommon.nmis. Find the 'opevents_logs' section and add the 'cisco_alternate', '<nmis_logs>/newVendor.log' relationship.
Code Block |
---|
### /usr/local/omk/conf/opCommon.nmis
#--Snip
'opevents_logs' => {
  'cisco_alternate' => [
    '<nmis_logs>/newVendor.log'
  ],
  'cisco_syslog' => [
    '<nmis_logs>/cisco.log'
  ],
  'nmis_eventlog' => [
    '<nmis_logs>/event.log'
  ],
#--snip |
...
After modifying opCommon.nmis the opEvents daemon must be restarted.
Code Block |
---|
[root@opmantek ~]# /etc/init.d/opeventsd restart
Restarting opevents daemon opeventsd [ OK ]
[root@opmantek ~]# |
Create an event action policy as described here: Event Actions and Escalation