Syslog and the NMIS 8 Virtual Appliance

A couple of weeks ago I posted a query on the Packet Pushers Forum asking for recommendations for network management solutions that are well suited to small to mid-sized networks. The post yielded many valuable recommendations. One possible solution that I wanted to evaluate was an open source product called NMIS by Opmantek.

Packet Pushers Forum — Network Management Platforms in the SMB Environment

Today’s article is in response to a struggle I had with the syslog integration on the NMIS 8 Virtual Appliance. After booting the virtual appliance and sending some syslog messages, it seemed like it wasn’t working properly. An easy way to test this is to configure a router for logging and then exit global config mode. That should be enough to generate a syslog message.

 

PaulsRTR(config)#logging 192.168.1.198
PaulsRTR(config)#exit
PaulsRTR#show logging
Syslog logging: enabled (0 messages dropped, 0 flushes, 0 overruns)
    Console logging: level debugging, 1 messages logged
    Monitor logging: level debugging, 0 messages logged
    Buffer logging: disabled
    Trap logging: level informational, 1 message lines logged
        Logging to 192.168.1.199, 1 message lines logged
PaulsRTR#

After configuring logging and producing a log message, I still saw a blank output in the Router_Syslog section of NMIS. This is shown below.

 

The solution to this issue turned out to be quite simple. The problem was in the unmodified configuration of rsyslog. First, the daemon had to be configured to listen on UDP port 514. Second, there needed to be rules in place to steer the Cisco syslog entries to the appropriate log file. Both required modifications to the rsyslog.conf file. The first change was uncommenting the second and third lines in the excerpt below.

/etc/rsyslog.conf

# Provides UDP syslog reception
$ModLoad imudp.so
$UDPServerRun 514

After the above lines were uncommented, it was necessary to scroll further down in the file. To steer the traffic to the NMIS Cisco syslog file, I had to add a line in the “Rules” section. I did this by matching on the facility “local1”.

#### RULES ####

local1.*                 /usr/local/nmis8/logs/cisco.log

At this point, the only other action I had to take on the NMIS server was a restart of the rsyslog daemon.

[[email protected] cgi-bin]# /etc/init.d/rsyslog stop
Shutting down system logger:                               [  OK  ]
[[email protected] cgi-bin]# /etc/init.d/rsyslog start
Starting system logger:                                    [  OK  ]

Next, on the router, I modified the configuration to send its log messages with the facility “local1” and generated another test message.

PaulsRTR(config)#logging facility local1
PaulsRTR(config)#exit

PaulsRTR#show logging
Syslog logging: enabled (0 messages dropped, 0 flushes, 0 overruns)
    Console logging: level debugging, 2 messages logged
    Monitor logging: level debugging, 0 messages logged
    Buffer logging: disabled
    Trap logging: level informational, 2 message lines logged
        Logging to 192.168.1.199, 2 message lines logged
PaulsRTR#

At this point, a log entry was written to /usr/local/nmis8/logs/cisco.log on the NMIS server. It was also visible in the log widget.

As seen in the image above, the error was no longer displayed. Additionally, the “configuration” event is properly logged in the management console.
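Why the facility change matters, as an added example that is not part of the original post: the facility travels in the `<PRI>` number at the start of each datagram (facility × 8 + severity), and Cisco IOS uses local7 unless told otherwise, so the `local1.*` rule never matches a default router. The function names and the two sample datagrams are constructed for illustration, and only the simple `facility.*` selector form used above is handled.

```python
import re

# Syslog facility codes 0..23 (RFC 5424); local0..local7 are 16..23.
FACILITIES = ("kern user mail daemon auth syslog lpr news uucp cron authpriv "
              "ftp ntp audit alert clock").split() + [f"local{i}" for i in range(8)]
SEVERITIES = "emerg alert crit err warning notice info debug".split()


def decode_pri(datagram: bytes):
    """Return (facility, severity) names from the <PRI> prefix of a syslog datagram."""
    m = re.match(rb"<(\d{1,3})>", datagram)
    if not m or int(m.group(1)) > 191:  # 191 = local7.debug, the highest valid PRI
        raise ValueError("no valid <PRI> header")
    pri = int(m.group(1))
    return FACILITIES[pri >> 3], SEVERITIES[pri & 7]


def matching_files(rules: str, datagram: bytes):
    """Log files whose selector matches; only 'facility.*' and '*.*' are handled."""
    facility, _ = decode_pri(datagram)
    files = []
    for line in rules.splitlines():
        parts = line.split(None, 1)
        if len(parts) != 2 or line.lstrip().startswith(("#", "$")):
            continue  # skip blanks, comments and $-directives
        sel_fac, _, sel_sev = parts[0].partition(".")
        if sel_sev == "*" and sel_fac in ("*", facility) and parts[1].startswith("/"):
            files.append(parts[1].strip())
    return files


# Rules section as configured in this article.
RULES = """\
#### RULES ####
local1.*                 /usr/local/nmis8/logs/cisco.log
"""
# Constructed datagrams: the same config event sent with the IOS default
# facility (local7, PRI 189) and after "logging facility local1" (PRI 141).
DEFAULT_MSG = b"<189>12: *Mar  1 00:05:10.123: %SYS-5-CONFIG_I: Configured from console by console"
LOCAL1_MSG = b"<141>13: *Mar  1 00:07:42.456: %SYS-5-CONFIG_I: Configured from console by console"

if __name__ == "__main__":
    for msg in (DEFAULT_MSG, LOCAL1_MSG):
        print(decode_pri(msg), matching_files(RULES, msg))
```

The same decoding applies to the number between `<` and `>` in a packet capture on UDP 514, which shows whether the device is really sending the facility the rule expects.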

 


About Paul Stewart, CCIE 26009 (Security)

Paul is a Network and Security Engineer, Trainer and Blogger who enjoys understanding how things really work. With over 15 years of experience in the technology industry, Paul has helped many organizations build, maintain and secure their networks and systems.

3 Responses to Syslog and the NMIS 8 Virtual Appliance

  1. Harsh says:

    Hello,

    I followed the steps but the messages are not stored in the log file and I am not able to see them on NMIS8. I ran tcpdump and see the syslog local1 messages coming in. Any help would be appreciated.
