Addon:EventDb

EventDB

Description: EventDB4Nagios
Author: NETWAYS GmbH
Developer: NETWAYS GmbH
Released: August 2008
Latest release version: 0.0.1
Website: EventDB NagiosForge Project

The NETWAYS EventDB is a set of scripts used to store SNMP, syslog and other event-based information in a MySQL database. The package consists of:

  • DB structure
  • web frontend
  • NAGIOS plugin
  • syslog-ng configuration snippets

In this scenario only logging via syslog is described.

How it works

The EventDB is a kind of middleware used to normalize received events and store them in the MySQL database. Events are collected through many different userland tools (e.g. snmptrapd, snmptt, ...) and logged to syslog-ng, which handles the whole connectivity to MySQL. Because the direct path from syslog-ng to the database is not the fastest one, a small Perl daemon (syslog-ng2mysql.pl) was introduced. syslog-ng2mysql.pl opens a Unix pipe on one side and uses DBI on the other to write the data into MySQL.

Image:EventDB Overview.jpg

Installation

Requirements

  • php-mysql
  • php-mbstring
  • php-mhash
  • syslog-ng
  • mysql-server
  • a php enabled webserver
  • perl-dbi
  • perl-dbd-mysql

First of all you have to download the EventDB archive from [1]; after that, extract the tar.gz:

nagios@nagioswiki.org:~/
 $ tar zxvf <archive.tgz>

syslog-ng2mysql.pl

syslog-ng2mysql.pl is located in the extracted archive and should be copied to your local bin path; an init-script is also included.

nagios@nagioswiki.org:~/
 # mkdir /usr/local/nagios/contrib
 # cd <path to EventDB>
 # cp agenten/syslog-ng/syslog-ng2mysql.pl /usr/local/nagios/contrib/.
 # cp agenten/syslog-ng/syslog-ng2mysql /etc/init.d/.
 # chmod 0755 /usr/local/nagios/contrib/syslog-ng2mysql.pl /etc/init.d/syslog-ng2mysql

After copying the daemon and the init-script, the database credentials have to be changed in /usr/local/nagios/contrib/syslog-ng2mysql.pl:

nagios@nagioswiki.org:~/
 # vi /usr/local/nagios/contrib/syslog-ng2mysql.pl
 # my $db      = "eventdb";
 # my $dbhost  = "localhost";
 # my $dbuser  = "eventdb";
 # my $dbpass  = "eventdb";
 # my $dbtable = "events";

Now it's time to start the syslog-ng2mysql.pl daemon:

nagios@nagioswiki.org:~/
 # /etc/init.d/syslog-ng2mysql start

MySQL configuration

The DB schema and a MySQL user have to be created so that syslog-ng2mysql.pl is able to write to the database.

create the user

nagios@nagioswiki.org:~/
 # mysql -u root -p
 mysql # create database eventdb;
 mysql # grant select,insert,update,delete on eventdb.* to 'eventdb'@'localhost' identified by 'eventdb';
 mysql # exit

The first command creates the database; the second sets up the user that syslog-ng2mysql.pl uses to connect to and write to the database.

import the db schema

nagios@nagioswiki.org:~/
 # mysql -u root -p eventdb < <path to EventDB>/db/create_tables.sql

Syslog-NG

Some configuration changes have to be made in syslog-ng.conf, so that syslog-ng is writing all incoming data to the newly created MySQL database.

logging source

This is the setting to accept syslog messages over the network:

nagios@nagioswiki.org:~/
 source src_eventdb { 
   unix-stream("/dev/log");
   udp(
     ip(0.0.0.0) port(514)
   ); 
 };

logging destination

Create the new logging destination d_eventdb, which writes to the pipe opened by syslog-ng2mysql.pl using the specified template. template_escape(no) tells syslog-ng _not_ to escape double quotes:

nagios@nagioswiki.org:~/
 destination d_eventdb {
   pipe("/usr/local/nagios/var/rw/syslog-ng.pipe",
   template("$HOST\t$FACILITY\t$PRIORITY\t$LEVEL\t$TAG\t$YEAR-$MONTH-$DAY\t$HOUR:$MIN:$SEC\t$PROGRAM\t$MSG\n")
   template_escape(no)
   );
 };
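
The daemon on the other end of the pipe has to split the tab-separated record produced by this template and hand the fields to the database. The following is an added example, not the page's own syslog-ng2mysql.pl and not NETWAYS code: it shows the two things a practitioner should check in such a daemon, namely that a tab inside $MSG does not shift the columns (split at most eight times, since MSG is last) and that, because template_escape(no) passes the message through unescaped, every value is bound as a query parameter rather than interpolated into the SQL text. The table layout and the sample records are constructed for the example (the real db/create_tables.sql may differ), and an in-memory SQLite database stands in for MySQL.

```python
import sqlite3

# Field order of the d_eventdb template above (9 tab-separated columns).
FIELDS = ("host", "facility", "priority", "level", "tag",
          "date", "time", "program", "msg")

# Assumed table layout for this example; the real db/create_tables.sql may differ.
SCHEMA = """
CREATE TABLE events (
    id INTEGER PRIMARY KEY,
    host TEXT, facility TEXT, priority TEXT, level TEXT, tag TEXT,
    date TEXT, time TEXT, program TEXT, msg TEXT
)
"""


def parse_pipe_line(line):
    """Split one record read from the pipe into a dict keyed by FIELDS.

    MSG is the last column, so we split at most len(FIELDS)-1 times: a tab
    inside the message stays in msg instead of shifting the other columns.
    """
    parts = line.rstrip("\n").split("\t", len(FIELDS) - 1)
    if len(parts) != len(FIELDS):
        raise ValueError("malformed record: expected %d fields, got %d"
                         % (len(FIELDS), len(parts)))
    return dict(zip(FIELDS, parts))


def store_event(conn, rec):
    """Insert with bound parameters (the equivalent of DBI placeholders).

    With template_escape(no) the message arrives unescaped; quotes and SQL
    keywords inside it are harmless only because they never touch the SQL text.
    """
    conn.execute(
        "INSERT INTO events (host, facility, priority, level, tag, date, time, program, msg) "
        "VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?)",
        tuple(rec[f] for f in FIELDS),
    )


def ingest(lines):
    """Load records into an in-memory SQLite database (stand-in for MySQL)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    for line in lines:
        store_event(conn, parse_pipe_line(line))
    conn.commit()
    return conn


def stored_messages(conn):
    return [row[0] for row in conn.execute("SELECT msg FROM events ORDER BY id")]


# Constructed sample records in exactly the shape the template produces.
SAMPLE_LINES = [
    "host1\tauth\terr\terr\tsshd\t2008-08-12\t10:15:01\tsshd\t"
    "Failed password for root from 192.0.2.10\n",
    # A message carrying quotes, a SQL statement and an embedded tab.
    "host1\tauth\twarning\twarning\tsshd\t2008-08-12\t10:15:02\tsshd\t"
    "Invalid user 'o'; DROP TABLE events; --\tsecond part\n",
]

if __name__ == "__main__":
    db = ingest(SAMPLE_LINES)
    for m in stored_messages(db):
        print(repr(m))
```

Both sample messages end up in the msg column verbatim; the second one, which would be a problem for a daemon that builds its INSERT by string concatenation, is stored as plain data.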

logging filter

Filter the incoming messages by log level and forward all messages with a level from warning to emergency:

nagios@nagioswiki.org:~/
 filter f_at_least_warn { 
   level(warn..emerg);
 };

bring all together

Log all messages arriving via the source src_eventdb to the destination d_eventdb, filtered by f_at_least_warn:

nagios@nagioswiki.org:~/
 log {
   source(src_eventdb);
   filter(f_at_least_warn);
   destination(d_eventdb);
 };

Webinterface

A PHP-based web interface is also included in the archive; its index.php has to be copied into the Nagios share directory.

Image:EventDB Webinterface.jpg

nagios@nagioswiki.org:~/
 # mkdir <path to NAGIOS installation>/share/eventdb
 # cp <path to EventDB>/webinterface/index.php <path to NAGIOS installation>/share/eventdb/.

The database credentials in index.php have to be changed to match your setup:

nagios@nagioswiki.org:~/
 # vi <path to NAGIOS installation>/share/eventdb/index.php
 # cset('db.user', 'eventdb');
 # cset('db.pass', 'eventdb');
 # cset('db.host', 'localhost');
 # cset('db.name', 'eventdb');

After setting the credentials the web interface can be opened in your browser; the URL is http://<yourhostname>/nagios/eventdb/index.php

You can generate test events on a remote machine via:

nagios@nagioswiki.org:~/
echo '<0>eventdb test message' | netcat -w 1 -u sysloghost 514
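
The <0> in front of the test message is the syslog PRI value (facility * 8 + severity), so this message arrives as kern.emerg and passes the f_at_least_warn filter above. The following added example (not part of the page or the EventDB package) decodes and encodes the PRI of BSD-style datagrams and applies the same decision as level(warn..emerg), which is useful when checking why a message does or does not show up in the EventDB; the facility names for numbers 12 to 15 follow common syslog-ng naming, and the sample datagrams are constructed. send_test_message() is the UDP equivalent of the netcat one-liner and is not exercised offline.

```python
import re
import socket

SEVERITIES = ("emerg", "alert", "crit", "err", "warning", "notice", "info", "debug")
# Facility names by number (BSD/RFC 3164 numbering; 12-15 as commonly named by syslog-ng).
FACILITIES = ("kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console",
              "solaris-cron", "local0", "local1", "local2", "local3", "local4",
              "local5", "local6", "local7")

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)


def decode_pri(datagram):
    """Return (facility, severity, text) for a '<PRI>text' syslog line."""
    m = PRI_RE.match(datagram)
    if m is None:
        raise ValueError("missing <PRI> prefix")
    pri = int(m.group(1))
    if pri > 191:                      # 23 * 8 + 7 is the largest valid PRI
        raise ValueError("PRI %d out of range" % pri)
    return FACILITIES[pri >> 3], SEVERITIES[pri & 7], m.group(2)


def encode_pri(facility, severity):
    """Inverse of decode_pri: the number to put between the angle brackets."""
    return FACILITIES.index(facility) * 8 + SEVERITIES.index(severity)


def passes_f_at_least_warn(severity):
    """Same decision as the syslog-ng filter level(warn..emerg): severity 0..4."""
    return SEVERITIES.index(severity) <= SEVERITIES.index("warning")


def forwarded(datagrams):
    """Apply the filter to a batch; return (facility, severity, text) of the survivors."""
    out = []
    for d in datagrams:
        fac, sev, text = decode_pri(d)
        if passes_f_at_least_warn(sev):
            out.append((fac, sev, text))
    return out


def send_test_message(host, port, facility, severity, text):
    """UDP equivalent of the netcat one-liner above (not run offline)."""
    payload = "<%d>%s" % (encode_pri(facility, severity), text)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(payload.encode(), (host, port))


# Constructed datagrams: the page's test message plus two sshd lines.
SAMPLES = [
    "<0>eventdb test message",                     # kern.emerg -> forwarded
    "<35>sshd[4711]: Failed password for root",    # auth.err   -> forwarded
    "<38>sshd[4711]: Accepted publickey for ops",  # auth.info  -> dropped by filter
]

if __name__ == "__main__":
    for fac, sev, text in forwarded(SAMPLES):
        print("%s.%s %s" % (fac, sev, text))
```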

Nagios Plugin

The job of checking the EventDB for entries is done by a Nagios plugin. The Perl script is included in the plugin directory of the extracted archive; the only thing you have to do is copy the plugin to the libexec directory of your Nagios installation.

nagios@nagioswiki.org:~/
 # cp <path to EventDB>/plugin/check_eventdb.pl <path to NAGIOS>/libexec/.
 # chmod 0755 <path to NAGIOS>/libexec/check_eventdb.pl

After installing the plugin, a new check command has to be defined in your Nagios configuration:

nagios@nagioswiki.org:~/
 define command {
   command_name         check_eventdb
   command_line         $USER1$/check_eventdb.pl --dbuser=eventdb --dbpass=eventdb -H $HOSTNAME$ $ARG1$
 }

A service check using the newly defined command could look like this:

nagios@nagioswiki.org:~/
 define service {
   use                  generic-service
   host_name            host1
   service_description  eventdb_error
   check_command        check_eventdb!--facility auth --priority err -m "%ssh%" -w 1 -c 2 --label="ssh errors"
 }

This checks the EventDB for messages which have:

  • facility = auth
  • priority = error
  • message text contains ssh (-m "%ssh%", SQL LIKE syntax)

If one message appears in the EventDB, the check returns WARNING (-w 1).

If 2 or more messages are returned, the check returns CRITICAL (-c 2).

The label is a prefix used in the service output.
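
To make the threshold behaviour concrete, here is an added example of the same check logic in Python (this is not check_eventdb.pl and its SQL is not the plugin's): count the events of one host that match the facility, priority and LIKE pattern, then map the count to the Nagios exit codes with the -w/-c rule described above and prefix the output with the label. The table layout and the rows are constructed for the example, an in-memory SQLite database stands in for MySQL, and the LIKE pattern is bound as a parameter so that the -m argument is data rather than SQL.

```python
import sqlite3

OK, WARNING, CRITICAL = 0, 1, 2          # Nagios plugin exit codes
STATE_NAMES = {OK: "OK", WARNING: "WARNING", CRITICAL: "CRITICAL"}

# Assumed minimal table layout; constructed for this example.
SCHEMA = ("CREATE TABLE events (id INTEGER PRIMARY KEY, host TEXT, "
          "facility TEXT, priority TEXT, msg TEXT)")

# Constructed rows as syslog-ng2mysql.pl would have stored them.
SAMPLE_EVENTS = [
    ("host1", "auth",   "err",  "sshd[4711]: Failed password for root from 192.0.2.10"),
    ("host1", "auth",   "err",  "sshd[4712]: Invalid user admin from 192.0.2.11"),
    ("host1", "auth",   "info", "sshd[4713]: Accepted publickey for ops"),
    ("host2", "auth",   "err",  "sshd[99]: Failed password for root from 192.0.2.12"),
    ("host1", "daemon", "err",  "ntpd[1]: no servers reachable"),
]


def load_sample_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.executemany(
        "INSERT INTO events (host, facility, priority, msg) VALUES (?, ?, ?, ?)",
        SAMPLE_EVENTS)
    conn.commit()
    return conn


def count_matches(conn, host, facility=None, priority=None, msg=None):
    """Count a host's events, narrowed by the optional filters.

    Every value, including the LIKE pattern (e.g. '%ssh%'), is bound as a
    parameter; only fixed column names are pasted into the SQL text.
    """
    sql = "SELECT COUNT(*) FROM events WHERE host = ?"
    params = [host]
    for column, value in (("facility", facility), ("priority", priority)):
        if value is not None:
            sql += " AND %s = ?" % column
            params.append(value)
    if msg is not None:
        sql += " AND msg LIKE ?"
        params.append(msg)
    return conn.execute(sql, params).fetchone()[0]


def check_eventdb(conn, host, warn, crit, label=None, **filters):
    """Apply the -w/-c thresholds to the match count and build the output line."""
    n = count_matches(conn, host, **filters)
    if n >= crit:
        state = CRITICAL
    elif n >= warn:
        state = WARNING
    else:
        state = OK
    prefix = "%s: " % label if label else ""
    output = "%s%s - %d matching event(s)|matches=%d;%d;%d" % (
        prefix, STATE_NAMES[state], n, n, warn, crit)
    return state, output


if __name__ == "__main__":
    db = load_sample_db()
    # Same filters as the service definition above, for host1.
    state, output = check_eventdb(db, "host1", warn=1, crit=2, label="ssh errors",
                                  facility="auth", priority="err", msg="%ssh%")
    print(output)
    raise SystemExit(state)
```

Run against the sample rows, host1 has two matching auth/err sshd events and is CRITICAL, host2 has one and is WARNING, and a host without matches is OK; the part after the pipe symbol is Nagios performance data with the count and both thresholds.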

Usage

The following parameters are available:

nagios@nagioswiki.org:~/
    Usage: check_eventdb.pl [ -H host ] [ -p priority ] [ -t type ] [ -m msg ] 
           [ --db db ] [ --dbtable dbtable ] [ --dbuser dbuser ] [ --dbpassword dbpassword ] 
           [ --dbhost dbhost ] [ -l label ]  -w warn -c crit
 
    Options:
 
    -H --host
        Hostname as logged by syslog.
    -p --priority
        Priority as logged by syslog.
    -m --msg
        Message as logged by syslog.
    -t --type
        The logtype (e.g. syslog, snmptrap).
    --db STRING
        Database (default: eventdb)
    --dbtable STRING
        Tablename (default: events)
    --dbuser STRING
        Databaseuser (default: none)
    --dbpassword STRING
        Databasepassword (default: none)
    --dbhost STRING
        Databaseserver (default: localhost)
    -l --label STRING
        label for plugin output
    -w --warning INTEGER
        number of matches to result in warning status
    -c --critical INTEGER
        number of matches to result in critical status

DB maintenance

Because of the large number of events the EventDB can contain, you should schedule regular maintenance of the MySQL database. A shell script included in the cleanup directory does this task.

The script writes all content of the EventDB older than a week to a file called /var/backups/syslog_save/<timestamp>.csv; after that the content is deleted from the database.

nagios@nagioswiki.org:~/
 # vi /etc/crontab
 /etc/crontab
 30 2 * * *      root  <path to EventDB>/cleanup/rotate_eventdb.sh > /dev/null 2>&1

You may have to change the DB credentials in rotate_eventdb.sh as well.
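
The rotation described above is an export-then-delete, and the point worth checking in any such script is that only rows that were actually written to the archive get deleted. The following added example (not rotate_eventdb.sh and not NETWAYS code) shows that pattern: it selects everything with a date older than the cutoff, writes it as CSV, and then deletes exactly the exported ids instead of re-evaluating the date condition, so an event that arrives between the two statements can never be dropped unexported. The table layout, the fixed "today" and the rows are constructed for the example, and an in-memory SQLite database stands in for MySQL.

```python
import csv
import io
import sqlite3
from datetime import date, timedelta

# Assumed minimal layout; `date` holds the $YEAR-$MONTH-$DAY column from the template.
SCHEMA = ("CREATE TABLE events (id INTEGER PRIMARY KEY, host TEXT, "
          "date TEXT, time TEXT, msg TEXT)")

# Constructed rows relative to a fixed "today" so the example is reproducible.
TODAY = date(2008, 8, 20)
SAMPLE_EVENTS = [
    ("host1", "2008-08-01", "03:00:00", "old event, archived"),
    ("host1", "2008-08-12", "10:15:01", "8 days old, archived"),
    ("host1", "2008-08-13", "10:15:02", "7 days old, kept"),
    ("host2", "2008-08-19", "23:59:59", "recent, kept"),
]

COLUMNS = ("id", "host", "date", "time", "msg")


def load_sample_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.executemany(
        "INSERT INTO events (host, date, time, msg) VALUES (?, ?, ?, ?)", SAMPLE_EVENTS)
    conn.commit()
    return conn


def rotate_events(conn, today, out, keep_days=7):
    """Write rows older than keep_days to `out` as CSV, then delete exactly those rows.

    ISO dates compare correctly as strings, so the cutoff is a plain '<' on the
    date column; deleting by id (not by date) ties the delete to the export.
    """
    cutoff = (today - timedelta(days=keep_days)).isoformat()
    rows = conn.execute(
        "SELECT id, host, date, time, msg FROM events WHERE date < ? ORDER BY id",
        (cutoff,)).fetchall()
    writer = csv.writer(out)
    writer.writerow(COLUMNS)
    writer.writerows(rows)
    out.flush()                                   # archive is on disk before anything is removed
    conn.executemany("DELETE FROM events WHERE id = ?", [(r[0],) for r in rows])
    conn.commit()
    return len(rows)


def rotate_to_string(conn, today, keep_days=7):
    """Convenience wrapper: rotate into a string instead of a file."""
    buf = io.StringIO()
    n = rotate_events(conn, today, buf, keep_days)
    return n, buf.getvalue()


def remaining_dates(conn):
    return [r[0] for r in conn.execute("SELECT date FROM events ORDER BY id")]


if __name__ == "__main__":
    db = load_sample_db()
    n, archive = rotate_to_string(db, TODAY)
    print("archived %d row(s):" % n)
    print(archive)
    print("remaining dates:", remaining_dates(db))
```

With the constructed rows and a cutoff of 2008-08-13, the two events from 2008-08-01 and 2008-08-12 are archived and removed, while the event from the cutoff day itself and the recent one stay; in a real deployment `out` would be the timestamped file under /var/backups/syslog_save/.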