Zabbix Syslog Integration (with rsyslog)
Scripts to get Syslog (protocol) messages into Zabbix from network devices, servers and others.
Features include:
As a bonus, the script zabbix_syslog_create_urls.pl can be used (and scheduled in cron for regular map link updates) to append a direct link to the map host menu for reading Syslog item values for each host that has syslog.
The script does not rewrite existing host links; it only appends to the list. The link is added only to hosts that have an item with key 'syslog'.
The script is written in Perl and you will need common modules in order to run it:
LWP
JSON::XS
Config::General
There are numerous ways to install them:
In Debian | In Centos | using CPAN | using cpanm |
---|---|---|---|
apt-get install libwww-perl libjson-xs-perl libconfig-general-perl | yum install perl-JSON-XS perl-libwww-perl perl-LWP-Protocol-https perl-Config-General | PERL_MM_USE_DEFAULT=1 perl -MCPAN -e 'install Bundle::LWP' and PERL_MM_USE_DEFAULT=1 perl -MCPAN -e 'install JSON::XS' and PERL_MM_USE_DEFAULT=1 perl -MCPAN -e 'install Config::General' | cpanm install LWP and cpanm install JSON::XS and cpanm install Config::General |
mkdir -p /etc/zabbix/scripts
cp zabbix_syslog_create_urls.pl /etc/zabbix/scripts/zabbix_syslog_create_urls.pl
chmod +x /etc/zabbix/scripts/zabbix_syslog_create_urls.pl
cp zabbix_syslog_lkp_host.pl /etc/zabbix/scripts/zabbix_syslog_lkp_host.pl
chmod +x /etc/zabbix/scripts/zabbix_syslog_lkp_host.pl
mkdir /etc/zabbix/scripts/lib
cp lib/ZabbixAPI.pm /etc/zabbix/scripts/lib
cp zabbix_syslog.cfg /etc/zabbix/zabbix_syslog.cfg
sudo chown zabbix:zabbix /etc/zabbix/zabbix_syslog.cfg
sudo chmod 700 /etc/zabbix/zabbix_syslog.cfg
Edit /etc/zabbix/zabbix_syslog.cfg
The next file updates syslog map links once a day. Copy it to your zabbix-server:
cp cron.d/zabbix_syslog_create_urls /etc/cron.d
Add the file /etc/rsyslog.d/zabbix_rsyslog.conf with contents:
# provides UDP syslog reception
$ModLoad imudp
$UDPServerRun 514
#enables omprog module
$ModLoad omprog
$template RFC3164fmt,"<%PRI%>%TIMESTAMP% %HOSTNAME% %syslogtag%%msg%"
$template network-fmt,"%TIMESTAMP:::date-rfc3339% [%fromhost-ip%] %pri-text% %syslogtag%%msg%\n"
#exclude unwanted messages(examples):
:msg, contains, "Child connection from" stop
:msg, contains, "exit after auth (ubnt): Disconnect received" stop
:msg, contains, "password auth succeeded for 'ubnt' from" stop
:msg, contains, "exit before auth: Exited normally" stop
if $fromhost-ip != '127.0.0.1' then {
action(type="omprog" binary="/etc/zabbix/scripts/zabbix_syslog_lkp_host.pl" template="network-fmt")
stop
}
(also check your firewall for UDP/514 btw)
...and restart rsyslog
service rsyslog restart
Import the syslog template and attach it to the hosts from which you expect syslog messages to come.
NOTE: you can use your admin user for testing.
It is recommended to create a separate user to retrieve hostnames and check that syslog items exist via the Zabbix API.
A simple user with READ permissions for each host group should be enough.
If you use the map context menu script zabbix_syslog_create_urls.pl, then also check for write permissions to maps.
Make sure that the script /etc/zabbix/scripts/zabbix_syslog_lkp_host.pl is executable under the rsyslog system user.
Run it by hand to see that all Perl modules are available under that user (probably root).
Do the following test:
root (or user that runs rsyslog):
echo "2017-12-19T09:26:26.314936+03:00 [127.0.0.1] syslog.info SysLogTest[4616]Test syslog message" | /etc/zabbix/scripts/zabbix_syslog_lkp_host.pl
then check that this message can be found in item with key = syslog.
rsyslogd -n
logger -n 192.168.56.15
hello world
[root@zabbix-lab vagrant]# rsyslogd -n
rsyslogd: error during config processing: STOP is followed by unreachable statements! [v8.24.0 try http://www.rsyslog.com/e/2207 ]
Can't locate ZabbixAPI.pm in @INC (@INC contains: /etc/zabbix/scripts/lib /usr/local/lib64/perl5 /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 .) at /etc/zabbix/scripts/zabbix_syslog_lkp_host.pl line 11.
BEGIN failed--compilation aborted at /etc/zabbix/scripts/zabbix_syslog_lkp_host.pl line 11.
rsyslogd: Child 15334 has terminated, reaped by main-loop. [v8.24.0 try http://www.rsyslog.com/e/0
If this doesn't help, then try again this time running rsyslogd in the debug mode:
rsyslogd -dn
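
The network-fmt template in zabbix_rsyslog.conf fixes the layout of every line that omprog hands to the helper on STDIN, and the tag and message part of that line is whatever the sending device put on the wire. The Perl example below is added here for illustration and is not the project's zabbix_syslog_lkp_host.pl: it parses that layout, rejects lines whose bracketed address is not a valid IP before it would be used for a host lookup, and strips control characters from the message. The function name parse_network_fmt and all sample lines except the first are assumptions made for this example.

```perl
#!/usr/bin/perl
# Added example (not the project's code): parse one line in the network-fmt
# layout, as rsyslog's omprog action writes it to a helper's STDIN.
use strict;
use warnings;
use Socket qw(inet_pton AF_INET AF_INET6);

# Returns a hashref of fields, or undef if the line must be dropped.
sub parse_network_fmt {
    my ($line) = @_;
    chomp $line;
    my ($ts, $ip, $pri, $msg) = $line =~ m{
        \A (\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d(?:\.\d+)?(?:Z|[+-]\d\d:\d\d))  # RFC 3339 timestamp
        [ ] \[ ([0-9A-Fa-f:.]{2,45}) \]            # source address in brackets
        [ ] ([a-z0-9]+\.[a-z]+) (?:<\d{1,3}>)?     # pri-text, numeric PRI optional
        [ ] (.*) \z                                # syslogtag followed by msg
    }xs or return;

    # The regex only limits the character set; inet_pton decides validity.
    return unless defined(inet_pton(AF_INET, $ip))
               || defined(inet_pton(AF_INET6, $ip));

    # Tag and message are sender-controlled: strip control characters
    # (tab excepted) before the text is stored or displayed.
    $msg =~ tr/\x00-\x08\x0a-\x1f\x7f//d;

    return { timestamp => $ts, ip => $ip, pri => $pri, message => $msg };
}

# Sample input: the first line is the test message from this page,
# the others are constructed for this example.
my @samples = (
    '2017-12-19T09:26:26.314936+03:00 [127.0.0.1] syslog.info SysLogTest[4616]Test syslog message',
    '2017-12-19T09:26:28Z [2001:db8::1] daemon.notice<29> ntpd[7]: clock synchronized',
    '2017-12-19T09:26:27+03:00 [192.168.56.300] local0.err sshd[99]: octet out of range',
    'Dec 19 09:26:26 router1 sshd[99]: line in a different template',
);

for my $line (@samples) {
    if (my $f = parse_network_fmt($line)) {
        print "OK   ip=$f->{ip} pri=$f->{pri} msg=$f->{message}\n";
    } else {
        print "DROP $line\n";
    }
}
```

The first two sample lines are accepted; the third is dropped because 192.168.56.300 is not a valid address, and the fourth because it does not follow the network-fmt layout.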