
Forwarding from rsyslog server to NetMRI not working

Expert
Posts: 127

Hello Everyone!

 

I'm trying to use rsyslog to forward all of the notification level 5 and greater to NetMRI.  My problem is getting rsyslog configured so that it doesn't replace the originating IP address with its own.  By the way, forwarding the DHCP ACKs works great; it triggers discovery if the device is not known.

Does anyone have experience setting up rsyslog to work with NetMRI and would be willing to share the secret sauce?

 

Thanks

Lon.

Re: Forwarding from rsyslog server to NetMRI not working

Adviser
Posts: 353
I don’t have a direct answer for you. I will say that if you send the logs to NetMRI directly, we can forward them and preserve the IP. At the time, none of the ordinary syslog servers did this, so we had to write our own code for it. I don’t know if they do it now. We basically have to spoof the source IP in the header.

Re: Forwarding from rsyslog server to NetMRI not working

Expert
Posts: 127

Thanks John for the near real-time response!

 

Our lab appliance works great where we directly send the syslogs from the devices.  We don't want to add more syslog receivers to our network at this time, so I need to get rsyslog to work.  Looks like I'll need to become an expert at rsyslog now :)

I'm still hopeful that someone else in the community will rescue me from my fate.  But until then I'll start googling away...

 

Thanks

Lon.

Re: Forwarding from rsyslog server to NetMRI not working

Member
Posts: 1

This functionality is supported in the two most common "advanced" syslog servers, Syslog-NG and rsyslog.  Both have supported it for a long time, although not all distributions include the modules and/or options in their base install.  It's pretty easy to set up, though.

For both cases, you are basically configuring it to "spoof" the source IP of the syslog packet to match the original host you received the log from.  Also note that this will only work for UDP syslog; you can't use it for TCP.

For verification of effectiveness, we're using this today for our NetMRI setup.  All of our network devices send their logs to our central syslog collection infrastructure (we use Syslog-NG primarily, with a small amount of rsyslog), and we then filter for config change notifications to forward to NetMRI, so we can trigger config captures.  It's been working effectively for some years now.

 

For Syslog-NG:

 

You'd add a spoof flag to the log destination, which requires that Syslog-NG was compiled with the --enable-spoof-source option.  The config looks something like this:

 

# Log Destination with "spoofed" Source IP to match originating host
destination d_loghost { udp("192.168.1.1" port(1514) spoof_source(yes)); };

For rsyslog:

 

You need to use the omudpspoof module.

 

For the legacy configuration format, you'd do something like this to just rewrite the source IP for all forwarded logs:

 

# Load the spoofing UDP sender (each legacy directive goes on its own line)
$ModLoad omudpspoof
# Destination host for the forwarded messages
$ActionOMUDPSpoofTargetHost server.example.com
# Forward every facility/severity through omudpspoof
*.*      :omudpspoof:

For the new configuration format, you'd do something like:

 

module(load="omudpspoof")
action(
  type="omudpspoof"
  target="192.168.1.1"
)
--
Christopher
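Putting Christopher's rsyslog pieces together with the filtering Lon and Marty describe, here is an added rsyslog (RainerScript) configuration that is not from the thread. It assumes NetMRI listens for UDP syslog on the placeholder address 192.0.2.10:514, that devices send to this rsyslog host on UDP 514, and that rsyslog runs as root or with CAP_NET_RAW (libnet needs raw sockets to write a spoofed source address).

```conf
# Added example, not from the original thread.
# Assumptions: NetMRI at 192.0.2.10 (placeholder), devices log to us on UDP/514,
# rsyslog has root or CAP_NET_RAW so omudpspoof can emit raw packets.

module(load="imudp")                 # receive syslog from the network devices
input(type="imudp" port="514")

module(load="omudpspoof")            # UDP sender that rewrites the IP source

# Keep a complete local copy of everything the devices send us.
action(type="omfile" file="/var/log/network-devices.log")

# Forward to NetMRI only what it needs:
#   - severity 5 (notice) and more severe (lower numeric values), or
#   - any message mentioning a config change, as Marty suggested.
# omudpspoof's default source template is %fromhost-ip%, so the packet NetMRI
# receives carries the originating device's address, not this server's.
if ($syslogseverity <= 5 or $msg contains "CONFIG") then {
    action(type="omudpspoof"
           target="192.0.2.10"
           port="514")
}
```

Because the source address is forged, confirm on the NetMRI side (a packet capture will do) that the packets arrive with the device IP; routers or hypervisors doing reverse-path filtering between the rsyslog host and NetMRI will silently drop them.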

Re: Forwarding from rsyslog server to NetMRI not working

Expert
Posts: 244

Lon,

 

I don't have an answer to your direct question but I thought I would mention that if you do add NetMRI as a syslog server, in IOS devices, you can greatly cut the chatter by using the "logging discriminator" feature.  Have it match on "CONFIG" and only send those messages to NetMRI.

 

And could you please explain what this means:

"forwarding the DHCP ACK's works great, triggers discovery if the device is not known"

 

Thanks,

- Marty

Re: Forwarding from rsyslog server to NetMRI not working

Expert
Posts: 127

That's great Christopher!  Thanks for sharing.  We will give this a try.

 

-Lon.

Re: Forwarding from rsyslog server to NetMRI not working

Authority
Posts: 32

 

Marty -- Lon is referring to a little-known NetMRI feature where, if NetMRI is registered to a NIOS Grid as Automation Change Manager (ACM), the Grid will automatically send DHCP ACK syslog messages to NetMRI, which triggers NetMRI's "Discover Now" function if the device is not already discovered.

 

-Marc-

Re: Forwarding from rsyslog server to NetMRI not working

Expert
Posts: 127

Hi Marty - Sorry, I totally missed your question at the end of your comment.  So much to read in a day, so little time :)

Marc is correct about the NIOS feature, but since we have so many NIOS appliances, it is easier for us to use the central logging collection point (rsyslog) and resend the filtered syslogs from there back to the NetMRI appliance.

So now, NetMRI is receiving the DHCPACKs (via rsyslog) and checks if the device is already known or not, and if not, it queues it up to be discovered straight away.  Just a quicker way to find new devices that pop on the network.  It is documented in the admin guide; look for "Notes on DHCP Configuration for ACM Operation".

(btw, I still haven't completed the spoofing yet for the config changes, need to get more time in the lab :) )

 

Thanks for your help,

Lon.
