OpenNMS Syslogd Configuration


I am trying to configure OpenNMS to receive Syslog messages from an ASA. My syslogd-configuration file looks like so:

<configuration
    syslog-port="514"
    new-suspect-on-message="false"
    parser="org.opennms.netmgt.syslogd.CustomSyslogParser"
    forwarding-regexp="((.+?) (.*))\r?\n?$"
    matching-group-host="2"
    matching-group-message="3"
    />

The syslog messages arrive in this format:

Sep 13 08:36:37 192.168.75.254 %ASA-4-106023: Deny tcp src outside:144.5.5.255/56607 dst inside:192.168.75.102/23 by access-group "outside_access_in" [0x0, 0x0]

With this config, I can get syslog messages into OpenNMS, but they come through as indeterminate. It seems as though this regex cannot parse. When I test this regex on websites like regex101.com, it clearly says that there is no match. I have created a regex that does match what I need:

\b(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\s*([\s\S]*)

BUT when I add this to the config, I no longer get any syslog messages at all.

Does anyone have an idea of how to make this happen? I have spent way too much time on this as it is.

2

There are 2 answers

0
Joe On BEST ANSWER

OK, so I seem to have figured this out. I am going to attempt to post a complete answer here, hoping that it helps someone out. The docs are not the clearest on this.

References I used for the configuration are Syslogd and TechTarget

First you need to set up $OPENNMS_HOME/etc/syslogd-configuration.xml to have the following:

<configuration
    syslog-port="10514"
    new-suspect-on-message="false"
    parser="org.opennms.netmgt.syslogd.CustomSyslogParser"
    forwarding-regexp="((.+?) (.*))\r?\n?$"
    matching-group-host="2"
    matching-group-message="3"
    />

<ueiList>
    <ueiMatch>
        <match type="regex" expression="YOUR REGEX HERE"/>
        <uei>uei.opennms.org/foo1/foo2/foo3</uei>
    </ueiMatch>
</ueiList>

The ueiList element was my first problem. This is where you actually map the syslog message to a custom UEI. The UEI can be customized to create any unique identifier you wish to have.

My second problem was with mapping the custom UEI to properties such as an alert level. This is accomplished through the $OPENNMS_HOME/etc/eventconf.xml file. I inserted the following code right below the </global> tag to configure properties for my new custom UEI.

<event>
    <uei>uei.opennms.org/foo1/foo2/foo3</uei>
    <event-label>Event Label Here</event-label>
    <descr>
        An event description here
    </descr>
    <logmsg dest='logndisplay'>Here is the Log: %parm[all]%</logmsg>
    <severity>Critical</severity>
</event>

With these in place, syslog messages should come in with the desired properties. NOTE: In my scenario I am using non-standard syslog messages, which is why I have to use the parser="org.opennms.netmgt.syslogd.CustomSyslogParser" setting in my syslogd-configuration.xml file. If you are using Syslog-NG or better-formatted syslog, there are other options.

To help with troubleshooting, you can go to $OPENNMS_HOME/etc or $OPENNMS_HOME/bin and run the following: opennms -v status. This should show you every running process for OpenNMS and its status.

NOTE: After changing a config file you must run service opennms restart (Debian systems) to reload the new configuration. If you get the JVM error or the "couldn't connect to local host" error, it is most likely because you broke one of these two configs. Even adding an extra space at the top of the XML file will create this problem. Use care when editing the files, and I highly recommend creating backups.
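To check the two forwarding regexes from the question and the ueiList/eventconf mapping from this answer without a running OpenNMS, here is an added Python model. It is not OpenNMS code and not part of the question or the answer: it applies a forwarding-regexp with the configured matching-group numbers to the sample ASA line, then runs the resulting message through a ueiList expression and the eventconf severity. The ASA-deny expression standing in for "YOUR REGEX HERE", the timestamp-stripped variant of the line, and the unanchored search are assumptions; the model does not reproduce whatever preprocessing the OpenNMS parser does before applying the regex.

```python
import re

# Constructed sample: the ASA message from the question, with its two
# wrapped lines joined back into one syslog message.
ASA_LINE = ('Sep 13 08:36:37 192.168.75.254 %ASA-4-106023: Deny tcp src '
            'outside:144.5.5.255/56607 dst inside:192.168.75.102/23 '
            'by access-group "outside_access_in" [0x0, 0x0]')
# Assumed variant: the same message with the leading timestamp removed, to show
# how the forwarding-regexp behaves once nothing precedes the host.
ASA_LINE_NO_TS = ASA_LINE[len('Sep 13 08:36:37 '):]

# forwarding-regexp values from the page: the one in syslogd-configuration.xml
# and the one the asker wrote.
DEFAULT_FORWARDING = r'((.+?) (.*))\r?\n?$'
ASKER_FORWARDING = r'\b(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\s*([\s\S]*)'


def split_host_message(regexp, line, host_group, message_group):
    """Model the forwarding-regexp / matching-group-host / matching-group-message
    attributes: the regex is applied to the line and the two configured capture
    groups become host and message.  Returns (host, message), or None when the
    regex does not match or when the configuration names a capture group the
    regex does not define (an out-of-range group, not a non-match)."""
    pat = re.compile(regexp)
    if host_group > pat.groups or message_group > pat.groups:
        return None
    m = pat.search(line)  # assumption: unanchored search, like Matcher.find()
    if m is None:
        return None
    return m.group(host_group), m.group(message_group)


# ueiList from the accepted answer, with a constructed expression in place of
# "YOUR REGEX HERE": match ASA deny messages by their message ID.
UEI_LIST = [
    (r'%ASA-4-106023:', 'uei.opennms.org/foo1/foo2/foo3'),
]

# The <event> from the accepted answer's eventconf.xml, reduced to the two
# properties this model uses.
EVENTCONF = {
    'uei.opennms.org/foo1/foo2/foo3': {
        'event-label': 'Event Label Here',
        'severity': 'Critical',
    },
}


def classify(message):
    """Model the ueiMatch step: the first ueiList expression that matches the
    message body picks the UEI, and eventconf.xml supplies the severity.  A
    message that no expression matches gets neither, so none of the custom
    properties from eventconf.xml apply to it (modelled here as Indeterminate)."""
    for expression, uei in UEI_LIST:
        if re.search(expression, message):
            return uei, EVENTCONF.get(uei, {}).get('severity', 'Indeterminate')
    return None, 'Indeterminate'


def process(line, regexp, host_group, message_group):
    """Run one syslog line through both steps.  Returns a dict with host,
    message, uei and severity, or None if the forwarding-regexp step failed."""
    split = split_host_message(regexp, line, host_group, message_group)
    if split is None:
        return None
    host, message = split
    uei, severity = classify(message)
    return {'host': host, 'message': message, 'uei': uei, 'severity': severity}


if __name__ == '__main__':
    cases = [
        ('default regexp, raw line', DEFAULT_FORWARDING, ASA_LINE, 2, 3),
        ('default regexp, timestamp stripped', DEFAULT_FORWARDING, ASA_LINE_NO_TS, 2, 3),
        ("asker's regexp, groups 2/3 from the config", ASKER_FORWARDING, ASA_LINE, 2, 3),
        ("asker's regexp, groups 1/2", ASKER_FORWARDING, ASA_LINE, 1, 2),
    ]
    for label, regexp, line, hg, mg in cases:
        print(f'{label}: {process(line, regexp, hg, mg)}')
```

Running it prints the four cases. With the default regexp on the raw line, the non-greedy `(.+?) ` stops at the first space, so group 2 is "Sep" rather than the IP; only once the timestamp is gone does group 2 become 192.168.75.254 and group 3 the %ASA message. The asker's regexp defines only two capture groups, so matching-group-message="3" names a group that does not exist; host and message can only be taken from it with matching-group-host="1" and matching-group-message="2". Whichever forwarding-regexp is used, the ueiList expression is tested against the message group, not the raw line, so it should be written against the %ASA-... body.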

2
indigo On

Just what I saw immediately: there is a typo in the parser attribute, "CustonSyslogParser" vs. "CustomSyslogParser". Just to make sure you don't have another problem here :)

Otherwise, there are two components which come into play:

  • An event definition, which is the result of mapping the Syslog message into an OpenNMS event
  • The Syslog parsing rule, which identifies the Syslog message and maps it to the given OpenNMS event definition

You should have a look at the Postfix Syslog implementation which comes with OpenNMS.

For example, in the file $OPENNMS_HOME/etc/syslog/Postfix.syslog.xml you will find a rule which looks at the incoming Syslog messages, picks every Syslog message which contains "disabling TLS support", and creates an event with the OpenNMS Unique Event Identifier (UEI) uei.opennms.org/vendor/postfix/syslog/postfix/TLSDisabled.

The event with the UEI uei.opennms.org/vendor/postfix/syslog/postfix/TLSDisabled is defined with its severity in $OPENNMS_