Hey,
So I’ve got a new installation of Observium Pro up and running with 160+ devices, and everything is working as expected, with a minor exception: syslog messages from Palo Alto boxes arrive successfully at the CentOS 7 box, but are not added to the device’s logging/syslog page in Observium. So far syslog messages for all other vendors are correctly added to the devices.
Is there anything you can advise me to do to further diagnose what’s wrong? Or is there a problem with the format of Palo messages? This is not critical to me, but I have 6 PAs, all of which are in the audit, and having the syslog of all the config changes right in the web GUI along with the events and stats is a nice simple way for the auditors to get the warm and fuzzies about me not just making it all up. It’d be great to have.
I temporarily disabled the forward of syslog to Observium by commenting out “$IncludeConfig /etc/rsyslog.d/*.conf” and restarting rsyslog, at which point the below example messages successfully drop into /var/log/messages.
Mar 28 16:10:42 Location-PA-200.usa.neopost.com 1,2016/03/28 16:10:42,001606058055,SYSTEM,routing,0,2016/03/28 16:10:42,,routed-config-p2-success,,0,0,general,informational,Route daemon configuration load phase-2 succeeded.,15787,0x0,0,0,0,0,,Location-PA-200
Mar 28 16:10:42 Location-PA-200.usa.neopost.com 1,2016/03/28 16:10:42,001606058055,SYSTEM,vpn,0,2016/03/28 16:10:42,,ike-config-p2-success,,0,0,general,informational,IKE daemon configuration load phase-2 succeeded.,15788,0x0,0,0,0,0,,Location-PA-200
Mar 28 16:10:42 Location-PA-200.usa.neopost.com 1,2016/03/28 16:10:42,001606058055,SYSTEM,ras,0,2016/03/28 16:10:42,,rasmgr-config-p2-success,,0,0,general,informational,RASMGR daemon configuration load phase-2 succeeded.,15789,0x0,0,0,0,0,,Location-PA-200
Mar 28 16:10:42 Location-PA-200.usa.neopost.com 1,2016/03/28 16:10:42,001606058055,SYSTEM,satd,0,2016/03/28 16:10:42,,satd-config-p2-success,,0,0,general,informational,SATD daemon configuration load phase-2 succeeded.,15790,0x0,0,0,0,0,,Location-PA-200
Mar 28 16:10:42 Location-PA-200.usa.neopost.com 1,2016/03/28 16:10:42,001606058055,SYSTEM,sslmgr,0,2016/03/28 16:10:42,,sslmgr-config-p2-success,,0,0,general,informational,SSLMGR daemon configuration load phase-2 succeeded.,15791,0x0,0,0,0,0,,Location-PA-200
The only caveat I can think of is that I don’t have all my devices’ names in DNS; instead I cheated and built them in /etc/hosts. This seems to work for everything else, so I’m not sure that’s what’s causing this. My hunch is that the Observium syslog parser doesn’t like the string from the Palos. Is there a way to see logs for that (without breaking everything else)?
[root@observium ~]# ping Location-PA-200.usa.neopost.com
PING Location-PA-200.usa.neopost.com (10.10.10.2) 56(84) bytes of data.
64 bytes from Location-PA-200.usa.neopost.com (10.10.10.2): icmp_seq=1 ttl=52 time=44.3 ms
64 bytes from Location-PA-200.usa.neopost.com (10.10.10.2): icmp_seq=2 ttl=52 time=44.6 ms
^C
--- Location-PA-200.usa.neopost.com ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 44.373/44.532/44.691/0.159 ms
[root@observium ~]#
Appreciate your help,
Thanks
--
Jim Bradley
IT Network Engineer and Security Officer
Phone: +1 203 301 3749
Mobile: +1 203 308 3047
Neopost USA - 478 Wheelers Farms Rd - 06461 Milford CT - United States
www.neopost.com