Discovery for logfiles
  • TheRiderU
    Member
    • May 2018
    • 31

    #1

    Discovery for logfiles

    Hey Community,

    So I have a problem (yes, again). I would like to monitor all the rsyslog logs that my remote hosts send to my rsyslog server, but I don't want to do this for every logfile. So how can I do this with a discovery? Which item prototype should I use, or what tags does the key need in the prototype?
    I hope you can understand my problem.

    The logfiles should look like this:

    /var/log/firewalls/firewall1.log
    /firewall2.log
    /firewall3.log

    Thanks for your help.
  • kloczek
    Senior Member
    • Jun 2006
    • 1771

    #2
    Originally posted by TheRiderU
    Hey Community,

    So I have a problem (yes, again). I would like to monitor all the rsyslog logs that my remote hosts send to my rsyslog server, but I don't want to do this for every logfile. So how can I do this with a discovery? Which item prototype should I use, or what tags does the key need in the prototype?
    I hope you can understand my problem.

    The logfiles should look like this:

    /var/log/firewalls/firewall1.log
    /firewall2.log
    /firewall3.log

    Thanks for your help.
    Why are you wasting time and resources on producing logs and, probably based on the frequency of some exact events, organising some counters, if you can organise counters straight in the FW settings and just read those values?
    http://uk.linkedin.com/pub/tomasz-k%...zko/6/940/430/
    https://kloczek.wordpress.com/
    zapish - Zabbix API SHell binding https://github.com/kloczek/zapish
    My zabbix templates https://github.com/kloczek/zabbix-templates


    • LenR
      Senior Member
      • Sep 2009
      • 1005

      #3
      Syslog probably sends logs without ever writing them to disk. It writes some to disk, some it sends, some it does both. What do you really want to know about logging? If you need to assure that systems are logging, the only way to do that is to watch for signs of life on the logging server. A bad actor could add a firewall rule to drop outbound log traffic and monitoring on the server probably wouldn't notice.

      # Send all to experimental logstash
      *.* @@127.0.0.1:5514

      # Log anything (except mail) of level info or higher.
      # Don't log private authentication messages!
      *.info;mail.none;authpriv.none;cron.none /var/log/messages


      • TheRiderU
        Member
        • May 2018
        • 31

        #4
        Originally posted by kloczek

        Why are you wasting time and resources on producing logs and, probably based on the frequency of some exact events, organising some counters, if you can organise counters straight in the FW settings and just read those values?
        I can't follow you; what do you mean with these "counters"?


        • TheRiderU
          Member
          • May 2018
          • 31

          #5
          Originally posted by LenR
          Syslog probably sends logs without ever writing them to disk. It writes some to disk, some it sends, some it does both. What do you really want to know about logging? If you need to assure that systems are logging, the only way to do that is to watch for signs of life on the logging server. A bad actor could add a firewall rule to drop outbound log traffic and monitoring on the server probably wouldn't notice.

          # Send all to experimental logstash
          *.* @@127.0.0.1:5514

          # Log anything (except mail) of level info or higher.
          # Don't log private authentication messages!
          *.info;mail.none;authpriv.none;cron.none /var/log/messages
          Yeah, I know this logging; I configured my rsyslog.conf. But I don't know how to build a discovery in Zabbix that gets all of these log files. So how can I build it so that Zabbix creates a new item for each logfile?


          • kloczek
            Senior Member
            • Jun 2006
            • 1771

            #6
            Originally posted by TheRiderU

            Yeah, I know this logging; I configured my rsyslog.conf. But I don't know how to build a discovery in Zabbix that gets all of these log files. So how can I build it so that Zabbix creates a new item for each logfile?
            Just a suggestion...
            Please tell a bit more about what kind of FW those logs come from and what exactly you want to monitor (not what you are looking for in the logs, but what kind of metrics/alarms you want to define).


            • TheRiderU
              Member
              • May 2018
              • 31

              #7
              Originally posted by kloczek

              Just a suggestion...
              Please tell a bit more about what kind of FW those logs come from and what exactly you want to monitor (not what you are looking for in the logs, but what kind of metrics/alarms you want to define).
              Just for a test I log everything, and my FW types are Juniper and Sophos. So I created an item for the Zabbix agent on the rsyslog server and made a logrt[.....] key item. In my trigger I define the key as logrt[].str(tag) and this works fine. But I don't want to create these items for all of my firewalls.


              • kloczek
                Senior Member
                • Jun 2006
                • 1771

                #8
                Originally posted by TheRiderU

                Just for a test I log everything, and my FW types are Juniper and Sophos. So I created an item for the Zabbix agent on the rsyslog server and made a logrt[.....] key item. In my trigger I define the key as logrt[].str(tag) and this works fine. But I don't want to create these items for all of my firewalls.
                You know, you cannot just monitor <something>.
                If you have, you can count, for example, the number of rejected TCP connections, or the flow in/out of the data going over exact FW rules.
                What is usually logged in those logs, and what kind of FW produces those logs?


                • kernbug
                  Senior Member
                  • Feb 2013
                  • 330

                  #9
                  Forgive me, kloczek; custom discovery is for you, TheRiderU.

                  Creating custom LLD rules

                  P.S. Meanwhile, logs could be collected with the ELK stack from hundreds of network devices, and the important key values could be exported to Zabbix.

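A custom LLD rule of the kind kernbug points to, as an added example that is not from this thread or from Zabbix itself: a discovery script the agent runs through an assumed UserParameter, emitting one {#LOGFILE} macro per log file under /var/log/firewalls/ in the {"data":[...]} JSON the 3.x/4.0-era agents expect; an item prototype keyed on that macro (for example log[{#LOGFILE}], or the thread's logrt[] with the path as its pattern) then creates one log item per firewall. The macro name, the UserParameter key and the script path are assumptions.

```shell
#!/bin/sh
# Zabbix low-level discovery (LLD) script for log files in one directory.
# Constructed example, not the forum's or Zabbix's own code. Emits the
# {"data":[...]} JSON that Zabbix 3.x/4.0 agents expect from a discovery
# UserParameter; every file found becomes one {#LOGFILE} macro (name assumed).
# Agent side (assumed):
#   UserParameter=fw.logs.discovery,/etc/zabbix/scripts/discover_logs.sh

discover_logs() {
    dir="$1"
    first=1
    printf '{"data":['
    for f in "$dir"/*.log; do
        # An unmatched glob stays literal: skip it so an empty or missing
        # directory yields {"data":[]} instead of a bogus entry
        [ -e "$f" ] || continue
        # Only regular files the agent user can read: a prototype created for
        # an unreadable file would just turn into an unsupported item
        [ -f "$f" ] && [ -r "$f" ] || continue
        [ "$first" -eq 1 ] || printf ','
        first=0
        # Escape backslashes and double quotes so odd file names keep the JSON valid
        esc=$(printf '%s' "$f" | sed 's/\\/\\\\/g; s/"/\\"/g')
        printf '{"{#LOGFILE}":"%s"}' "$esc"
    done
    printf ']}\n'
}

# Stand-alone run against the directory from the thread (or one given as $1)
discover_logs "${1:-/var/log/firewalls}"
```

Run the script as the zabbix user when testing it, since the discovery reflects what that user can read, not what root can.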