Resolution: Fixed
-
Major
-
None
-
Professional Edition
Description
Hello all,
Since moving to 13056 today, we detected that the syslog from a lot of EXOS devices is not being processed by Observium. It is as if Observium stopped collecting or writing: we can see old ones, but no new ones.
We can see the syslog packets arrive correctly at the server, the daemon is listening on the right port 514, and the rsyslog and Observium syslog processes are running, but we cannot see it in the GUI:
root@observium:/opt/observium# tcpdump -i any port 514 and '(host 172.19.8.248 or host 192.168.130.250)' -n
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked v1), capture size 262144 bytes
13:43:12.969469 ethertype IPv4, IP 172.19.8.248.514 > 172.19.8.182.514: SYSLOG local4.info, length: 106
13:43:12.969469 IP 172.19.8.248.514 > 172.19.8.182.514: SYSLOG local4.info, length: 106
13:43:12.970676 ethertype IPv4, IP 172.19.8.248.514 > 172.19.8.182.514: SYSLOG local4.info, length: 129
13:43:12.970676 IP 172.19.8.248.514 > 172.19.8.182.514: SYSLOG local4.info, length: 129
13:43:12.971010 ethertype IPv4, IP 172.19.8.248.514 > 172.19.8.182.514: SYSLOG local4.info, length: 127
13:43:12.971010 IP 172.19.8.248.514 > 172.19.8.182.514: SYSLOG local4.info, length: 127
13:43:13.141950 ethertype IPv4, IP 172.19.8.248.514 > 172.19.8.182.514: SYSLOG local4.warning, length: 168
13:43:13.141950 IP 172.19.8.248.514 > 172.19.8.182.514: SYSLOG local4.warning, length: 168
13:43:13.183165 ethertype IPv4, IP 172.19.8.248.514 > 172.19.8.182.514: SYSLOG local4.warning, length: 168
13:43:13.183165 IP 172.19.8.248.514 > 172.19.8.182.514: SYSLOG local4.warning, length: 168
13:43:14.745574 ethertype IPv4, IP 172.19.8.248.514 > 172.19.8.182.514: SYSLOG local4.info, length: 118
13:43:14.745574 IP 172.19.8.248.514 > 172.19.8.182.514: SYSLOG local4.info, length: 118
^C
12 packets captured
50 packets received by filter
0 packets dropped by kernel
root@observium:/opt/observium# netstat -anp | grep 514
udp 0 0 0.0.0.0:514 0.0.0.0:* 674119/rsyslogd
root@observium:/opt/observium# ps -edaf | grep syslog
root 674119 1 0 13:19 ? 00:00:01 /usr/sbin/rsyslogd -n -iNONE
root 674131 674119 0 13:19 ? 00:00:06 php /opt/observium/syslog.php

root@observium:/opt/observium# service rsyslog status
● rsyslog.service - System Logging Service
     Loaded: loaded (/lib/systemd/system/rsyslog.service; enabled; vendor preset: enabled)
     Active: active (running) since Fri 2023-10-13 13:19:33 CEST; 39min ago
TriggeredBy: ● syslog.socket
       Docs: man:rsyslogd(8)
             https://www.rsyslog.com/doc/
   Main PID: 674119 (rsyslogd)
      Tasks: 6 (limit: 154018)
     Memory: 47.9M
     CGroup: /system.slice/rsyslog.service
             ├─674119 /usr/sbin/rsyslogd -n -iNONE
             └─674131 php /opt/observium/syslog.php
Oct 13 13:19:33 observium systemd[1]: Starting System Logging Service...
Oct 13 13:19:33 observium rsyslogd[674119]: imuxsock: Acquired UNIX socket '/run/systemd/journal/syslog' (fd 3) from systemd. [v8.2001.0]
Oct 13 13:19:33 observium systemd[1]: Started System Logging Service.
Oct 13 13:19:33 observium rsyslogd[674119]: [origin software="rsyslogd" swVersion="8.2001.0" x-pid="674119" x-info="https://www.rsyslog.com"] start
How can I debug whether it is Observium that is not processing the syslog, or whether it is something related to the Linux server?
Thanks,
EM