...

Code Block
### /etc/rsyslog.conf

# enable network sources
module(load="imudp")
input(type="imudp" port="514")

module(load="imtcp" MaxSessions="1000" MaxListeners="50")
input(type="imtcp" port="514")

# and handle inbound/slavepoller NMIS syslogs
local7.*                /usr/local/nmis8/logs/cisco.log
local1.*                /usr/local/nmis8/logs/slavepoller_event.log

...


Next we'll tell rsyslog where to file messages that arrive with the facility local6.

Code Block
### /etc/rsyslog.conf

# and handle inbound/slavepoller NMIS syslogs
local7.*                /usr/local/nmis8/logs/cisco.log
local6.*                /usr/local/nmis8/logs/newVendor.log
local1.*                /usr/local/nmis8/logs/slavepoller_event.log

 


After modifying /etc/rsyslog.conf the syslog daemon must be restarted.

Code Block
[root@opmantek rsyslog.d]# service rsyslog restart
Shutting down system logger:                               [  OK  ]
Starting system logger:                                    [  OK  ]
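
The following is an added example, not part of the original page or of Opmantek's code: a Python sketch that builds a test syslog datagram at facility local6 and reports which of the rules above would file it, so you can confirm that the facility a new device sends matches the selector you added. The host name, tag and message text are constructed, and only the three selectors shown on this page are modelled.

```python
import socket

# Facility codes (RFC 3164/5424) for the selectors used in rsyslog.conf above.
FACILITIES = {"local1": 17, "local6": 22, "local7": 23}
# Selector -> file, copied from the rsyslog.conf rules on this page.
# Any other rules in a real rsyslog.conf are not modelled here.
RULES = {
    "local7": "/usr/local/nmis8/logs/cisco.log",
    "local6": "/usr/local/nmis8/logs/newVendor.log",
    "local1": "/usr/local/nmis8/logs/slavepoller_event.log",
}

def build_message(facility, severity, host, tag, text):
    """Return an RFC 3164 style datagram; PRI = facility * 8 + severity."""
    pri = FACILITIES[facility] * 8 + severity
    return f"<{pri}>Jan  1 00:00:00 {host} {tag}: {text}".encode()

def decode_pri(datagram):
    """Split the leading <PRI> into (facility name or None, severity)."""
    if not datagram.startswith(b"<") or b">" not in datagram[:5]:
        raise ValueError("no PRI header")
    pri = int(datagram[1:datagram.index(b">")])
    code, severity = divmod(pri, 8)
    names = {v: k for k, v in FACILITIES.items()}
    return names.get(code), severity

def destination(datagram):
    """Return the log file the modelled rules select, or None if none match."""
    facility, _ = decode_pri(datagram)
    return RULES.get(facility)

def send_udp(datagram, server="127.0.0.1", port=514):
    """Send the datagram to the imudp listener configured above."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(datagram, (server, port))

if __name__ == "__main__":
    # Constructed test event at local6.notice (severity 5).
    test = build_message("local6", 5, "newvendor-test", "selftest", "constructed test event")
    print(test.decode(), "->", destination(test))
    # Uncomment on the opEvents server to exercise the listener:
    # send_udp(test)
```

A device that sends at a facility other than local6 (for example a PRI of `<13>`, which is user.notice) returns no destination here, which is the usual reason newVendor.log stays empty.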

...

For the sake of this discussion, let's assume the new vendor can be parsed with the existing cisco_alternate rules found in /usr/local/omk/conf/EventParserRules.nmis.

Here is a list of the current vendors in EventParserRules.nmis:

    • winlogd
    • junos
    • cisco_compatible
    • nxlog
    • JuniperSyslog
    • HuwaeiSylog


If you need additional parsers, please open a support case. You will need a sample of the syslog in order to proceed.


We need to tell opEvents which parser rules to use for the new device's log file, newVendor.log in the NMIS logs directory (or whatever log name you entered in rsyslog.conf for the new device or new vendor).

This is done by modifying /usr/local/omk/conf/opCommon.nmis. 

Find the 'opevents_logs' section and add the 'cisco_alternate', '<nmis_logs>/newVendor' relationship. Just copy one of the existing examples and add the following line:

    'cisco_alternate' => [ '<nmis_logs>/newVendor.log' ],

Code Block
### /usr/local/omk/conf/opCommon.nmis

    'opevents_logs' => {
      'cisco_alternate' => [
        '<nmis_logs>/newVendor.log'
      ],
      'cisco_syslog' => [
        '<nmis_logs>/cisco.log'
      ],
      'nmis_eventlog' => [
        '<nmis_logs>/event.log'
      ],

...

Code Block
[root@opmantek ~]# service opeventsd restart
Restarting opevents daemon opeventsd                       [  OK  ]
[root@opmantek ~]# 

At this point you should be able to go to GUI > Raw Logs, which lets you verify that the logs are coming in.


Create an event action policy as described here: Event Actions and Escalation

Once these actions are complete the syslog traps from newVendor should be seen in opEvents. 
