kiwi syslog forwarding making me crazy

randytoni
Level 1

hi -

I have a Kiwi syslog server set up in MARS as a generic syslog relay.

According to the latest (Dec 06?) MARS docs, this is how the Kiwi server itself should be configured to then forward messages to MARS:

Send with RFC 3164 header information: Selected

Retain the original source address of the message: Cleared

If I set either (or both) of these options as outlined in the doc, none of the syslog messages that arrive at Kiwi appear to get sent to / processed by MARS.

If I clear the RFC 3164 header field, and pick the option to retain the original source address, the messages show up on MARS when I query the device (i.e. the syslog relay).

I did set up the sender (a Cisco router) as a reporting device in MARS - the syslogs arrive at Kiwi, but I only see them on MARS if I do exactly the opposite of what the manual says on the Kiwi side.

?????

what am I missing? What is MARS expecting to see from Kiwi?

thanks

-randy


13 Replies

mhellman
Level 7

I didn't read your message well enough. It's probably normal that when you don't include the header field that the events show up as coming from the kiwi server. It looks like the header field is used by csmars to determine which reporting device originated the message.

Use the settings outlined in the guide:

http://www.cisco.com/en/US/products/ps6241/products_user_guide_chapter09186a008075038a.html#wp1275264

then start troubleshooting. Make sure you "activate" any device changes (i.e. when modifying the Kiwi reporting device or adding a router reporting device).

thanks - but that's the same doc I followed.

I cannot seem to get MARS to accept / parse the events from Kiwi properly.

When you use the settings provided in the doc:

have you verified that the events are being forwarded? Log into the CSMARS via SSH and use tcpdump:

[pnadmin] tcpdump host and port 514

Do the events show up in an "unknown event report" query? What do they look like?

in the process of trying that now - thanks for the help....

got a couple events showing up with query on "unknown reporting device":

eg:

"unknown reporting IP: 172.22.0.49, <157>Mar 6 14:56:48 172.22.0.49 Ki?wi_Syslog_Daemon %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Ac?cess1, changed state to up"

so they are showing up at MARS as "unknowns" -- it appears that Kiwi adds the timestamp and hostname info e.g. "Mar 6 14:56:48 172.22.0.49 Ki?wi_Syslog_Daemon" to the message.

So defining a reporting device based on the IP shown in the add'l header (the original source IP) should be all I need to do (tried this but will have to troubleshoot some more...)
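An added example, not code from this thread or from Cisco or Kiwi, that shows why the RFC 3164 header setting matters to the receiver: with the header present the HOSTNAME field names the originating device, without it the receiver can only fall back to the packet's source address, which is the relay. The relay address 172.22.0.49 is the one quoted in the thread; the router address 10.0.0.1 is an assumed value.

```python
import re

# Constructed samples modelled on the line quoted in this thread. The relay
# address is the one from the thread; the router address is an assumption.
RELAY_IP = "172.22.0.49"
ROUTER_IP = "10.0.0.1"
MSG = "%LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access1, changed state to up"
WITH_HEADER = f"<157>Mar  6 14:56:48 {ROUTER_IP} Kiwi_Syslog_Daemon {MSG}"
WITHOUT_HEADER = f"<157>{MSG}"

# RFC 3164 layout: PRI, TIMESTAMP (Mmm dd hh:mm:ss, day space-padded), HOSTNAME, then MSG.
HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<body>.*)$",
    re.DOTALL,
)
PRI_RE = re.compile(r"^<(?P<pri>\d{1,3})>(?P<body>.*)$", re.DOTALL)


def parse_relayed(raw: str, transport_source: str) -> dict:
    """Parse one relayed syslog line. The origin is the HOSTNAME field when an
    RFC 3164 header is present; otherwise the only origin the receiver can
    attribute is the transport source address, i.e. the relay itself."""
    m = HEADER_RE.match(raw)
    header_present = m is not None
    if m is None:
        m = PRI_RE.match(raw)
        if m is None:
            raise ValueError("no PRI field: %r" % raw)
    pri = int(m.group("pri"))
    if pri > 191:  # 23 facilities * 8 severities - 1 is the largest legal PRI
        raise ValueError("PRI out of range: %d" % pri)
    return {
        "facility": pri // 8,
        "severity": pri % 8,
        "header_present": header_present,
        "origin": m.group("host") if header_present else transport_source,
        "body": m.group("body"),
    }


def reporting_device(raw: str, transport_source: str, known: set) -> str:
    """Mimic the receiver's lookup: a defined reporting device, or 'unknown'."""
    origin = parse_relayed(raw, transport_source)["origin"]
    return origin if origin in known else f"unknown reporting IP: {origin}"


if __name__ == "__main__":
    print(reporting_device(WITH_HEADER, RELAY_IP, {ROUTER_IP}))     # 10.0.0.1
    print(reporting_device(WITHOUT_HEADER, RELAY_IP, {ROUTER_IP}))  # unknown reporting IP: 172.22.0.49
```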

That's the theory anyway. Make sure you click activate after adding the device. You should test with a device you know you can force events on (via failed login, whatever). I see you're having a similar issue where strange characters are showing up in the output (see the "?" characters). I don't know if this has an impact or not, but I've seen it before in our MARS as well.

yeah not sure what's up with the add'l characters - hope that's not a symptom of some other weirdness on MARS

I'll try again to set up a source device and see what happens from there - I'll post the results here ASAP

many thanks for the help

I'm at the point where I have a single device (router) defined as the source - that router syslogs to Kiwi - Kiwi relays to MARS - MARS reports / alarms on the event with the original source / reporting device info intact. Most excellent.

Last remaining issue is a bulk load of several (similar) source devices - this is now causing me grief - I started another thread hoping for some feedback.

thanks very much for your replies and your help with this one

-randy

info
Level 1

Yeah, I had pretty much the same issue. I switched to SNARE and forwarded the logs without a hitch.

we use snare to push event logs from a couple of windows boxes but not (yet?) for relaying.

is this the same snare agent in both scenarios?

thanks

-randy

I would recommend opening a service request with Cisco and really trying to get this working before going the Snare route. I'm not exactly sure how that would work but either way it adds [what should be] unnecessary complexity. Snare itself has plenty of problems.

So are you saying that Kiwi is the best option and not Snare? Please elaborate on specifics, because if that's the case then I would not mind using Kiwi if he can get it to work properly also.

We're not on the same page. I'm not even sure what you're talking about with respect to Snare. Snare is typically used to forward [via syslog] events from a single reporting device, like a windows box. The OP is talking about forwarding events from an already existing syslog server (one that receives events from many devices already). AFAICT, Cisco only supports syslog forwarding from syslog-ng and kiwi.
