Archived community.zenoss.org | full text search
18416 Views 9 Replies Latest reply: May 21, 2010 8:59 AM by terrys
tcaiazza Rank: White Belt 90 posts since
Mar 19, 2009

May 18, 2010 2:57 PM

Forward/Relay Syslog messages

I have some devices that can only send to 1 syslog host, so I've set the device to point to the zenoss server but I also want these syslog messages sent to another syslog server.  I remember reading a doc on how to set up zenoss to receive syslog messages and then relay them on to another syslog server, but I can't seem to find it now.  Does anyone know how to do this?

  • mwcotton Rank: Brown Belt 563 posts since
    Apr 23, 2008
    1. May 18, 2010 4:52 PM (in response to tcaiazza)
    Re: Forward/Relay Syslog messages

    You should set up a syslog-ng install, send the syslog messages to it and then forward them to zenoss.

  • terrys Rank: White Belt 62 posts since
    Nov 27, 2009
    3. May 19, 2010 8:38 AM (in response to tcaiazza)
    Re: Forward/Relay Syslog messages

    If the devices are capable of sending syslog messages, then syslog-ng will work.  Syslog-ng is an open-source re-write of the original syslog daemon.  It features a good log filtering mechanism.  It is easy to learn how to build the filters.  I use it to accept log messages from network devices of all sorts and forward the messages to the appropriate NMS platforms.  It is in active development.

  • phonegi Rank: Brown Belt 446 posts since
    Apr 15, 2009
    4. May 19, 2010 9:15 AM (in response to tcaiazza)
    Re: Forward/Relay Syslog messages

    tc,

     

    What OS are you running your Zenoss system on? RHEL systems do not support syslog-ng, but do support rsyslog. Many other OS's do support syslog-ng. (Yes I know there are syslog-ng rpms out there, but some like to keep the OS free from unsupported applications.)

     

    I wrote this article HOWTO make syslog and zensyslog coexist on an RHEL machine but it doesn't cover setting up a relay. I know both rsyslog and syslog-ng do support relay mechanisms.

  • terrys Rank: White Belt 62 posts since
    Nov 27, 2009
    5. May 19, 2010 9:31 AM (in response to phonegi)
    Re: Forward/Relay Syslog messages

    phonegi,  I'm running syslog-ng on RHEL3 and RHEL5 systems with no problems.  I'm not aware of any restriction that would prevent syslog-ng from running on RHEL.  In my environment, I have a dedicated system for syslog-ng, which forwards the events to Zenoss on a separate platform (also RHEL5).

     

    What would take some work, and is what you've probably done, is running Zenoss and syslog-ng on the same system.  The major work would be to determine port settings so that syslog-ng gets the syslog events and forwards them to Zenoss which would listen on a different port.

  • phonegi Rank: Brown Belt 446 posts since
    Apr 15, 2009
    6. May 19, 2010 2:54 PM (in response to terrys)
    Re: Forward/Relay Syslog messages

    I more correctly should have stated that syslog-ng is not available via the CentOS core repositories (base, updates, or extras). Obviously, most apps can be installed via manual compilation. Some admins are wary of installing "unofficial" applications that may at some point conflict with future updates.

  • terrys Rank: White Belt 62 posts since
    Nov 27, 2009
    7. May 19, 2010 3:38 PM (in response to phonegi)
    Re: Forward/Relay Syslog messages

    I agree.  Thanks for the clarification.

  • mwcotton Rank: Brown Belt 563 posts since
    Apr 23, 2008
    8. May 20, 2010 7:57 PM (in response to tcaiazza)
    Re: Forward/Relay Syslog messages

    Yes, syslog-ng accepts regular syslog and forwards on to one or more syslog destinations. The syslog message, when forwarded, will still look like it came from the original destination.

  • terrys Rank: White Belt 62 posts since
    Nov 27, 2009
    9. May 21, 2010 8:59 AM (in response to mwcotton)
    Re: Forward/Relay Syslog messages

    There is an option, spoof-source, in syslog-ng to have it forward the message and use the source address of the original system that generated the syslog message.  Some syslog systems require this.  I had to rebuild syslog-ng using '../configure --enable-spoof-source' to have it support this option, then the config file needs the destination configuration to specify that source spoofing should be used:

    destination d_zenoss { udp("10.9.9.9" spoof_source(yes)); };

     

    Even with this enabled in my syslog-ng, Zenoss worked best for me when I enabled the 'parsehost' option in the zensyslog daemon.
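
A relay configuration tying the replies above together, as an added example that is not part of the original thread: syslog-ng on a dedicated host receives UDP syslog from the devices and forwards every message to both Zenoss and a second syslog server. The address 192.0.2.20 and the names s_devices and d_second are assumptions made for illustration; 10.9.9.9 and d_zenoss come from the last reply.

```conf
# Added example, not from the thread. Put the @version line that matches
# your installed syslog-ng release at the top of the real file.

options {
    keep_hostname(yes);     # keep the hostname the device put in the message
    chain_hostnames(no);    # do not prepend the relay's own name to it
};

# Devices that can only log to one host point here (standard syslog port).
source s_devices {
    udp(ip(0.0.0.0) port(514));
};

# Zenoss server, as in the reply above. spoof_source(yes) makes the
# forwarded packet carry the originating device's IP as its source address.
destination d_zenoss {
    udp("10.9.9.9" port(514) spoof_source(yes));
};

# Second syslog server (constructed address, replace with your own).
destination d_second {
    udp("192.0.2.20" port(514) spoof_source(yes));
};

# One log path with two destinations: each message is sent to both.
log {
    source(s_devices);
    destination(d_zenoss);
    destination(d_second);
};
```

spoof_source applies only to UDP destinations and needs a syslog-ng binary built with spoof-source support, as the reply describes. Anti-spoofing or reverse-path filtering between the relay and a receiver can drop the forwarded packets, so confirm arrival on both servers after enabling it.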
