Syslog severity in Netsight


My idea was to create a severity alarm based on syslog messages in ECM. But I noticed that all syslog messages are logged and displayed with one severity, INFO. Severity is coded in the first 3 bits of every syslog message, but ECM is ignoring the original severity.
Is there any explanation for such behavior?
Can ECM log syslog messages with original severity?

Thanks for your advice.


Hi Marius,

This is a bug in the /etc/rsyslog.conf file which will be fixed in an upcoming release.

If you edit the /etc/rsyslog.conf file and find the line:

$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

and replace it with:

# Use precise instead
$template precise,"<%syslogpriority%>%timegenerated% %HOSTNAME% %syslogtag% %msg%\n"
$ActionFileDefaultTemplate precise

and then run:

service rsyslog restart

your /var/log/syslog files should have the following format with the severity in the first 3 characters:

<6>Nov 23 14:17:01 netsight147-11 CRON[182011]: (root) CMD ( cd / && run-parts --report /etc/cron.hourly)
<6>Nov 23 14:17:02 netsight147-11 CRON[182007]: (CRON) info (No MTA installed, discarding output)

Please let us know how it goes.

Thanks

Mike Butterfield
Hey Marius,

I've tried it and now I see the severity number in front of the message...

Could you also fix it so that the facility information is used?

My WLAN controller has the following syslog settings.
i.e. Station Events should use facility local.1
Trace from a packet that is transmitted by the controller = local.1 for station events

This is what I get in the EMC syslog...
<6>Nov 23 21:15:58 172.24.24.101 events: EventType[Registration] MAC[84:18:26:7C:1C:2B] AP[AP3825i] SSID[Home] BSSID[D8:84:66:02:DF:E8] Details: Radio[2]

It would be great to also have that information in EMC and be able to filter on it, so that I'd only see, e.g., my station events = local.1

Thanks,
Ron
EMC is still showing all messages as severity Info even though I have some with <3>, which should be Error.

<3>Nov 23 21:59:17 172.24.24.101 events: Radar Analysis Engine Security threat [Unauthorized Bridging] detected by AP [AP3935-2], SN [1628Y-1033100000]. Details: state [inactive], location [Home], channel [6], frequency [2437MHz], associated MAC [A4:B1:E9:43:C3:1F], RSS [-85], description [Potential unauthorized AP active - WPS-enabled AP operating in vicinity] 1

<3>Nov 23 21:59:47 172.24.24.101 events: Radar Analysis Engine Security threat [Unauthorized Bridging] detected by AP [AP3935-2], SN [1628Y-1033100000]. Details: state [active], location [Home], channel [6], frequency [2437MHz], associated MAC [A4:B1:E9:43:C3:1F], RSS [-85], description [Potential unauthorized AP active - WPS-enabled AP operating in vicinity] 1
I'm running EMC 7.0.6.27 and also tried it after a ./stopserver & ./startserver
Hello,
I tried to modify rsyslog.conf.
I got the severity in the first 3 characters of messages in the syslog file. But unfortunately ECM doesn't show these messages in SYSLOG events.
Example of syslog file:
<6>Nov 24 09:14:18 Fima-03 AAA: Login passed for user admin through xml (172.16.69.100)
<6>Nov 24 09:14:20 Fima-03 AAA: User admin logout from xml (172.16.69.100)
<4>Nov 24 09:16:09 172.16.69.6 snmp: SNMP Security access violation from 172.16.100.69
Hi Marius,

Can you let me know what your Netsight version is?

Thanks,
Suresh.B
Hi Suresh,

I am currently testing on ECM 7.0.4.29

Thanks,
Marius
I made two modifications and I get the syslog severity in EMC syslog events:
1. Changed the separator symbol from <> to a space:
#$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
and replace it with:

# Use precise instead
$template precise,"%syslogpriority% %timegenerated% %HOSTNAME% %syslogtag% %msg%\n"

$ActionFileDefaultTemplate precise

2. Modified the pattern for Log Manager Parameters - SYSLOG (Event View Manager): added the field %sevint% with \w separators to the standard Ubuntu pattern:
%sevint%\w%month%\w%day%\w%time%\w%src%\w%info%

It works.

It would be useful if it were possible to use different patterns for device groups. How can this be managed?
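An added Python example (not from this thread, and not Netsight/ECM or rsyslog code) that does on the client side what the posts above describe: it parses both line shapes produced by the two rsyslog templates (Mike's "<6>..." severity-in-brackets form and Marius's "6 ..." space-separated form), decodes a raw wire PRI into facility and severity for the local.1 station-event case Ron asks about (the "<142>" line is constructed, not from the thread), and keeps only the events at err or worse that an alarm would care about. The regex, the RFC 5424 name tables and the helper names are my assumptions.

```python
import re

# Numeric severity and facility names as listed in RFC 5424 (same values as BSD syslog).
SEVERITY_NAMES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
FACILITY_NAMES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
                  "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
                  "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]

# Assumed line shape, matching the thread's samples: a leading number either in angle
# brackets ("<6>Nov 23 ...") or followed by a space ("6 Nov 24 ..."), then the BSD
# timestamp, host, syslogtag (with its colon) and the message.
LINE_RE = re.compile(
    r"^(?:<(?P<br>\d{1,3})>|(?P<bare>\d{1,3}) )"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<tag>\S+) (?P<msg>.*)$")


def split_pri(pri: int):
    """Decode a wire PRI into (facility, severity): facility = pri >> 3, severity = low 3 bits."""
    if not 0 <= pri <= 191:          # 23 facilities * 8 + 7 is the highest legal PRI
        raise ValueError(f"PRI out of range: {pri}")
    return pri >> 3, pri & 0x7


def parse_line(line: str, full_pri: bool = False) -> dict:
    """Parse one log line. full_pri=True treats the leading number as the wire PRI
    (facility*8 + severity); the default treats it as the severity the template already
    reduced it to, which is what the modified rsyslog templates write."""
    m = LINE_RE.match(line)
    if m is None:
        raise ValueError(f"unrecognised syslog line: {line!r}")
    num = int(m.group("br") or m.group("bare"))
    if full_pri:
        facility, severity = split_pri(num)
    else:
        facility, severity = None, num
        if severity > 7:
            raise ValueError(f"severity out of range: {severity}")
    return {
        "severity": severity, "severity_name": SEVERITY_NAMES[severity],
        "facility": facility,
        "facility_name": FACILITY_NAMES[facility] if facility is not None else None,
        "timestamp": m.group("ts"), "host": m.group("host"),
        "tag": m.group("tag"), "msg": m.group("msg"),
    }


def alarm_candidates(lines, worst_allowed: int = 3, full_pri: bool = False):
    """Return the parsed events at severity err (3) or worse; lower number = more severe."""
    events = (parse_line(line, full_pri) for line in lines)
    return [e for e in events if e["severity"] <= worst_allowed]
```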
Marius Matijosius wrote:

I made two modifications and I get the syslog severity in EMC syslog events:
1. Changed the separator symbol from <> to a space:
#$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
and replace it with:

# Use precise instead
$template precise,"%syslogpriority% %timegenerated% %HOSTNAME% %syslogtag% %msg%\n"

$ActionFileDefaultTemplate precise

2. Modified the pattern for Log Manager Parameters - SYSLOG (Event View Manager): added the field %sevint% with \w separators to the standard Ubuntu pattern:
%sevint%\w%month%\w%day%\w%time%\w%src%\w%info%

It works.

It would be useful if it were possible to use different patterns for device groups. How can this be managed?

Could you explain where to add/change the line for 2. - I don't get it.

Thanks
Marius Matijosius wrote:

I made two modifications and I get the syslog severity in EMC syslog events:
1. Changed the separator symbol from <> to a space:
#$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
and replace it with:

# Use precise instead
$template precise,"%syslogpriority% %timegenerated% %HOSTNAME% %syslogtag% %msg%\n"

$ActionFileDefaultTemplate precise

2. Modified the pattern for Log Manager Parameters - SYSLOG (Event View Manager): added the field %sevint% with \w separators to the standard Ubuntu pattern:
%sevint%\w%month%\w%day%\w%time%\w%src%\w%info%

It works.

It would be useful if it were possible to use different patterns for device groups. How can this be managed?

Hello,
These are the instructions for step 2:
Netsight Console
Tools tab / Alarm event / Event View Manager
Available log managers / Syslog - Edit
Pattern - Config
Create a new custom pattern configuration - enter the name and pattern:
%sevint%\w%month%\w%day%\w%time%\w%src%\w%info%
OK / Apply.
Marius Matijosius wrote:

I made two modifications and I get the syslog severity in EMC syslog events:
1. Changed the separator symbol from <> to a space:
#$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
and replace it with:

# Use precise instead
$template precise,"%syslogpriority% %timegenerated% %HOSTNAME% %syslogtag% %msg%\n"

$ActionFileDefaultTemplate precise

2. Modified the pattern for Log Manager Parameters - SYSLOG (Event View Manager): added the field %sevint% with \w separators to the standard Ubuntu pattern:
%sevint%\w%month%\w%day%\w%time%\w%src%\w%info%

It works.

It would be useful if it were possible to use different patterns for device groups. How can this be managed?

Thanks a lot... works like a charm.
Release Notes 7.0.8.34
All syslog messages were displaying with a severity of Info, regardless of the severity with which they were configured. > 1144968

Thanks team !
