We have multiple ways to associate syslog hosts with devices in Observium.
It seems you should use hostnames (%hostname%) from each device, but you need to make sure that the devices report correct hostnames in the syslog message.
You can (temporarily) enable storing of all syslog messages from all hosts; in config.php add:
$config['syslog']['debug'] = TRUE;
Be sure that the Observium logs dir has write permissions for the syslog user (simplest way: chmod 777 /opt/observium/logs).
Restart the rsyslog service.
After that you will get files in the logs dir: debug.<host>.syslog
Mainly you should know <host> here. Now you can manually map these hosts to devices:
$config['syslog']['host_map']['<host>'] = '<observium_host>';
$config['syslog']['host_map']['<host>'] = '<device_id>';
P.S. Disable syslog debug in config.php and restart rsyslog again to prevent a full disk from these debug files.
mp--- via observium wrote on 25.01.2023 00:30:
That's what I've been trying to work out too, I think if the hostname could be used it would work which is why I tried changing the below template around so that the %fromhost% part was %hostname% instead as this is one of the variables from the rsyslog documentation and my understanding is that it should then use the device hostname from the message. I wasn't sure how observium would then pick it up as to whether it was looking at the position in the line and just taking the first part as to the host to match it to or if there was more to it.
# observium syslog template
template(name="observium" type="string" string="%fromhost%||%syslogfacility%||%syslogpriority%||%syslogseverity%||%syslogtag%||%$year%-%$month%-%$day% %timereported:8:25%||%msg%||%programname%\n")
The below article shows how to store the messages by hostname in a different log file which I think is the standard rsyslog way however I've never tried this in the same scenario with multiple devices behind one public IP to be able to reliably say if this works or not.
https://www.rsyslog.com/storing-and-forwarding-remote-messages/
I was trying to run debug in observium to see what it picks up but after enabling it for syslog and also setting it to log unknown hosts I don't get any additional logging to see what the lines look like for these hosts.
I did run tcpdump instead and it looks like the hostname is sent ok in the syslog message so I think it's just a case of working out how to use that and get it into observium.
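Added example, not part of either message and not Observium or rsyslog code: a small checker that parses lines in the `||` template format quoted above and reports which host values would not match any device, comparing `%fromhost%` with `%hostname%` for two devices behind one public IP. The device names, the addresses, the sample lines and the `resolve` lookup order are assumptions made for illustration.

```python
# Added illustration; field order follows the template quoted in the thread.
FIELDS = ("host", "facility", "priority", "severity",
          "tag", "timestamp", "msg", "program")

def parse_line(line):
    """Split one line written by the '||' template into named fields.
    %msg% is free text and may itself contain '||', so take six fields
    from the left and the program name from the right."""
    head = line.rstrip("\n").split("||", 6)
    if len(head) != 7 or "||" not in head[6]:
        raise ValueError("not an observium template line")
    msg, program = head[6].rsplit("||", 1)
    return dict(zip(FIELDS, head[:6] + [msg, program]))

def resolve(host, host_map, devices):
    """Simplified model of host association (an assumption, not Observium's
    real lookup): explicit host_map entry first, then an exact device name."""
    target = host_map.get(host, host)
    return target if target in devices else None

def unmatched_hosts(lines, host_map, devices):
    """Return the host values no device would claim, with line counts."""
    missing = {}
    for line in lines:
        host = parse_line(line)["host"]
        if resolve(host, host_map, devices) is None:
            missing[host] = missing.get(host, 0) + 1
    return missing

# Constructed sample: two devices behind one public IP (203.0.113.10).
DEVICES = {"sw1.example.net", "fw1.example.net"}
HOST_MAP = {"sw1": "sw1.example.net", "fw1": "fw1.example.net"}

# As written with %fromhost%: both devices collapse onto the NAT address.
FROMHOST_LINES = [
    "203.0.113.10||23||5||5||link:||2023-01-25 00:12:01|| Gi0/1 down||link\n",
    "203.0.113.10||4||4||4||fw:||2023-01-25 00:12:07|| drop a||b on wan||fw\n",
]
# As written with %hostname%: the name carried inside each message is kept.
HOSTNAME_LINES = [ln.replace("203.0.113.10", name, 1)
                  for ln, name in zip(FROMHOST_LINES, ("sw1", "fw1"))]

if __name__ == "__main__":
    print("fromhost:", unmatched_hosts(FROMHOST_LINES, HOST_MAP, DEVICES))
    print("hostname:", unmatched_hosts(HOSTNAME_LINES, HOST_MAP, DEVICES))
```

Pointing it at a `debug.<host>.syslog` file instead of the constructed lines lists the `<host>` values that still need a `host_map` entry.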