Solved

CactiEZ 0.8.8a Syslog Not Showing Remote Hosts

Posted on 2013-11-14
3,914 Views
Last Modified: 2014-01-13
OS: centOS
Software: CactiEZ 0.8.8a

Syslog plugin 1.22 not showing remote hosts, only shows messages from localhost. MySQL DB exists and does not contain remote host data either.
2013-11-14-09-52-57-Cacti.png
Question by:Lee Seeman
33 Comments
 

Author Comment

by:Lee Seeman
I confirmed that Cacti Syslog plugin is set to use Syslog DB and I can see the tables using webmin, BUT there is no data other than from the localhost...

Here are the config.php properties for the syslog plugin:

if (!$use_cacti_db) {
      $syslogdb_type     = 'mysql';
      $syslogdb_default  = 'syslog';
      $syslogdb_hostname = 'localhost';
      $syslogdb_username = 'cactiuser';
      $syslogdb_password = 'xxxxx';
      $syslogdb_port     = 3306;
} else {
      $syslogdb_type     = 'mysql';
      $syslogdb_default  = 'syslog';
      $syslogdb_hostname = 'localhost';
      $syslogdb_username = 'cactiuser';
      $syslogdb_password = 'xxxxxxx';
      $syslogdb_port     = 3306;
}
0
 

Author Comment

by:Lee Seeman
I have not been able to find a solution or active thread in the Cacti forums to resolve or help me with this issue.

I prefer not to abandon my Cacti investment, but if I don't get it resolved within a week I will consider moving to OpsView, or another free solution.
0
 
LVL 21

Expert Comment

by:Mazdajai
Do you have any iptables running? What ports is the device listening on?
service iptables status
netstat -ant


0
 

Author Comment

by:Lee Seeman
Syslog is listening on port udp/514:


[root@localhost ~]# service iptables status
Table: filter
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    RH-Firewall-1-INPUT  all  --  0.0.0.0/0            0.0.0.0/0
2    DROP       icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 13

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination
1    RH-Firewall-1-INPUT  all  --  0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination
1    DROP       icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 14

Chain RH-Firewall-1-INPUT (2 references)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
2    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 255
3    ACCEPT     esp  --  0.0.0.0/0            0.0.0.0/0
4    ACCEPT     ah   --  0.0.0.0/0            0.0.0.0/0
5    ACCEPT     udp  --  0.0.0.0/0            224.0.0.251         udp dpt:5353
6    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
7    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
8    ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:69
9    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:80
10   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:443
11   ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:514
12   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:10000
13   ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:2055
14   REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibite
0
 

Author Comment

by:Lee Seeman
OS: CentOS Linux 6.4
Cacti version: CactiEZ 0.8.8b

I disabled the Cacti Syslog plugin version 1.22 by Jimmy Conner and re-installed it, still no resolution.

I attached a screenshot of the mysql syslog host table only showing the localhost...
2013-11-18-12-49-43-Webmin-1.660.png
0
 

Author Comment

by:Lee Seeman
[root@localhost ~]# netstat -ant
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address               Foreign Address             State
tcp        0      0 127.0.0.1:3306              0.0.0.0:*                   LISTEN
tcp        0      0 0.0.0.0:80                  0.0.0.0:*                   LISTEN
tcp        0      0 0.0.0.0:10000               0.0.0.0:*                   LISTEN
tcp        0      0 0.0.0.0:22                  0.0.0.0:*                   LISTEN
tcp        0      0 127.0.0.1:25                0.0.0.0:*                   LISTEN
tcp        0      0 0.0.0.0:9050                0.0.0.0:*                   LISTEN
tcp        0      0 0.0.0.0:443                 0.0.0.0:*                   LISTEN
tcp        0     52 192.168.1.62:22             192.168.1.119:57654         ESTABLISHED
tcp        0      0 192.168.1.62:22             192.168.1.119:59208         ESTABLISHED
tcp        0      0 192.168.1.62:80             192.168.1.119:60523         TIME_WAIT
tcp        0      0 192.168.1.62:80             192.168.1.119:60513         TIME_WAIT
tcp        0      0 192.168.1.62:80             192.168.1.119:60525         TIME_WAIT
tcp        0      0 192.168.1.62:22             192.168.1.119:60009         ESTABLISHED
tcp        0      0 192.168.1.62:80             192.168.1.119:60527         TIME_WAIT
tcp        0      0 192.168.1.62:80             192.168.1.119:60517         TIME_WAIT
tcp        0      0 192.168.1.62:80             192.168.1.119:60521         TIME_WAIT
tcp        0      0 192.168.1.62:80             192.168.1.119:60519         TIME_WAIT
[root@localhost ~]#
0
 
LVL 21

Expert Comment

by:Mazdajai
Have you tried disabling iptables temporarily?
0
 

Author Comment

by:Lee Seeman
No; also I don't see udp/514 listening in the results of 'netstat -ant'....
0
 

Author Comment

by:Lee Seeman
[root@localhost ~]# /etc/init.d/iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables:[  OK  ]
[root@localhost ~]# /etc/init.d/iptables stop
iptables: Flushing firewall rules:                         [  OK  ]
iptables: Setting chains to policy ACCEPT: filter          [  OK  ]
iptables: Unloading modules:                               [  OK  ]
[root@localhost ~]#


....waiting to see if hosts populate in Syslog GUI (attached screenshot)
2013-11-18-13-04-06-Cacti.png
0
 

Author Comment

by:Lee Seeman
Disabled iptables at boot as well and rebooted. Post-reboot output still does not show udp/514 listening or waiting:

[root@localhost ~]# netstat -ant
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address               Foreign Address             State
tcp        0      0 127.0.0.1:3306              0.0.0.0:*                   LISTEN
tcp        0      0 0.0.0.0:10000               0.0.0.0:*                   LISTEN
tcp        0      0 0.0.0.0:80                  0.0.0.0:*                   LISTEN
tcp        0      0 0.0.0.0:22                  0.0.0.0:*                   LISTEN
tcp        0      0 127.0.0.1:25                0.0.0.0:*                   LISTEN
tcp        0      0 0.0.0.0:9050                0.0.0.0:*                   LISTEN
tcp        0      0 0.0.0.0:443                 0.0.0.0:*                   LISTEN
tcp        0     52 192.168.1.62:22             192.168.1.119:57457         ESTABLISHED
tcp        0      0 192.168.1.62:80             192.168.1.119:57440         TIME_WAIT
tcp        0      0 192.168.1.62:80             192.168.1.119:57452         TIME_WAIT
tcp        0      0 192.168.1.62:80             192.168.1.119:57448         TIME_WAIT
tcp        0      0 192.168.1.62:80             192.168.1.119:57430         TIME_WAIT
tcp        0      0 192.168.1.62:22             192.168.1.119:57394         ESTABLISHED
tcp        0      0 192.168.1.62:80             192.168.1.119:57446         TIME_WAIT
tcp        0      0 192.168.1.62:80             192.168.1.119:57428         TIME_WAIT
tcp        0      0 192.168.1.62:80             192.168.1.119:57436         TIME_WAIT
tcp        0      0 192.168.1.62:80             192.168.1.119:57422         TIME_WAIT
tcp        0      0 192.168.1.62:80             192.168.1.119:57442         TIME_WAIT
tcp        0      0 192.168.1.62:80             192.168.1.119:57426         TIME_WAIT
tcp        0      0 192.168.1.62:80             192.168.1.119:57438         TIME_WAIT
tcp        0      0 192.168.1.62:80             192.168.1.119:57434         TIME_WAIT
tcp        0      0 192.168.1.62:80             192.168.1.119:57432         TIME_WAIT
tcp        0      0 192.168.1.62:80             192.168.1.119:57454         TIME_WAIT
tcp        0      0 192.168.1.62:80             192.168.1.119:57444         TIME_WAIT
[root@localhost ~]# service rsyslog start
Starting system logger:
[root@localhost ~]# service rsyslog
Usage: /etc/init.d/rsyslog {start|stop|restart|condrestart|try-restart|reload|force-reload|status}
[root@localhost ~]# service rsyslog status
rsyslogd (pid  1188) is running...
[root@localhost ~]#
0
 
LVL 21

Expert Comment

by:Mazdajai
If 514 is not listening, I doubt you will get any data. I am not sure a reinstall will fix this, but it doesn't hurt to try before further troubleshooting takes place.
0
 

Author Comment

by:Lee Seeman
I reinstalled it twice and no luck....

/etc/rsyslog.conf file:
*.* @@192.168.1.62:514



[root@localhost ~]# /etc/init.d/rsyslog restart
Shutting down system logger:                               [  OK  ]
Starting system logger:                                    [  OK  ]
[root@localhost ~]# netstat -an | grep 514
[root@localhost ~]# netstat -an | grep 514
[root@localhost ~]#


0
 

Author Comment

by:Lee Seeman
I enabled/added the following to the rsyslog.conf file:
$ModLoad imudp
$PrivDropToUser syslog
$PrivDropToGroup syslog


Then restarted rsyslog as root and I now see it listening:
[root@localhost ~]# sudo /etc/init.d/rsyslog restart
Shutting down system logger:                               [  OK  ]
Starting system logger:                                    [  OK  ]
[root@localhost ~]# netstat -alnp |grep 514
udp        0      0 0.0.0.0:514                 0.0.0.0:*                               6702/rsyslogd
[root@localhost ~]#


But I still don't see any remote hosts populating in the Cacti Syslog GUI, just localhost messages....??
0
 
LVL 21

Expert Comment

by:Mazdajai
Is there anything in <path_cacti>/log/cacti.log? What devices are pointing to cacti?
0
 

Author Comment

by:Lee Seeman
Yes; but all I see in the log referencing syslog is:
11/19/2013 08:07:21 AM - SYSTEM SYSLOG STATS:Time:0.18 Deletes:0 Incoming:0 Removes:0 XFers:0 Alerts:0 Alarms:0 Reports:0


I have a Sonicwall NSA 3500 firewall and Cisco 2960 pointing to the syslog server at this time.
0
 

Author Comment

by:Lee Seeman
Anyone have any ideas why my remote hosts logging to the syslog are not showing in the Cacti syslog GUI and database?
0
 
LVL 21

Expert Comment

by:Mazdajai
Did you use hostname or ip address (192.168.1.62) on your remote device?

Can you telnet to 192.168.1.62 port 514 from the network that the 2960 sitting in?
0
 

Author Comment

by:Lee Seeman
Yes, the remote devices send syslog via IP to 192.168.1.62

I can connect when telneting to the syslog server on 192.168.1.62/514, BUT I do not get any output when hitting Enter or space several times....?
0
 
LVL 21

Expert Comment

by:Mazdajai
Telnet to the port is only to ensure there is no communication problem between the client and server; you cannot do much afterward.

You can try listening on a different port and see if it yields a different result, or start a network capture on the syslog server and trace the packets.
0
 

Author Comment

by:Lee Seeman
Telnet to the port is only to ensure there is no communication problem between the client and server; you cannot do much afterward.

You can try listening on a different port and see if it yields a different result, or start a network capture on the syslog server and trace the packets.

As stated above, I tried this; it connects, but returns no response when hitting Enter or any other key. As for another port, it needs to remain on 514. Regarding the capture, packets are arriving at the syslog server, but get dropped for some reason.
0
 
LVL 21

Expert Comment

by:Mazdajai
I can connect when telneting to the syslog server on 192.168.1.62/514, BUT I do not get any output when hitting Enter or space several times....?
If it connects, that means you have a solid connection from the client to the CactiEZ server.

If the packets were dropped, you would not have been able to connect to 514 with telnet.
0
 

Author Comment

by:Lee Seeman
Anyone else have any ideas?
0
 
LVL 21

Expert Comment

by:Mazdajai
Regarding the capture, packets are arriving at the syslog server, but get dropped for some reason.

If the packet arrives at the host but CactiEZ is unable to see it, then something is wrong with CactiEZ not picking up the data. Have you tried a different listening port?
0
 

Author Comment

by:Lee Seeman
I will try a different listening port and report back...
0
 

Author Comment

by:Lee Seeman
When the rsyslog service is stopped, there is no listening udp/515 port. When it is started, it shows as listening on this port. I also turned off iptables to rule that out....

Still no incoming syslog messages in mysql db.
0
 

Author Comment

by:Lee Seeman
* Confirmed tcp/udp ports 514 are listening
* Confirmed iptables on w/exception and off make no difference

* There are NO records populating the mysql db

Here's my rsyslog.conf file db section:

$ModLoad ommysql
$template cacti_syslog,"INSERT INTO syslog_incoming(facility, priority, date, time, host, message) values (%syslogfacility%, %syslogpriority%,  '%timereported:::date-mysql%', '%timereported:::date-mysql%', '%HOSTNAME%', '%msg%')", SQL
# selector, whitespace, then the action: server,database,user,password;template
# (the template name after ";" must match the $template defined above)
*.* :ommysql:127.0.0.1,syslog,cactiuser,<password>;cacti_syslog

0
 

Author Comment

by:Lee Seeman
Latest, getting localhost messages in mysql db, but no remote hosts.

My current rsyslog.conf file:

$ModLoad ommysql
$template cacti_syslog,"INSERT INTO syslog_incoming(facility, priority, date, time, host, message) values (%syslogfacility%, %syslogpriority%,  '%timereported:::date-mysql%', '%timereported:::date-mysql%', '%HOSTNAME%', '%msg%')", SQL
# ">" is the legacy shorthand for :ommysql: (server,database,user,password;template)
*.* >127.0.0.1,syslog,cactiuser,<password>;cacti_syslog

# Store all log files in MySQL DB
# Same destination as the line above: it was missing the database name and
# template, and with both lines active every message is inserted twice,
# so only one of the two should be enabled.
#*.* :ommysql:127.0.0.1,syslog,cactiuser,<password>;cacti_syslog

$AllowedSender UDP, 127.0.0.1, 192.168.1.0/24
$AllowedSender TCP, 127.0.0.1, 192.168.1.0/24


0
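Added example, not code from the thread or from the rsyslog/Cacti projects: a small Python model of the ingest path the rsyslog.conf above configures, applying the poster's $AllowedSender networks, decoding one RFC 3164 datagram into the columns the cacti_syslog template inserts, and building the INSERT as a parameterised statement. The datagram, the hostname sw-2960 and the year are constructed for the example.

```python
"""Model of the ingest path configured above: $AllowedSender filter, RFC 3164
decoding, and the parameterised row the cacti_syslog template would insert."""
import ipaddress
import re
from datetime import datetime

# Networks copied from the poster's $AllowedSender lines.
ALLOWED_SENDERS = [ipaddress.ip_network("127.0.0.1/32"),
                   ipaddress.ip_network("192.168.1.0/24")]

# RFC 3164 BSD syslog line: "<PRI>Mmm dd hh:mm:ss HOSTNAME MSG"
_RFC3164 = re.compile(r"^<(?P<pri>\d{1,3})>"
                      r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
                      r"(?P<host>\S+) (?P<msg>.*)$", re.S)

def sender_allowed(src_ip):
    """What $AllowedSender does: datagrams from other networks are dropped."""
    ip = ipaddress.ip_address(src_ip)
    return any(ip in net for net in ALLOWED_SENDERS)

def parse_syslog(datagram, year=2013):
    """Decode one datagram into the template's columns, or None if malformed.

    rsyslog's %syslogfacility% is PRI >> 3 and %syslogpriority% is PRI & 7;
    the Cisco 2960 and SonicWall on this page send at local7 (facility 23).
    The template passes %timereported:::date-mysql% (a full datetime) to both
    the date and time columns; here the two parts are split explicitly.
    """
    m = _RFC3164.match(datagram)
    if not m or int(m.group("pri")) > 191:   # 24 facilities * 8 severities
        return None
    pri = int(m.group("pri"))
    ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    return {"facility": pri >> 3, "priority": pri & 7,
            "date": ts.strftime("%Y-%m-%d"), "time": ts.strftime("%H:%M:%S"),
            "host": m.group("host"), "message": m.group("msg")}

def to_insert(row):
    """Parameterised form of the template's INSERT (message never interpolated)."""
    sql = ("INSERT INTO syslog_incoming(facility, priority, date, time, host, "
           "message) VALUES (%s, %s, %s, %s, %s, %s)")
    return sql, (row["facility"], row["priority"], row["date"], row["time"],
                 row["host"], row["message"])

def ingest(src_ip, datagram):
    """Full path for one datagram: sender filter, parse, build the row."""
    if not sender_allowed(src_ip):
        return None
    row = parse_syslog(datagram)
    return to_insert(row) if row else None

# Constructed sample: a local7.notice (PRI 23*8+5 = 189) message from a switch.
SAMPLE = "<189>Nov 19 08:07:21 sw-2960 %SYS-5-CONFIG_I: Configured from console"
```

A datagram from outside the $AllowedSender networks returns None before parsing, which is the same silent drop rsyslog performs, so a remote host that never appears in the table is worth checking against those networks first.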
 

Author Comment

by:Lee Seeman
Breakthrough....

I just stopped iptables again and disabled them at boot, NOW I see one of my remote hosts appear in the Cacti Syslog plugin tab; no messages for this host yet....
0
 
LVL 21

Expert Comment

by:Mazdajai
Nice. What changes have you made? Sounds like iptables is the issue, although you have mentioned it was off before.
0
 

Author Comment

by:Lee Seeman
Seeing remote hosts now appearing in Cacti Syslog plugin, but no messages/records. Remote hosts are currently a Cisco 2900 switch set to local7 and a Sonicwall NSA3500 at local7 (webtrends format)

see attached;
cacti-syslog.png
0
 
LVL 21

Expert Comment

by:Mazdajai
Do you see the data in mysql?
0
 

Accepted Solution

by: Lee Seeman (earned 0 total points)
Due to a lack of support for this product, I went with LogAnalyzer on CentOS with rsyslog and I am very pleased.
0
 

Author Closing Comment

by:Lee Seeman
Lack of community support; came up with an alternate solution.
0
