Uploaded image for project: 'Observium'
  1. Observium
  2. OBS-523

Can we have netscaler syslog parsed by syslog.php?

Details

    • Improvement
    • Resolution: Fixed
    • Minor
    • None
    • None
    • Web Interface

    Description

      So , Cisco devices get syslogged, but netscaler, they are not.

      It seems like it's related to how the netscaler are doing their syslog.

      This is a cisco log entry which gets parsed:

      Oct 3 23:58:55 10.32.10.18 417597: r1.ix5: Oct 3 23:58:54.336 UTC: %SSH-5-SSH2_SESSION: SSH2 Session request from 10.32.10.20 (tty = 0) using crypto cipher 'aes128-cbc', hmac 'hmac-md5' Succeeded

      This is an entry from a netscaler:

      Oct 3 23:58:39 10.70.66.249 10/03/2013:16:49:07 GMT dk-lb001a PPE-4 : UI CMD_EXECUTED 10367926 : User so_readonly - Remote_ip 10.70.66.56 - Command "stat lb vserver" - Status "Success"

      So, it seems they have the timestamps & device name switched.

      Should be easy to fix, right?

      Attachments

        Issue Links

          relates to

          Bug - A problem which impairs or prevents the functions of the product. OBS-3614 syslog messages appear truncated for Citrix ADC

          • Minor - Minor loss of function, or other problem where easy workaround is present.
          • Closed

          Activity

            [OBS-523] Can we have netscaler syslog parsed by syslog.php?
            gp.gt.network@adevinta.com ADV added a comment -

            Hi Mike, just as an FYI.

            I created a "breakout" in syslog-ng to see the exact string passed as parameter to syslog.php. I've found out that the syslog message sent from the device is completely assigned to $MSG and the date to $PROGRAM. This is fixed after creating a template function to parse it to match our needs and actually set $PROGRAM correctly.

            So, the data passed to Observium was not OK

            With kind regards,

            Yoleri

            gp.gt.network@adevinta.com ADV added a comment - Hi Mike, just as an FYI. I created a "breakout" in syslog-ng to see the exact string passed as parameter to syslog.php. I've found out that the syslog message sent from the device is completely assigned to $MSG and the date to $PROGRAM. This is fixed after creating a template function to parse it to match our needs and actually set $PROGRAM correctly. So, the data passed to Observium was not OK With kind regards, Yoleri
            landy Mike Stupalov added a comment -

            I not fully sure, but should be improved now in r10996.

            landy Mike Stupalov added a comment - I not fully sure, but should be improved now in r10996.
            landy Mike Stupalov added a comment - - edited

            maartenmoerman yah, I need more syslog examples for correct test this parsing.

            Probably this is should work, but I think currently incorrect parsed program and tag..

            Can you enable debugging for netscaller syslog.. or send partial syslog from an netscaller device to my dev syslog server (access opened): 77.222.50.30.

            landy Mike Stupalov added a comment - - edited maartenmoerman yah, I need more syslog examples for correct test this parsing. Probably this is should work, but I think currently incorrect parsed program and tag.. Can you enable debugging for netscaller syslog.. or send partial syslog from an netscaller device to my dev syslog server (access opened): 77.222.50.30.
            adama Adam Armstrong added a comment -

            Does this now work?

            adama Adam Armstrong added a comment - Does this now work?
            maartenmoerman Maarten Moerman added a comment -

            I think it's related to the fact that the sysname is different then the name that observium uses, so it cannot match.

            Problem with our Netscalers is, since we run them in HA, the naming is different, we monitor the device on: dk-lb001, but there's actually 2 devices: dk-lb001a & dk-lb001b, so depending on which one is active, it shows a different name in syslog.

            Would it be possible to do an overwrite for this in the settings page?

            maartenmoerman Maarten Moerman added a comment - I think it's related to the fact that the sysname is different then the name that observium uses, so it cannot match. Problem with our Netscalers is, since we run them in HA, the naming is different, we monitor the device on: dk-lb001, but there's actually 2 devices: dk-lb001a & dk-lb001b, so depending on which one is active, it shows a different name in syslog. Would it be possible to do an overwrite for this in the settings page?
            landy Mike Stupalov added a comment -

            This issue actual?
            I see that should fixed, but perhaps not entirely correct.

            landy Mike Stupalov added a comment - This issue actual? I see that should fixed, but perhaps not entirely correct.

            People

              landy Mike Stupalov
              maartenmoerman Maarten Moerman
              Votes:
              0 Vote for this issue
              Watchers:
              5 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: