Syslog Integration

Observium can collect syslog from devices through rsyslogd or syslog-ng. Capture works by having the syslog daemon run Observium's syslog.php script and feed each message to it on stdin, formatted by a template into a fixed set of fields separated by "||".

Rsyslogd

Check the rsyslogd version first, because the configuration syntax differs between 7.x and 8.x:

rsyslogd -v

To receive remote syslog over UDP, uncomment or add these two lines in /etc/rsyslog.conf:

$ModLoad imudp
$UDPServerRun 514

Plain UDP syslog carries no authentication and its source address is trivially spoofed, so restrict who can reach port 514 (a host firewall rule, or rsyslog's $AllowedSender directive) to the management network your devices log from.

To redirect logs from rsyslog to Observium:

  • create the file (as root):
    sudo touch /etc/rsyslog.d/30-observium.conf
  • add the block below that matches your rsyslog version to /etc/rsyslog.d/30-observium.conf:

Rsyslog v8 and later

This configuration is for rsyslog 8.x and later; a separate configuration for 7.x and earlier follows below. The input() statement creates the UDP listener itself and binds it to the observium ruleset, so if /etc/rsyslog.conf already contains a $UDPServerRun 514 line, remove it: only one listener should own port 514, otherwise remote messages may end up in the default ruleset instead of the observium one.

#---------------------------------------------------------
#send remote logs to observium

# Line format expected by syslog.php: eight fields separated by "||"
template(name="observium"
         type="string"
         string="%fromhost%||%syslogfacility%||%syslogpriority%||%syslogseverity%||%syslogtag%||%$year%-%$month%-%$day% %timereported:8:25%||%msg%||%programname%\n")

# Output module that pipes messages to an external program
$ModLoad omprog

# rsyslog Input Modules: the UDP listener is bound directly to the observium ruleset
input(type="imudp"
      port="514"
      ruleset="observium")

# rsyslog RuleSets: everything received on the listener above goes only to syslog.php
ruleset(name="observium") {
    action(type="omprog"
           binary="/opt/observium/syslog.php"
           template="observium")
}

# Remote messages never enter the default ruleset, so no "stop" is needed for them.
# A "*.* stop" at this point acts on the default ruleset and, because this file
# sorts before the distribution's default rules (e.g. 50-default.conf on Debian/Ubuntu),
# would discard local messages before they reach /var/log. Leave it commented out.
# *.* stop
#---------------------------------------------------------

Rsyslog v7 and earlier

This configuration is for rsyslog 7.x and earlier; use the 8.x configuration above for newer versions. It relies on the $UDPServerRun 514 listener from /etc/rsyslog.conf and selects its messages by input name.

#---------------------------------------------------------
#send remote logs to observium

# Same eight "||"-separated fields as the v8 template
$template observium,"%fromhost%||%syslogfacility%||%syslogpriority%||%syslogseverity%||%syslogtag%||%$year%-%$month%-%$day% %timereported:8:25%||%msg%||%programname%\n"
$ModLoad omprog
$ActionOMProgBinary /opt/observium/syslog.php

# Every message that arrived through the imudp listener is piped to syslog.php ...
:inputname, isequal, "imudp" :omprog:;observium

# ... and then discarded, so it is not also written to the local log files
& ~
# & stop
#---------------------------------------------------------

This loads the omprog module, defines a $template that produces the same field layout as the syslog-ng template below, and pipes every message received from the network to Observium's syslog.php.

NOTE: on rsyslog 7.x you may see this warning:

rsyslogd: warning: ~ action is deprecated, consider using the 'stop' statement instead [try http://www.rsyslog.com/e/2307 ]

In that case replace '& ~' with the stop action:

    & stop
  • Validate the configuration, then restart rsyslog:
    sudo rsyslogd -N1
    sudo service rsyslog restart
  • Don't forget to enable syslog in Observium's config.php:
    $config['enable_syslog']                = 1; // Enable Syslog

Match syslog hostname/ip with device

  • FQDN hostname

NOTE: by default rsyslog uses short (non-FQDN) hostnames, but Observium matches on the device's fully qualified name. To enable FQDN hostnames, add this to the main rsyslog config /etc/rsyslog.conf:

 # Always use full names with domain part
 $PreserveFQDN on
  • Match by IP

If your DNS PTR records do not match the actual hostnames, or you simply want to associate devices by IP, replace %fromhost% with %fromhost-ip% in the $template. Both properties are derived from the address the packet actually came from (%fromhost% is its reverse lookup), unlike %hostname%, which is the HOSTNAME field written by the sender and therefore whatever the sender chooses to put there; for attribution that is the safer choice. For IP matching to work, make sure the IP addresses are already discovered for the device, on the page: device -> Ports -> IPv4 (or IPv6) addresses.

  • Mapping unknown hosts

To map syslog hosts that Observium does not recognise to devices, add host_map entries to your config as in the example below. The key is the unknown syslog host as it appears in the first template field; the value is either a device_id or a hostname that Observium already knows.

// Mapping (unknown) syslog hosts to device (id or hostname)
$config['syslog']['host_map']['localhost'] = 'my.device.name'; // device hostname/sysname
$config['syslog']['host_map']['127.0.0.1'] = 1;                // or device id
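The rsyslog and syslog-ng templates on this page both emit one line per message with eight "||"-separated fields, and the host_map above resolves hosts that Observium does not know. The following Python block is an added example, not Observium's syslog.php or any other project code: it parses such lines, taking care of a message body that itself contains "||", and applies a host_map lookup that emulates the documented behaviour. The device names, device ids and log lines are constructed for the demo; pointing the omprog action or syslog-ng program() destination at a script that appends stdin to a file gives you real lines to feed it when verifying a new collector.

```python
# Added example, not part of Observium: reader for the "||"-delimited lines that the
# rsyslog/syslog-ng templates hand to syslog.php, plus an emulation of the documented
# $config['syslog']['host_map'] lookup. All names, ids and lines below are constructed.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple, Union

SEP = "||"
# Field order fixed by the template strings:
#   fromhost || facility || priority || severity || tag || timestamp || msg || program
FIELD_COUNT = 8


@dataclass
class SyslogRecord:
    host: str
    facility: str
    priority: str
    severity: str
    tag: str
    timestamp: str
    msg: str
    program: str


def parse_line(line: str) -> SyslogRecord:
    """Split one template line into its eight fields.

    The message body is free text and may itself contain "||", so only the first
    six separators are trusted; the program name is then taken from the right-hand
    end, since it is a plain identifier that never contains the separator.
    """
    line = line.rstrip("\n")
    head = line.split(SEP, FIELD_COUNT - 2)  # six splits -> six fixed fields + remainder
    if len(head) != FIELD_COUNT - 1:
        raise ValueError(f"expected {FIELD_COUNT} fields, got {len(head)}: {line!r}")
    msg, sep, program = head[6].rpartition(SEP)
    if not sep:
        raise ValueError(f"missing program field: {line!r}")
    return SyslogRecord(*head[:6], msg, program)


HostMapTarget = Union[int, str]


def resolve_device(host: str,
                   known_devices: Dict[str, int],
                   host_map: Dict[str, HostMapTarget]) -> Optional[int]:
    """Return the device id for a syslog host, or None if it cannot be attributed.

    known_devices maps Observium hostnames/sysnames to device ids. A host that is
    already known is used as-is; otherwise host_map is consulted, whose value is
    either a device id or the hostname of a known device (as documented above).
    """
    if host in known_devices:
        return known_devices[host]
    target = host_map.get(host)
    if target is None:
        return None
    if isinstance(target, int):
        return target
    return known_devices.get(target)


# Constructed inventory and host_map, mirroring the config.php example above.
KNOWN_DEVICES = {"sw1.example.net": 1, "rtr1.example.net": 2}
HOST_MAP: Dict[str, HostMapTarget] = {
    "localhost": "sw1.example.net",     # map by known hostname
    "192.0.2.7": 2,                     # map by device id
    "ghost": "nobody.example.net",      # points at a hostname Observium does not know
}

# Constructed sample lines in the exact template layout (second one has "||" in msg).
SAMPLE_LINES = [
    "sw1.example.net||4||6||6||sshd[2201]:||2024-03-01 10:15:02||Accepted publickey for admin from 192.0.2.10 port 51022||sshd",
    "192.0.2.7||23||5||5||cli:||2024-03-01 10:15:03||command: show running-config || more||cli",
    "localhost||1||6||6||cron[13]:||2024-03-01 10:15:04||(root) CMD (run-parts /etc/cron.hourly)||cron",
]


def demo(lines: List[str] = SAMPLE_LINES) -> List[Tuple[str, str, Optional[int]]]:
    """Parse each line and attribute it; returns (program, msg, device_id) per line."""
    out = []
    for line in lines:
        rec = parse_line(line)
        out.append((rec.program, rec.msg, resolve_device(rec.host, KNOWN_DEVICES, HOST_MAP)))
    return out


if __name__ == "__main__":
    for program, msg, device_id in demo():
        print(f"device={device_id} program={program} msg={msg}")
```

Note that the third and fourth fields are not typed here on purpose: the rsyslog template emits numeric values for them, while the syslog-ng template emits $LEVEL_NUM followed by the textual $LEVEL, so anything consuming these lines should not assume one daemon's encoding.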

Warning

After changing any rsyslog configs or syslog related configs in Observium you must reload (or restart) the rsyslog service to apply the changes.

sudo service rsyslog reload

Syslog-ng

Make sure these options are set:

 options {
    chain_hostnames(0);
    keep_hostname(1);
    use_dns(no);
 };

With keep_hostname(1) and use_dns(no), the $HOST used to match the device is the hostname the sending device wrote into the message, not a reverse lookup of the source address, so the device must be configured to send the same name it has in Observium. Use this as the destination in syslog-ng.conf, changing the syslog.php path to match your installation:

 source s_net {
    udp();
 };

 destination d_observium {
    program("/opt/observium/syslog.php" template("$HOST||$FACILITY||$LEVEL_NUM||$LEVEL||$TAG||$YEAR-$MONTH-$DAY $HOUR:$MIN:$SEC||$MSG||$PROGRAM\n") template-escape(yes));
 };
 log {
    source(s_net);
    destination(d_observium);
 };

Don't forget to enable syslog in Observium's config.php:

$config['enable_syslog']                = 1; // Enable Syslog

Then restart syslog-ng:

sudo service syslog-ng restart