opEvents - Syslog Handling - Adding a New Format

Purpose

This page will explain how to add a new syslog format in the event the default settings are not handling the syslog messages properly.  Consider a situation where a new type of device has been added to the network.

For this discussion well use the term 'newVendor' to be the variable that represents the new format we want opEvents to handle.

Steps

  • Choose a unique syslog facility for the newVendor.
  • Provision rsyslog to handle the syslog messages appropriately.
  • Provision opEvents to parse and process the syslog messages.

rsyslog Provisioning- nmis8

Determine what facility level these syslog messages should be stamped with.  The syslog server will key on this facility level in order to send the syslog message to the proper file.  If the device syslog is very similar to Cisco then you may want to simply use the local7 facility and the syslog messages will be sent to /usr/local/nmis8/logs/cisco.log.  Configure the nodes in question to send syslog to NMIS at the proper facility level.  For this  example we will use local6 for newVendor.  Typically facilities local0 through local7 are used for processing syslog from external nodes.

Ensure the syslog server is provisioned to received messages (udp & tcp).  This configuration is below and can be made on the /etc/rsyslog.conf file.

### /etc/rsyslog.conf

# enable network sources
module(load="imudp")
input(type="imudp" port="514")

module(load="imtcp" MaxSessions="1000" MaxListeners="50")
input(type="imtcp" port="514"

# and handle inbound/poller NMIS syslogs
local7.*                /usr/local/nmis8/logs/cisco.log
local1.*                /usr/local/nmis8/logs/poller_event.log


Next we'll tell rsyslog where to file messages that arrive with the facility local6.  (rsyslog can route messages based on many different attributes and has several other configuration options such as inserting a local timestamp.  There is also the ability to place custom rsyslog configuration in any file with a .conf extension within the /etc/rsyslog.d/ directory.  More information regarding rsyslog may be found here:  http://www.rsyslog.com/doc/master/index.html)

### /etc/rsyslog.conf

# and handle inbound/poller NMIS syslogs
local7.*                /usr/local/nmis8/logs/cisco.log
local6.*                /usr/local/nmis8/logs/newVendor.log
local1.*                /usr/local/nmis8/logs/poller_event.log


After modifying /etc/rsyslog.conf the syslog daemon must be restarted.

[root@opmantek ~]# service rsyslog restart
Shutting down system logger:                               [  OK  ]
Starting system logger:                                    [  OK  ]

Now when syslog messages are received with facility level local6 we will see them in the /user/local/nmis8/logs/newVendor.log file.  If this file does not exist it will be created automatically.

rsyslog Provisioning- nmis9

Determine what facility level these syslog messages should be stamped with.  The syslog server will key on this facility level in order to send the syslog message to the proper file.  If the device syslog is very similar to Cisco then you may want to simply use the local7 facility and the syslog messages will be sent to /usr/local/nmis9/logs/cisco.log by default.  Configure the nodes in question to send syslog to NMIS at the proper facility level.  For this  example we will use local6 for newVendor.  Typically facilities local0 through local7 are used for processing syslog from external nodes.

Ensure the syslog server is provisioned to received messages (udp & tcp).  This configuration is below and can be made on the /etc/rsyslog.conf file.

### /etc/rsyslog.conf

# enable network sources
module(load="imudp")
input(type="imudp" port="514")

module(load="imtcp" MaxSessions="1000" MaxListeners="50")
input(type="imtcp" port="514"

# and handle inbound/poller NMIS syslogs
local7.*                /usr/local/nmis9/logs/cisco.log
local1.*                /usr/local/nmis9/logs/poller_event.log


Next we'll tell rsyslog where to file messages that arrive with the facility local6.  (rsyslog can route messages based on many different attributes and has several other configuration options such as inserting a local timestamp.  There is also the ability to place custom rsyslog configuration in any file with a .conf extension within the /etc/rsyslog.d/ directory.  More information regarding rsyslog may be found here:  http://www.rsyslog.com/doc/master/index.html)

### /etc/rsyslog.conf

# and handle inbound/poller NMIS syslogs
local7.*                /usr/local/nmis9/logs/cisco.log
local6.*                /usr/local/nmis9/logs/newVendor.log
local1.*                /usr/local/nmis9/logs/poller_event.log


After modifying /etc/rsyslog.conf the syslog daemon must be restarted.

[root@opmantek ~]# service rsyslog restart
Shutting down system logger:                               [  OK  ]
Starting system logger:                                    [  OK  ]

Now when syslog messages are received with facility level local6 we will see them in the /user/local/nmis9/logs/newVendor.log file.  If this file does not exist it will be created automatically.

opEvents3 Provisioning

For the sake of this discussion let's assume the new vendor can be parsed with the existing cisco_alternate rules found in /usr/local/omk/conf/EventParserRules.nmis.  We need to tell opEvents to use these parser rules on /usr/local/nmis8/logs/newVendor.log.  This is done by modifying /usr/local/omk/conf/opCommon.nmis.  Find the 'opevents_logs section and add the 'cisco_alternate', '<nmis_logs>/newVendor' relationship.

### /usr/local/omk/conf/opCommon.nmis

    'opevents_logs' => {
      'cisco_alternate' => [
        '<nmis_logs>/newVendor.log'
      ],
      'cisco_syslog' => [
        '<nmis_logs>/cisco.log'
      ],
      'nmis_eventlog' => [
        '<nmis_logs>/event.log'
      ],

After modifying opCommon.json the opEvents daemon must be restarted.

[root@opmantek ~]# service opeventsd restart
Restarting opevents daemon opeventsd                       [  OK  ]
[root@opmantek ~]# 

Create an event action policy as described here: Event Actions and Escalation (opEvents 4)

Once these actions are complete the syslog messages from newVendor should be seen in opEvents.

opEvents4 Provisioning

For the sake of this discussion let's assume the new vendor can be parsed with the existing cisco_alternate rules found in /usr/local/omk/conf/EventParserRules.json.  We need to tell opEvents to use these parser rules on /usr/local/nmis9/logs/newVendor.log.  This is done by modifying /usr/local/omk/conf/opCommon.json.  Find the 'opevents_logs section and add the 'cisco_alternate', '<nmis_logs>/newVendor' relationship.

### /usr/local/omk/conf/opCommon.json

    'opevents_logs' => {
      'cisco_alternate' => [
        '<nmis_logs>/newVendor.log'
      ],
      'cisco_syslog' => [
        '<nmis_logs>/cisco.log'
      ],
      'nmis_eventlog' => [
        '<nmis_logs>/event.log'
      ],

After modifying opCommon.json the opEvents daemon must be restarted.

[root@opmantek ~]# service opeventsd restart
Restarting opevents daemon opeventsd                       [  OK  ]
[root@opmantek ~]# service omkd restart

Create an event action policy as described here: Event Actions and Escalation (opEvents 4) or Event Actions and Escalation (opEvents 3)

Once these actions are complete the syslog messages from newVendor should be seen in opEvents.

 Related Topics