kiwi syslog forwarding making me crazy

Mar 6th, 2007
hi -


I have a Kiwi syslog server set up in MARS as a generic syslog relay.


According to the latest (Dec 06?) MARS docs, this is how the Kiwi server itself should be configured to then forward messages to MARS:


  • Send with RFC 3164 header information: Selected
  • Retain the original source address of the message: Cleared


If I set either (or both) of these options as outlined in the doc, none of the syslog messages that arrive at Kiwi appear to get sent to / processed by MARS.


If I clear the RFC 3164 header field, and pick the option to retain the original source address, the messages show up on MARS when I query the device (i.e. the syslog relay).


I did set up the sender (a Cisco router) as a reporting device in MARS - the syslogs arrive at Kiwi, but I only see them on MARS if I do exactly the opposite of what the manual says on the Kiwi side.


?????


what am I missing? What is MARS expecting to see from Kiwi?


thanks

-randy

mhellman Tue, 03/06/2007 - 09:58

I didn't read your message well enough. It's probably normal that when you don't include the header field that the events show up as coming from the kiwi server. It looks like the header field is used by csmars to determine which reporting device originated the message.


Use the settings outlined in the guide:

http://www.cisco.com/en/US/products/ps6241/products_user_guide_chapter09186a008075038a.html#wp1275264


then start troubleshooting. Make sure you "activate" any device changes (i.e. when modifying the Kiwi reporting device or adding a router reporting device).

randytoni Tue, 03/06/2007 - 10:54

thanks - but that's the same doc I followed.


cannot seem to get MARS to accept / parse the events from Kiwi properly.


mhellman Tue, 03/06/2007 - 11:02

When you use the settings provided in the doc:


have you verified that the events are being forwarded? Log into the CSMARS via SSH and use tcpdump:

[pnadmin] tcpdump host and port 514


Do the events show up in an "unknown event report" query? What do they look like?

randytoni Tue, 03/06/2007 - 11:39

in the process of trying that now - thanks for the help....

randytoni Tue, 03/06/2007 - 12:15

got a couple events showing up with query on "unknown reporting device":


eg:


"unknown reporting IP: 172.22.0.49, <157>Mar 6 14:56:48 172.22.0.49 Ki?wi_Syslog_Daemon %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Ac?cess1, changed state to up"


so they are showing up at MARS as "unknowns" -- it appears that Kiwi adds the timestamp and hostname info e.g. "Mar 6 14:56:48 172.22.0.49 Ki?wi_Syslog_Daemon" to the message.


So defining a reporting device based on the IP shown in the add'l header (the original source IP) should be all I need to do (tried this but will have to troubleshoot some more...)
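
The following is an added example, not code from the thread, from Kiwi or from Cisco. It models the two behaviours discussed above: the relay prepending an RFC 3164 header ("<PRI>Mmm dd hh:mm:ss HOSTNAME TAG ...") with the original sender's IP in the HOSTNAME field, and the receiver (MARS, per mhellman's reply above) using that hostname field, when present, to decide which reporting device a message came from, falling back to the UDP source address (the relay itself) when the header is absent. The addresses, the relay's tag, the timestamp and the sample %LINEPROTO message are constructed; the "Retain the original source address" option is not modelled, and the relay is assumed to always send from its own address, which is what the observations in this thread show. Stray non-printable bytes like the ones rendered as "?" above are stripped before parsing.

```python
import re
from dataclasses import dataclass

# Constructed sample data (not from a real deployment).
ROUTER_IP = "172.22.0.49"   # original sender, as seen in the thread
RELAY_IP = "192.0.2.10"     # hypothetical address of the Kiwi relay
ORIGINAL = ("<157>%LINEPROTO-5-UPDOWN: Line protocol on Interface "
            "Virtual-Access1, changed state to up")

# <PRI> followed by an RFC 3164 TIMESTAMP, HOSTNAME and the rest of the line.
# The day accepts both "Mar  6" and "Mar 6" (the latter is how the thread
# rendered it).
HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<msg>.*)$", re.S)
PRI_RE = re.compile(r"^<(?P<pri>\d{1,3})>(?P<msg>.*)$", re.S)


@dataclass
class Datagram:
    src_ip: str    # UDP source address the receiver sees
    payload: str   # syslog payload


def kiwi_forward(original, sender_ip, relay_ip, add_header,
                 ts="Mar  6 14:56:48"):
    """Model of the relay's forward action (assumed behaviour, not Kiwi code).

    With add_header the relay prepends a timestamp, the original sender's
    IP as HOSTNAME and its own tag; without it the message is passed
    through as received. The datagram is always sent from relay_ip.
    """
    m = PRI_RE.match(original)
    if not m:
        raise ValueError("message has no <PRI> field")
    pri, body = m.group("pri"), m.group("msg")
    if add_header:
        payload = f"<{pri}>{ts} {sender_ip} Kiwi_Syslog_Daemon {body}"
    else:
        payload = f"<{pri}>{body}"
    return Datagram(relay_ip, payload)


def clean(payload):
    """Drop non-printable characters (the thread saw stray bytes in the
    relay's tag and in the interface name)."""
    return "".join(ch for ch in payload if ch.isprintable())


def attribute(dg, reporting_devices):
    """Attribute a datagram to a reporting device.

    The HOSTNAME field of an RFC 3164 header wins; without a header the
    only identity available is the UDP source, i.e. the relay.
    Returns (candidate, where_it_came_from, status).
    """
    m = HEADER_RE.match(clean(dg.payload))
    candidate = m.group("host") if m else dg.src_ip
    origin = "header" if m else "udp source"
    status = "known" if candidate in reporting_devices else "unknown reporting IP"
    return candidate, origin, status


def run_scenarios(reporting_devices):
    """Header on vs. off, against a given set of defined reporting devices."""
    out = {}
    for add_header in (True, False):
        dg = kiwi_forward(ORIGINAL, ROUTER_IP, RELAY_IP, add_header)
        out[add_header] = attribute(dg, reporting_devices)
    return out


if __name__ == "__main__":
    # Only the relay is defined: header-on messages land as "unknown
    # reporting IP: 172.22.0.49", exactly the symptom in the thread.
    for hdr, res in run_scenarios({RELAY_IP}).items():
        print(f"header={hdr!s:5} -> {res}")
    # Router added as a reporting device: header-on messages are attributed
    # to the router, header-off messages still look like the relay.
    for hdr, res in run_scenarios({RELAY_IP, ROUTER_IP}).items():
        print(f"header={hdr!s:5} -> {res}")
```

The first loop reproduces the "unknown reporting device" result: the header names 172.22.0.49, but no reporting device exists for it. Adding the router as a reporting device (and activating it) is the fix; turning the header off instead only makes every forwarded message look as if the relay generated it.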



Correct Answer
mhellman Tue, 03/06/2007 - 12:19

That's the theory anyway. Make sure you click activate after adding the device. You should test with a device you know you can force events on (via failed login, whatever). I see you're having a similar issue where strange characters are showing up in the output (see the "?" characters). I don't know if this has an impact or not, but I've seen it before in our MARS as well.

randytoni Tue, 03/06/2007 - 12:32

yeah not sure what's up with the add'l characters - hope that's not a symptom of some other weirdness on MARS


I'll try again to set up a source device and see what happens from there - I'll post the results here ASAP


many thanks for the help

randytoni Wed, 03/07/2007 - 08:58

I'm at the point where I have a single device (router) defined as the source - that router syslogs to Kiwi - Kiwi relays to MARS - MARS reports / alarms on the event with the original source/reporting device info intact. Most excellent.


Last remaining issue is a bulk load of several (similar) source devices - this is now causing me grief - I started another thread hoping for some feedback.


thanks very much for your replies and your help with this one


-randy

randytoni Tue, 03/06/2007 - 13:56

we use snare to push event logs from a couple of windows boxes but not (yet?) for relaying.


is this the same snare agent in both scenarios?


thanks

-randy

mhellman Tue, 03/06/2007 - 14:09

I would recommend opening a service request with Cisco and really trying to get this working before going the Snare route. I'm not exactly sure how that would work but either way it adds [what should be] unnecessary complexity. Snare itself has plenty of problems.

mhellman Wed, 03/07/2007 - 06:23

We're not on the same page. I'm not even sure what you're talking about with respect to Snare. Snare is typically used to forward [via syslog] events from a single reporting device, like a windows box. The OP is talking about forwarding events from an already existing syslog server (one that receives events from many devices already). AFAICT, Cisco only supports syslog forwarding from syslog-ng and kiwi.
