Can't get syslog to work with certain devices

Hey everyone,

I have LibreNMS running on Ubuntu 20.04.3, and have been able to add devices to monitor via SNMP. However, I’ve not been able to get syslog to work from certain network devices, but it seems to be working for others.

I’ve followed all the steps here: Syslog - LibreNMS Docs (in my case, am using syslog-ng, not rsyslog).

I’m sending syslog info from other devices to port 514 on LibreNMS machine.

Ubuntu firewall is disabled (“sudo ufw status” shows “Status: inactive”)

Syslog is enabled in config.php (last line in file: $config['enable_syslog'] = 1;)

I’ve configured several network devices to send syslog info to port 514 on the LibreNMS machine, and there’s no log info showing up from those devices

However, I have a Windows server on my LAN that I’ve set up to be SNMP monitored by LibreNMS. If I run “telnet 192.168.1.248 514” from that server on my LAN, hit enter, and then type “Test,” and hit enter again, I see the “Test” alert show up in LibreNMS syslog. So I know LibreNMS is working.

Also, if I run “select device_id,hostname,sysName from devices ;” in MariaDB on my LibreNMS server, I see that “hostname” and “sysName” are identical for that server (servername.mydomain.com).

However, I see that “hostname” and “SysName” are not the same for the network devices that are NOT showing log info in LibreNMS. Is that a requirement that they match for this to work?

Many thanks in advance. Below is the output of validate.php:

====================================

Component Version
LibreNMS 21.10.0-47-g5536c8bdc
DB Schema 2021_10_20_224207_increase_length_of_attrib_type_column (224)
PHP 7.4.3
Python 3.8.10
MySQL 10.3.31-MariaDB-0ubuntu0.20.04.1
RRDTool 1.7.2
SNMP NET-SNMP 5.8

====================================

[OK] Composer Version: 2.1.9
[OK] Dependencies up-to-date.
[OK] Database connection successful
[OK] Database schema correct

I also use Ubuntu Server 20; unfortunately I’m using rsyslog, not syslog-ng, so I can only offer more general advice.

I would check to see if syslog-ng also logs to a file of its own - on my rsyslog installation it is /var/log/syslog - try tailing that file with tail or less to see if syslog entries are at least being received by syslog-ng even if they aren’t showing up in LibreNMS.

I had an issue (discussed in another thread here a couple of weeks ago) where I deleted a switch from LibreNMS, replaced it with another switch on the same IP address and re-added this as a new device. Same IP address but different device ID in LibreNMS.

After doing that I was still receiving syslog from that switch to /var/log/syslog but nothing was showing up in LibreNMS, yet other devices were still logging in LibreNMS.

It was recommended by one of the developers to restart the rsyslog service however by that time I had rebooted the server and the problem was fixed.

So perhaps try restarting your syslog-ng service?

Are the syslogs not even reaching the syslog server or are they just not showing up in LibreNMS?

I.e. if you for example “sudo tail -f /path/to/syslog” do you see syslogs coming from the devices?

Hey @Roger and @DBMandrake: thank you both for the suggestion to look in the syslog-ng file. Sure enough, I am seeing error messages like the following:

Nov 6 19:08:44 monitor syslog-ng[323840]: Error processing log message: <134>1>@< 1636250924.276738701 meraki_mx100_mycompany_com events dhcp lease of ip 192.168.128.125 for client mac 8C:85:90:6A:91:E4 from router 192.168.128.1 on subnet 255.255.255.0 with dns 192.168.128.1

The meraki MX100 (in the hostname, above) is one of the devices I’ve configured to send log messages to librenms. Any suggestions for sorting out what is throwing the error?

Unfortunately I’m in the same boat as @DBMandrake, who I now see asked basically the same question as I did which I missed, in that I’m using rsyslog not syslog-ng.

A quick search on your error-message seems to point to a problem with the timestamps from Meraki devices being “incompatible” with syslog-ng:

Having a look at the Meraki link you’ve posted I agree it looks like Meraki devices are sending non-standard syslog messages that syslog-ng doesn’t like. This doesn’t surprise me.

We don’t have any MX100’s but we do have a lot of MR42 access points and I monitor them on LibreNMS, however they don’t seem to have any option to syslog, and their SNMP data is fairly limited - for example they provide interface traffic via SNMP but not an uptime!

It might be worth trying rsyslog instead of syslog-ng otherwise perhaps reach out to Meraki support. If it’s only Meraki devices that are not showing up in syslog in LibreNMS the problem may lie with Meraki.
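The header check discussed above, as an added example that is not part of the original thread: it classifies a raw syslog message as RFC 3164, RFC 5424, or nonconforming, and shows that the Meraki message quoted earlier carries an epoch timestamp where RFC 5424 requires an ISO 8601 one. The function names are hypothetical, and treating `>@<` as the marker syslog-ng inserts at the point where parsing stopped is an assumption.

```python
import re
from datetime import datetime, timezone

PRI = re.compile(r"^<(\d{1,3})>")
# RFC 5424 TIMESTAMP: "-" or ISO 8601 with at most 6 fractional digits and a zone
TS_5424 = re.compile(
    r"^(-|\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d(\.\d{1,6})?(Z|[+-]\d\d:\d\d))$")
# RFC 3164 TIMESTAMP: "Mmm dd hh:mm:ss" directly after <PRI>
TS_3164 = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d ")
TS_EPOCH = re.compile(r"^(\d{9,10})\.\d+$")


def from_syslog_ng_error(line):
    """Recover the raw message from an 'Error processing log message:' line."""
    raw = line.split("Error processing log message: ", 1)[-1]
    return raw.replace(">@<", "", 1)  # assumed parse-failure marker


def classify(raw):
    """Return (format, detail) for one raw syslog message."""
    m = PRI.match(raw)
    if not m or int(m.group(1)) > 191:
        return ("invalid", "missing or out-of-range <PRI>")
    pri, rest = int(m.group(1)), raw[m.end():]
    prio = f"facility={pri >> 3} severity={pri & 7}"
    if TS_3164.match(rest):
        return ("rfc3164", prio)
    fields = rest.split(" ", 2)  # VERSION, TIMESTAMP, remainder
    if len(fields) < 3 or not fields[0].isdigit():
        return ("unknown", prio)
    ts = fields[1]
    if TS_5424.match(ts):
        return ("rfc5424", prio)
    epoch = TS_EPOCH.match(ts)
    if epoch:
        utc = datetime.fromtimestamp(int(epoch.group(1)), tz=timezone.utc)
        return ("nonconforming", f"{prio} epoch timestamp = {utc.isoformat()}")
    return ("nonconforming", f"{prio} unparseable timestamp {ts!r}")


# Head of the error line quoted in the thread (tail dropped for brevity).
MERAKI_ERR = ("Nov 6 19:08:44 monitor syslog-ng[323840]: Error processing log "
              "message: <134>1>@< 1636250924.276738701 "
              "meraki_mx100_mycompany_com events dhcp lease of ip 192.168.128.125")

if __name__ == "__main__":
    print(classify(from_syslog_ng_error(MERAKI_ERR)))
```

Feeding it lines captured with `tail` from the syslog-ng log shows which senders would be dropped before LibreNMS ever sees them.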

Thank you all! Indeed looks like the issue is with Meraki. Appreciate the help.
