How to send logs to a syslog server on Observium using an Ubuntu Server as the syslog client

This is a detailed guide on how to send logs to a syslog server on Observium using an Ubuntu Server as the syslog client. Section 1 is done on the Observium server (the syslog receiver); sections 2 and 4 are done on the Ubuntu client.

1. Configure rsyslog on the Observium server

1.1 Check the rsyslog version

Make sure rsyslog is installed on the Observium server and that it is current. This guide is for rsyslog version 8 and later, which supports the module(...), input(...), template(...) and ruleset(...) syntax used below.

rsyslogd -v

1.2 Enable remote logging

In /etc/rsyslog.conf the stock network inputs are commented out. If you also want TCP reception, remove the comment (remove #) from the module(load="imtcp") and input(type="imtcp" port="514") lines:

# provides TCP syslog reception
module(load="imtcp")
input(type="imtcp" port="514")

Two caveats. Messages received by this input are processed by the default ruleset and end up in the local log files, not in Observium; to feed TCP syslog to Observium use the commented imptcp block in 30-observium.conf below instead, and do not enable both, because two inputs cannot bind TCP port 514. Leave the imudp lines in /etc/rsyslog.conf commented out: 30-observium.conf loads imudp itself, and rsyslog rejects a module that is loaded twice.

1.3 Create the file /etc/rsyslog.d/30-observium.conf

Create the file /etc/rsyslog.d/30-observium.conf (a file inside the rsyslog.d directory, not a directory itself) and add the following lines to it. The file binds UDP port 514, routes everything received there into the observium ruleset, formats each message with the observium template and pipes it to /opt/observium/syslog.php through omprog. The stop at the end of the ruleset means the remote messages are not also written to the local log files on the Observium host.

#---------------------------------------------------------
# send remote logs to observium

# provides UDP syslog reception
module(load="imudp")

input(type="imudp"
      port="514"
      ruleset="observium")

## provides TCP syslog reception (uncomment if required)
#module(load="imptcp")
#
#input(type="imptcp"
#      port="514"
#      ruleset="observium")

module(load="omprog")

# observium syslog template
template(name="observium"
         type="string"
         string="%fromhost%||%syslogfacility%||%syslogpriority%||%syslogseverity%||%syslogtag%||%$year%-%$month%-%$day% %timereported:8:25%||%msg%||%programname%\n")

# observium RuleSets
ruleset(name="observium") {
    action(type="omprog"
           binary="/opt/observium/syslog.php"
           template="observium")
    stop
}

#---------------------------------------------------------
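To see what the template above actually delivers to syslog.php, the following is an added example (not code from this page or from Observium) that decodes an RFC 3164 syslog datagram into the eight "||"-separated fields in the template's order. It assumes messages arrive in the classic "<PRI>Mmm dd hh:mm:ss HOST TAG[PID]: MSG" form, which is what an Ubuntu client's rsyslog forwards by default; the client address 10.0.125.20, the date and the sshd line are constructed sample input.

```python
"""
Added example, not code from the page or from Observium: model the record
that rsyslog's "observium" template hands to /opt/observium/syslog.php, so
that you know what to look for on the server side and can build a line in
that shape to exercise syslog.php by hand.

Assumptions (not from the page): messages arrive in the RFC 3164 form
"<PRI>Mmm dd hh:mm:ss HOST TAG[PID]: MSG"; the client address 10.0.125.20,
the date and the sample line are constructed.
"""
import re
from datetime import date
from typing import Optional

# <PRI>TIMESTAMP HOSTNAME TAG[PID]: MSG  (RFC 3164 section 4.1).
# MSG deliberately keeps the space after the colon, as rsyslog's %msg% does.
_RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<tag>[^\s:\[]+(?:\[\d+\])?):"
    r"(?P<msg>.*)$"
)

# Constructed sample: PRI 38 = facility 4 (auth) * 8 + severity 6 (info).
SAMPLE_DATAGRAM = (
    b"<38>Jan  9 14:03:11 ubuntu-client sshd[1234]: "
    b"Accepted publickey for ops from 10.0.125.50 port 51234 ssh2"
)
SAMPLE_FROMHOST = "10.0.125.20"   # assumed client IP, i.e. rsyslog's %fromhost%
SAMPLE_DATE = date(2024, 1, 9)    # constructed "today" so the output is reproducible


def split_pri(pri: int):
    """PRI = facility * 8 + severity, so facility is PRI // 8 and severity PRI % 8."""
    return pri >> 3, pri & 7


def observium_record(datagram: bytes, fromhost: str, today: Optional[date] = None) -> str:
    """Return the '||'-delimited line the observium template produces.

    Field order follows the template on this page:
    fromhost || facility || priority || severity || tag || YYYY-MM-DD hh:mm:ss || msg || programname
    In rsyslog, syslogpriority is a legacy alias of syslogseverity, so the
    third and fourth fields carry the same number.
    """
    m = _RFC3164.match(datagram.decode("utf-8", errors="replace"))
    if m is None:
        raise ValueError("not an RFC 3164 syslog line: %r" % datagram)
    facility, severity = split_pri(int(m["pri"]))
    tag = m["tag"] + ":"                      # %syslogtag% keeps the trailing colon
    programname = m["tag"].split("[", 1)[0]   # %programname% drops the [PID]
    today = today or date.today()
    # The template stitches $year-$month-$day (rsyslog's own clock) to the
    # time of day taken from the received timestamp.
    when = "%s %s" % (today.isoformat(), m["ts"][-8:])
    return "||".join([fromhost, str(facility), str(severity), str(severity),
                      tag, when, m["msg"], programname])


def demo() -> str:
    """Format the constructed sample the way syslog.php should receive it."""
    return observium_record(SAMPLE_DATAGRAM, SAMPLE_FROMHOST, SAMPLE_DATE)


if __name__ == "__main__":
    # omprog writes each formatted line to the program's standard input, so
    # this output can be piped into syslog.php to test it without rsyslog:
    #   python3 observium_record.py | php /opt/observium/syslog.php
    print(demo())
```

The constructed sample yields 10.0.125.20||4||6||6||sshd[1234]:||2024-01-09 14:03:11|| Accepted publickey ...||sshd. If a message from a host appears in the rsyslog debug output but never in Observium, compare the first field with the hostname or IP the device is registered under, since that is what Observium matches on.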

1.4 Restart rsyslog

Validate the configuration first with rsyslogd -N1 (it parses the configuration and reports errors without starting the daemon), then restart rsyslog for the configuration to be applied.

service rsyslog restart

2. Install SNMP on the Ubuntu Server (the client)

2.1 Install snmp and snmp-mibs-downloader

apt-get update
apt-get install snmp snmp-mibs-downloader

2.2 Install snmpd

apt-get install snmpd

2.3 Edit /etc/snmp/snmp.conf

nano /etc/snmp/snmp.conf

Comment out the mibs : line as per below, so that the MIBs fetched by snmp-mibs-downloader are loaded (otherwise tools such as snmpwalk show numeric OIDs only):

# As the snmp packages come without MIB files due to license reasons, loading
# of MIBs is disabled by default. If you added the MIBs you can reenable
# loading them by commenting out the following line.
#mibs :

2.4 Edit /etc/snmp/snmpd.conf

nano /etc/snmp/snmpd.conf

Comment out the loopback-only agentAddress line and uncomment the all-interfaces one (add a # to the first, remove it from the second):

#  Listen for connections from the local system only
#agentAddress  udp:127.0.0.1:161
#  Listen for connections on all interfaces (both IPv4 *and* IPv6)
agentAddress udp:161,udp6:[::1]:161

With agentAddress udp:161,udp6:[::1]:161 the agent listens on UDP port 161 on every IPv4 interface, but on IPv6 only on the loopback address [::1]. That exposes SNMP to the whole network, so rely on the source restriction in the rocommunity line below and on a host firewall; if the client has a single management address you can bind only that address instead, e.g. agentAddress udp:<address>:161.

2.5 Uncomment the rocommunity line, change the community string and add the IP or subnet of the Observium server.

In this scenario the community string is SNMPString! and the server is 10.0.125.14; I have added 10.0.125.0/24 to cover the subnet that the server resides in. The community string travels in clear text with every SNMP v2c request, and anyone who knows it and sends from inside the allowed range can read the whole MIB tree, so use a long random string rather than this example, narrow the source to the server itself (10.0.125.14/32) if the subnet contains hosts you do not trust, and make sure the stock public community lines stay commented out.

#rocommunity Public  default    -V all
#  rocommunity6 is for IPv6
#rocommunity6 Public  default   -V all

rocommunity SNMPString!  10.0.125.0/24

2.6 Restart snmpd

service snmpd restart

3. Add the SNMP community string and SNMP agent (Ubuntu IP) to Observium

Under Devices click New Device. Add the IP address of the Ubuntu server and the community string (SNMPString!), then check that Observium polls it successfully. Observium only stores syslog for devices it already knows, matching on the sending host, so the client has to be added here before its syslog will show up.

4. Configure the Ubuntu Server to send logs to the Observium server

4.1 Edit /etc/rsyslog.d/50-default.conf

nano /etc/rsyslog.d/50-default.conf

Change the destination of the facilities you want forwarded from the local file to @x.x.x.x:port or @hostname:port. A single @ forwards over UDP, which is what the imudp input on the Observium server expects; @@ would forward over TCP and only works if a TCP input is enabled there. Replacing the file destination means those facilities are no longer written locally on the client; to keep the local copies, add the @ lines as extra rules instead of substituting them (a single rule *.* @10.0.125.14:514 forwards everything). UDP syslog is neither encrypted nor authenticated, so treat the path between client and server as a trusted network.

auth,authpriv.*                 @10.0.125.14:514
*.*;auth,authpriv.none          @10.0.125.14:514
#cron.*                         /var/log/cron.log
#daemon.*                       -/var/log/daemon.log
kern.*                          -/var/log/kern.log
#lpr.*                          -/var/log/lpr.log
mail.*                          -/var/log/mail.log
#user.*                         -/var/log/user.log

Restart rsyslog on the client for the change to take effect.

service rsyslog restart

5. Test

If everything works, syslog entries from the Ubuntu server appear in Observium (open the device and look at its Syslog tab, or use the global Syslog view). To test with a message you can recognise, run logger on the client, for example logger -t observiumtest "hello observium", and look for it. To test SNMP, run snmpwalk from the Observium server against the client with the community string, e.g. snmpwalk -v2c -c 'SNMPString!' <client IP> system, which should return the system group.
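A hand-built test message makes the tcpdump check below unambiguous. The following is an added example (not code from this page or from Observium) that builds one RFC 3164 datagram exactly as the @10.0.125.14:514 rule would send it, shows the PRI arithmetic behind the auth,authpriv selectors, and delivers it over UDP (or TCP, for the @@ form). The server address and port come from this guide; the hostname, tag, message text and timestamp are constructed.

```python
"""
Added example, not code from the page or from Observium: build one RFC 3164
syslog datagram as the Ubuntu client's '@10.0.125.14:514' rule would send it
and deliver it over UDP, so a known message can be followed with tcpdump and
then looked for in Observium.

Assumptions (not from the page): the server address 10.0.125.14 and port 514
come from the guide; hostname, tag, message text and timestamp are constructed.
"""
import socket
import time
from typing import Optional

OBSERVIUM_SERVER = ("10.0.125.14", 514)   # from the guide's forwarding rule
CLIENT_HOSTNAME = "ubuntu-client"         # constructed; use the client's real hostname

# Facility and severity codes from RFC 3164 section 4.1.1, covering the
# selectors used in 50-default.conf on this page.
FACILITY = {"kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4,
            "syslog": 5, "lpr": 6, "cron": 9, "authpriv": 10, "local0": 16}
SEVERITY = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
            "warning": 4, "notice": 5, "info": 6, "debug": 7}

# Constructed, fixed timestamp so the demo output is reproducible.
SAMPLE_WHEN = time.strptime("2024-01-09 14:03:11", "%Y-%m-%d %H:%M:%S")


def build_datagram(facility: str, severity: str, tag: str, msg: str,
                   hostname: str = CLIENT_HOSTNAME,
                   when: Optional[time.struct_time] = None) -> bytes:
    """Return '<PRI>Mmm dd hh:mm:ss HOST TAG: MSG' as bytes.

    PRI = facility * 8 + severity.  RFC 3164 wants the day of month padded
    with a space to two characters ("Jan  9", not "Jan 9").
    """
    pri = FACILITY[facility] * 8 + SEVERITY[severity]
    t = when if when is not None else time.localtime()
    stamp = "%s %2d %s" % (time.strftime("%b", t), t.tm_mday,
                           time.strftime("%H:%M:%S", t))
    line = "<%d>%s %s %s: %s" % (pri, stamp, hostname, tag, msg)
    return line.encode("utf-8")


def send(datagram: bytes, server=OBSERVIUM_SERVER, tcp: bool = False) -> int:
    """Send one message; rsyslog's '@' means UDP and '@@' means TCP.

    rsyslog's default TCP framing is newline-delimited, so a LF is appended
    in that case.  Returns the number of bytes handed to the socket.
    """
    if tcp:
        payload = datagram + b"\n"
        with socket.create_connection(server, timeout=5) as s:
            s.sendall(payload)
        return len(payload)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        return s.sendto(datagram, server)


def demo_datagram() -> bytes:
    """The constructed test message: auth.info, PRI 4*8+6 = 38."""
    return build_datagram("auth", "info", "syslogtest[4242]",
                          "observium syslog test", when=SAMPLE_WHEN)


if __name__ == "__main__":
    # Run on the Ubuntu client while tcpdump watches udp port 514 on both ends.
    d = build_datagram("auth", "info", "syslogtest[4242]", "observium syslog test")
    print("sent %d bytes: %s" % (send(d), d.decode()))
```

The demo message is <38>Jan  9 14:03:11 ubuntu-client syslogtest[4242]: observium syslog test. The util-linux logger command can send the same thing from the shell (logger -n 10.0.125.14 -P 514 -t syslogtest "observium syslog test"); the script is useful when you want to see the exact bytes on the wire or to test the TCP path. Because the sending host is taken from the packet's source address, the message is only stored if that address belongs to a device added in step 3.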

6. Troubleshoot

6.1 Make sure all settings match the IP addresses and community strings above.

6.2 Ensure traffic is being sent and reaching its destination using tcpdump, on both the Ubuntu server and the Observium (syslog) server. Replace eth0 with the interface actually in use on each host.

root@Syslog:~# tcpdump -ni eth0 udp port 514
root@Syslog:~# tcpdump -ni eth0 udp port 161

If syslog packets arrive on the Observium host but nothing shows up in Observium, the problem is on the rsyslog side: check that rsyslog is listening on UDP 514 (ss -ulnp), that the sending device is known to Observium, and that the rsyslog log (journalctl -u rsyslog) shows no omprog errors for /opt/observium/syslog.php.


Thank you for reading and please feel free to leave any feedback.
