• Status: Solved

CactiEZ 0.8.8a Syslog Not Showing Remote Hosts

OS: CentOS
Software: CactiEZ 0.8.8a

Syslog plugin 1.22 not showing remote hosts, only shows messages from localhost. MySQL DB exists and does not contain remote host data either.
2013-11-14-09-52-57-Cacti.png
0
Asked by: Freda Driscoll-Sbar
1 Solution
 
Freda Driscoll-Sbar, Director of System Operations (Author) Commented:
I confirmed that Cacti Syslog plugin is set to use Syslog DB and I can see the tables using webmin, BUT there is no data other than from the localhost...

Here is my config.php file properties for the syslog plugin:

if (!$use_cacti_db) {
      $syslogdb_type     = 'mysql';
      $syslogdb_default  = 'syslog';
      $syslogdb_hostname = 'localhost';
      $syslogdb_username = 'cactiuser';
      $syslogdb_password = 'xxxxx';
      $syslogdb_port     = 3306;
}else{
      $syslogdb_type     = 'mysql';
      $syslogdb_default  = 'syslog';
      $syslogdb_hostname = 'localhost';
      $syslogdb_username = 'cactiuser';
      $syslogdb_password = 'xxxxxxx';
      $syslogdb_port     = 3306;
}
0
 
Freda Driscoll-Sbar, Director of System Operations (Author) Commented:
I have not been able to find a solution or active thread in the Cacti forums to resolve or help me with this issue.

I prefer not to abandon my Cacti investment, but if I don't get it resolved within a week I will consider moving to OpsView, or another free solution.
0
 
Mazdajai Commented:
Do you have any iptables running? What ports is the device listening?
service iptables status
netstat -ant


0

 
Freda Driscoll-Sbar, Director of System Operations (Author) Commented:
Syslog is listening on port udp/514;


[root@localhost ~]# service iptables status
Table: filter
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    RH-Firewall-1-INPUT  all  --  0.0.0.0/0            0.0.0.0/0
2    DROP       icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 13

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination
1    RH-Firewall-1-INPUT  all  --  0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination
1    DROP       icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 14

Chain RH-Firewall-1-INPUT (2 references)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
2    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 255
3    ACCEPT     esp  --  0.0.0.0/0            0.0.0.0/0
4    ACCEPT     ah   --  0.0.0.0/0            0.0.0.0/0
5    ACCEPT     udp  --  0.0.0.0/0            224.0.0.251         udp dpt:5353
6    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
7    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
8    ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:69
9    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:80
10   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:443
11   ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:514
12   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:10000
13   ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:2055
14   REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibite
0
 
Freda Driscoll-Sbar, Director of System Operations (Author) Commented:
OS: CentOS Linux 6.4
Cacti version: CactiEZ 0.8.8b

I disabled the Cacti Syslog plugin version 1.22 by Jimmy Conner and re-installed it, still no resolution.

I attached a screenshot of the mysql syslog host table only showing the localhost...
2013-11-18-12-49-43-Webmin-1.660.png
0
 
Freda Driscoll-Sbar, Director of System Operations (Author) Commented:
[root@localhost ~]# netstat -ant
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address               Foreign Address             State
tcp        0      0 127.0.0.1:3306              0.0.0.0:*                   LISTEN
tcp        0      0 0.0.0.0:80                  0.0.0.0:*                   LISTEN
tcp        0      0 0.0.0.0:10000               0.0.0.0:*                   LISTEN
tcp        0      0 0.0.0.0:22                  0.0.0.0:*                   LISTEN
tcp        0      0 127.0.0.1:25                0.0.0.0:*                   LISTEN
tcp        0      0 0.0.0.0:9050                0.0.0.0:*                   LISTEN
tcp        0      0 0.0.0.0:443                 0.0.0.0:*                   LISTEN
tcp        0     52 192.168.1.62:22             192.168.1.119:57654         ESTABLISHED
tcp        0      0 192.168.1.62:22             192.168.1.119:59208         ESTABLISHED
tcp        0      0 192.168.1.62:80             192.168.1.119:60523         TIME_WAIT
tcp        0      0 192.168.1.62:80             192.168.1.119:60513         TIME_WAIT
tcp        0      0 192.168.1.62:80             192.168.1.119:60525         TIME_WAIT
tcp        0      0 192.168.1.62:22             192.168.1.119:60009         ESTABLISHED
tcp        0      0 192.168.1.62:80             192.168.1.119:60527         TIME_WAIT
tcp        0      0 192.168.1.62:80             192.168.1.119:60517         TIME_WAIT
tcp        0      0 192.168.1.62:80             192.168.1.119:60521         TIME_WAIT
tcp        0      0 192.168.1.62:80             192.168.1.119:60519         TIME_WAIT
[root@localhost ~]#
0
 
Mazdajai Commented:
Have you tried disabling iptables temporarily?
0
 
Freda Driscoll-Sbar, Director of System Operations (Author) Commented:
No; also I don't see udp/514 listening in the results of 'netstat -ant'....
0
 
Freda Driscoll-Sbar, Director of System Operations (Author) Commented:
[root@localhost ~]# /etc/init.d/iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables:[  OK  ]
[root@localhost ~]# /etc/init.d/iptables stop
iptables: Flushing firewall rules:                         [  OK  ]
iptables: Setting chains to policy ACCEPT: filter          [  OK  ]
iptables: Unloading modules:                               [  OK  ]
[root@localhost ~]#


....waiting to see if hosts populate in Syslog GUI (attached screenshot)
2013-11-18-13-04-06-Cacti.png
0
 
Freda Driscoll-Sbar, Director of System Operations (Author) Commented:
Disabled iptables at boot as well and rebooted. Post output still does not show udp/514 listening or waiting:

[root@localhost ~]# netstat -ant
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address               Foreign Address             State
tcp        0      0 127.0.0.1:3306              0.0.0.0:*                   LISTEN
tcp        0      0 0.0.0.0:10000               0.0.0.0:*                   LISTEN
tcp        0      0 0.0.0.0:80                  0.0.0.0:*                   LISTEN
tcp        0      0 0.0.0.0:22                  0.0.0.0:*                   LISTEN
tcp        0      0 127.0.0.1:25                0.0.0.0:*                   LISTEN
tcp        0      0 0.0.0.0:9050                0.0.0.0:*                   LISTEN
tcp        0      0 0.0.0.0:443                 0.0.0.0:*                   LISTEN
tcp        0     52 192.168.1.62:22             192.168.1.119:57457         ESTABLISHED
tcp        0      0 192.168.1.62:80             192.168.1.119:57440         TIME_WAIT
tcp        0      0 192.168.1.62:80             192.168.1.119:57452         TIME_WAIT
tcp        0      0 192.168.1.62:80             192.168.1.119:57448         TIME_WAIT
tcp        0      0 192.168.1.62:80             192.168.1.119:57430         TIME_WAIT
tcp        0      0 192.168.1.62:22             192.168.1.119:57394         ESTABLISHED
tcp        0      0 192.168.1.62:80             192.168.1.119:57446         TIME_WAIT
tcp        0      0 192.168.1.62:80             192.168.1.119:57428         TIME_WAIT
tcp        0      0 192.168.1.62:80             192.168.1.119:57436         TIME_WAIT
tcp        0      0 192.168.1.62:80             192.168.1.119:57422         TIME_WAIT
tcp        0      0 192.168.1.62:80             192.168.1.119:57442         TIME_WAIT
tcp        0      0 192.168.1.62:80             192.168.1.119:57426         TIME_WAIT
tcp        0      0 192.168.1.62:80             192.168.1.119:57438         TIME_WAIT
tcp        0      0 192.168.1.62:80             192.168.1.119:57434         TIME_WAIT
tcp        0      0 192.168.1.62:80             192.168.1.119:57432         TIME_WAIT
tcp        0      0 192.168.1.62:80             192.168.1.119:57454         TIME_WAIT
tcp        0      0 192.168.1.62:80             192.168.1.119:57444         TIME_WAIT
[root@localhost ~]# service rsyslog start
Starting system logger:
[root@localhost ~]# service rsyslog
Usage: /etc/init.d/rsyslog {start|stop|restart|condrestart|try-restart|reload|force-reload|status}
[root@localhost ~]# service rsyslog status
rsyslogd (pid  1188) is running...
[root@localhost ~]#
0
 
Mazdajai Commented:
If 514 is not listening then I doubt you will get any data. I am not sure a reinstall will fix this, but it doesn't hurt before further troubleshooting takes place??
0
 
Freda Driscoll-Sbar, Director of System Operations (Author) Commented:
I reinstalled it twice and no luck....

/etc/rsyslog.conf file:
*.* @@192.168.1.62:514



[root@localhost ~]# /etc/init.d/rsyslog restart
Shutting down system logger:                               [  OK  ]
Starting system logger:                                    [  OK  ]
[root@localhost ~]# netstat -an | grep 514
[root@localhost ~]# netstat -an | grep 514
[root@localhost ~]#


0
 
Freda Driscoll-Sbar, Director of System Operations (Author) Commented:
I enabled/added the following to the rsyslog.conf file:
$ModLoad imudp
$PrivDropToUser syslog
$PrivDropToGroup syslog


Then restarted rsyslog as root and I now see it listening:
[root@localhost ~]# sudo /etc/init.d/rsyslog restart
Shutting down system logger:                               [  OK  ]
Starting system logger:                                    [  OK  ]
[root@localhost ~]# netstat -alnp |grep 514
udp        0      0 0.0.0.0:514                 0.0.0.0:*                               6702/rsyslogd
[root@localhost ~]#


But I still don't see any remote hosts populating in the Cacti Syslog GUI, just localhost messages....??
0
 
Mazdajai Commented:
Is there anything in <path_cacti>/log/cacti.log? What devices are pointing to cacti?
0
 
Freda Driscoll-Sbar, Director of System Operations (Author) Commented:
Yes; but all I see in the log referencing syslog is:
11/19/2013 08:07:21 AM - SYSTEM SYSLOG STATS:Time:0.18 Deletes:0 Incoming:0 Removes:0 XFers:0 Alerts:0 Alarms:0 Reports:0
11/19/2013 08:07:21 AM - SYSTEM SYSLOG STATS:Time:0.18 Deletes:0 Incoming:0 Removes:0 XFers:0 Alerts:0 Alarms:0 Reports:0


I have a Sonicwall NSA 3500 firewall and Cisco 2960 pointing to the syslog server at this time.
0
 
Freda Driscoll-Sbar, Director of System Operations (Author) Commented:
Anyone have any ideas why my remote hosts logging to the syslog are not showing in the Cacti syslog GUI and database?
0
 
Mazdajai Commented:
Did you use hostname or IP address (192.168.1.62) on your remote device?

Can you telnet to 192.168.1.62 port 514 from the network that the 2960 is sitting in?
0
 
Freda Driscoll-Sbar, Director of System Operations (Author) Commented:
Yes, the remote devices send syslog via IP to 192.168.1.62

I can connect when telnetting to the syslog server on 192.168.1.62/514, BUT I do not get any output when hitting Enter or space several times....?
0
 
Mazdajai Commented:
Telnet to the port is to ensure there is no communication problem between the client and server, you cannot do much afterward.

You can try listening on a different port and see if it yields a different result, or start a network capture on the syslog and trace the packets.
0
 
Freda Driscoll-Sbar, Director of System Operations (Author) Commented:
Telnet to the port is to ensure there is no communication problem between the client and server, you cannot do much afterward.

You can try listening on a different port and see if it yields a different result, or start a network capture on the syslog and trace the packets.

As stated above, I tried this; it connects, but returns no response when hitting enter or other key. As for another port, it needs to remain on 514. Regarding the capture, packets are arriving at syslog server, but get dropped for some reason.
0
 
Mazdajai Commented:
I can connect when telnetting to the syslog server on 192.168.1.62/514, BUT I do not get any output when hitting Enter or space several times....?
If it connects, that means you have a solid good connection from the client to the CactiEZ server.

If the packets are dropped you would not have been able to connect to 514 with telnet.
0
 
Freda Driscoll-Sbar, Director of System Operations (Author) Commented:
Anyone else have any ideas?
0
 
Mazdajai Commented:
Regarding the capture, packets are arriving at syslog server, but get dropped for some reason.

If the packet arrives at the host but CactiEZ is unable to see it, then something is wrong with CactiEZ not being able to pick up the data. Have you tried a different listening port?
0
 
Freda Driscoll-Sbar, Director of System Operations (Author) Commented:
I will try a different listening port and report back...
0
 
Freda Driscoll-Sbar, Director of System Operations (Author) Commented:
When rsyslog service is stopped, there is no listening udp/515 port. When it is started, it shows as listening on this port. I also turned off iptables to rule that out....

Still no incoming syslog messages in mysql db.
0
 
Freda Driscoll-Sbar, Director of System Operations (Author) Commented:
* Confirmed tcp/udp ports 514 are listening
* Confirmed iptables on w/exception and off make no difference

* There are NO records populating the mysql db

Here's my rsyslog.conf file db section:

$ModLoad ommysql
$template cacti_syslog,"INSERT INTO syslog_incoming(facility, priority, date, time, host, message) values (%syslogfacility%, %syslogpriority%,  '%timereported:::date-mysql%', '%timereported:::date-mysql%', '%HOSTNAME%', '%msg%')", SQL
*.*:ommysql:127.0.0.1,syslog,cactiuser,<password>;syslog


0
 
Freda Driscoll-Sbar, Director of System Operations (Author) Commented:
Latest, getting localhost messages in mysql db, but no remote hosts.

My current rsyslog.conf file:

$ModLoad ommysql
$template cacti_syslog,"INSERT INTO syslog_incoming(facility, priority, date, time, host, message) values (%syslogfacility%, %syslogpriority%,  '%timereported:::date-mysql%', '%timereported:::date-mysql%', '%HOSTNAME%', '%msg%')", SQL
*.* >127.0.0.1,syslog,cactiuser,<password>;cacti_syslog

# Store all log files in MySQL DB
*.* :ommysql:127.0.0.1,cactiuser,<password>

$AllowedSender UDP, 127.0.0.1, 192.168.1.0/24
$AllowedSender TCP, 127.0.0.1, 192.168.1.0/24


0
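A check for the rsyslog.conf fragments posted in this thread, added here as an example (it is not code from the posters or from the Cacti or rsyslog projects). It reads a legacy-format config and reports conditions that keep remote messages from reaching the plugin's syslog_incoming table: no UDP listener directives, a forwarding rule where a listener was intended, and a database action bound to a missing or undefined template. The function names and finding codes are made up for this example, and $UDPServerRun is rsyslog's legacy listener directive, which does not appear in the posts above.

```shell
#!/bin/sh
# Added example. Reads a legacy-format rsyslog.conf on stdin and prints one
# finding per line; no output means none of the checked problems were found.
audit_rsyslog_receiver() {
    awk '
    /^[ \t]*#/ { next }                                  # ignore comments
    /^[ \t]*\$ModLoad[ \t]+imudp/       { imudp = 1 }    # UDP input module
    /^[ \t]*\$UDPServerRun[ \t]+[0-9]+/ { udprun = 1 }   # opens the UDP port
    /^[ \t]*\$template[ \t]+/ {                          # remember template names
        name = $2; sub(/,.*/, "", name); tmpl[name] = 1
    }
    # Database actions: ":ommysql:..." or the older ">..." shorthand.
    /:ommysql:|^[^ \t]+[ \t]+>/ {
        n = split($0, part, ";")
        if (n < 2) {
            # No ";template": rsyslog falls back to its default SQL format,
            # not the syslog_incoming INSERT the Cacti plugin reads.
            print "DB_ACTION_NO_TEMPLATE line " NR
        } else {
            ref = part[n]; gsub(/[ \t]/, "", ref); used[ref] = NR
        }
    }
    # "@host" forwards over UDP and "@@host" over TCP; neither opens a listener.
    /^[^ \t]+[ \t]+@@?[^ \t]/ { print "FORWARD_RULE line " NR }
    END {
        if (!imudp)  print "NO_IMUDP"
        if (!udprun) print "NO_UDPSERVERRUN"
        for (r in used)
            if (!(r in tmpl)) print "UNDEFINED_TEMPLATE " r " line " used[r]
    }'
}

# Constructed sample assembled from lines posted in this thread (INSERT shortened).
sample_conf() {
    cat <<'EOF'
$ModLoad ommysql
*.* @@192.168.1.62:514
$template cacti_syslog,"INSERT INTO syslog_incoming(host, message) values ('%HOSTNAME%', '%msg%')", SQL
*.*:ommysql:127.0.0.1,syslog,cactiuser,<password>;syslog
EOF
}

sample_conf | audit_rsyslog_receiver
```

Run it against the live file with: audit_rsyslog_receiver < /etc/rsyslog.conf. A clean result only covers these checks; a UDP listener is still best confirmed with netstat -anu, since netstat -ant lists TCP sockets only.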
 
Freda Driscoll-Sbar, Director of System Operations (Author) Commented:
Breakthrough....

I just stopped iptables again and disabled them at boot, NOW I see one of my remote hosts appear in the Cacti Syslog plugin tab; no messages for this host yet....
0
 
Mazdajai Commented:
Nice. What changes have you made? Sounds like iptables is the issue, although you have mentioned it was off before.
0
 
Freda Driscoll-Sbar, Director of System Operations (Author) Commented:
Seeing remote hosts now appearing in Cacti Syslog plugin, but no messages/records. Remote hosts are currently a Cisco 2900 switch set to local7 and a Sonicwall NSA3500 at local7 (webtrends format)

see attached;
cacti-syslog.png
0
 
Mazdajai Commented:
Do you see the data in mysql?
0
 
Freda Driscoll-Sbar, Director of System Operations (Author) Commented:
Due to a lack of support for this product, I went with LogAnalyzer on CentOS with rsyslog and I am very pleased.
0
 
Freda Driscoll-Sbar, Director of System Operations (Author) Commented:
Lack of community support; came up with an alternate solution.
0
