...
```
### /etc/rsyslog.conf
# enable network sources
module(load="imudp")
input(type="imudp" port="514")
module(load="imtcp" MaxSessions="1000" MaxListeners="50")
input(type="imtcp" port="514")

# and handle inbound/slavepoller NMIS syslogs
local7.*    /usr/local/nmis8/logs/cisco.log
local1.*    /usr/local/nmis8/logs/slavepoller_event.log
```
...
Next we'll tell rsyslog where to file messages that arrive with the facility local6.
```
### /etc/rsyslog.conf
# and handle inbound/slavepoller NMIS syslogs
local7.*    /usr/local/nmis8/logs/cisco.log
local6.*    /usr/local/nmis8/logs/newVendor.log
local1.*    /usr/local/nmis8/logs/slavepoller_event.log
```
After modifying /etc/rsyslog.conf the syslog daemon must be restarted.
```
[root@opmantek rsyslog.d]# service rsyslog restart
Shutting down system logger: [ OK ]
Starting system logger: [ OK ]
```
...
For the sake of this discussion let's assume the new vendor can be parsed with the existing cisco_alternate rules found in /usr/local/omk/conf/EventParserRules.nmis.
Here is the list of vendors currently in EventParserRules.nmis:
- winlogd
- junos
- cisco_compatible
- nxlog
- JuniperSyslog
- HuwaeiSylog
If you need additional parsers, please open a support case; you will need a sample of the syslog in order to proceed.
We need to tell opEvents which parser rules to use for the new device's log, /usr/local/nmis8/logs/newVendor.log (or whatever log name you entered in rsyslog.conf for the new device or vendor).
This is done by modifying /usr/local/omk/conf/opCommon.nmis.
Find the 'opevents_logs' section and add the 'cisco_alternate' => '<nmis_logs>/newVendor.log' relationship.
Just copy one of the examples:
Add the following lines:
'cisco_alternate' => [ '<nmis_logs>/newVendor.log' ],
```
### /usr/local/omk/conf/opCommon.nmis
'opevents_logs' => {
    'cisco_alternate' => [ '<nmis_logs>/newVendor.log' ],
    'cisco_syslog' => [ '<nmis_logs>/cisco.log' ],
    'nmis_eventlog' => [ '<nmis_logs>/event.log' ],
```
...
```
[root@opmantek ~]# service opeventsd restart
Restarting opevents daemon opeventsd [ OK ]
[root@opmantek ~]#
```
At this point you should be able to go to the GUI > Raw Logs. This will allow you to verify that the logs are coming in.
Create an event action policy as described here: Event Actions and Escalation
Once these actions are complete the syslog traps from newVendor should be seen in opEvents.
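A consistency check for the two files edited above, as an added example that is not Opmantek's code: it confirms that every file rsyslog writes to is also listed under 'opevents_logs' with a parser. The sample inputs are constructed from the excerpts on this page, and the expansion of <nmis_logs> to /usr/local/nmis8/logs is an assumption.

```python
import re

# Constructed sample input, copied from the excerpts on this page.
RSYSLOG_CONF = """\
# and handle inbound/slavepoller NMIS syslogs
local7.*    /usr/local/nmis8/logs/cisco.log
local6.*    /usr/local/nmis8/logs/newVendor.log
local1.*    /usr/local/nmis8/logs/slavepoller_event.log
"""
OPCOMMON = """\
'opevents_logs' => {
    'cisco_alternate' => [ '<nmis_logs>/newVendor.log' ],
    'cisco_syslog' => [ '<nmis_logs>/cisco.log' ],
    'nmis_eventlog' => [ '<nmis_logs>/event.log' ],
},
"""
NMIS_LOGS = "/usr/local/nmis8/logs"  # assumption: what <nmis_logs> expands to

def rsyslog_routes(conf):
    """Map each facility in 'facility.priority  /path' rules to its file."""
    routes = {}
    for line in conf.splitlines():
        m = re.match(r"\s*([a-z0-9]+)\.\S+\s+-?(/\S+)\s*$", line)
        if m:
            routes[m.group(1)] = m.group(2)
    return routes

def parser_for_log(opcommon, nmis_logs=NMIS_LOGS):
    """Map each log path listed under opevents_logs to its parser name."""
    block = re.search(r"'opevents_logs'\s*=>\s*\{(.*?)\}", opcommon, re.S)
    mapping = {}
    if not block:
        return mapping
    for parser, files in re.findall(r"'(\w+)'\s*=>\s*\[(.*?)\]", block.group(1), re.S):
        for path in re.findall(r"'([^']+)'", files):
            mapping[path.replace("<nmis_logs>", nmis_logs)] = parser
    return mapping

def check(conf=RSYSLOG_CONF, opcommon=OPCOMMON):
    """Return {facility: (logfile, parser or None)}; None means rsyslog
    writes a file that no opevents_logs entry reads."""
    parsers = parser_for_log(opcommon)
    return {fac: (path, parsers.get(path))
            for fac, path in rsyslog_routes(conf).items()}

if __name__ == "__main__":
    for fac, (path, parser) in sorted(check().items()):
        print(f"{fac:8} -> {path:45} parser: {parser or 'NONE CONFIGURED'}")
```

A facility reported with no parser means messages are being written to disk but will never reach opEvents, which is the usual cause of an empty Raw Logs view after this procedure.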
Related Topics
opEvents - Syslog Handling - Adding a New Format
opEvents - Centralized Logging Solution
SNMP Traps with Cisco and Other devices
High Volume SNMP Trap Processing