Configuring Rsyslog with LibreNMS Syslog

For more settings, including email settings, see my video on YouTube, Rsyslog on Ubu.

All the list.logs calls are aliased to listlogs. Retrieve all logs or logs for a specific device. Id or hostname is the specific device.

Input:
- start: The page number to request.
- limit: The limit of results to be returned.
- from: The date and time or the event id to search from.
- to: The date and time or the event id to search to.

log date-format iso    // Required so syslog-ng/LibreNMS can correctly interpret the log message formatting.
log host x.x.x.x
log host x.x.x.x level    // Required.

Example output:

Mar 22 00:59:03 librenms.host.net librenms233: Critical network.device.net: Port Down - portid = 98939; ifDescr = xe-1/1/0;

Each fault will be sent as a separate syslog message.
We have a simple integration for Graylog: you will be able to view, from within LibreNMS, any logs that have been parsed by the syslog input in Graylog itself. This includes logs from devices which aren't in LibreNMS yet; you can also see logs for a specific device under the logs section for that device.
Currently, LibreNMS does not associate shortnames from Graylog with full FQDNs. If you have your devices in LibreNMS using full FQDNs, such as hostname.example.com, be aware that rsyslogd, by default, sends the shortname only. To fix this, add
$PreserveFQDN on
to your rsyslog config to send the full FQDN, so that device logs will be associated correctly in LibreNMS. Also see near the bottom of this document for tips on how to enable/suppress the domain part of hostnames in syslog messages for some platforms.
Graylog itself isn't included within LibreNMS; you will need to install it separately, either on the same infrastructure as LibreNMS or as a totally standalone appliance.
Config is simple, here's an example based on Graylog 2.4:
Timezone
Graylog messages are stored using the GMT timezone. You can display Graylog messages in the LibreNMS web UI using your desired timezone by setting the following option in config.php:
The timezone must be one of the PHP-supported timezones, listed at: https://php.net/manual/en/timezones.php
Graylog Version
If you are running a version earlier than Graylog then please set
to the version number of your Graylog install. Versions earlier than 2.1 use the default port 12900.
URI
If you have altered the default URI for your Graylog setup then you can override the default of /api/
using
User Credentials
If you choose to use another user besides the admin user, please note that currently you must give the user 'admin' permissions from within Graylog; 'read' permissions alone are not sufficient.
TLS Certificate
If you have enabled TLS for the Graylog API and you are using a self-signed certificate, please make sure that the certificate is trusted by your LibreNMS host, otherwise the connection will fail. Additionally, the certificate's Common Name (CN) has to match the FQDN or IP address specified in
Match Any Address
If you want to match the source address of the log entries against any IP address of a device when assigning log entries to a device, instead of only against the primary address and the hostname, you can activate this function using
Recent Devices
There are two configuration parameters that influence the behaviour of the 'Recent Graylog' table on the overview page of the devices.
Sets the maximum number of rows to be displayed (default: 10)
You can set which log levels should be displayed on the overview page (default: 7, min: 0, max: 7).
Shows only entries with a log level less than or equal to 4 (Emergency, Alert, Critical, Error, Warning). You can set a default Log Level Filter with
(applies to /graylog and /device/device=/tab=logs/section=graylog/; min: 0, max: 7)

Domain and hostname handling
Suppressing/enabling the domain part of a hostname for specific platforms
You should first check whether what you get in syslog/Graylog matches up with your configured hosts. If you need to modify the syslog messages from specific platforms, this may be of assistance:
IOS (Cisco)
or
JunOS (Juniper Networks)
PanOS (Palo Alto Networks)
or
This document will explain how to send syslog data to LibreNMS. Please also refer to the file Graylog.md for an alternate way of integrating syslog with LibreNMS.
Syslog server installation
syslog-ng
Once syslog-ng is installed, edit the relevant config file (most likely /etc/syslog-ng/syslog-ng.conf) and paste the following:
Next start syslog-ng:
Add the following to your LibreNMS config.php
file to enable the Syslog extension:
If no messages make it to the syslog tab in LibreNMS, chances are you are running into an issue with SELinux. If so, create a file mycustom-librenms-rsyslog.te with the following content:
Then, as root, execute the following commands:
rsyslog
If you prefer rsyslog, here are some hints on how to get it working.
Add the following to your rsyslog config somewhere (it could be at the top of the file in the step below, or in rsyslog.conf if you are using remote logs for something else on this host):
Create a file called /etc/rsyslog.d/30-librenms.conf and add the following, depending on your version of rsyslog.
If your rsyslog server is receiving messages relayed by another syslog server, you may try replacing %fromhost% with %hostname%, since fromhost is the host the message was received from, not the host that generated the message. The fromhost property is preferred as it avoids problems caused by devices sending incorrect hostnames in syslog messages.
Add the following to your LibreNMS config.php
file to enable the Syslog extension:
logstash
If you prefer logstash, and it is installed on the same server as LibreNMS, here are some hints on how to get it working.
First, install the output-exec plugin for logstash:
Next, create a logstash configuration file (e.g. /etc/logstash/conf.d/logstash-simple.conf), and add the following:
Replace 10.10.10.10 with your primary elasticsearch server IP, and set the incoming syslog port. Alternatively, if you already have a logstash config file that works except for the LibreNMS export, take only the 'exec' section from output and add it.
Add the following to your LibreNMS config.php
file to enable the Syslog extension:
Syslog Clean Up
Can be set inside of config.php
The cleanup is run by daily.sh and any entries over X days old are automatically purged. Values are in days. See here for more clean-up options: Link
Client configuration
Below are sample configurations for a variety of clients. You should understand the config before using it, as you may want to make some slight changes. Further configuration hints may be found in the file Graylog.md.
Replace librenms.ip with IP or hostname of your LibreNMS install.
Replace any variables in
syslog
rsyslog
Cisco ASA
Cisco IOS
Cisco NXOS
Juniper Junos
Huawei VRP
Huawei SmartAX (GPON OLT)
Allied Telesis Alliedware Plus
If you have permitted UDP and TCP 514 through any firewall then that should be all you need. Logs should start appearing and being displayed within the LibreNMS web UI.
Windows
By default, Windows has no native way to send logs to a remote syslog server.
Using this how-to you can download the Datagram-Syslog Agent to send logs to a remote syslog server (LibreNMS).
Note
Keep in mind you can use any agent or program to send the logs. We are just using the Datagram-Syslog Agent for this example.
You will need to download and install 'Datagram-Syslog Agent' for this how-to. Link to Download
External hooks
Trigger external scripts when specific syslog patterns are matched, using syslog hooks. Add the following to your LibreNMS config.php
to enable hooks:
Below are some example hooks that call an external script in the event of a configuration change on Cisco ASA, IOS, NX-OS and IOS-XR devices. Add to your config.php
file to enable.
Cisco ASA
Cisco IOS
Cisco NXOS
Cisco IOSXR
Juniper Junos
Juniper ScreenOS
Allied Telesis Alliedware Plus
Note: At least software version 5.4.8-2.1 is required. log host x.x.x.x level notices program imi may also be required depending on configuration. This is to ensure the syslog hook log message gets sent to the syslog server.
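To make the hook mechanism described in this section concrete, here is an added example (not LibreNMS's own code) that runs per-OS hook regexes and the overview log-level filter over constructed sample messages. The regexes follow the config-change patterns suggested in the upstream LibreNMS documentation for these platforms, the script path is hypothetical, and what arguments the configured script receives is an assumption; compare both against your own config.php.

```python
# Added example, not LibreNMS's own code. The regexes mirror the config-change
# patterns the upstream LibreNMS docs suggest for ASA/IOS/NX-OS/IOS-XR (assumption:
# verify against your config.php); the script path and its argv are hypothetical.
import re

# Hypothetical path standing in for whatever 'script' you configure per hook.
NOTIFY_SCRIPT = "/opt/librenms/scripts/syslog-notify-oxidized.php"

# Per-OS list of (regex, script), playing the role of $config['os'][<os>]['syslog_hook'][].
SYSLOG_HOOKS = {
    "asa":   [(re.compile(r"%ASA-(session-)?5-111005"), NOTIFY_SCRIPT)],
    "ios":   [(re.compile(r"%SYS-(SW[0-9]+-)?5-CONFIG_I"), NOTIFY_SCRIPT)],
    "nxos":  [(re.compile(r"%VSHD-5-VSHD_SYSLOG_CONFIG_I"), NOTIFY_SCRIPT)],
    "iosxr": [(re.compile(r"%MGBL-CONFIG-6-DB_COMMIT"), NOTIFY_SCRIPT)],
}

def hook_commands(os_name: str, hostname: str, msg: str) -> list:
    """Return an argv list for every hook whose regex matches msg. Passing an argv
    (never a shell string) keeps untrusted message text away from a shell parser."""
    return [[script, hostname] for rx, script in SYSLOG_HOOKS.get(os_name, []) if rx.search(msg)]

def shown_on_overview(severity: int, loglevel: int = 7) -> bool:
    """The 'Recent' table / default filter: entries with severity <= loglevel are shown
    (0 = Emergency ... 7 = Debug), so loglevel 4 hides Notice, Info and Debug."""
    return 0 <= severity <= loglevel

# Constructed sample entries: (os, hostname, severity, message).
SAMPLE_ENTRIES = [
    ("ios",  "ne-core-01",  5, "%SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.0.0.50)"),
    ("ios",  "sw-stack-01", 5, "%SYS-SW1-5-CONFIG_I: Configured from console by admin on vty1"),
    ("ios",  "ne-core-01",  3, "%LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down"),
    ("asa",  "edge-fw-01",  5, "%ASA-5-111005: admin end configuration: OK"),
    ("nxos", "dc-leaf-01",  5, "%ETHPORT-5-IF_UP: Interface Ethernet1/1 is up"),
]

def process(entries, loglevel: int = 7) -> list:
    """For each entry decide whether it is displayed and which hooks fire. The two are
    independent: an entry hidden by the level filter can still trigger a hook."""
    results = []
    for os_name, hostname, severity, msg in entries:
        results.append({"host": hostname,
                        "shown": shown_on_overview(severity, loglevel),
                        "hooks": hook_commands(os_name, hostname, msg)})
    return results
```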
Configuration Options
Matching syslogs to hosts with different names
In some cases, you may get logs that aren't being associated with the device in LibreNMS. For example, in LibreNMS the device is known as 'ne-core-01', and that's how DNS resolves. However, the received syslogs are for 'loopback.core-nw'.
To fix this issue, you can configure LibreNMS to translate the incoming syslog hostname into another hostname, so that the logs get associated with the correct device.
Example:
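The following is an added example (not LibreNMS's own code) of how a received syslog line gets tied to a device: the %fromhost% field from the rsyslog template is looked up in a translation table like the one this section describes, then matched against the device's hostname or primary address, or against any of its addresses when a match-any-address option like the one in the Graylog section is enabled. It assumes the "||"-separated line layout produced by the LibreNMS rsyslog template, a constructed device inventory, and the hypothetical 'loopback.core-nw' to 'ne-core-01' mapping from the text above.

```python
# Added example, not LibreNMS's own code. Assumes the "||"-separated line that the
# LibreNMS rsyslog template produces, beginning with %fromhost% (the address the
# message arrived from, not a hostname the device claims in the message body).
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Device:
    hostname: str
    primary_ip: str
    other_ips: list = field(default_factory=list)

# Constructed inventory; ne-core-01 is the device named on this page.
DEVICES = [Device("ne-core-01", "10.0.0.1", ["10.255.0.1", "192.0.2.1"]),
           Device("edge-fw-01", "10.0.0.2")]

# Same role as the hostname translation table: name as received -> name LibreNMS knows.
SYSLOG_XLATE = {"loopback.core-nw": "ne-core-01"}

FIELDS = ("fromhost", "facility", "priority", "severity", "tag", "timestamp", "msg", "program")

def parse_line(line: str) -> dict:
    """Split one rsyslog-template line into its eight named fields."""
    parts = line.rstrip("\n").split("||", 7)
    if len(parts) != len(FIELDS):
        raise ValueError("malformed line: expected 8 '||'-separated fields")
    return dict(zip(FIELDS, parts))

def find_device(fromhost: str, match_any_address: bool = False) -> Optional[Device]:
    """Translate the received name, then match hostname/primary IP (or any IP if match_any_address)."""
    name = SYSLOG_XLATE.get(fromhost, fromhost)
    for dev in DEVICES:
        if name in (dev.hostname, dev.primary_ip):
            return dev
        if match_any_address and name in dev.other_ips:
            return dev
    return None

# Constructed sample lines in the template format.
SAMPLE_LINES = [
    "loopback.core-nw||local7||notice||5||%SYS-5-CONFIG_I:||2024-03-22 00:59:03||Configured from console by admin on vty0||sys",
    "10.255.0.1||local7||err||3||%LINK-3-UPDOWN:||2024-03-22 00:59:10||Interface xe-1/1/0, changed state to down||link",
]

def associate(lines, match_any_address: bool = False) -> list:
    """Return (fromhost, matched device hostname or None) for each line."""
    out = []
    for entry in map(parse_line, lines):
        dev = find_device(entry["fromhost"], match_any_address)
        out.append((entry["fromhost"], dev.hostname if dev else None))
    return out
```

The second sample line arrives from a non-primary address and is only associated once match_any_address is enabled, which is exactly the case the Graylog section's option exists for.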