
event sources are created automatically once syslog restarts


SLM 1.2.1
rhel collector version: 2011.1r1

event source: RedHat Enterprise Linux 5(rhel5)

whenever I stop the syslog service on the rhel5 event source, Sentinel
automagically creates an event source named 'exiting', and I can see the
'exiting' event source in ESM LiveView as well as in Sentinel WebUI >
Collection > Event Sources. (Please check the screenshots
http://susepaste.org/74070190 and http://susepaste.org/29533905)

Then when I (re)start the syslog service on the rhel5 event source, another
event source named 'syslogd' is created. Please check
http://susepaste.org/58773584

I delete the 'exiting' event source whenever I stop the syslog service
on rhel5, and delete the 'syslogd' event source whenever I (re)start the
syslog service on the rhel5 event source.

Opening 'raw data tap' never shows any events/activity on the unnecessarily
and automagically created 'exiting' and 'syslogd' event sources.


--
sharfuddin
------------------------------------------------------------------------
sharfuddin's Profile: https://forums.netiq.com/member.php?userid=1016
View this thread: https://forums.netiq.com/showthread.php?t=47792


Re: event sources are created automatically once syslog restarts


Hi,

The event source isn't created automagically. If you don't want this, go
to the event source server ('Syslog Server UDP' by default), right click
and select edit.
Go to the 'Auto-Configuration' tab and select 'deny' at 'Default
policy'.
Keep in mind that you have to create every additional event source by
hand now.

The fact that they appear means you get some syslog events that are a
bit misshapen. Instead of the hostname the text exiting or syslogd is
put there.
I have noticed that the first event from that event source is creating
the event source and is itself lost.
If you want to see what comes in, leave the event source, open the raw
data tap and restart syslog on the event source a few times.

Hope this helps.
Anco


--
jcvader1
------------------------------------------------------------------------
jcvader1's Profile: https://forums.netiq.com/member.php?userid=502
View this thread: https://forums.netiq.com/showthread.php?t=47792


Re: event sources are created automatically once syslog restarts


>The fact that they appear means you get some syslog events that are a
>bit misshapen


So it's the event source (rhel5 syslog) which is faulty? rhel6 uses
'rsyslog' rather than the plain/old 'syslog' which rhel5 comes with... hope
rsyslog won't cause these types of events.


>If you want to see what comes in leave the event source, open the raw
>data tap and restart syslog on the event source a few times.


I restarted the syslog event source a couple of times, and here is the
syslog collector dump:

Code:
--------------------

{"s_AppId":"on","i_syslog_priority":"46","CONNECTION_METHOD":"SYSLOG","i_Hour":"11","i_RXBufferLength":"36","s_HostName":"exiting","CONNECTION_MODE":"map","s_Process":null,"s_RV25":"32469840-A59C-1030-8D48-000C2959E8C5","s_RV24":"85F9F5F0-A433-1030-A407-000C2959E8C5","i_Type":"2","i_Second":"29","s_RV23":"85F9F5F0-A433-1030-A391-000C2959E8C5","s_RV22":"85F9F5F0-A433-1030-A390-000C2959E8C5","s_Version":"2011.1r2","s_RXBufferString":"May 23 11:20:29 exiting on signal 15","s_RV21":"C76D2820-C395-1029-BB86-001321B5C0B3","s_Body":"on signal 15","s_chainId":"1369289992974","i_milliseconds":"1369290029324","s_raw_message2":"<46>exiting on signal 15","s_MessageOriginatorPort":"514","i_Minute":"20","s_Date":"May 23 11:20:29","i_TrustDeviceTime":"","i_DayOfMonth":"23","s_chainSequence":"0","i_Year":"2013","s_sha256Hash":"e120e5315373e7cd658367ec51bb6fb155d90035056fd23823fb9cbc09d29c5c","s_SyslogRelayIp":"172.16.241.148","s_MessageOriginatorHost":"exiting","s_Pid":null,"i_Month":"4","i_syslog_facility":"5","i_syslog_severity":"6"}
{"s_AppId":"1.4.1","i_syslog_priority":"46","CONNECTION_METHOD":"SYSLOG","i_Hour":"11","i_RXBufferLength":"39","s_HostName":"syslogd","CONNECTION_MODE":"map","s_Process":null,"s_RV25":"32469840-A59C-1030-8D7A-000C2959E8C5","s_RV24":"85F9F5F0-A433-1030-A392-000C2959E8C5","i_Type":"2","i_Second":"42","s_RV23":"85F9F5F0-A433-1030-A391-000C2959E8C5","s_RV22":"85F9F5F0-A433-1030-A390-000C2959E8C5","s_Version":"2011.1r2","s_RXBufferString":"May 23 11:22:42 syslogd 1.4.1: restart.","s_RV21":"C76D2820-C395-1029-BB86-001321B5C0B3","s_Body":"1.4.1: restart.","s_chainId":"1369289994713","i_milliseconds":"1369290162011","s_raw_message2":"<46>syslogd 1.4.1: restart.","s_MessageOriginatorPort":"514","i_Minute":"22","s_Date":"May 23 11:22:42","i_TrustDeviceTime":"","i_DayOfMonth":"23","s_chainSequence":"0","i_Year":"2013","s_sha256Hash":"bc1317362cea68eab3fa14e67ac08fdfcac29b5400a3ed539d003008d5ec01f3","s_SyslogRelayIp":"172.16.241.148","s_MessageOriginatorHost":"syslogd","s_Pid":null,"i_Month":"4","i_syslog_facility":"5","i_syslog_severity":"6"}
{"s_AppId":"on","i_syslog_priority":"46","CONNECTION_METHOD":"SYSLOG","i_Hour":"11","i_RXBufferLength":"36","s_HostName":"exiting","CONNECTION_MODE":"map","s_Process":null,"s_RV25":"32469840-A59C-1030-8DF3-000C2959E8C5","s_RV24":"85F9F5F0-A433-1030-A407-000C2959E8C5","i_Type":"2","i_Second":"3","s_RV23":"85F9F5F0-A433-1030-A391-000C2959E8C5","s_RV22":"85F9F5F0-A433-1030-A390-000C2959E8C5","s_Version":"2011.1r2","s_RXBufferString":"May 23 11:24:03 exiting on signal 15","s_RV21":"C76D2820-C395-1029-BB86-001321B5C0B3","s_Body":"on signal 15","s_chainId":"1369289992974","i_milliseconds":"1369290243975","s_raw_message2":"<46>exiting on signal 15","s_MessageOriginatorPort":"514","i_Minute":"24","s_Date":"May 23 11:24:03","i_TrustDeviceTime":"","i_DayOfMonth":"23","s_chainSequence":"1","i_Year":"2013","s_sha256Hash":"e120e5315373e7cd658367ec51bb6fb155d90035056fd23823fb9cbc09d29c5c","s_SyslogRelayIp":"172.16.241.148","s_MessageOriginatorHost":"exiting","s_Pid":null,"i_Month":"4","i_syslog_facility":"5","i_syslog_severity":"6"}
{"s_AppId":"1.4.1","i_syslog_priority":"46","CONNECTION_METHOD":"SYSLOG","i_Hour":"11","i_RXBufferLength":"39","s_HostName":"syslogd","CONNECTION_MODE":"map","s_Process":null,"s_RV25":"32469840-A59C-1030-8DF7-000C2959E8C5","s_RV24":"85F9F5F0-A433-1030-A392-000C2959E8C5","i_Type":"2","i_Second":"4","s_RV23":"85F9F5F0-A433-1030-A391-000C2959E8C5","s_RV22":"85F9F5F0-A433-1030-A390-000C2959E8C5","s_Version":"2011.1r2","s_RXBufferString":"May 23 11:24:04 syslogd 1.4.1: restart.","s_RV21":"C76D2820-C395-1029-BB86-001321B5C0B3","s_Body":"1.4.1: restart.","s_chainId":"1369289994713","i_milliseconds":"1369290244074","s_raw_message2":"<46>syslogd 1.4.1: restart.","s_MessageOriginatorPort":"514","i_Minute":"24","s_Date":"May 23 11:24:04","i_TrustDeviceTime":"","i_DayOfMonth":"23","s_chainSequence":"1","i_Year":"2013","s_sha256Hash":"bc1317362cea68eab3fa14e67ac08fdfcac29b5400a3ed539d003008d5ec01f3","s_SyslogRelayIp":"172.16.241.148","s_MessageOriginatorHost":"syslogd","s_Pid":null,"i_Month":"4","i_syslog_facility":"5","i_syslog_severity":"6"}
{"s_AppId":"on","i_syslog_priority":"46","CONNECTION_METHOD":"SYSLOG","i_Hour":"11","i_RXBufferLength":"36","s_HostName":"exiting","CONNECTION_MODE":"map","s_Process":null,"s_RV25":"32469840-A59C-1030-8E15-000C2959E8C5","s_RV24":"85F9F5F0-A433-1030-A407-000C2959E8C5","i_Type":"2","i_Second":"22","s_RV23":"85F9F5F0-A433-1030-A391-000C2959E8C5","s_RV22":"85F9F5F0-A433-1030-A390-000C2959E8C5","s_Version":"2011.1r2","s_RXBufferString":"May 23 11:24:22 exiting on signal 15","s_RV21":"C76D2820-C395-1029-BB86-001321B5C0B3","s_Body":"on signal 15","s_chainId":"1369289992974","i_milliseconds":"1369290262052","s_raw_message2":"<46>exiting on signal 15","s_MessageOriginatorPort":"514","i_Minute":"24","s_Date":"May 23 11:24:22","i_TrustDeviceTime":"","i_DayOfMonth":"23","s_chainSequence":"2","i_Year":"2013","s_sha256Hash":"e120e5315373e7cd658367ec51bb6fb155d90035056fd23823fb9cbc09d29c5c","s_SyslogRelayIp":"172.16.241.148","s_MessageOriginatorHost":"exiting","s_Pid":null,"i_Month":"4","i_syslog_facility":"5","i_syslog_severity":"6"}
{"s_AppId":"1.4.1","i_syslog_priority":"46","CONNECTION_METHOD":"SYSLOG","i_Hour":"11","i_RXBufferLength":"39","s_HostName":"syslogd","CONNECTION_MODE":"map","s_Process":null,"s_RV25":"32469840-A59C-1030-8E25-000C2959E8C5","s_RV24":"85F9F5F0-A433-1030-A392-000C2959E8C5","i_Type":"2","i_Second":"56","s_RV23":"85F9F5F0-A433-1030-A391-000C2959E8C5","s_RV22":"85F9F5F0-A433-1030-A390-000C2959E8C5","s_Version":"2011.1r2","s_RXBufferString":"May 23 11:24:56 syslogd 1.4.1: restart.","s_RV21":"C76D2820-C395-1029-BB86-001321B5C0B3","s_Body":"1.4.1: restart.","s_chainId":"1369289994713","i_milliseconds":"1369290296293","s_raw_message2":"<46>syslogd 1.4.1: restart.","s_MessageOriginatorPort":"514","i_Minute":"24","s_Date":"May 23 11:24:56","i_TrustDeviceTime":"","i_DayOfMonth":"23","s_chainSequence":"2","i_Year":"2013","s_sha256Hash":"bc1317362cea68eab3fa14e67ac08fdfcac29b5400a3ed539d003008d5ec01f3","s_SyslogRelayIp":"172.16.241.148","s_MessageOriginatorHost":"syslogd","s_Pid":null,"i_Month":"4","i_syslog_facility":"5","i_syslog_severity":"6"}

--------------------


Thanks,
Regards


--
sharfuddin


Re: event sources are created automatically once syslog restarts


Hi,

As you can see in the dump, you get events such as:
s_raw_message2: <46>exiting on signal 15
s_raw_message2: <46>syslogd 1.4.1: restart.

In these events the time code as well as the hostname/IP are missing. In
these cases Sentinel takes the first thing that is not a time code after
<number> as the hostname.
That's why it creates the 'exiting' and 'syslogd' event sources.
I have a few customers with redhat 6 and I am not aware that they send
these kind of messages, other servers do though 😉

Regards,
Anco


--
jcvader1
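The mis-parse Anco describes, as an added Python example that is not part of this thread or of Sentinel's collector code: naive_hostname() mimics the behaviour described (the first non-timestamp token after <PRI> becomes the hostname), while parse_syslog() only accepts a hostname that follows a real RFC 3164 timestamp and otherwise attributes the event to the sending relay IP, which is an assumed mitigation policy rather than anything Sentinel does. The well-formed third sample and the host name rhel5host are constructed; the first two samples and the relay IP are taken from the dump above.

```python
import re
from dataclasses import dataclass
from typing import Optional

# BSD syslog (RFC 3164) header: <PRI>TIMESTAMP HOSTNAME MSG, TIMESTAMP being
# "Mmm dd hh:mm:ss". The daemon's own restart/exit notices carry only <PRI>MSG.
PRI_RE = re.compile(r"^<(\d{1,3})>")
TS_RE = re.compile(r"^(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec) {1,2}\d{1,2} "
                   r"\d{2}:\d{2}:\d{2} ")

@dataclass
class SyslogEvent:
    facility: int
    severity: int
    timestamp: Optional[str]  # None when the header carried no TIMESTAMP/HOSTNAME
    hostname: str
    body: str

def naive_hostname(raw: str) -> str:
    """Behaviour described in the thread: the first token after <PRI> that is
    not a timestamp becomes the hostname, so 'exiting'/'syslogd' become sources."""
    rest = PRI_RE.sub("", raw, count=1)
    ts = TS_RE.match(rest)
    if ts:
        rest = rest[ts.end():]
    return rest.split(" ", 1)[0]

def parse_syslog(raw: str, relay_ip: str) -> SyslogEvent:
    """Defensive parse: trust a HOSTNAME only when it follows a real timestamp;
    otherwise attribute the event to the relay IP (assumed policy, not Sentinel's)."""
    m = PRI_RE.match(raw)
    if not m:
        raise ValueError("missing <PRI> header")
    facility, severity = divmod(int(m.group(1)), 8)  # <46> -> facility 5, severity 6
    rest = raw[m.end():]
    ts = TS_RE.match(rest)
    if not ts:
        return SyslogEvent(facility, severity, None, relay_ip, rest)
    host, _, body = rest[ts.end():].partition(" ")
    return SyslogEvent(facility, severity, ts.group(0).rstrip(), host, body)

# Constructed samples: the first two are raw messages from the dump above, the
# third is a well-formed line with a hypothetical host name.
RELAY_IP = "172.16.241.148"  # s_SyslogRelayIp in the dump
SAMPLES = ["<46>exiting on signal 15",
           "<46>syslogd 1.4.1: restart.",
           "<46>May 23 11:25:01 rhel5host syslogd 1.4.1: restart."]
```

Running naive_hostname() over SAMPLES yields 'exiting', 'syslogd' and 'rhel5host', whereas parse_syslog() attributes the first two to 172.16.241.148 and leaves timestamp None, which is the signal a collector could use to drop or flag header-less daemon notices instead of creating event sources from them.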

Re: event sources are created automatically once syslog restarts


Hi jcvader1,

it's fixed now 😉

when Sentinel was creating the 'syslogd' and 'exiting' event sources
automagically, at that time the rhel boxes were configured as:
Code:
--------------------

*.* @IP.of.Sentinel.Server:1514

--------------------


but now the rhel boxes have the following configuration in the rsyslog.conf file:
Code:
--------------------

*.info;mail.none;cron.none;kern.none @IP.of.Sentinel.Server:1514

--------------------


and the issue is resolved 😉

Thanks a lot

Regards,


--
sharfuddin