Syslog Dell N4000

Hi all

I have an odd issue. Configured syslog and it is working great for the majority of network switches (Nortel\Avaya\HP). I have a problem with Dell switches (N4000 series), and hope someone could shed some light on this.

The syslog settings are fine on the switch, but no syslog entries are displayed in LibreNMS. As a test, I’ve added a different syslog server (my Elasticsearch\Logstash cluster) to the switch config, and I’m able to see the logs just fine via Kibana. So it seems to be an issue on the LibreNMS side.

Here is a snippet of the tcpdump:

10:01:41.724642 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto UDP (17), length 172)
<switch_ip>.58349 > <server_ip>.514: [udp sum ok] SYSLOG, length: 144
Facility local7 (23), Severity info (6)
Msg: May 23 09:01:41 R80SWT-C60-RACK1-1 CLI_WEB[emWeb]: cmd_logger_api.c(260) 2230 %% [CLI:admin:<server_ip>] User has succesfully logged in\0x00
0x0000: 3c31 3930 3e20 4d61 7920 3233 2030 393a
0x0010: 3031 3a34 3120 5238 3053 5754 2d43 3630
0x0020: 2d52 4143 4b31 2d31 2043 4c49 5f57 4542
0x0030: 5b65 6d57 6562 5d3a 2063 6d64 5f6c 6f67
0x0040: 6765 725f 6170 692e 6328 3236 3029 2032
0x0050: 3233 3020 2525 205b 434c 493a 6164 6d69
0x0060: 6e3a 3133 302e 3234 362e 3338 2e32 335d
0x0070: 2055 7365 7220 6861 7320 7375 6363 6573
0x0080: 6675 6c6c 7920 6c6f 6767 6564 2069 6e00

I have done some research, and think it is due to the ‘%%’ in the message (don’t quote me, might be a red herring). Any tips or advice would be appreciated.

Cheers
Leon

I’ve had problems with some devices not showing up in LibreNMS although they were sending their messages to syslog on the monitoring box. All of them turned out to be related to DNS/rDNS (hostnames) not syncing up with what’s in LibreNMS’ device database.

You can enable logging in the syslog script (inception? ;)) and then see what’s actually being done for each device.

Thanks for the input @floriansbeer.

I have all my switches’ IPs added to the /etc/hosts file, so I’m not relying on DNS to resolve host names. I’ll have a trawl through the logs.

Leon

But did you make sure that they appear in syslog under the exact same hostname as they are configured with in LibreNMS?

We don’t look up hostnames via the hosts file. You can run this to see:

SELECT device_id FROM ipv4_addresses AS A, ports AS I WHERE A.ipv4_address = '$IP' AND I.port_id = A.port_id;

Replace $IP with the device’s IP from the syslog message and see if you get a result.

Thanks @florianbeer, it turns out that the host name is not exactly the same as specified in the hosts file. In my Elasticsearch cluster, I notice that there is either a ‘-1’ or ‘-2’ appended to the host name in the syslogs:

Not sure why this is, and why only my Dell switches produce these slightly odd results. First I thought it might be due to the switches being stacked, but I get the same suffix appended on single Dell switches (i.e. not stacked).

@laf, thanks for the advice. Unfortunately, this is our management subnet(s) and I don’t have DNS for it, hence the hosts file. I can confirm that I don’t get any results from your suggested command, indicating that syslog is not imported into the database.
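
The two checks discussed in this thread (laf's lookup of the sender IP in ipv4_addresses/ports, and Leon's observation that the hostname inside the Dell message carries a "-1"/"-2" suffix) reproduced as an added example; this is not code from the thread or from LibreNMS. It assumes a trimmed-down SQLite copy of three LibreNMS tables (devices, ports, ipv4_addresses), a constructed datagram shaped like the tcpdump snippet above (PRI <190> = local7.info, trailing NUL byte as in the hex dump) and documentation-range placeholder addresses; the real LibreNMS schema and syslog script are not consulted.

```python
import re
import sqlite3

# Constructed datagram modelled on the capture in the thread: PRI <190> is
# local7 (23) * 8 + info (6); the Dell message ends in a NUL byte (0x00).
SAMPLE_DATAGRAM = (
    b"<190>May 23 09:01:41 R80SWT-C60-RACK1-1 CLI_WEB[emWeb]: cmd_logger_api.c(260) 2230 "
    b"%% [CLI:admin:192.0.2.50] User has successfully logged in\x00"
)

# RFC 3164-style line: <PRI>Mmm dd hh:mm:ss HOSTNAME MSG
SYSLOG_RE = re.compile(
    rb"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$",
    re.DOTALL,
)

# Assumed, cut-down subset of the LibreNMS tables named in laf's query.
SCHEMA = """
CREATE TABLE devices (device_id INTEGER PRIMARY KEY, hostname TEXT);
CREATE TABLE ports (port_id INTEGER PRIMARY KEY, device_id INTEGER);
CREATE TABLE ipv4_addresses (ipv4_address TEXT, port_id INTEGER);
"""

# laf's query with the IP bound as a parameter instead of a pasted literal.
LOOKUP_SQL = """
SELECT I.device_id
FROM ipv4_addresses AS A, ports AS I
WHERE A.ipv4_address = ? AND I.port_id = A.port_id
"""


def parse_syslog(datagram: bytes) -> dict:
    """Split a BSD-style syslog datagram into PRI parts, timestamp, hostname and message."""
    # Strip the trailing NUL seen in the Dell capture so it does not end up in
    # the message text or in any hostname comparison.
    body = datagram.rstrip(b"\x00")
    m = SYSLOG_RE.match(body)
    if not m:
        raise ValueError("not an RFC 3164-style syslog line")
    pri = int(m.group("pri"))
    return {
        "facility": pri // 8,
        "severity": pri % 8,
        "timestamp": m.group("ts").decode(),
        "hostname": m.group("host").decode(),
        "message": m.group("msg").decode(errors="replace"),
    }


def build_sample_db() -> sqlite3.Connection:
    """In-memory stand-in for the LibreNMS database with two constructed devices."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO devices VALUES (?, ?)",
                     [(1, "R80SWT-C60-RACK1"), (2, "core-hp-1")])
    conn.executemany("INSERT INTO ports VALUES (?, ?)", [(10, 1), (11, 1), (20, 2)])
    conn.executemany("INSERT INTO ipv4_addresses VALUES (?, ?)",
                     [("192.0.2.10", 10), ("192.0.2.20", 20)])
    return conn


def lookup_device_by_ip(conn: sqlite3.Connection, ip: str):
    """Return the device_id owning the port that carries this IP, or None."""
    row = conn.execute(LOOKUP_SQL, (ip,)).fetchone()
    return row[0] if row else None


def check_source(conn: sqlite3.Connection, source_ip: str, datagram: bytes) -> dict:
    """Run both checks from the thread for one received datagram."""
    parsed = parse_syslog(datagram)
    device_id = lookup_device_by_ip(conn, source_ip)
    db_hostname = None
    if device_id is not None:
        db_hostname = conn.execute(
            "SELECT hostname FROM devices WHERE device_id = ?", (device_id,)
        ).fetchone()[0]
    return {
        "device_id": device_id,
        "ip_known": device_id is not None,
        "msg_hostname": parsed["hostname"],
        "db_hostname": db_hostname,
        "hostname_matches": db_hostname == parsed["hostname"],
    }


if __name__ == "__main__":
    conn = build_sample_db()
    # 192.0.2.10 is in the table (device found, but hostname differs by the
    # "-1" suffix); 192.0.2.99 is not, which is the "no result" case Leon saw.
    for ip in ("192.0.2.10", "192.0.2.99"):
        print(ip, check_source(conn, ip, SAMPLE_DATAGRAM))
```

The `ip_known` field corresponds to laf's SQL check: if it is false, the sender address is not attached to any port in the database, so nothing on the hostname side can fix it. `hostname_matches` is the separate comparison floriansbeer raised; with the suffix the Dell switch writes into the message it comes back false even when the IP is known.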