Check_mk as syslog server

I can not find how to set up check_mk as rsyslog server.
OMD is running and monitoring 6 servers. All of them also send rsyslog messages.
I used tcpdump to see that rsyslog messages appear on 514 udp.
I tried to set up rules for the event console but nothing appears there.
Is there a clean and straight forward documentation on this?

Thanks

Something like the “Setup” chapter in the documentation?

Yes I walked through this and created rules but still nothing in the event console.

When I use the event simulator with an appropriate log level, I see the green light that says rule matches. Meanwhile I see in tcpdump that messages arrive on the network. But when it arrives on the network, I get no rule matches notification.

Ok, fixed it. I had rsyslogd running on the check_mk server. It ran on the same port as python3 (however that was possible, UDP?) and thus was blocking the messages.

Thanks for providing the root cause info. I will remember to check the syslog port(514) usage status using netstat.
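
Added example for the two checks discussed above (this is illustrative code, not Checkmk's own and not posted by anyone in the thread): it builds a plain RFC 3164 syslog datagram you can fire at UDP 514 from another host (unlike the event simulator, this goes through the network and the socket), and it parses `ss -ulnp` output to show which process owns UDP 514. The Event Console receiver in Checkmk is mkeventd, a python3 process, so the expected owner name defaults to `python3`; the `ss` output below is constructed sample data. If two daemons bound the port with address reuse, only one of them receives a given unicast datagram, which is why the EC can stay silent while tcpdump shows traffic.

```python
"""Check who owns UDP 514 and send a test syslog line (added example)."""
import re
import socket

# RFC 3164 facility and severity codes (subset sufficient for tests).
FACILITY = {"kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4,
            "syslog": 5, "local0": 16, "local1": 17, "local7": 23}
SEVERITY = {"emerg": 0, "alert": 1, "crit": 2, "err": 3, "warning": 4,
            "notice": 5, "info": 6, "debug": 7}


def syslog_pri(facility: str, severity: str) -> int:
    """PRI = facility * 8 + severity (RFC 3164 section 4.1.1)."""
    return FACILITY[facility] * 8 + SEVERITY[severity]


def build_syslog_message(facility: str, severity: str, timestamp: str,
                         host: str, tag: str, text: str) -> bytes:
    """Classic BSD syslog line, e.g. b'<30>Jun  1 12:00:00 web1 sshd: ...'."""
    pri = syslog_pri(facility, severity)
    return f"<{pri}>{timestamp} {host} {tag}: {text}".encode()


def send_syslog(datagram: bytes, target: str, port: int = 514) -> None:
    """Send one UDP datagram to the syslog port (network side effect, not
    exercised by the tests)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(datagram, (target, port))


# Matches the users:(("name",pid=N,fd=M)) column printed by `ss -p`.
_PROC_RE = re.compile(r'\("([^"]+)",pid=(\d+)')


def udp_listeners(ss_output: str, port: int):
    """Parse `ss -ulnp` output; return [(local_addr, process, pid)] for the
    sockets bound to the given UDP port."""
    found = []
    for line in ss_output.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] != "UNCONN":
            continue  # header line or not a UDP socket
        addr, _, lport = parts[3].rpartition(":")
        if lport != str(port):
            continue
        m = _PROC_RE.search(line)
        proc, pid = (m.group(1), int(m.group(2))) if m else ("?", -1)
        found.append((addr, proc, pid))
    return found


def port_conflict(ss_output: str, port: int = 514, expected: str = "python3"):
    """Listeners on the port that are not the expected Event Console
    process (mkeventd runs as python3). Empty list means no conflict."""
    return [l for l in udp_listeners(ss_output, port) if l[1] != expected]


# Constructed sample: rsyslogd holds 514 on v4 and v6, snmpd holds 161.
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
UNCONN 0      0            0.0.0.0:514       0.0.0.0:*     users:(("rsyslogd",pid=812,fd=5))
UNCONN 0      0               [::]:514          [::]:*     users:(("rsyslogd",pid=812,fd=6))
UNCONN 0      0            0.0.0.0:161       0.0.0.0:*     users:(("snmpd",pid=901,fd=7))
"""

if __name__ == "__main__":
    import subprocess
    out = subprocess.run(["ss", "-ulnp"], capture_output=True, text=True).stdout
    for addr, proc, pid in port_conflict(out):
        print(f"UDP 514 on {addr} is held by {proc} (pid {pid}), not the Event Console")
    msg = build_syslog_message("daemon", "info", "Jun  1 12:00:00",
                               "web1", "sshd[123]", "EC reachability test")
    print(msg)  # send_syslog(msg, "<checkmk-host>") to try it over the wire
```

Run it as root on the Checkmk host; a non-empty conflict list means stop or reconfigure that daemon (or move one of them to a different port) before retesting rules with a real datagram rather than the simulator.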

Hi,
keep in mind that checkmk is not a “syslog” server like rsyslog.
The Event Console is meant to create Events/Notifications in checkmk through rules matching conditions in your Eventlog, syslog or snmp messages.
It is not meant as a syslog storage or analysis tool like ELK Stack, Graylog, Loki etc.

Andre

Yes, I figured as much. I also have to look for a solution for a “real” rsyslog server, since it gets quite flooded with warnings, infos and notices. Don't want to have that in the event console but might want to keep it stored elsewhere, since infos and notices can provide additional information about issues.

If you like to keep it open source, have a look at Graylog or the Elastic Stack. Both do quite a good job, even if you are just looking for a place to dump all your logs.