Zabbix as syslog collector?
  • mkbn
    Junior Member
    • Mar 2014
    • 9

    #1

    Hi

    I want to figure out if I can use the Zabbix server to collect and monitor log files from switches. Does anyone know?

    The documentation refers to having a zabbix agent installed on the host, so would that involve installing a Windows server with a syslog collector software and have a zabbix agent installed and collect the logs?

    I just want to know if it is possible to monitor switch logs with zabbix and how I would go about it.
  • andrea.consadori
    Member
    • Apr 2013
    • 94

    #2
    You can install the Zabbix agent on the syslog server and then create a Zabbix agent item to grab the log info.


    • mkbn
      Junior Member
      • Mar 2014
      • 9

      #3
      What kind of syslog server would you recommend? Is there a Linux based one?


      • fantastory
        Junior Member
        • Nov 2015
        • 1

        #4
        Originally posted by mkbn
        What kind of syslog server would you recommend? Is there a Linux based one?
        I recommend the syslog standard from IETF.
        Listening on port 514 (configurable) for UDP packets.

        This document describes the syslog protocol, which is used to convey event notification messages. This protocol utilizes a layered architecture, which allows the use of any number of transport protocols for transmission of syslog messages. It also provides a message format that allows vendor-specific extensions to be provided in a structured way. This document has been written with the original design goals for traditional syslog in mind. The need for a new layered specification has arisen because standardization efforts for reliable and secure syslog extensions suffer from the lack of a Standards-Track and transport-independent RFC. Without this document, each other standard needs to define its own syslog packet format and transport mechanism, which over time will introduce subtle compatibility issues. This document tries to provide a foundation that syslog extensions can build on. This layered architecture approach also provides a solid basis that allows code to be written once for each syslog feature rather than once for each transport. [STANDARDS-TRACK]

        https://en.wikipedia.org/wiki/List_o...P_port_numbers

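The post above points at the IETF syslog format and UDP port 514 without showing what a receiver actually has to decode. The following is an added example for this thread, not Zabbix code and not code from any poster: it decodes the PRI field into facility and severity (PRI = facility * 8 + severity), parses RFC 5424 framing with an RFC 3164 fallback, and wraps that in a minimal UDP listener. The two sample messages are constructed; the switch name "switch01", the app name "ios" and the structured-data block are assumptions.

```python
"""RFC 5424 / RFC 3164 syslog parser with an optional UDP receiver.

Added example for this thread; it is not Zabbix code and not code from any poster.
It assumes senders emit either RFC 5424 framing
("<PRI>1 TIMESTAMP HOST APP PROCID MSGID SD MSG") or the older RFC 3164 shape
("<PRI>Mmm dd hh:mm:ss host msg"). The two sample messages are constructed.
"""
import re
import socket
from dataclasses import dataclass
from typing import Callable, Optional, Tuple

# Facility codes 0-23 as listed in RFC 5424 (9 and 15 are both "clock daemon").
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "cron2",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

RFC5424 = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ver>\d{1,2}) (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) "
    r"(?P<procid>\S+) (?P<msgid>\S+) (?P<sd>-|(?:\[[^\]]*\])+)(?: (?P<msg>.*))?$", re.S)
# Classic BSD format: "<PRI>Mmm dd hh:mm:ss host rest-of-line".
RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$", re.S)


@dataclass
class SyslogMsg:
    facility: str
    severity: str
    timestamp: str
    host: str
    msg: str
    app: Optional[str] = None
    msgid: Optional[str] = None
    structured_data: Optional[str] = None


def decode_pri(pri: int) -> Tuple[str, str]:
    """PRI = facility * 8 + severity, so facility is pri >> 3 and severity is pri & 7."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI out of range: {pri}")
    return FACILITIES[pri >> 3], SEVERITIES[pri & 7]


def _nil(field: str) -> Optional[str]:
    """RFC 5424 uses '-' for an absent header field."""
    return None if field == "-" else field


def parse_syslog(raw: str) -> SyslogMsg:
    """Parse one syslog message, trying RFC 5424 first and RFC 3164 as a fallback.
    Caveat: the SD regex above does not handle an escaped ']' inside a param value."""
    m = RFC5424.match(raw)
    if m:
        fac, sev = decode_pri(int(m["pri"]))
        return SyslogMsg(fac, sev, m["ts"], m["host"], m["msg"] or "",
                         _nil(m["app"]), _nil(m["msgid"]), _nil(m["sd"]))
    m = RFC3164.match(raw)
    if m:
        fac, sev = decode_pri(int(m["pri"]))
        return SyslogMsg(fac, sev, m["ts"], m["host"], m["msg"])
    raise ValueError("not a syslog message: " + raw[:40])


def serve(on_message: Callable[[str, SyslogMsg], None], bind: str = "0.0.0.0", port: int = 514) -> None:
    """Blocking UDP receiver; binding to 514 needs root or CAP_NET_BIND_SERVICE.
    UDP syslog has no sender authentication, so the source address is spoofable:
    firewall the port to the switch subnet, or use TLS transport (RFC 5425)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind, port))
    while True:
        data, addr = sock.recvfrom(65535)
        try:
            msg = parse_syslog(data.decode("utf-8", errors="replace"))
        except ValueError:
            continue  # drop anything that is not syslog-shaped
        on_message(addr[0], msg)


# Constructed samples: 189 = local7(23)*8 + notice(5); 188 = local7*8 + warning(4).
SAMPLE_5424 = ('<189>1 2022-04-03T00:12:18.567Z switch01 ios - 95046 [origin ip="10.11.12.13"] '
               '%SFF8472-5-THRESHOLD_VIOLATION: Te1/1: Rx power low warning')
SAMPLE_3164 = ('<188>Feb 16 00:09:22 169.254.0.29 138340: %IP-4-DUPADDR: Duplicate address '
               '10.11.104.153 on Vlan104, sourced by 0013.1602.69ab')

if __name__ == "__main__":
    for raw in (SAMPLE_5424, SAMPLE_3164):
        print(parse_syslog(raw))
```

Running the module prints both parsed samples; `serve(lambda ip, m: print(ip, m))` would start the listener. Switches commonly still send the RFC 3164 shape, which is why the fallback is there, and note that the host field inside the message and the UDP source address can disagree, so a collector should record both.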

        • Colttt
          Senior Member
          Zabbix Certified Specialist
          • Mar 2009
          • 878

          #5
          Hello,

          The most common syslog server is rsyslog.

          At the moment we use Graylog to collect all the syslog messages.
          Debian-User

          Sorry for my bad english


          • LenR
            Senior Member
            • Sep 2009
            • 1005

            #6
            If it's more than just a few switches, don't try to reinvent the wheel. Syslog will grow.

            Look at logstash https://www.elastic.co/products/logstash

            It has a zabbix plugin https://www.elastic.co/guide/en/logs...ts-zabbix.html


            • deekayess
              Junior Member
              • Mar 2022
              • 3

              #7
              I would like to “open up” this syslog receiver topic again (I cannot find how to do a new post… this is my first post!). I have tried without success many of the suggestions found on this forum (https://www.zabbix.com/integrations/rsyslog) and GitHub (https://github.com/v-zhuravlev/zabbix-syslog), but they all seem to be for earlier versions of Zabbix and I cannot get them to work. I am using Zabbix 5.0 LTS (experimenting with the appliance and a full Ubuntu install).

              I am a Linux “greenhorn” that is stumbling through the forest of knowledge.

              Primary Objective: receive syslog messages from network switches of various brands,
              Secondary Objective: if possible, store for a fixed period of days, e.g. 30, 90 or 360 days, and discard after the “expiry” date, so as not to waste disk space.

              I do not want a separate syslog server, I am looking for a “one box solution” central harvester/collector of SNMP and syslog; the devices sending syslog will already exist as Zabbix-monitored devices. If adding syslog means the VM disk has to become bigger and/or needs a little annual maintenance/cleaning, that is not a big issue. The Zabbix implementations I aim to deploy will be on small networks with perhaps 2-6 network switches and fewer than 100 servers (most of which would have the Zabbix agent on them).

              I have succeeded in making a Zabbix appliance receive syslog messages (also done this on a separate Ubuntu machine too) into /var/log/messages, which is rotated weekly, but I am looking for a more refined solution that associates the messages with a device already being monitored.

              If anyone has cracked this nugget, I would be very grateful for the recipe, as I have spent several weeks effort without success.


              • incama
                Member
                • Jan 2015
                • 65

                #8
                Imho zabbix is not a syslog server. It wasn't in 2015 and it isn't today. Those are two separate worlds.


                • lasseoe
                  Junior Member
                  • Aug 2008
                  • 15

                  #9
                  Indeed, Zabbix is NOT a logging target except if you're only forwarding a few MBs per day; it's not meant for storing any real amount of log data other than reacting on patterns using triggers and then discarding the data again (or keeping it for a few days). Your DB will fill up very fast and become unusable, plus there are no good options for properly searching through historical log data.

                  If your Zabbix agent collects syslog or Windows event logs and then, based on a number of items, only stores those few events, you're fine, but don't bulk forward tons of log data.

                  Loki + Grafana
                  Graylog + Elasticsearch
                  Logstash + Kibana + Elasticsearch
                  Fluentd + some-supported-backend

                  .. are proper logging receivers and/or aggregators, Loki and Fluentd being the least complicated; Graylog and Logstash however require a fair amount of knowledge of Elasticsearch, otherwise you're likely going to end up in a world of hurt at some point.

                  There are also a large number of feature rich SaaS solutions, some even have generous free-tiers like New Relic, Logz.io, Logtail.com and Loggly.com
                  Last edited by lasseoe; 03-04-2022, 11:33.


                  • deekayess
                    Junior Member
                    • Mar 2022
                    • 3

                    #10
                    Thanks for the advice on the freemium solutions. As the target deployment for this system is small networks, there should only be a few MB per day of syslog, probably a lot less than the SNMP data. As mentioned in the earlier post, the objective is for small, often self-contained systems, in some cases with no access to the outside world if deployed in sensitive environments. And the objective is also to keep it simple because often the user base has very limited IT capability; their skills lie elsewhere.

                    I can already make the OS collect the information, and rotate the logs if desired; I would just like simple allocation against the device IP address, no analysis is required, just collection and presentation within Zabbix. Otherwise, it needs a bit more wrangling to extract the collected data and push it to another machine for import, presentation and filtering…. So, the disk space is going to be used either way. IMHO such simple extraction and presentation from a defined file would be a great addition to Zabbix, that would ease the disk space and DB size concerns. For the full featured syslog experience absolutely other products are required….. but then maybe the Zabbix agents would be a better tool than syslog…. (but they don’t work in network switches). All we need is the correct hammer(s) for the job.


                    • incama
                      Member
                      • Jan 2015
                      • 65

                      #11
                      just collection and presentation within Zabbix
                      I get the collection part, but what do you mean by presentation? What target are you aiming for? Even a few MBs of log/text data will make the current widgets within Zabbix useless. Of course you can filter within triggers, but presenting will be, IMHO, terrible. Maybe give us a visible clue on what you are trying to achieve.


                      • deekayess
                        Junior Member
                        • Mar 2022
                        • 3

                        #12
                        I have several Windows syslog collectors chugging away…. KLOG (Klever) running on a Windows server for 90 days now has approx. 6MB of data as 28,000 lines (when viewed in Notepad++); another Windows program (Visual Syslog Server) generates about 4MB per week with 20K entries, but from more devices that are “deliberately noisy” on syslog; and an old Kiwi Syslog 8.3.7 that rotates to a new file daily with approx. 3K entries and 500KB files. These just collect, and the text files need to be imported into Excel (or similar) for filtering/sorting/review. That needs a little effort and can be done when chasing an issue, but anything I can do a computer can do, probably better, if given the correct instruction.

                        So if I could “point” Zabbix to trawl a file (e.g. /var/log/messages) with 7 or 30 days’ worth of information (depending on weekly or monthly rotation, as I can collect now in Ubuntu or the CentOS 8 appliance) and then present that against the matching host IP address in Zabbix, then all the grunt work is done behind the scenes. I could look at host 10.11.12.13 and see that interface Te1/1 is repeatedly reporting

                        Local7.Notice 10.11.12.13 95046: .Apr 3 00:12:18.567 UTC: %SFF8472-5-THRESHOLD_VIOLATION: Te1/1: Rx power low warning; Operating value: -10.8 dBm, Threshold value: -9.9 dBm.

                        Then have the ability to do something about it or ignore it…. but if I saw a duplicate IP address, I can jump on it.
                        2022-02-16 00:09:23 Local7.Warning 169.254.0.29 138340: 138340: Feb 16 00:09:22.456 GMT: %IP-4-DUPADDR: Duplicate address 10.11.104.153 on Vlan104, sourced by 0013.1602.69ab


                        Stretch goal… possibly even trigger an action…. But maybe that is too much like full syslog functionality.

                        If the file pointed to is rotated, the DB impact would be “contained”; if users want to go back further in time into the rotated files they have to do it manually…. And also have a quarterly/yearly clean-out of all the gz files in /var/log too.

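The post above asks for exactly one thing: read the collector file, attribute each line to the switch that sent it, and surface repeats (Te1/1 complaining again and again) or one-offs worth acting on (a duplicate address). The script below is an added example for this thread, not Zabbix code and not any poster's script. It parses the two line shapes quoted in post #12, counts Cisco-style mnemonics per source IP, and turns an allow-list of events into `zabbix_sender -i` input lines, which is the "keep only a few events" pattern post #9 recommends. SAMPLE_LINES, the IP_TO_HOST map, the host names in it and the item key `syslog.event[...]` are all assumptions constructed for the example.

```python
"""Per-host summary of a syslog collector file plus zabbix_sender input lines.

Added example for this thread; it is not Zabbix code and not any poster's script.
It assumes collector lines shaped like the two quoted in post #12
("[YYYY-MM-DD hh:mm:ss] Facility.Severity <source-ip> <seq>: <message>") and a
static IP-to-Zabbix-host map; SAMPLE_LINES and IP_TO_HOST below are constructed.
"""
import re
from collections import Counter, defaultdict
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed lines in the Kiwi / Visual Syslog text style quoted in the thread.
SAMPLE_LINES = [
    "Local7.Notice 10.11.12.13 95046: .Apr 3 00:12:18.567 UTC: %SFF8472-5-THRESHOLD_VIOLATION: "
    "Te1/1: Rx power low warning; Operating value: -10.8 dBm, Threshold value: -9.9 dBm.",
    "Local7.Notice 10.11.12.13 95047: .Apr 3 00:17:18.570 UTC: %SFF8472-5-THRESHOLD_VIOLATION: "
    "Te1/1: Rx power low warning; Operating value: -10.9 dBm, Threshold value: -9.9 dBm.",
    "2022-02-16 00:09:23 Local7.Warning 169.254.0.29 138340: 138340: Feb 16 00:09:22.456 GMT: "
    "%IP-4-DUPADDR: Duplicate address 10.11.104.153 on Vlan104, sourced by 0013.1602.69ab",
    "Local7.Info 10.11.12.14 120: .Apr 3 00:20:00.000 UTC: %SYS-5-CONFIG_I: "
    "Configured from console by admin on vty0",
    "this line is not from a switch and must be skipped",
]

# Hypothetical map; in practice export it from the Zabbix API or host inventory.
IP_TO_HOST = {"10.11.12.13": "core-sw-01", "10.11.12.14": "access-sw-02"}

# Only these mnemonics are forwarded; everything else is counted locally (post #9's advice).
FORWARD = {"IP-4-DUPADDR", "SFF8472-5-THRESHOLD_VIOLATION"}

LINE = re.compile(
    r"^(?:\d{4}-\d\d-\d\d \d\d:\d\d:\d\d )?"            # optional collector timestamp
    r"(?P<facility>[A-Za-z0-9]+)\.(?P<severity>[A-Za-z]+) "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) (?P<rest>.*)$")
# Cisco-style "%FACILITY-SEVERITY-MNEMONIC: text" anywhere in the rest of the line.
MNEMONIC = re.compile(r"%(?P<mn>[A-Z0-9_]+-\d-[A-Z0-9_]+): ?(?P<text>.*)$")


def parse_line(line: str) -> Optional[Tuple[str, str, str, str]]:
    """Return (ip, severity, mnemonic, text), or None for lines that do not fit."""
    m = LINE.match(line.strip())
    if not m:
        return None
    e = MNEMONIC.search(m["rest"])
    if not e:
        return None
    return m["ip"], m["severity"], e["mn"], e["text"]


def summarise(lines: Iterable[str]) -> Dict[str, Counter]:
    """Count mnemonics per source IP: the 'which host keeps saying what' view."""
    per_host: Dict[str, Counter] = defaultdict(Counter)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            ip, _sev, mn, _text = parsed
            per_host[ip][mn] += 1
    return dict(per_host)


def repeated(summary: Dict[str, Counter], min_count: int = 2) -> List[Tuple[str, str, int]]:
    """Host/mnemonic pairs seen at least min_count times, most frequent first."""
    hits = [(ip, mn, n) for ip, c in summary.items() for mn, n in c.items() if n >= min_count]
    return sorted(hits, key=lambda h: -h[2])


def to_zabbix_sender(lines: Iterable[str], ip_to_host: Dict[str, str] = IP_TO_HOST,
                     forward=FORWARD) -> List[str]:
    """Emit '<host> <key> "<value>"' lines for `zabbix_sender -i`, one per forwarded event.
    The key syslog.event[<MNEMONIC>] is a name chosen for this example; it must exist
    as a trapper item on the host. Unmapped IPs fall back to the IP as host name."""
    out = []
    for line in lines:
        parsed = parse_line(line)
        if not parsed:
            continue
        ip, _sev, mn, text = parsed
        if mn not in forward:
            continue
        value = text.replace("\\", "\\\\").replace('"', '\\"')  # keep the quoting intact
        out.append(f'{ip_to_host.get(ip, ip)} syslog.event[{mn}] "{value}"')
    return out


if __name__ == "__main__":
    for ip, mn, n in repeated(summarise(SAMPLE_LINES)):
        print(f"{ip} repeats {mn} x{n}")
    print("\n".join(to_zabbix_sender(SAMPLE_LINES)))
```

Run it against a real collector file with `summarise(open("/var/log/messages"))`, and pipe the `to_zabbix_sender` output to `zabbix_sender -z <server> -i -`. The same match-and-forward can be done without a script by the Zabbix agent's own `log[]` item on the collector box (for example `log[/var/log/messages,"%IP-4-DUPADDR",,,skip]`), which is the setup post #2 describes; either way, keep the forwarded subset small, because every matched line becomes a history row in the Zabbix database.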