Solved

CactiEZ 0.8.8a Syslog Not Showing Remote Hosts

Posted on 2013-11-14
Last Modified: 2014-01-13
OS: centOS
Software: CactiEZ 0.8.8a

Syslog plugin 1.22 not showing remote hosts, only shows messages from localhost. MySQL DB exists and does not contain remote host data either.
2013-11-14-09-52-57-Cacti.png
Question by: Lee Seeman

Author Comment

by:Lee Seeman
ID: 39648331
I confirmed that Cacti Syslog plugin is set to use Syslog DB and I can see the tables using webmin, BUT there is no data other than from the localhost...

Here is my config.php file properties for the syslog plugin:

// Both branches point the plugin at the same 'syslog' database on localhost;
// the closing brace of the else block was missing from the pasted fragment.
if (!$use_cacti_db) {
      $syslogdb_type     = 'mysql';
      $syslogdb_default  = 'syslog';
      $syslogdb_hostname = 'localhost';
      $syslogdb_username = 'cactiuser';
      $syslogdb_password = 'xxxxx';
      $syslogdb_port     = 3306;
} else {
      $syslogdb_type     = 'mysql';
      $syslogdb_default  = 'syslog';
      $syslogdb_hostname = 'localhost';
      $syslogdb_username = 'cactiuser';
      $syslogdb_password = 'xxxxxxx';
      $syslogdb_port     = 3306;
}


Author Comment

by:Lee Seeman
ID: 39648855
I have not been able to find a solution or active thread in the Cacti forums to resolve or help me with this issue.

I prefer not to abandon my Cacti investment, but if I don't get it resolved within a week I will consider moving to OpsView, or another free solution.

Expert Comment

by:Mazdajai
ID: 39650120
Do you have iptables running? What ports is the device listening on?
service iptables status
netstat -ant


Author Comment

by:Lee Seeman
ID: 39657067
Syslog is listening on port udp/514:


[root@localhost ~]# service iptables status
Table: filter
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    RH-Firewall-1-INPUT  all  --  0.0.0.0/0            0.0.0.0/0
2    DROP       icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 13

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination
1    RH-Firewall-1-INPUT  all  --  0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination
1    DROP       icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 14

Chain RH-Firewall-1-INPUT (2 references)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
2    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 255
3    ACCEPT     esp  --  0.0.0.0/0            0.0.0.0/0
4    ACCEPT     ah   --  0.0.0.0/0            0.0.0.0/0
5    ACCEPT     udp  --  0.0.0.0/0            224.0.0.251         udp dpt:5353
6    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
7    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
8    ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:69
9    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:80
10   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:443
11   ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:514
12   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:10000
13   ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:2055
14   REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

Author Comment

by:Lee Seeman
ID: 39657078
OS: CentOS Linux 6.4
Cacti version: CactiEZ 0.8.8b

I disabled the Cacti Syslog plugin version 1.22 by Jimmy Conner and re-installed it, still no resolution.

I attached a screenshot of the mysql syslog host table only showing the localhost...
2013-11-18-12-49-43-Webmin-1.660.png

Author Comment

by:Lee Seeman
ID: 39657153
[root@localhost ~]# netstat -ant
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address               Foreign Address             State
tcp        0      0 127.0.0.1:3306              0.0.0.0:*                   LISTEN
tcp        0      0 0.0.0.0:80                  0.0.0.0:*                   LISTEN
tcp        0      0 0.0.0.0:10000               0.0.0.0:*                   LISTEN
tcp        0      0 0.0.0.0:22                  0.0.0.0:*                   LISTEN
tcp        0      0 127.0.0.1:25                0.0.0.0:*                   LISTEN
tcp        0      0 0.0.0.0:9050                0.0.0.0:*                   LISTEN
tcp        0      0 0.0.0.0:443                 0.0.0.0:*                   LISTEN
tcp        0     52 192.168.1.62:22             192.168.1.119:57654         ESTABLISHED
tcp        0      0 192.168.1.62:22             192.168.1.119:59208         ESTABLISHED
tcp        0      0 192.168.1.62:80             192.168.1.119:60523         TIME_WAIT
tcp        0      0 192.168.1.62:80             192.168.1.119:60513         TIME_WAIT
tcp        0      0 192.168.1.62:80             192.168.1.119:60525         TIME_WAIT
tcp        0      0 192.168.1.62:22             192.168.1.119:60009         ESTABLISHED
tcp        0      0 192.168.1.62:80             192.168.1.119:60527         TIME_WAIT
tcp        0      0 192.168.1.62:80             192.168.1.119:60517         TIME_WAIT
tcp        0      0 192.168.1.62:80             192.168.1.119:60521         TIME_WAIT
tcp        0      0 192.168.1.62:80             192.168.1.119:60519         TIME_WAIT
[root@localhost ~]#

Expert Comment

by:Mazdajai
ID: 39657154
Have you tried disabling iptables temporarily?

Author Comment

by:Lee Seeman
ID: 39657158
No; also I don't see udp/514 listening in the results of 'netstat -ant'....

Author Comment

by:Lee Seeman
ID: 39657165
[root@localhost ~]# /etc/init.d/iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables:[  OK  ]
[root@localhost ~]# /etc/init.d/iptables stop
iptables: Flushing firewall rules:                         [  OK  ]
iptables: Setting chains to policy ACCEPT: filter          [  OK  ]
iptables: Unloading modules:                               [  OK  ]
[root@localhost ~]#


....waiting to see if hosts populate in Syslog GUI (attached screenshot)
2013-11-18-13-04-06-Cacti.png

Author Comment

by:Lee Seeman
ID: 39657197
Disabled iptables at boot as well and rebooted. Post-reboot output still does not show udp/514 listening or waiting:

[root@localhost ~]# netstat -ant
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address               Foreign Address             State
tcp        0      0 127.0.0.1:3306              0.0.0.0:*                   LISTEN
tcp        0      0 0.0.0.0:10000               0.0.0.0:*                   LISTEN
tcp        0      0 0.0.0.0:80                  0.0.0.0:*                   LISTEN
tcp        0      0 0.0.0.0:22                  0.0.0.0:*                   LISTEN
tcp        0      0 127.0.0.1:25                0.0.0.0:*                   LISTEN
tcp        0      0 0.0.0.0:9050                0.0.0.0:*                   LISTEN
tcp        0      0 0.0.0.0:443                 0.0.0.0:*                   LISTEN
tcp        0     52 192.168.1.62:22             192.168.1.119:57457         ESTABLISHED
tcp        0      0 192.168.1.62:80             192.168.1.119:57440         TIME_WAIT
tcp        0      0 192.168.1.62:80             192.168.1.119:57452         TIME_WAIT
tcp        0      0 192.168.1.62:80             192.168.1.119:57448         TIME_WAIT
tcp        0      0 192.168.1.62:80             192.168.1.119:57430         TIME_WAIT
tcp        0      0 192.168.1.62:22             192.168.1.119:57394         ESTABLISHED
tcp        0      0 192.168.1.62:80             192.168.1.119:57446         TIME_WAIT
tcp        0      0 192.168.1.62:80             192.168.1.119:57428         TIME_WAIT
tcp        0      0 192.168.1.62:80             192.168.1.119:57436         TIME_WAIT
tcp        0      0 192.168.1.62:80             192.168.1.119:57422         TIME_WAIT
tcp        0      0 192.168.1.62:80             192.168.1.119:57442         TIME_WAIT
tcp        0      0 192.168.1.62:80             192.168.1.119:57426         TIME_WAIT
tcp        0      0 192.168.1.62:80             192.168.1.119:57438         TIME_WAIT
tcp        0      0 192.168.1.62:80             192.168.1.119:57434         TIME_WAIT
tcp        0      0 192.168.1.62:80             192.168.1.119:57432         TIME_WAIT
tcp        0      0 192.168.1.62:80             192.168.1.119:57454         TIME_WAIT
tcp        0      0 192.168.1.62:80             192.168.1.119:57444         TIME_WAIT
[root@localhost ~]# service rsyslog start
Starting system logger:
[root@localhost ~]# service rsyslog
Usage: /etc/init.d/rsyslog {start|stop|restart|condrestart|try-restart|reload|force-reload|status}
[root@localhost ~]# service rsyslog status
rsyslogd (pid  1188) is running...
[root@localhost ~]#

Expert Comment

by:Mazdajai
ID: 39657256
If 514 is not listening then I doubt you will get any data. I am not sure a reinstall will fix this, but it doesn't hurt to try before further troubleshooting takes place.

Author Comment

by:Lee Seeman
ID: 39657273
I reinstalled it twice and no luck....

/etc/rsyslog.conf file:
# Forwarding rule: send everything over TCP (@@) to 192.168.1.62:514.
# This is a client-side action; it does not make rsyslog listen on 514.
*.* @@192.168.1.62:514


[root@localhost ~]# /etc/init.d/rsyslog restart
Shutting down system logger:                               [  OK  ]
Starting system logger:                                    [  OK  ]
[root@localhost ~]# netstat -an | grep 514
[root@localhost ~]# netstat -an | grep 514
[root@localhost ~]#


Author Comment

by:Lee Seeman
ID: 39657322
I enabled/added the following to the rsyslog.conf file:
# imudp provides the UDP receiver; the socket itself is opened by a
# $UDPServerRun 514 line.
$ModLoad imudp
# Privileges are dropped after the sockets are bound; the named user and
# group must exist on the host.
$PrivDropToUser syslog
$PrivDropToGroup syslog

Then restarted rsyslog as root and I now see it listening:
[root@localhost ~]# sudo /etc/init.d/rsyslog restart
Shutting down system logger:                               [  OK  ]
Starting system logger:                                    [  OK  ]
[root@localhost ~]# netstat -alnp |grep 514
udp        0      0 0.0.0.0:514                 0.0.0.0:*                               6702/rsyslogd
[root@localhost ~]#

But I still don't see any remote hosts populating in the Cacti Syslog GUI, just localhost messages....??

Expert Comment

by:Mazdajai
ID: 39658317
Is there anything in <path_cacti>/log/cacti.log? What devices are pointing to cacti?

Author Comment

by:Lee Seeman
ID: 39659303
Yes; but all I see in the log referencing syslog is:
11/19/2013 08:07:21 AM - SYSTEM SYSLOG STATS:Time:0.18 Deletes:0 Incoming:0 Removes:0 XFers:0 Alerts:0 Alarms:0 Reports:0
11/19/2013 08:07:21 AM - SYSTEM SYSLOG STATS:Time:0.18 Deletes:0 Incoming:0 Removes:0 XFers:0 Alerts:0 Alarms:0 Reports:0

I have a Sonicwall NSA 3500 firewall and Cisco 2960 pointing to the syslog server at this time.

Author Comment

by:Lee Seeman
ID: 39660144
Anyone have any ideas why my remote hosts logging to the syslog are not showing in the Cacti syslog GUI and database?

Expert Comment

by:Mazdajai
ID: 39661444
Did you use hostname or ip address (192.168.1.62) on your remote device?

Can you telnet to 192.168.1.62 port 514 from the network that the 2960 sitting in?

Author Comment

by:Lee Seeman
ID: 39662872
Yes, the remote devices send syslog via IP to 192.168.1.62

I can connect when telnetting to the syslog server on 192.168.1.62/514, BUT I do not get any output when hitting Enter or space several times....?

Expert Comment

by:Mazdajai
ID: 39672862
Telnetting to the port is to ensure there is no communication problem between the client and server; you cannot do much afterward.

You can try listening on a different port and see if it yields a different result, or start a network capture on the syslog server and trace the packets.

Author Comment

by:Lee Seeman
ID: 39674382
Telnetting to the port is to ensure there is no communication problem between the client and server; you cannot do much afterward.

You can try listening on a different port and see if it yields a different result, or start a network capture on the syslog server and trace the packets.

As stated above, I tried this; it connects, but returns no response when hitting Enter or any other key. As for another port, it needs to remain on 514. Regarding the capture, packets are arriving at the syslog server, but get dropped for some reason.

Expert Comment

by:Mazdajai
ID: 39685912
I can connect when telnetting to the syslog server on 192.168.1.62/514, BUT I do not get any output when hitting Enter or space several times....?
If it connects, that means you have a solid, good connection from the client to the CactiEZ server.

If the packets were dropped you would not have been able to connect to 514 with telnet.

Author Comment

by:Lee Seeman
ID: 39736194
Anyone else have any ideas?

Expert Comment

by:Mazdajai
ID: 39737317
Regarding the capture, packets are arriving at the syslog server, but get dropped for some reason.

If the packets arrive at the host but CactiEZ is unable to see them, then something is wrong with CactiEZ not being able to pick up the data. Have you tried a different listening port?

Author Comment

by:Lee Seeman
ID: 39748334
I will try a different listening port and report back...

Author Comment

by:Lee Seeman
ID: 39748672
When the rsyslog service is stopped, there is no listening udp/515 port. When it is started, it shows as listening on this port. I also turned off iptables to rule that out....

Still no incoming syslog messages in mysql db.

Author Comment

by:Lee Seeman
ID: 39748739
* Confirmed tcp/udp ports 514 are listening
* Confirmed iptables on w/exception and off make no difference

* There are NO records populating the mysql db

Here's my rsyslog.conf file db section:

$ModLoad ommysql
$template cacti_syslog,"INSERT INTO syslog_incoming(facility, priority, date, time, host, message) values (%syslogfacility%, %syslogpriority%,  '%timereported:::date-mysql%', '%timereported:::date-mysql%', '%HOSTNAME%', '%msg%')", SQL
# Legacy ommysql action: host,database,user,password;template. The template
# name after ';' must match the $template line above (it was 'syslog').
*.* :ommysql:127.0.0.1,syslog,cactiuser,<password>;cacti_syslog


Author Comment

by:Lee Seeman
ID: 39748858
Latest, getting localhost messages in mysql db, but no remote hosts.

My current rsyslog.conf file:

$ModLoad ommysql
$template cacti_syslog,"INSERT INTO syslog_incoming(facility, priority, date, time, host, message) values (%syslogfacility%, %syslogpriority%,  '%timereported:::date-mysql%', '%timereported:::date-mysql%', '%HOSTNAME%', '%msg%')", SQL
# '>' is the legacy shorthand for :ommysql: (host,database,user,password;template)
*.* >127.0.0.1,syslog,cactiuser,<password>;cacti_syslog

# Store all log files in MySQL DB
# Disabled: this duplicated the action above and was missing the database
# name, so it could never have written to the syslog database.
#*.* :ommysql:127.0.0.1,cactiuser,<password>

# $AllowedSender only takes effect for listeners started after it, so these
# lines must precede the $UDPServerRun / $InputTCPServerRun lines.
$AllowedSender UDP, 127.0.0.1, 192.168.1.0/24
$AllowedSender TCP, 127.0.0.1, 192.168.1.0/24

 
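The configuration in the comment above has two stages that can each make a remote host vanish: the $AllowedSender filter, which discards datagrams from addresses outside the listed networks before any template runs, and the template, which maps a raw syslog datagram onto the syslog_incoming columns. The following is an added example written for this page, not code from the thread, from rsyslog or from the Cacti syslog plugin. It models both stages in Python so the result can be inspected without a MySQL server: sqlite stands in for MySQL and the table is reduced to the six columns the template names; a datagram that carries no hostname (the default for Cisco IOS and SonicWall units) is filed under the sender's IP, which approximates rsyslog's %HOSTNAME% fallback; the year for the RFC 3164 timestamp comes from the receiver, since the wire format has none; and the sample datagrams are constructed, not captured from the poster's devices.

```python
"""Model of the rsyslog -> MySQL path used by the Cacti syslog plugin.

Added example, not code from the thread, rsyslog or Cacti. It reproduces what
the posted template and $AllowedSender lines do: turn a raw syslog datagram
into a syslog_incoming row (facility, priority, date, time, host, message)
and discard senders outside the allowed networks. Assumptions: sqlite stands
in for MySQL with the table cut down to those six columns; a datagram without
a hostname is filed under the sender IP (approximates rsyslog's %HOSTNAME%);
the sample datagrams below are constructed, not captured.
"""
import ipaddress
import re
import sqlite3
from datetime import datetime

SCHEMA = """CREATE TABLE syslog_incoming (
    facility INTEGER, priority INTEGER, date TEXT, time TEXT, host TEXT, message TEXT)"""

# Networks from the poster's "$AllowedSender UDP, 127.0.0.1, 192.168.1.0/24" line.
ALLOWED = ["127.0.0.1", "192.168.1.0/24"]

# RFC 3164 on the wire: "<PRI>Mmm dd hh:mm:ss hostname message". Timestamp and
# hostname are optional here because Cisco IOS and SonicWall units omit them
# unless configured to send them; the hostname is then the sender's address.
_LINE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?:(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) )?"
    r"(?:(?P<host>[A-Za-z0-9][A-Za-z0-9.\-]*) )?"
    r"(?P<msg>.*)$",
    re.DOTALL,
)


def sender_allowed(sender: str, allowed=ALLOWED) -> bool:
    """$AllowedSender check: a bare address counts as a single-host network."""
    ip = ipaddress.ip_address(sender)
    return any(ip in ipaddress.ip_network(net, strict=False) for net in allowed)


def to_row(datagram: str, sender: str, received_at: datetime) -> dict:
    """Map one datagram onto the template's columns.

    %syslogfacility% / %syslogpriority% come from PRI = facility*8 + severity;
    %timereported:::date-mysql% is the message's own timestamp (year supplied
    by the receiver) or the receive time when the message has none.
    """
    m = _LINE.match(datagram)
    if not m or int(m.group("pri")) > 191:
        raise ValueError("not an RFC 3164 message: %r" % datagram)
    facility, priority = divmod(int(m.group("pri")), 8)
    if m.group("ts"):
        reported = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S").replace(year=received_at.year)
    else:
        reported = received_at
    stamp = reported.strftime("%Y-%m-%d %H:%M:%S")
    return {
        "facility": facility,
        "priority": priority,
        "date": stamp,
        "time": stamp,
        "host": m.group("host") or sender,
        "message": m.group("msg").strip(),
    }


def ingest(datagrams, allowed=ALLOWED, received_at=None):
    """Run (sender_ip, datagram) pairs through the sender filter and the INSERT.

    Returns (rows now in syslog_incoming, senders that were discarded).
    """
    received_at = received_at or datetime.now()
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    dropped = []
    for sender, raw in datagrams:
        if not sender_allowed(sender, allowed):
            dropped.append(sender)
            continue
        r = to_row(raw, sender, received_at)
        conn.execute(
            "INSERT INTO syslog_incoming (facility, priority, date, time, host, message) "
            "VALUES (?, ?, ?, ?, ?, ?)",
            (r["facility"], r["priority"], r["date"], r["time"], r["host"], r["message"]),
        )
    cur = conn.execute("SELECT * FROM syslog_incoming ORDER BY rowid")
    cols = [d[0] for d in cur.description]
    return [dict(zip(cols, row)) for row in cur.fetchall()], dropped


# Constructed datagrams: the collector's own rsyslogd, an IOS switch (no
# hostname, sequence number first), a SonicWall in its key=value format at
# local7, and a host outside 192.168.1.0/24 that the filter must discard.
RECEIVED_AT = datetime(2013, 11, 19, 8, 8, 0)
SAMPLE = [
    ("127.0.0.1", '<46>Nov 19 08:07:21 localhost rsyslogd: [origin software="rsyslogd"] start'),
    ("192.168.1.1", "<189>57: *Nov 19 08:07:30.123: %SYS-5-CONFIG_I: Configured from console by vty0 (192.168.1.119)"),
    ("192.168.1.2", '<190> id=firewall sn=CONSTRUCTED time="2013-11-19 08:07:31" fw=192.168.1.2 pri=6 c=1024 m=537 msg="Connection Closed"'),
    ("10.0.0.5", "<13>Nov 19 08:07:32 rogue sshd[100]: Failed password for root"),
]

if __name__ == "__main__":
    rows, dropped = ingest(SAMPLE, received_at=RECEIVED_AT)
    for r in rows:
        print(r["host"], r["facility"], r["priority"], r["date"], r["message"][:40])
    print("discarded senders:", dropped)
```

Running it files the localhost message, the switch and the firewall as three distinct hosts, both network devices under facility 23 (local7), and leaves 10.0.0.5 in the discarded list. The separation matters for the symptom in this thread: a host that never reaches syslog_incoming although its packets are visible on the wire is being lost before the SQL action runs (listener or sender filter), whereas a host that appears with no messages means rows were written and the question moves to what the plugin does with them afterwards.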

Author Comment

by:Lee Seeman
ID: 39748866
Breakthrough....

I just stopped iptables again and disabled them at boot, NOW I see one of my remote hosts appear in the Cacti Syslog plugin tab; no messages for this host yet....

Expert Comment

by:Mazdajai
ID: 39749012
Nice. What changes have you made? Sounds like iptables is the issue, although you mentioned it was off before.

Author Comment

by:Lee Seeman
ID: 39751174
Seeing remote hosts now appearing in Cacti Syslog plugin, but no messages/records. Remote hosts are currently a Cisco 2900 switch set to local7 and a Sonicwall NSA3500 at local7 (webtrends format)

see attached;
cacti-syslog.png

Expert Comment

by:Mazdajai
ID: 39753081
Do you see the data in mysql?

Accepted Solution

by: Lee Seeman (earned 0 total points)
ID: 39766582
Due to a lack of support for this product, I went with LogAnalyzer on CentOS with rsyslog and I am very pleased.

Author Closing Comment

by:Lee Seeman
ID: 39776103
Lack of community support; came up with an alternate solution.