Hi – you can check what syslog is passing on using this:

destination d_observium_debug {
        file("/var/log/observium.debug"
        template ("$HOST||$FACILITY||$PRIORITY||$LEVEL||$TAG||$YEAR-$MONTH-$DAY $HOUR:$MIN:$SEC||$MSG||$PROGRAM\n")
        template-escape(yes));
};

log {
        source(s_net);
        destination(d_observium);
        destination(d_observium_debug);
};

Generate basic events (like conf mode exiting) for both working and non-working devices and check that the formatting is coming out correct?

Also check that Observium does actually list the devices’ IP when you search for it. If it doesn’t have it then it cannot match the source and put it against the correct host. Sometimes your interface filters, like filtering out loopback* (been there, done that) may result in Observium not knowing the IP from whence it came…

From: observium [mailto:observium-bounces@observium.org] On Behalf Of Markus Klock
Sent: 19 September 2014 14:40
To: Observium Network Observation System
Subject: Re: [Observium] syslog-ng implementation and Cisco ASR9K

 

Thanks for the replies,

that's strange. Using the default config for syslog I get syslog from my IOS-devices but not the IOS-XR ones. I have verified that they are received at the observium-box using tcpdump...

Is there any way to debug observium syslog parsing?

/Markus

2014-09-19 15:28 GMT+02:00 Tim Calvin <tcalvin@tlsn.net>:

I can confirm working syslog integration between the latest Observium version and several ASR9K’s running various versions of IOS-XR.

Didn’t need to do anything special.

Here is an excerpt from syslog-ng.conf

destination d_observium {
        program("/opt/observium/syslog.php" template ("$HOST||$FACILITY||$PRIORITY||$LEVEL||$TAG||$YEAR-$MONTH-$DAY $HOUR:$MIN:$SEC||$MSG||$PROGRAM\n") template-escape(yes));
};

log {
        source(s_net);
        destination(d_observium);
};

I guess Observium is doing an IP lookup as you mentioned to match the hostname I have in Observium. The configured hostnames in the routers do not match what I have in Observium. I probably need to change that but it is currently working.

I just need the following config in the ASR9K’s pointing to Observium

logging 192.168.1.1 vrf default

Robert Williams
Custodian Data Centre
Email: Robert@CustodianDC.com
http://www.CustodianDC.com

From: Markus Klock <markus@best-practice.se>
Reply-To: "observium@observium.org" <observium@observium.org>
Date: Friday, September 19, 2014 at 12:36 AM
To: "observium@observium.org" <observium@observium.org>
Subject: [Observium] syslog-ng implementation and Cisco ASR9K

 

Hey guys!

I'm setting up syslog-ng implementation and it works great for all my Cisco IOS-devices, however most of the devices in my network are Cisco ASR9K-routers running IOS-XR and it seems syslog from them won't go into Observium.

I did a quick look in the syslog-messages from the ASR9Ks and it seems IOS-XR actually doesn't use its hostname as hostname but instead uses its active route processor's name (wtf cisco?!) making the syslog messages look something like this:

RP/0/RSP0/CPU0:Nov 28 23:56:53.826 : config[65710]: %SYS-5-CONFIG_I : Configured from console by console

Now there is a command that lets you add a "hostname prefix" to the syslog messages, which means that I can type my own custom string as hostname for syslog, sadly it still just adds it before the RPS-id making the messages like this:

router1 RP/0/RSP0/CPU0:router:Nov 28 23:56:53.826 : config[65710]: %SYS-5-CONFIG_I : Configured from console by console

This of course makes it impossible for Observium to match the syslogged hostname to a hostname in the database.

I took a look in the observium syslog-code and if I understand it correctly, if it fails to match the hostname it does a fallback and tries if maybe the IP-address is used as hostname and tries to match it against a host in the database?

In that case maybe I could change the syslog-ng template that forwards the data to Observium to use source IP instead of hostname?

destination d_observium {
    program("/opt/observium/syslog.php" template ("$HOST||$FACILITY||$PRIORITY||$LEVEL||$TAG||$YEAR-$MONTH-$DAY $HOUR:$MIN:$SEC||$MSG||$PROGRAM\n") template-escape(yes));
};

I tried changing $HOST to $HOST_FROM and $SOURCEIP but no luck so far.

Am I even on the right track here? Could something like this work to make my idiotic ASR9Ks show up in the Observium syslog?

Thanks in advance for any advice

/Markus
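
Added example, not part of any message in this thread and not Observium's code: a Python check over lines in the format written by the d_observium_debug destination above. It splits each line on the template's "||" separators and reports whether $HOST is a hostname or IP found in a device inventory; the inventory sets, verdict names and sample lines are constructed, and the matching shown is an assumption, not how syslog.php decides.

```python
import ipaddress

# Field order of the "||"-separated template written by d_observium_debug.
FIELDS = ["host", "facility", "priority", "level", "tag", "timestamp", "msg", "program"]

def parse_line(line):
    """Split one debug line into the template's eight fields, or None if short.

    $MSG is free text and can contain "||" itself, so the six leading fields
    are taken from the left, $PROGRAM from the right, and the rest is $MSG.
    """
    parts = line.rstrip("\n").split("||")
    if len(parts) < len(FIELDS):
        return None
    msg = "||".join(parts[6:-1])
    return dict(zip(FIELDS, parts[:6] + [msg, parts[-1]]))

def classify(line, known_hosts, known_ips):
    """Say whether the $HOST field can be tied to a device in the inventory."""
    rec = parse_line(line)
    if rec is None:
        return "malformed"
    host = rec["host"]
    try:
        ip = str(ipaddress.ip_address(host))
    except ValueError:  # not an IP literal, so treat it as a hostname
        return "ok-hostname" if host.lower() in known_hosts else "unknown-hostname"
    return "ok-ip" if ip in known_ips else "unknown-ip"

# Constructed inventory (hypothetical stand-in for the devices Observium knows).
KNOWN_HOSTS = {"sw1.example.net"}
KNOWN_IPS = {"192.0.2.10"}

# Constructed debug lines, not real output from the devices in the thread.
SAMPLE = [
    "sw1.example.net||local7||notice||notice||bd||2014-09-19 14:40:01||%SYS-5-CONFIG_I: Configured from console by console||config",
    "RP/0/RSP0/CPU0||local7||notice||notice||bd||2014-09-19 14:40:02||config[65710]: %SYS-5-CONFIG_I : Configured from console by console||config",
    "192.0.2.10||local7||notice||notice||bd||2014-09-19 14:40:03||link a||b changed||ifmgr",
    "192.0.2.99||local7||notice||notice||bd||2014-09-19 14:40:04||test message||test",
    "garbage without separators",
]

def audit(lines=SAMPLE):
    """Return one verdict per line, in order."""
    return [classify(l, KNOWN_HOSTS, KNOWN_IPS) for l in lines]

if __name__ == "__main__":
    for verdict, line in zip(audit(), SAMPLE):
        print(f"{verdict:17} {line.split('||')[0]}")
```

Lines reported as unknown-hostname or unknown-ip are the ones to compare against what a device search in Observium shows.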

