...

This page will explain how to add a new node vendor in the event the default settings are not handling the syslog traps properly. 

For this discussion we'll use the term 'newVendor' as the variable that represents the new vendor we want opEvents to handle.

...

Code Block
### /etc/rsyslog.conf

# enable network sources
module(load="imudp")
input(type="imudp" port="514")

module(load="imtcp" MaxSessions="1000" MaxListeners="50")
input(type="imtcp" port="514")

# and handle inbound/slavepoller NMIS syslogs
local7.*                /usr/local/nmis8/logs/cisco.log
local1.*                /usr/local/nmis8/logs/slavepoller_event.log

...


Next we'll tell rsyslog where to file messages that arrive with the facility local6.

Code Block
### /etc/rsyslog.conf

# and handle inbound/slavepoller NMIS syslogs
local7.*                /usr/local/nmis8/logs/cisco.log
local6.*                /usr/local/nmis8/logs/newVendor.log
local1.*                /usr/local/nmis8/logs/slavepoller_event.log

...


After modifying /etc/rsyslog.conf the syslog daemon must be restarted.

Code Block
[root@opmantek rsyslog.d]# service rsyslog restart
Shutting down system logger:                               [  OK  ]
Starting system logger:                                    [  OK  ]

...

For the sake of this discussion let's assume the new vendor can be parsed with the existing cisco_alternate rules found in /usr/local/omk/conf/EventParserRules.nmis. 

Here is a list of the current vendors in EventParserRules.nmis:

    • winlogd
    • junos
    • cisco_compatible
    • nxlog
    • JuniperSyslog
    • HuwaeiSylog


If you need additional parsers, please open a support case. You will need a sample of the syslog in order to proceed.


We need to tell opEvents which parser rules to use for the new device's log, /usr/local/nmis9/logs/newVendor.log (or whatever log name you entered in rsyslog.conf for the new device or new vendor).

This is done by modifying /usr/local/omk/conf/opCommon.nmis.

Find the 'opevents_logs' section and add the 'cisco_alternate', '<nmis_logs>/newVendor' relationship. Just copy one of the examples and add the following line:

'cisco_alternate' => [ '<nmis_logs>/newVendor.log' ],

Code Block
### /usr/local/omk/conf/opCommon.nmis

    'opevents_logs' => {
      'cisco_alternate' => [
        '<nmis_logs>/newVendor.log'
      ],
      'cisco_syslog' => [
        '<nmis_logs>/cisco.log'
      ],
      'nmis_eventlog' => [
        '<nmis_logs>/event.log'
      ],

...

Code Block
[root@opmantek ~]# service opeventsd restart
Restarting opevents daemon opeventsd                       [  OK  ]
[root@opmantek ~]# 

At this point you should be able to go to the GUI > Raw Logs. This will allow you to verify that you see the logs coming in.
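A command-line cross-check of the two edits above, as an added example that is not part of the original page: it confirms that the file rsyslog writes for a facility is the same file opEvents has mapped to the intended parser. The function names are hypothetical, the sample files are constructed from the snippets on this page, and because the page does not show how `<nmis_logs>` expands, only the file name is compared.

```shell
#!/bin/sh
# Added example: cross-check rsyslog routing against the opEvents parser mapping.
# Function names are hypothetical; they are not part of NMIS or opEvents.

# Print the file rsyslog.conf assigns to "<facility>.*" (last rule wins).
# Only the plain "facility.*  /path" form used on this page is handled.
facility_target() {  # usage: facility_target <rsyslog.conf> <facility>
    awk -v sel="$2.*" '$1 == sel { t = $2 } END { sub(/^-/, "", t); if (t != "") print t }' "$1"
}

# Print the parser whose list in opCommon.nmis contains '<nmis_logs>/<file name>'.
parser_for_log() {  # usage: parser_for_log <opCommon.nmis> <log file name>
    awk -v q="'" -v want="<nmis_logs>/$2" '
        /=>[ \t]*\[/ { p = $1; gsub(q, "", p) }   # key that opens a list of logs
        index($0, q want q) { print p; exit }     # the log we are looking for
    ' "$1"
}

# Fail when the facility has no rule or its log is mapped to a different parser.
# Assumption: <nmis_logs> is the directory rsyslog writes to, so names are compared.
check_vendor() {  # usage: check_vendor <rsyslog.conf> <opCommon.nmis> <facility> <parser>
    target=$(facility_target "$1" "$3")
    [ -n "$target" ] || { echo "no $3.* rule in $1"; return 1; }
    found=$(parser_for_log "$2" "$(basename "$target")")
    [ "$found" = "$4" ] || { echo "$target is parsed by '${found:-nothing}', expected $4"; return 1; }
    echo "$3.* -> $target -> $4"
}

# Constructed sample files mirroring the snippets on this page.
demo=$(mktemp -d)
cat > "$demo/rsyslog.conf" <<'EOF'
# and handle inbound/slavepoller NMIS syslogs
local7.*                /usr/local/nmis8/logs/cisco.log
local6.*                /usr/local/nmis8/logs/newVendor.log
EOF
cat > "$demo/opCommon.nmis" <<'EOF'
    'opevents_logs' => {
      'cisco_alternate' => [
        '<nmis_logs>/newVendor.log'
      ],
      'cisco_syslog' => [
        '<nmis_logs>/cisco.log'
      ],
EOF
check_vendor "$demo/rsyslog.conf" "$demo/opCommon.nmis" local6 cisco_alternate
```

On a live host, `rsyslogd -N1` checks the edited rsyslog.conf for syntax errors before the restart, and `logger -p local6.info` sends a test message to the new facility.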


Create an event action policy as described here: Event Actions and Escalation

Once these actions are complete the syslog traps from newVendor should be seen in opEvents. 
