Syslog an Eventconsole funktioniert nicht

Troubleshooting
1

Hallo zusammen,

ich steh gerade etwas auf dem Schlauch. Ich möchte eintreffende Syslog-Meldungen in der Eventconsole “sehen”. In der config ist syslog aktiv (omd config ).

Die Meldung kommt am CMK-Server an (TCPDUMP):
Taucht dann aber in der Eventconsole nicht auf.

syslog01
syslog011017×208 9.81 KB

Wenn ich den Test mache der auch in der Online-Doku angegeben ist

echo 'This is no syslog message' | nc -w 0 -u localhost 514

Dann bekomme ich den Eintrag aber:

syslog02
syslog021158×156 7.67 KB

Ich hab auf dem CMK-Server keine spezielle Einstellung für rsyslog gemacht.

Grüße,

Josef

2

Ok, so if you did nothing on the webUI side, then please go to Setup → Event Console and add a rule. Just one rule to catch all messages, or you can filter to all warning, or critical messages, pre-tagged from your system.

3

Hi,

the “def_0000” rule is a “capture all” rule. If there would be no rule the test with nc would be droped too right?

Josef

4

Ok, so can you please try the following command on the sending hosts command line:
logger “This is a test”

Do you see the traffic in your tcpdump?

5

It’s closed system so I cant place the command on the sending system.
But the tcpdump output in the first post is a incoming syslog message from the sending system captured on the monitoring server.
Can the format of the message somehow be wrong?

Josef

6

My idea was, that the sending system does not send the messages via UDP, or something else is missconfigured. Can you trigger a syslog message in the sending system?

7

syslog02
syslog021384×281 14.5 KB

can it be possible, that the syslog server (rsyslog) doesn’t listen on that ethernet interface?

Josef

8

Checkmk should listen on 0.0.0.0:514 which you can check with ‘netstat -plun |grep 514’.
The fact, that you receive the packages in your tcpdump tells me, that the network part works well und the error should be on the way from local interface to web UI.

Can you please control /omd/sites/$SITE/var/log/mkeventd.log and /ome/sites/$SITE/var/mkeventd/history/*.log

9

Both files just show the normal SNMP-Traps and forwarded logs. The incoming message isn’t captured/forwarded by/to mkeventd :confused:

But this looks fine …

server:/ # netstat -plun |grep 514
udp        0      0 0.0.0.0:514             0.0.0.0:*                           8615/python
server:/ #
10

This topic was automatically closed 365 days after the last reply. New replies are no longer allowed. Contact an admin if you think this should be re-opened.