Solved

CactiEZ 0.8.8a Syslog Not Showing Remote Hosts

Posted on 2013-11-14
Last Modified: 2014-01-13
OS: CentOS
Software: CactiEZ 0.8.8a

Syslog plugin 1.22 not showing remote hosts, only shows messages from localhost. MySQL DB exists and does not contain remote host data either.
2013-11-14-09-52-57-Cacti.png
Question by:Lee Seeman
 

Author Comment

by:Lee Seeman
ID: 39648331
I confirmed that Cacti Syslog plugin is set to use Syslog DB and I can see the tables using webmin, BUT there is no data other than from the localhost...

Here is my config.php file properties for the syslog plugin:

if (!$use_cacti_db) {
      $syslogdb_type     = 'mysql';
      $syslogdb_default  = 'syslog';
      $syslogdb_hostname = 'localhost';
      $syslogdb_username = 'cactiuser';
      $syslogdb_password = 'xxxxx';
      $syslogdb_port     = 3306;
}else{
      $syslogdb_type     = 'mysql';
      $syslogdb_default  = 'syslog';
      $syslogdb_hostname = 'localhost';
      $syslogdb_username = 'cactiuser';
      $syslogdb_password = 'xxxxxxx';
      $syslogdb_port     = 3306;
}
0
 

Author Comment

by:Lee Seeman
ID: 39648855
I have not been able to find a solution or active thread in the Cacti forums to resolve or help me with this issue.

I prefer not to abandon my Cacti investment, but if I don't get it resolved within a week I will consider moving to OpsView, or another free solution.
0
 
LVL 21

Expert Comment

by:Mazdajai
ID: 39650120
Do you have any iptables running? What ports is the device listening on?
service iptables status
netstat -ant

0
 

Author Comment

by:Lee Seeman
ID: 39657067
Syslog is listening on port udp/514;


[root@localhost ~]# service iptables status
Table: filter
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    RH-Firewall-1-INPUT  all  --  0.0.0.0/0            0.0.0.0/0
2    DROP       icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 13

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination
1    RH-Firewall-1-INPUT  all  --  0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination
1    DROP       icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 14

Chain RH-Firewall-1-INPUT (2 references)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
2    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 255
3    ACCEPT     esp  --  0.0.0.0/0            0.0.0.0/0
4    ACCEPT     ah   --  0.0.0.0/0            0.0.0.0/0
5    ACCEPT     udp  --  0.0.0.0/0            224.0.0.251         udp dpt:5353
6    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
7    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
8    ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:69
9    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:80
10   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:443
11   ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:514
12   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:10000
13   ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:2055
14   REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibite
0
 

Author Comment

by:Lee Seeman
ID: 39657078
OS: CentOS Linux 6.4
Cacti version: CactiEZ 0.8.8b

I disabled the Cacti Syslog plugin version 1.22 by Jimmy Conner and re-installed it, still no resolution.

I attached a screenshot of the mysql syslog host table only showing the localhost...
2013-11-18-12-49-43-Webmin-1.660.png
0
 

Author Comment

by:Lee Seeman
ID: 39657153
[root@localhost ~]# netstat -ant
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address               Foreign Address             State
tcp        0      0 127.0.0.1:3306              0.0.0.0:*                   LISTEN
tcp        0      0 0.0.0.0:80                  0.0.0.0:*                   LISTEN
tcp        0      0 0.0.0.0:10000               0.0.0.0:*                   LISTEN
tcp        0      0 0.0.0.0:22                  0.0.0.0:*                   LISTEN
tcp        0      0 127.0.0.1:25                0.0.0.0:*                   LISTEN
tcp        0      0 0.0.0.0:9050                0.0.0.0:*                   LISTEN
tcp        0      0 0.0.0.0:443                 0.0.0.0:*                   LISTEN
tcp        0     52 192.168.1.62:22             192.168.1.119:57654         ESTABLISHED
tcp        0      0 192.168.1.62:22             192.168.1.119:59208         ESTABLISHED
tcp        0      0 192.168.1.62:80             192.168.1.119:60523         TIME_WAIT
tcp        0      0 192.168.1.62:80             192.168.1.119:60513         TIME_WAIT
tcp        0      0 192.168.1.62:80             192.168.1.119:60525         TIME_WAIT
tcp        0      0 192.168.1.62:22             192.168.1.119:60009         ESTABLISHED
tcp        0      0 192.168.1.62:80             192.168.1.119:60527         TIME_WAIT
tcp        0      0 192.168.1.62:80             192.168.1.119:60517         TIME_WAIT
tcp        0      0 192.168.1.62:80             192.168.1.119:60521         TIME_WAIT
tcp        0      0 192.168.1.62:80             192.168.1.119:60519         TIME_WAIT
[root@localhost ~]#
0
 
LVL 21

Expert Comment

by:Mazdajai
ID: 39657154
Have you tried disabling IP tables temporarily?
0
 

Author Comment

by:Lee Seeman
ID: 39657158
No; also I don't see udp/514 listening in the results of 'netstat -ant'....
0
 

Author Comment

by:Lee Seeman
ID: 39657165
[root@localhost ~]# /etc/init.d/iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables:[  OK  ]
[root@localhost ~]# /etc/init.d/iptables stop
iptables: Flushing firewall rules:                         [  OK  ]
iptables: Setting chains to policy ACCEPT: filter          [  OK  ]
iptables: Unloading modules:                               [  OK  ]
[root@localhost ~]#


....waiting to see if hosts populate in Syslog GUI (attached screenshot)
2013-11-18-13-04-06-Cacti.png
0
 

Author Comment

by:Lee Seeman
ID: 39657197
Disabled iptables at boot as well and rebooted. Post output still does not show udp/514 listening or waiting:

[root@localhost ~]# netstat -ant
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address               Foreign Address             State
tcp        0      0 127.0.0.1:3306              0.0.0.0:*                   LISTEN
tcp        0      0 0.0.0.0:10000               0.0.0.0:*                   LISTEN
tcp        0      0 0.0.0.0:80                  0.0.0.0:*                   LISTEN
tcp        0      0 0.0.0.0:22                  0.0.0.0:*                   LISTEN
tcp        0      0 127.0.0.1:25                0.0.0.0:*                   LISTEN
tcp        0      0 0.0.0.0:9050                0.0.0.0:*                   LISTEN
tcp        0      0 0.0.0.0:443                 0.0.0.0:*                   LISTEN
tcp        0     52 192.168.1.62:22             192.168.1.119:57457         ESTABLISHED
tcp        0      0 192.168.1.62:80             192.168.1.119:57440         TIME_WAIT
tcp        0      0 192.168.1.62:80             192.168.1.119:57452         TIME_WAIT
tcp        0      0 192.168.1.62:80             192.168.1.119:57448         TIME_WAIT
tcp        0      0 192.168.1.62:80             192.168.1.119:57430         TIME_WAIT
tcp        0      0 192.168.1.62:22             192.168.1.119:57394         ESTABLISHED
tcp        0      0 192.168.1.62:80             192.168.1.119:57446         TIME_WAIT
tcp        0      0 192.168.1.62:80             192.168.1.119:57428         TIME_WAIT
tcp        0      0 192.168.1.62:80             192.168.1.119:57436         TIME_WAIT
tcp        0      0 192.168.1.62:80             192.168.1.119:57422         TIME_WAIT
tcp        0      0 192.168.1.62:80             192.168.1.119:57442         TIME_WAIT
tcp        0      0 192.168.1.62:80             192.168.1.119:57426         TIME_WAIT
tcp        0      0 192.168.1.62:80             192.168.1.119:57438         TIME_WAIT
tcp        0      0 192.168.1.62:80             192.168.1.119:57434         TIME_WAIT
tcp        0      0 192.168.1.62:80             192.168.1.119:57432         TIME_WAIT
tcp        0      0 192.168.1.62:80             192.168.1.119:57454         TIME_WAIT
tcp        0      0 192.168.1.62:80             192.168.1.119:57444         TIME_WAIT
[root@localhost ~]# service rsyslog start
Starting system logger:
[root@localhost ~]# service rsyslog
Usage: /etc/init.d/rsyslog {start|stop|restart|condrestart|try-restart|reload|force-reload|status}
[root@localhost ~]# service rsyslog status
rsyslogd (pid  1188) is running...
[root@localhost ~]#
0
 
LVL 21

Expert Comment

by:Mazdajai
ID: 39657256
If 514 is not listening then I doubt you will get any data. I am not sure a reinstall will fix this, but it doesn't hurt before further troubleshooting takes place??
0
 

Author Comment

by:Lee Seeman
ID: 39657273
I reinstalled it twice and no luck....

/etc/rsyslog.conf file:
*.* @@192.168.1.62:514


[root@localhost ~]# /etc/init.d/rsyslog restart
Shutting down system logger:                               [  OK  ]
Starting system logger:                                    [  OK  ]
[root@localhost ~]# netstat -an | grep 514
[root@localhost ~]# netstat -an | grep 514
[root@localhost ~]#

0
 

Author Comment

by:Lee Seeman
ID: 39657322
I enabled/added the following to the rsyslog.conf file:
$ModLoad imudp
$PrivDropToUser syslog
$PrivDropToGroup syslog

Then restarted rsyslog as root and I now see it listening:
[root@localhost ~]# sudo /etc/init.d/rsyslog restart
Shutting down system logger:                               [  OK  ]
Starting system logger:                                    [  OK  ]
[root@localhost ~]# netstat -alnp |grep 514
udp        0      0 0.0.0.0:514                 0.0.0.0:*                               6702/rsyslogd
[root@localhost ~]#

But I still don't see any remote hosts populating in the Cacti Syslog GUI, just localhost messages....??
0
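
Added example (not part of the original thread): `netstat -ant` lists only TCP sockets, so a udp/514 listener shows up only with `-u` or plain `-an`, as in the `netstat -alnp` output above. The script classifies listeners on a port by protocol from `netstat -an`-style input; the function names are hypothetical and the sample is assembled from lines quoted in this thread.

```shell
#!/bin/sh
# Live use on the collector:  netstat -an | syslog_port_summary 514

# Constructed sample: tcp rows taken from the thread's `netstat -ant`
# output, udp row from its `netstat -alnp | grep 514` output.
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address               Foreign Address             State
tcp        0      0 127.0.0.1:3306              0.0.0.0:*                   LISTEN
tcp        0      0 0.0.0.0:22                  0.0.0.0:*                   LISTEN
tcp        0      0 192.168.1.62:80             192.168.1.119:60523         TIME_WAIT
udp        0      0 0.0.0.0:514                 0.0.0.0:*                               6702/rsyslogd'

# Print one "proto local_address" line per socket bound to port $1.
# TCP rows count only in LISTEN state; UDP is connectionless and has no
# State column, so any udp row bound to the port counts.
port_listeners() {
    awk -v port="$1" '
        $1 ~ /^(tcp|udp)/ {
            n = split($4, a, ":")      # port is the last ":" field (IPv6-safe)
            if (a[n] != port) next
            if ($1 ~ /^tcp/ && $6 != "LISTEN") next
            print $1, $4
        }'
}

# Summarise stdin as "udp=yes|no tcp=yes|no" for port $1.
syslog_port_summary() {
    port_listeners "$1" | awk '
        /^udp/ { u = 1 }
        /^tcp/ { t = 1 }
        END { printf "udp=%s tcp=%s\n", (u ? "yes" : "no"), (t ? "yes" : "no") }'
}

# Keep only tcp rows: the view that `netstat -ant` gives.
tcp_only() { grep '^tcp'; }

printf '%s\n' "$SAMPLE_NETSTAT" | syslog_port_summary 514
printf '%s\n' "$SAMPLE_NETSTAT" | tcp_only | syslog_port_summary 514
```
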
 
LVL 21

Expert Comment

by:Mazdajai
ID: 39658317
Is there anything in <path_cacti>/log/cacti.log? What devices are pointing to cacti?
0
 

Author Comment

by:Lee Seeman
ID: 39659303
Yes; but all I see in the log referencing syslog is:
11/19/2013 08:07:21 AM - SYSTEM SYSLOG STATS:Time:0.18 Deletes:0 Incoming:0 Removes:0 XFers:0 Alerts:0 Alarms:0 Reports:0
11/19/2013 08:07:21 AM - SYSTEM SYSLOG STATS:Time:0.18 Deletes:0 Incoming:0 Removes:0 XFers:0 Alerts:0 Alarms:0 Reports:0

I have a Sonicwall NSA 3500 firewall and Cisco 2960 pointing to the syslog server at this time.
0
 

Author Comment

by:Lee Seeman
ID: 39660144
Anyone have any ideas why my remote hosts logging to the syslog are not showing in the Cacti syslog GUI and database?
0
 
LVL 21

Expert Comment

by:Mazdajai
ID: 39661444
Did you use hostname or ip address (192.168.1.62) on your remote device?

Can you telnet to 192.168.1.62 port 514 from the network that the 2960 is sitting in?
0
 

Author Comment

by:Lee Seeman
ID: 39662872
Yes, the remote devices send syslog via IP to 192.168.1.62

I can connect when telnetting to the syslog server on 192.168.1.62/514, BUT I do not get any output when hitting Enter or space several times....?
0
 
LVL 21

Expert Comment

by:Mazdajai
ID: 39672862
Telnet to the port is to ensure there is no communication problem between the client and server, you cannot do much afterward.

You can try listening on a different port and see if it yields a different result or start a network capture on the syslog and trace the packets.
0
 

Author Comment

by:Lee Seeman
ID: 39674382
Telnet to the port is to ensure there is no communication problem between the client and server, you cannot do much afterward.

You can try listening on a different port and see if it yields a different result or start a network capture on the syslog and trace the packets.

As stated above, I tried this; it connects, but returns no response when hitting enter or other key. As for another port, it needs to remain on 514. Regarding the capture, packets are arriving at syslog server, but get dropped for some reason.
0
 
LVL 21

Expert Comment

by:Mazdajai
ID: 39685912
I can connect when telnetting to the syslog server on 192.168.1.62/514, BUT I do not get any output when hitting Enter or space several times....?
If it connects, that means you have a solid good connection from the client to the cactiez server.

If the packets are dropped you would not have been able to connect to 514 with telnet.
0
 

Author Comment

by:Lee Seeman
ID: 39736194
Anyone else have any ideas?
0
 
LVL 21

Expert Comment

by:Mazdajai
ID: 39737317
Regarding the capture, packets are arriving at syslog server, but get dropped for some reason.

If the packet arrives at the host but cactiez is unable to see it, then something is wrong with Cactiez not being able to pick up the data. Have you tried a different listening port?
0
 

Author Comment

by:Lee Seeman
ID: 39748334
I will try a different listening port and report back...
0
 

Author Comment

by:Lee Seeman
ID: 39748672
When rsyslog service is stopped, there is no listening udp/515 port. When it is started, it shows as listening on this port. I also turned off iptables to rule that out....

Still no incoming syslog messages in mysql db.
0
 

Author Comment

by:Lee Seeman
ID: 39748739
* Confirmed tcp/udp ports 514 are listening
* Confirmed iptables on w/exception and off make no difference

* There are NO records populating the mysql db

Here's my rsyslog.conf file db section:

$ModLoad ommysql
$template cacti_syslog,"INSERT INTO syslog_incoming(facility, priority, date, time, host, message) values (%syslogfacility%, %syslogpriority%,  '%timereported:::date-mysql%', '%timereported:::date-mysql%', '%HOSTNAME%', '%msg%')", SQL
*.*:ommysql:127.0.0.1,syslog,cactiuser,<password>;syslog

0
 

Author Comment

by:Lee Seeman
ID: 39748858
Latest, getting localhost messages in mysql db, but no remote hosts.

My current rsyslog.conf file:

$ModLoad ommysql
$template cacti_syslog,"INSERT INTO syslog_incoming(facility, priority, date, time, host, message) values (%syslogfacility%, %syslogpriority%,  '%timereported:::date-mysql%', '%timereported:::date-mysql%', '%HOSTNAME%', '%msg%')", SQL
*.* >127.0.0.1,syslog,cactiuser,<password>;cacti_syslog

# Store all log files in MySQL DB
*.* :ommysql:127.0.0.1,cactiuser,<password>

$AllowedSender UDP, 127.0.0.1, 192.168.1.0/24
$AllowedSender TCP, 127.0.0.1, 192.168.1.0/24

0
 

Author Comment

by:Lee Seeman
ID: 39748866
Breakthrough....

I just stopped iptables again and disabled them at boot, NOW I see one of my remote hosts appear in the Cacti Syslog plugin tab; no messages for this host yet....
0
 
LVL 21

Expert Comment

by:Mazdajai
ID: 39749012
Nice. What changes have you made? Sounds like iptables is the issue, although you have mentioned it was off before.
0
 

Author Comment

by:Lee Seeman
ID: 39751174
Seeing remote hosts now appearing in Cacti Syslog plugin, but no messages/records. Remote hosts are currently a Cisco 2900 switch set to local7 and a Sonicwall NSA3500 at local7 (webtrends format)

see attached;
cacti-syslog.png
0
 
LVL 21

Expert Comment

by:Mazdajai
ID: 39753081
Do you see the data in mysql?
0
 

Accepted Solution

by:Lee Seeman
ID: 39766582
Due to a lack of support for this product, I went with LogAnalyzer on CentOS with rsyslog and I am very pleased.
0
 

Author Closing Comment

by:Lee Seeman
ID: 39776103
Lack of community support; came up with an alternate solution.
0
