Syslog-ng - only logs from LibreNMS itself are showing

Hi,

I have LibreNMS v1.48.1 running on a CentOS 7 VM. I just added syslog-ng support following the doc here:
https://docs.librenms.org/Extensions/Syslog/

I have pointed both a Cisco IOS switch and a Fortigate Firewall to send syslog messages to Libre and I can see them being received on the correct interface with tcpdump.

So far I have not been able to get them to appear in the Libre GUI, all I can see there are logs from LibreNMS itself.

Any ideas on how to solve this?

PHP validates OK, as does everything else.
This is my syslog.conf file:

@version:3.5
@include "scl.conf"

# syslog-ng configuration file.
#
# This should behave pretty much like the original syslog on RedHat. But
# it could be configured a lot smarter.
#
# See syslog-ng(8) and syslog-ng.conf(5) for more information.
#
# Note: it also sources additional configuration files (*.conf)
#       located in /etc/syslog-ng/conf.d/

options {
        chain_hostnames(off);
        flush_lines(0);
        use_dns(no);
        use_fqdn(no);
        owner("root");
        group("adm");
        perm(0640);
        stats_freq(0);
        bad_hostname("^gconfd$");
};


source s_sys {
        system();
        internal();
};

source s_net {
        tcp(port(514) flags(syslog-protocol));
        udp(port(514) flags(syslog-protocol));
};


########################
# Destinations
########################
destination d_librenms {
        program("/opt/librenms/syslog.php" template ("$HOST||$FACILITY||$PRIORITY||$LEVEL||$TAG||$R_YEAR-$R_MONTH-$R_DAY $R_HOUR:$R_MIN:$R_SEC||$MSG||$PROGRAM\n") template-escape(yes));
};

filter f_kernel     { facility(kern); };
filter f_default    { level(info..emerg) and
                        not (facility(mail)
                        or facility(authpriv)
                        or facility(cron)); };
filter f_auth       { facility(authpriv); };
filter f_mail       { facility(mail); };
filter f_emergency  { level(emerg); };
filter f_news       { facility(uucp) or
                        (facility(news)
                        and level(crit..emerg)); };
filter f_boot   { facility(local7); };
filter f_cron   { facility(cron); };

########################
# Log paths
########################
log {
        source(s_net);
        source(s_sys);
        destination(d_librenms);
};

# Source additional configuration files (.conf extension only)
@include "/etc/syslog-ng/conf.d/*.conf"


# vim:ft=syslog-ng:ai:si:ts=4:sw=4:et:

Do you have

$config['enable_syslog'] = 1;

in your config.php?

Did you confirm syslog-ng service is running?

Do you see Syslog in the LibreNMS GUI, or only Event logs?

Hi Chas,

Yes, I have the line in config.php and have restarted syslog-ng a number of times.

I do see the Syslog option in the GUI along with event logs.

But the only syslogs I can see are from Librenms itself.

I can see logs arriving with tcpdump, and the source IP is one that resolves to a host already in LibreNMS; however, the syslog messages are not showing.

Thanks,

Phil.

If rsyslog is on the same server, try disabling and stopping that, then restart syslog-ng and see if it starts working.

Also, I seem to recall there is a way to check syslog-ng logs on the server to check the service is pulling the logs in. I think they might even output to /var/log/messages, but you could also check /var/log/syslog-ng.

systemctl status syslog-ng all fine?

No rsyslog running on the server.

Looks like syslog-ng is running OK:

sudo systemctl status syslog-ng
● syslog-ng.service - System Logger Daemon
   Loaded: loaded (/usr/lib/systemd/system/syslog-ng.service; enabled; vendor preset: enabled)
   Active: active (running) since Thu 2019-02-07 22:45:51 CET; 10h ago
     Docs: man:syslog-ng(8)
 Main PID: 862 (syslog-ng)
   CGroup: /system.slice/syslog-ng.service
           ├─ 862 /usr/sbin/syslog-ng -F -p /var/run/syslogd.pid
           └─1988 php /opt/librenms/syslog.php

Feb 07 22:45:51 librenmsr1.emv2.com systemd[1]: Starting System Logger Daemon...

I haven’t yet been able to track down any relevant logs.

However I have queried the Database directly and can confirm that no syslog messages other than from Librenms itself have been passed to the DB.

And when you tcpdump on the librenms box, you are seeing your cisco logs arrive on port 514?

So 514 is let through firewalls / iptables etc. The next step is finding out why the syslog-ng service isn't producing logs.

If syslog-ng isn’t seeing it then librenms won’t see it.

Yes, the tcpdump confirms the logs are being received.

tcpdump: listening on ens192, link-type EN10MB (Ethernet), capture size 262144 bytes
1549535772.292668 IP (tos 0x0, ttl 63, id 34907, offset 0, flags [none], proto UDP (17), length 519)
x.x.x.x > x.x.x.x.514: [udp sum ok] SYSLOG, length: 491
Facility local7 (23), Severity notice (5)
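Added example (not code from LibreNMS, syslog-ng or anyone in this thread): a small Python tool for the two checks a practitioner would make at this point. First, it decodes the PRI value of a raw datagram the way tcpdump does above (local7 = 23, notice = 5, so PRI = 23*8+5 = 189). Second, it reports whether the message carries an RFC 5424 header, a classic RFC 3164 header, or a vendor-specific legacy body; this matters because the `flags(syslog-protocol)` option on the tcp()/udp() sources in the posted config tells syslog-ng to expect RFC 5424-formatted input. The sample messages are constructed for illustration (a Cisco IOS-style line, a FortiGate-style key=value line, a BSD line and an IETF line), not captured from the poster's devices, and `send_udp` simply emits a message to a chosen host/port so you can inject a known-good test line into syslog-ng without a switch on hand.

```python
"""Decode and classify raw syslog datagrams as seen on UDP/514.

Added example for this thread; not LibreNMS or syslog-ng code.
Sample messages are constructed, not captured traffic.
"""
import re
import socket

FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console",
              "solaris-cron", "local0", "local1", "local2", "local3", "local4",
              "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

_PRI_RE = re.compile(r"^<(\d{1,3})>")
# RFC 5424: <PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID ...
_RFC5424_RE = re.compile(r"^<\d{1,3}>1 (?:-|\d{4}-\d{2}-\d{2}T\S+) \S+ \S+ \S+ \S+ ")
# RFC 3164: <PRI>Mmm dd hh:mm:ss HOSTNAME ...
_RFC3164_RE = re.compile(r"^<\d{1,3}>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2} \S+ ")

# Constructed samples (assumed vendor styles; not from the poster's devices).
SAMPLES = {
    "cisco_ios": "<189>123: *Feb  7 11:16:12.292: %SYS-5-CONFIG_I: "
                 "Configured from console by admin on vty0 (10.0.0.5)",
    "fortigate": '<189>date=2019-02-07 time=11:16:12 devname="fw1" devid="FGT" '
                 'logid="0100032001" type="event" subtype="system" level="notice" '
                 'msg="test message"',
    "bsd": "<189>Feb  7 11:16:12 sw1 cron[123]: test message",
    "ietf": "<189>1 2019-02-07T11:16:12.292Z sw1 sshd 1234 - - test message",
}


def decode_pri(pri: int) -> tuple:
    """Split a PRI value into (facility, severity) names."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI out of range: {pri}")
    return FACILITIES[pri >> 3], SEVERITIES[pri & 7]


def encode_pri(facility: str, severity: str) -> int:
    """Inverse of decode_pri: facility*8 + severity."""
    return FACILITIES.index(facility) * 8 + SEVERITIES.index(severity)


def classify(msg: str) -> dict:
    """Return PRI breakdown plus which header format the datagram uses.

    'legacy' means a PRI is present but neither RFC header matches, which is
    typical of vendor formats; such messages are not RFC 5424 input.
    """
    m = _PRI_RE.match(msg)
    if not m:
        return {"pri": None, "facility": None, "severity": None, "format": "no-pri"}
    pri = int(m.group(1))
    facility, severity = decode_pri(pri)
    if _RFC5424_RE.match(msg):
        fmt = "rfc5424"
    elif _RFC3164_RE.match(msg):
        fmt = "rfc3164"
    else:
        fmt = "legacy"
    return {"pri": pri, "facility": facility, "severity": severity, "format": fmt}


def summarize(samples: dict) -> dict:
    """Classify every sample; handy for eyeballing a batch of captured lines."""
    return {name: classify(msg) for name, msg in samples.items()}


def send_udp(msg: str, host: str = "127.0.0.1", port: int = 514) -> int:
    """Emit one datagram to a syslog listener; returns bytes sent."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        return sock.sendto(msg.encode("utf-8"), (host, port))


if __name__ == "__main__":
    for name, info in summarize(SAMPLES).items():
        print(f"{name:10s} pri={info['pri']} {info['facility']}.{info['severity']} "
              f"format={info['format']}")
```

To reproduce the tcpdump line above, run the script and compare the `cisco_ios` row (`pri=189 local7.notice`); to feed syslog-ng a controlled message, call `send_udp(SAMPLES["ietf"])` for an RFC 5424 line and `send_udp(SAMPLES["bsd"])` for a BSD line and see which of the two reaches the database.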

how to enable syslog in librenms with syslog alert rules