Archived community.zenoss.org | full text search
Skip navigation
1 2 Previous Next 3708 Views 16 Replies Latest reply: Apr 22, 2013 8:50 AM by jcurry RSS
heinds Rank: White Belt 16 posts since
Apr 10, 2013
Currently Being Moderated

Apr 12, 2013 5:20 PM

ZenSyslog Question-Please assist

Hi Guys,

 

Thank you for taking the time to read this.

 

I have taken two days to go through the forum and to search for solutions so this is my last resort.

 

Please note that my knowledge of Zenoss is limited and that I am actually a windows user but i'm willing to learn and find this very exiting!

 

I have installed Zenoss 4.2.3 on Centos and I am able to monitor a cisco switch and Zhone MXK without any problems.

 

I want to receive Syslog information from both devices to see when interfaces change state etc and have set them up to forward Syslog messages to the Zenoss server IP.

 

The Server is not receiving any syslog messages and nothing is being displayed in the "EVENTS" tab or "EVENTS HISTORY".

 

Is there anything I can check to verify what could be wrong?

 

ANY help will be greatly appreciated!

  • jcurry ZenossMaster 1,021 posts since
    Apr 15, 2008
    Currently Being Moderated
    2. Apr 15, 2013 7:32 AM (in response to heinds)
    Re: ZenSyslog Question-Please assist

    It looks like your zensyslog THINKS it is OK.  Several things to check:

     

    1) Do make sure that syslog on your Zenoss server is NOT configured to collect syslogs from other devices.  You should have the zensyslog process on port UDP/514 (which is what your zensyslog config is saying with the syslogport parameter).  If the Operating System syslog is also fighting for that port then it will probably win and zensyslog will not get data.  If you have it on your Zenoss server, I find the lsof command very useful to see what processes have control of what TCP/IP ports, eg:

     

    [zenoss@zen42 4.2]$ lsof -i -P | grep 514

    python  16370 zenoss   13u  IPv4  629745      0t0  UDP *:514

     

    This determines that a python process is connected to UDP/514.  To see which process, grep for the process number given in the second field:

     

    [zenoss@zen42 4.2]$ ps -ef | grep 16370

    zenoss    3858 20489  0 12:17 pts/4    00:00:00 grep 16370

    zenoss   16370     1  0 Apr12 ?        00:02:52 /opt/zenoss/bin/python /opt/zenoss/Products/ZenEvents/zensyslog.py --configfile /opt/zenoss/etc/zensyslog.conf --cycle --daemon --useFileDescriptor=4

    [zenoss@zen42 4.2]$

     

    The answer is zensyslog - oh frabjous day!

     

    2) The zensyslog daemon is fairly unique in that it can log the incoming syslog messages - change the logorig parameter from False to True and restart zensyslog.  I use this to prove that syslog events are actually arriving at Zenoss.  If there is nothing there, the problem is with the configuration in your syslog servers or it is a comms problem (like firewalls not permitting UDP/514).

     

    3) If you are getting syslog message into the logorig file then increase the logging on zensyslog.  You can either do this from the GUI or by hacking the file directly (as with all daemon config files).  You need to set logseverity to 10 (Debug if you do it through the GUI) and then restart zensyslog. 

     

    What is generating your original syslog messages?  The zensyslog code can recognise most variants of syslog files but it may be that you have something that it fails to recognise.

     

    You may find my paper, "Event Management for Zenoss Core 4" helpful - http://www.skills-1st.co.uk/papers/jane/zenoss4-events/ . Chapter 4 is on syslog processing. 

     

    I have also just announced dates for the 3-day Zenoss Event Management workshop on May 29-31 and June 11-13 - see  message/72840#72840   and http://www.skills-1st.co.uk/products/courses/zenoss-events.html .

     

    Cheers,

    Jane

  • jcurry ZenossMaster 1,021 posts since
    Apr 15, 2008
    Currently Being Moderated
    4. Apr 15, 2013 11:00 AM (in response to heinds)
    Re: ZenSyslog Question-Please assist

    Your second command you need to grep for 3159 as that is the process id of the python process. It is the second field that gives you the process id; the 13481 is apparently the "Device" field for lsof - not quite sure what this is.

     

    The problem with lsof as that it only gives the initial command (python) and all the zenoss daemon process lines start with python. 

     

    Cheers,

    Jane

  • jcurry ZenossMaster 1,021 posts since
    Apr 15, 2008
    Currently Being Moderated
    6. Apr 15, 2013 1:04 PM (in response to heinds)
    Re: ZenSyslog Question-Please assist

    So you should now have a file called origsyslog.log in $ZENHOME/log, in addition to your zensyslog.log??  Does that have any incoming syslog messages in it?

     

    Cheers,

    Jane

  • jcurry ZenossMaster 1,021 posts since
    Apr 15, 2008
    Currently Being Moderated
    8. Apr 16, 2013 4:09 AM (in response to heinds)
    Re: ZenSyslog Question-Please assist

    Hmm - sounds like there are no syslog events arriving.  If you change directory to $ZENHOME/log and do a ls -l on the file,  when was it last updated?  Might it have been  when you changed the logorig parameter?  For example:

     

    [zenoss@zen42 log]$ cd /opt/zenoss/log/

    [zenoss@zen42 log]$ ls -l origsyslog.log

    -rwxrwxr-x 1 zenoss zenoss 28613171 Apr 16 09:00 origsyslog.log

    [zenoss@zen42 log]$ less origsyslog.log

    [zenoss@zen42 log]$

     

    The date is the last time the file was updated. the big number (28613171) is the size (which should obviously increase whenever a syslog message is received).  less is a unix command to display the contents of a file (space gets the next page, carriage-return gets the next line, if you know some vi editor commands then they work too).

     

    If this file is virtually emptry and not updating when you believe it should be recieving events, then I would certainly focus attention on the syslog systems that are supposed to be forwarding events to Zenoss and at any fiewall that might be in between.

     

    One test I usually start with is to configure the Zenoss server so that his own syslog events are forwarded to Zenoss (have a look at the Event Management paper for an example).  If you can get those flowing then you know that zensyslog is capable of reading and interpreting events. and you can focus your attention on the delivery mechanism.

     

    Cheers,

    Jane

  • jcurry ZenossMaster 1,021 posts since
    Apr 15, 2008
    Currently Being Moderated
    10. Apr 16, 2013 11:17 AM (in response to heinds)
    Re: ZenSyslog Question-Please assist

    Good one isn't it?

     

    Are you running wireshark on your laptop?

     

    Is there a firewall running on your Zenoss server?  As root, run:

    iptables --list -v

     

    I have a line like:

    0 0 ACCEPT udp  --  anyany anywhere         anywhere        state NEW udp dpt:syslog

     

    The Zenoss server's firewall would block stuff before it gets to zensyslog.

     

    Cheers,

    Jane

  • jcurry ZenossMaster 1,021 posts since
    Apr 15, 2008
    Currently Being Moderated
    12. Apr 16, 2013 6:34 PM (in response to heinds)
    Re: ZenSyslog Question-Please assist

    I think that means that your firewall on your Zenoss server is rejecting incoming syslog messages on udp/514.

     

    Use the System -> Administration -> firewall menus.  Under "Other Ports" you may or may not have anything.  You need to ensure that UDP/514 is selected here; using the Add button gives you a scrolled list and you should be able to select what you want.  I attach a screenshot of my configs.

    centos_firewall_other_ports.jpg

    If you ever want your Zenoss to receive SNMP TRAPs, also add the two entries for TCP and UDP 162.

     

    I believe the first line of your current firewall config is permitting traffic in that is in response to a message from the Zenoss server, so things like SNMP get/set will be allowed in as the conversation starts from Zenoss but both syslog and SNMP TRAPs are messages unsolicited by Zenoss - hence the conversation starts from the outside and you have no firewall rules that allow these message types in.

     

    Cheers,

    Jane

  • guyverix ZenossMaster 846 posts since
    Jul 10, 2007
    Currently Being Moderated
    14. Apr 20, 2013 2:09 PM (in response to heinds)
    Re: ZenSyslog Question-Please assist

    Grin, I think Jane is a teacher.. 

     

    Dont forget to mark the question as answered

1 2 Previous Next

More Like This

  • Retrieving data ...

Legend

  • Correct Answers - 4 points
  • Helpful Answers - 2 points