Cant make syslog work

Simone_Spinelli · 1 May 2019 16:33

Hi all,

I cannot get syslog messages show up in LibreNMS web interface.
I am probably missing something very basic, but I cannot figure out what.
This is what I am doing:

Download the LibreNMS VM. (with only localhost as device)
disable the firewall
configure a client to send syslog to LibreNMS machine port 514
tcpdump the traffic on port 514 (Traffic is there)
configure syslog-ng to have multiple destinations:

########################
# Destinations
########################
destination d_librenms {
        program("/opt/librenms/syslog.php" template ("$HOST||$FACILITY||$PRIORITY||$LEVEL||$TAG||$YEAR-$MONTH-$DAY $HOUR:$MIN:$SEC||$MSG||$PROGRAM\n") template-escape(yes));
};

destination catchall {
	 file("/var/log/catchall.log");
};

########################
# Log paths
########################
log {
        source(s_net);
        source(s_sys);
        destination(d_librenms);
        destination(catchall);
};

I see logs coming and being written in my catchall file, but nothing shows up on libre.
I have also de-commented the line in /opt/librenms/syslog.php but I do not see anything in librenms.log.

What am I doing wrong? Can anybody help to fix/debug?

Here my validate:

[librenms@localhost ~]$ ./validate.php 
====================================
Component | Version
--------- | -------
LibreNMS  | 1.50.1
DB Schema | 2019_02_10_220000_add_dates_to_fdb (132)
PHP       | 7.2.16
MySQL     | 5.5.60-MariaDB
RRDTool   | 1.4.8
SNMP      | NET-SNMP 5.7.2
====================================

Thanks a lot!

Chas · 2 May 2019 13:29

Does it work without multiple destination? Can you try to comment out your catchall and restart syslog-ng ?

log {
        source(s_net);
        source(s_sys);
        destination(d_librenms);
#        destination(catchall);
};

Does the hostame you receive in your capture match that in librenms?

Simone_Spinelli · 3 May 2019 05:07

Hi Chas,
thank you for your answer!

“localhost” is the only device configured, also logs are coming from localhost.
If I remove the catchall file, syslog-ng works, but still I do not see any log in the WebUI or in the table syslog.
This functionality should work out of the box right?

Chas · 3 May 2019 07:35

Try replace the syslog-ng config with the one in here:

https://docs.librenms.org/Extensions/Syslog/

and ensure the enable syslog line is in your librenms config.php

TheGreatDoc · 6 May 2019 07:18

I had the same issue with localhost and it was just that.

In LibreNMS I had localhost AS localhost, but the syslog-ng was sending data as the configured hostname in the machine itself.

So, localhost != host.domain.tld.

If your machine has librenms.domain.tld, change it in librenms to match that hostname.

Simone_Spinelli · 7 May 2019 08:03

Hi all,
thank you for your suggestions.
I double checked my syslog-ng configuration and it is the same as the one in the documentation.
(I am using the “official” LibreNMS VM for virtualbox. )
I confirm that syslog is enabled, in fact I see the syslog tab on the webUI.

[root@localhost librenms]# grep syslog /opt/librenms/config.php
$config["enable_syslog"] = 1;

About the hostnames:
Here are the logs from syslog:

May  7 07:35:01 localhost systemd[1]: Started Session 60 of user librenms.
May  7 07:35:01 localhost systemd[1]: Started Session 61 of user librenms.
May  7 07:35:01 localhost systemd[1]: Started Session 62 of user librenms.
May  7 07:35:01 localhost CROND[6430]: (librenms) CMD (   /opt/librenms/alerts.php >> /dev/null 2>&1)
May  7 07:35:01 localhost CROND[6431]: (librenms) CMD (   /opt/librenms/cronic /opt/librenms/poller-wrapper.py 4)
May  7 07:35:01 localhost CROND[6432]: (librenms) CMD (/opt/librenms/html/plugins/Weathermap/map-poller.php >> /dev/
May  7 07:35:01 localhost CROND[6434]: (librenms) CMD (   /opt/librenms/poll-billing.php >> /dev/null 2>&1)
May  7 07:35:01 localhost CROND[6435]: (librenms) CMD (   /opt/librenms/check-services.php >> /dev/null 2>&1)

here the configuration of the device:

MariaDB [librenms]> select device_id,hostname,sysName  from devices ;
+-----------+---------------+--------------------------+
| device_id | hostname      | sysName                  |
+-----------+---------------+--------------------------+
|         1 | localhost     | localhost.localdomain    |

I have also uncommented the following line in /opt/librenms/syslog.php:

[root@localhost librenms]# grep logfil syslog.php
    logfile($line);

Still, on the UI:
“No results found!”

Simone_Spinelli · 9 May 2019 04:39

Hi all,
in the end I discovered the “problem” was in SELinux. Once disabled (setenforce 0) everything started to work properly.
I found the evidence in /var/log/audit/audit.log
I will post a more detailed fix (using SELinux in Enforcing) asap.
Thank you all.

John_Shrader · 9 May 2019 12:24

I am having the same issue. Syslog was working fine for months on my Centos7 install then stopped. After much trial and error discovered it was SELinux. I am very interested in a permanent fix with SELinux enforced. Thanks!

Simone_Spinelli · 14 May 2019 09:45

Hi all,

sorry for the delay.
This seems to work for me:

#vi mycustom-librenms-rsyslog.te
  
  
module mycustom-librenms-rsyslog 1.0;

require {
        type syslogd_t;
        type httpd_sys_rw_content_t;
        type ping_exec_t;
        class process execmem;
        class dir { getattr search write };
        class file { append getattr execute open read };
}

#============= syslogd_t ==============
allow syslogd_t httpd_sys_rw_content_t:dir { getattr search write };
allow syslogd_t httpd_sys_rw_content_t:file { open read append getattr };
allow syslogd_t self:process execmem;
allow syslogd_t ping_exec_t:file execute;

  
  
  
  
#checkmodule -M -m -o mycustom-librenms-rsyslog.mod mycustom-librenms-rsyslog.te
#semodule_package -o mycustom-librenms-rsyslog.pp -m mycustom-librenms-rsyslog.mod
#semodule -i mycustom-librenms-rsyslog.pp



```

Hope it helps.

ataullahsaleem · 9 June 2021 07:07

Configuring LibreNMS Syslog with Rsyslog