
opEvents - Central Syslog Solution


There are situations when it's desirable to forward syslog to a central location. 

Example Topology

 

 

In the example above all syslog messages received with a facility of local7 will be forwarded to the master server at 10.215.1.5.  When this message is forwarded from the poller to the master, the poller will insert its own timestamp into the message.

 

### syslog message from the node to the poller server

02:23:37.250516 IP 10.10.1.1.58415 > 10.215.1.7.syslog: SYSLOG local7.notice, length: 100
E....Y.....+
..
..../...l./<189>90: *Feb  1 11:23:35.623: %SYS-5-CONFIG_I: Configured from console by hero on vty0 (10.215.1.5)
^C

### syslog message from the poller server to the master server

11:23:37.273514 IP 10.215.1.7.35902 > 10.215.1.5.syslog: SYSLOG local7.notice, length: 126
E.....@.?.#.
...
....>.....j<189>Feb  1 02:23:37 10.10.1.1 90: *Feb  1 11:23:35.623: %SYS-5-CONFIG_I: Configured from console by hero on vty0 (10.215.1.5)

If the servers/nodes are in different time zones, or their clocks are not correct, opEvents may not accept the syslog message by default.  Setting the opEvents debug option to '1' will show the following message in /usr/local/omk/log/opEvents.log if this is the case.

[Wed Feb  1 09:08:49 2017] [debug] worker[4697] event 1485875324 R1 Feb  1 00:08:44 10.10.1.1 66: *Feb  1 09:08:42.711: %OSPF-5-ADJCHG: Process 1, Nbr 10.10.1.3 on FastEthernet1/0 from FULL to DOWN, Neighbor Down: Interface down or detached is older than opevents_max_event_age, skipping!

As of opEvents 2.2.1 we can configure opEvents to allow these wildly out-of-date syslog messages and replace the origin timestamp with its own.

### /usr/local/omk/config/opCommon.nmis

    'opevents_max_action_queue_age' => 3600,
    'opevents_max_event_age' => 7200,
    'opevents_max_time_delta' => 1800,
    'opevents_monthly_report_recipients' => [],
    'opevents_monthly_report_title' => 'Monthly Summary Report',

 

Setting the 'opevents_max_time_delta' to a value of 1800 seconds will instruct opEvents to do the following:

  • If the syslog message has a timestamp that is more than 1800 seconds off from the current server time:
    • Accept the syslog message
    • Remove the timestamp and replace it with its own timestamp.
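
The decision described above, as an added example (not opEvents code) run against the forwarded message and receive time from the opEvents.log line earlier on this page. The order of the two checks and the use of `None` for an unset 'opevents_max_time_delta' are assumptions of this model; the function names are hypothetical.

```python
import re
from datetime import datetime

# Values from the opCommon.nmis excerpt on this page.
MAX_EVENT_AGE = 7200
MAX_TIME_DELTA = 1800

# Leading stamp the forwarding poller inserts, e.g. "Feb  1 00:08:44 10.10.1.1 ..."
STAMP_RE = re.compile(r"^(?:<\d+>)?([A-Z][a-z]{2})\s+(\d{1,2}) (\d\d:\d\d:\d\d) ")

# Forwarded message and receive time taken from the opEvents.log line above
# (message text shortened).
SAMPLE = "Feb  1 00:08:44 10.10.1.1 66: *Feb  1 09:08:42.711: %OSPF-5-ADJCHG: Process 1"
RECEIVED = datetime(2017, 2, 1, 9, 8, 49)

def parse_stamp(message, received):
    """Read the leading stamp on the receiver's wall clock (it has no year or zone)."""
    m = STAMP_RE.match(message)
    if m is None:
        return None
    mon, day, hms = m.groups()
    ts = datetime.strptime(f"{received.year} {mon} {day} {hms}", "%Y %b %d %H:%M:%S")
    if (ts - received).days > 180:      # Dec 31 stamp received on Jan 1
        ts = ts.replace(year=ts.year - 1)
    return ts

def classify(message, received, max_event_age=MAX_EVENT_AGE, max_time_delta=None):
    """Simplified model of the behaviour described on this page (assumption).

    Returns (action, event_time, skew_seconds).
    """
    stamp = parse_stamp(message, received)
    if stamp is None:
        return ("accept", received, None)        # no stamp to compare
    skew = int((received - stamp).total_seconds())
    if max_time_delta is not None and abs(skew) > max_time_delta:
        return ("restamp", received, skew)       # accepted, origin time replaced
    if skew > max_event_age:
        return ("skip", stamp, skew)             # "older than opevents_max_event_age"
    return ("accept", stamp, skew)

if __name__ == "__main__":
    print(classify(SAMPLE, RECEIVED))                                 # delta unset
    print(classify(SAMPLE, RECEIVED, max_time_delta=MAX_TIME_DELTA))  # delta = 1800
```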

 
