topic RE: Syslog severity in Netsight in ExtremeCloud IQ- Site Engine Management Center

Syslog severity in Netsight

Marius_Matijosi — Wed, 23 Nov 2016 14:53:00 GMT

My idea was to create severity alarm based on syslog messages i ECM. But I noticed that all syslog messages are logged and displayed with one severity INFO. Severity is coded in first 3 bits of every syslog message. But ECM is ignoring original severity.
Is there any explanation for such behavior?
Can ECM log syslog messages with original severity?

Thanks for your advices.

RE: Syslog severity in Netsight

Michael_Butterf — Thu, 24 Nov 2016 02:33:00 GMT

Hi Marius,

This is a bug in the /etc/rsyslog.conf file which will be fixed in an upcoming release.

If you edit the /etc/rsyslog.conf file and find the line:

$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

and replace it with:

# Use precise instead
$template precise,"<%syslogpriority%>%timegenerated% %HOSTNAME% %syslogtag% %msg%\n"
$ActionFileDefaultTemplate precise

and then run:

service rsyslog restart

your /var/log/syslog files should have the following format with the severity in the first 3 characters:

<6>Nov 23 14:17:01 netsight147-11 CRON[182011]: (root) CMD ( cd / && run-parts --report /etc/cron.hourly)
<6>Nov 23 14:17:02 netsight147-11 CRON[182007]: (CRON) info (No MTA installed, discarding output)

Please let us know how it goes.

Thanks

Mike Butterfield

RE: Syslog severity in Netsight

Ronald_Dvorak — Thu, 24 Nov 2016 03:31:00 GMT

Hey Marius,

I've tried it and now I'd see the severity# in front of the message....

Could you also fix it that the facility information is used.

My WLAN controller has the following syslog settings.
i.e. Station Events should use facility local.1

Trace from a packet that is tx by the controller = local.1 for a station events

This is what I get in the EMC syslog...
<6>Nov 23 21:15:58 172.24.24.101 events: EventType[Registration] MAC[84:18:26:7C:1C:2B] AP[AP3825i] SSID[Home] BSSID[D8:84:66:02:DF:E8] Details: Radio[2]

It would be great to also have that information in EMC and be able to filter on it so i.e. I'd only see my station events = local.1

Thanks,
Ron

RE: Syslog severity in Netsight

Ronald_Dvorak — Thu, 24 Nov 2016 04:07:00 GMT

EMC is still showing all messages as severity info even I've some with <3> which should be Error.

<3>Nov 23 21:59:17 172.24.24.101 events: Radar Analysis Engine Security threat [Unauthorized Bridging] detected by AP [AP3935-2], SN [1628Y-1033100000]. Details: state [inactive], location [Home], channel [6], frequency [2437MHz], associated MAC [A4:B1:E9:43:C3:1F], RSS [-85], description [Potential unauthorized AP active - WPS-enabled AP operating in vicinity] 1

<3>Nov 23 21:59:47 172.24.24.101 events: Radar Analysis Engine Security threat [Unauthorized Bridging] detected by AP [AP3935-2], SN [1628Y-1033100000]. Details: state [active], location [Home], channel [6], frequency [2437MHz], associated MAC [A4:B1:E9:43:C3:1F], RSS [-85], description [Potential unauthorized AP active - WPS-enabled AP operating in vicinity] 1

I'm running EMC 7.0.6.27 and also tried it after a ./stopserver & ./startserver

RE: Syslog severity in Netsight

Marius_Matijosi — Thu, 24 Nov 2016 14:31:00 GMT

Hello,
i tried to modify rsyslog.conf.
I got severity in 3 first characters of messages in syslog file. But unfortunately ECM doesn't show these messages in SYSLOG events.
ex. of syslog file:
<6>Nov 24 09:14:18 Fima-03 AAA: Login passed for user admin through xml (172.16.69.100)<6>Nov 24 09:14:20 Fima-03 AAA: User admin logout from xml (172.16.69.100)
<4>Nov 24 09:16:09 172.16.69.6 snmp: SNMP Security access violation from 172.16.100.69

RE: Syslog severity in Netsight

Bharathiraja__S — Thu, 24 Nov 2016 14:48:00 GMT

Hi Marius,

can you let me know what is your netsight version ?

Thanks,
Suresh.B

RE: Syslog severity in Netsight

Marius_Matijosi — Thu, 24 Nov 2016 17:57:00 GMT

Hi Suresh,

I am currently testing on ECM 7.0.4.29

Thanks,
Marius

RE: Syslog severity in Netsight

Marius_Matijosi — Thu, 24 Nov 2016 19:50:00 GMT

I made two modifications and I get syslog severity in EMC syslog events:
1 . Changed symbol of separator from <> to space :
#$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormatand replace it with:

# Use precise instead
$template precise,"%syslogpriority% %timegenerated% %HOSTNAME% %syslogtag% %msg%\n"

$ActionFileDefaultTemplate precise

2. Modified pattern for Log Manager Parameters -SYSLOG (Event View Manager) - added field %sevint% with separators \w to standard Ubuntu pattern :
%sevint%\w%month%\w%day%\w%time%\w%src%\w%info%

It works.

If there would be a possibility to use different patterns for device groups it would be useful. How to manage this issue?

RE: Syslog severity in Netsight

Ronald_Dvorak — Thu, 24 Nov 2016 19:50:00 GMT

Could you explain where to add/change the line for 2. - I don't get it.

Thanks

RE: Syslog severity in Netsight

Marius_Matijosi — Thu, 24 Nov 2016 19:50:00 GMT

Hello,
This is instruction for step 2:
Netsight Console
Tools tab /Alarm event/Event View Manager
Available log managers/Syslog -Edit
Pattern - Config
create new Custom pattern configuration - enter name and pattern:
%sevint%\w%month%\w%day%\w%time%\w%src%\w%info%
ok/apply.....

RE: Syslog severity in Netsight

Ronald_Dvorak — Thu, 24 Nov 2016 19:50:00 GMT

Thanks a lot... works like a charm.

RE: Syslog severity in Netsight

Ronald_Dvorak — Tue, 20 Dec 2016 01:24:00 GMT

Release Notes 7.0.8.34
All syslog messages were displaying with a severity of Info, regardlessof the severity with which they were configured. > 1144968

Thanks team !