NSClient++ Help (#1) - Send scheduled passive checks via syslog (#954) - Message List

Send scheduled passive checks via syslog

Is it possible to send scheduled passive checks using a different protocol than NSCA? I'm particularly interested in using syslog, so that I can use a single syslog server to collect system and application logs and health data.

I didn't manage to make it work. Here is the configuration I used (only the relevant parts):

[/modules]
; Event log Checker. - Check for errors and warnings in the event log. This is only supported through NRPE so if you plan to use only NSClient this won't help you at all.
CheckEventLog = 1
; Scheduler - A scheduler which schedules checks at regular intervals
Scheduler = 1
; SyslogClient - Passive check support via Syslog
SyslogClient = 1
; Undocumented key
allowed hosts = 172.20.23.79
; A set of options to configure the real time checks
[/settings/eventlog/real-time]
; DESTINATION - The destination for intercepted messages
destination = syslog1
; REAL TIME CHECKING - Spawns a background thread which detects issues and reports them back instantly.
enabled = true
; LOGS TO CHECK - Comma separated list of logs to check
log = Application,Security,System
; MAXIMUM AGE - How long before reporting "ok" (if this is set to off no ok will be reported only errors)
maximum age = 20s
; Section for configuring the log handling.
[/settings/log]
; LOG LEVEL - Log level to use. Available levels are error, warning, info, debug, trace
level = DEBUG
[/settings/syslog/client]
; CHANNEL - The channel to listen to.
channel = syslog1
; HOSTNAME - The host name of this host if set to blank (default) the windows name of the computer will be used.
hostname = nsclientTest
[/settings/syslog/client/targets/default]
; TARGET ALIAS - The alias for the target
alias = collector
; TODO -
critical severity = critical
; TODO -
facility = kernel
; TARGET HOST - The target server to report results to.
host = 172.20.23.79
; TODO -
message_syntax = %message%
; TODO -
ok severity = informational
; TODO -
tag_syntax = prueba
; TODO -
unknown severity = emergency
; TODO -
warning severity = warning
[/settings/scheduler/schedules/test1]
; SCHEDULE CHANNEL - Channel to send results on
channel = syslog1
; SCHEDULE COMMAND - Command to execute
command = check_ok
; SCHEDULE INTERVAL - Time in seconds between each check
interval = 10s
; REPORT MODE - What to report to the server (any of the following: all, critical, warning, unknown, ok)
report = all
; Section for the Scheduler module.
[/settings/scheduler]
; Section for the Scheduler module.
[/settings/scheduler/schedules]
; Schedule definition for: default
[/settings/scheduler/schedules/default]
  • Message #2526

    Yes, that is the entire point of the refactoring I did for 0.4.0... But (and this is a big but) it is very new and highly experimental, as you are treading in uncharted territories :)

    I had some slides on this on the presentation for OSMC 2011 I think. It is pretty straightforward to do, for instance, event-log to syslog forwarding. The main "problem" (read: snag) is that that is the scenario I have tested, so doing something else will most likely require some tuning.

    But (and this is also a big but) I am very very very interested in these kinds of scenarios so if you explain how you would expect it to work I will happily try to accommodate you :)

    A few questions I have for you are:

    1. which version of syslog protocol do you use? (I currently only support the udp one)
    2. how do you "transfer the result" ie ok/warn/crit/unknown = <what>?
    3. How do you want your message to look?

    I shall set up your scenario at home and see how it plays out tonight...

    Michael Medin

    • Message #2528

      I found the slides and thought it would fit perfectly with my scenario. Some details:

      • Test system is a Windows 2003 Server 64bits (same system but 32 bits would also be available for further trials).
      • I have a central syslog-ng collector which I use to resend, store and manipulate logs.
      • Collection is multiplexed: each technology is sent to a different port, but every device sends to the same ports. That is: all switches report to TCP/7814, but proxies send logs to TCP/23678
      • I mostly use TCP and vastly prefer it to UDP, but the collector can also listen in UDP, so it wouldn't be a problem.
      • I set up different priorities for check results, but mostly I'm searching for a message as similar as possible to Nagios logs: "SERVICE_NAME OK|WARNING|CRITICAL|UNKNOWN: reason" (but without having to deploy and configure a Nagios server)
      • Message #2531

        Yes, TCP is better, but this is more of a "proof of concept", so before I spend a lot of time implementing all the aspects of syslog I wanted to get a sense of whether it was interesting...

        Regardless there are two problems:

        1. Your alias is wrong:
          [/settings/syslog/client/targets/default]
          ...
          

        Creates a target with an alias called default. Default is magical so it should be used with care. The idea is if you do not specify a target "default will be used" in this case eventlog will not set a target so default will be used. But you also had:

        alias = collector
        

        Which means you created a target called default which you renamed to collector. Hence it was not used as it had the wrong name...

        2. The other thing which was broken was that I managed to mangle the port when I was refactoring the port handling a few revisions ago; this will be fixed in the next build (out in a bit).

        So remove alias and grab the latest build and you should be good to go.

        A few reflections though:

        1. You don't need the scheduler. Active eventlog monitoring is always "running" waiting for events so it is not scheduled.
        2. "maximum age = 20s" means every 20 seconds you will send a message to the syslog saying "yeap, I'm all good". This is useful for NSCA but not really for syslog forwarding (or so I would assume).

        The config I used to test it is here:

        [/modules]
        ; Event log Checker. - Check for errors and warnings in the event log. This is only supported through NRPE so if you plan to use only NSClient this won't help you at all.
        CheckEventLog = 1
        ; SyslogClient - Passive check support via Syslog
        SyslogClient = 1
        ; A set of options to configure the real time checks
        [/settings/eventlog/real-time]
        ; DESTINATION - The destination for intercepted messages
        destination = syslog
        ; REAL TIME CHECKING - Spawns a background thread which detects issues and reports them back instantly.
        enabled = true
        ; LOGS TO CHECK - Comma separated list of logs to check
        log = Application
        ; MAXIMUM AGE - How long before reporting "ok" (if this is set to off no ok will be reported only errors)
        maximum age = 20s
        ; Section for configuring the log handling.
        [/settings/syslog/client]
        ; CHANNEL - The channel to listen to.
        channel = syslog
        [/settings/syslog/client/targets/default]
        ; TODO -
        critical severity = critical
        ; TODO -
        facility = kernel
        ; TARGET HOST - The target server to report results to.
        address = 192.168.0.1
        ; TODO -
        message_syntax = %message%
        ; TODO -
        ok severity = informational
        ; TODO -
        tag_syntax = prueba
        ; TODO -
        unknown severity = emergency
        ; TODO -
        warning severity = warning
        

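To check on the collector side that the severity mapping configured in the target section above (ok = informational, warning = warning, critical = critical, unknown = emergency, facility = kernel) actually arrives as intended, and that the message body carries the Nagios-style "SERVICE_NAME STATE: reason" form asked for earlier in the thread, here is an added Python example. It is not NSClient++ code and not from this thread: it assumes a plain BSD-syslog layout (<PRI>TIMESTAMP HOST TAG: MSG) sent over UDP, which is an assumption about what the agent emits, and the sample lines are constructed. The parser decodes the PRI value into facility and severity, extracts the check result, and flags lines whose severity does not match the state they report, which is the symptom of a target that was not applied (for example the renamed "default" target discussed above).

```python
import re
import socket
from datetime import datetime

# Numeric facility/severity codes from RFC 3164 (PRI = facility * 8 + severity).
FACILITIES = {"kernel": 0, "user": 1, "daemon": 3, "local0": 16}
SEVERITIES = {"emergency": 0, "alert": 1, "critical": 2, "error": 3,
              "warning": 4, "notice": 5, "informational": 6, "debug": 7}
# Check state -> syslog severity, as set under
# [/settings/syslog/client/targets/default] in this thread.
STATE_SEVERITY = {"OK": "informational", "WARNING": "warning",
                  "CRITICAL": "critical", "UNKNOWN": "emergency"}

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)
# Nagios-style check result embedded in the syslog body:
# "SERVICE_NAME OK|WARNING|CRITICAL|UNKNOWN: reason"
RESULT_RE = re.compile(
    r"(?<!\S)(?P<service>\S+) (?P<state>OK|WARNING|CRITICAL|UNKNOWN): (?P<reason>.*)$")


def encode_pri(facility: str, severity: str) -> int:
    """PRI value for a facility/severity name pair."""
    return FACILITIES[facility] * 8 + SEVERITIES[severity]


def build_message(service, state, reason, facility="kernel", tag="prueba",
                  hostname="nsclientTest", when=None):
    """Constructed BSD-syslog line; the layout <PRI>TIMESTAMP HOST TAG: MSG is an assumption."""
    when = when or datetime(2012, 1, 1, 12, 0, 0)
    stamp = f"{when:%b} {when.day:2d} {when:%H:%M:%S}"  # RFC 3164 day is space padded
    pri = encode_pri(facility, STATE_SEVERITY[state])
    return f"<{pri}>{stamp} {hostname} {tag}: {service} {state}: {reason}"


def parse_check_result(line: str):
    """Decode the PRI header and pull out a check result; None if the line carries none."""
    m = PRI_RE.match(line)
    if not m:
        raise ValueError(f"missing PRI header: {line!r}")
    pri = int(m.group(1))
    if pri > 23 * 8 + 7:
        raise ValueError(f"PRI out of range: {pri}")
    facility, severity = divmod(pri, 8)
    r = RESULT_RE.search(m.group(2))
    if r is None:
        return None  # ordinary forwarded event, not a check result
    state = r.group("state")
    expected = SEVERITIES[STATE_SEVERITY[state]]
    return {
        "facility": facility,
        "severity": severity,
        "service": r.group("service"),
        "state": state,
        "reason": r.group("reason"),
        # False means the agent's "<state> severity" mapping is not the one
        # this collector expects, i.e. the target section was not applied.
        "severity_matches": severity == expected,
    }


def loopback_roundtrip(messages, timeout=2.0):
    """Send constructed messages over UDP to a local listener and parse them back."""
    recv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    recv.bind(("127.0.0.1", 0))  # ephemeral port, loopback only
    recv.settimeout(timeout)
    send = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    results = []
    try:
        for msg in messages:
            send.sendto(msg.encode(), recv.getsockname())
            data, _ = recv.recvfrom(2048)
            results.append(parse_check_result(data.decode(errors="replace")))
    finally:
        send.close()
        recv.close()
    return results


if __name__ == "__main__":
    # Constructed sample traffic: two well-formed results, one with a severity
    # that contradicts its state, and one plain forwarded event log line.
    sample = [
        build_message("check_ok", "OK", "everything is fine"),
        build_message("check_disk", "CRITICAL", "C: 98% used"),
        "<4>Jan  1 00:00:00 nsclientTest prueba: check_ok CRITICAL: disk full",
        "<6>Jan  1 00:00:00 nsclientTest prueba: plain event log line",
    ]
    for rec in loopback_roundtrip(sample):
        print(rec)
```

With facility kernel (0) the four states arrive as <6>, <4>, <2> and <0>; mapping unknown to emergency makes it the highest severity the collector can see, so a syslog-ng filter on severity alone will rank an UNKNOWN above a CRITICAL. The "maximum age" heartbeat discussed above shows up as a <6> OK line every 20 seconds, which is the first thing to filter or rate-limit on the collector if it is kept enabled.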