Tags: ubuntu, syslog, opennms, asa

OpenNMS Syslogd Configuration


I am trying to configure OpenNMS to receive Syslog messages from an ASA. My syslogd-configuration file looks like so:

<configuration
    syslog-port="514"
    new-suspect-on-message="false"
    parser="org.opennms.netmgt.syslogd.CustomSyslogParser"
    forwarding-regexp="((.+?) (.*))\r?\n?$"
    matching-group-host="2"
    matching-group-message="3"
    />

The syslog messages arrive in this format:

Sep 13 08:36:37 192.168.75.254 %ASA-4-106023: Deny tcp src outside:144.5.5.255/56607 dst inside:192.168.75.102/23 by access-group "outside_access_in" [0x0, 0x0]

With this config, I can get syslog messages into OpenNMS, but they come through as indeterminate. It seems as though this regex cannot parse. When I test this regex on other websites like regex101.com, it clearly says that there is not a match. I have created a regex that does match how I need:

\b(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\s*([\s\S]*)

BUT when I add this to the config, I no longer get any Syslog Messages at all.

Does anyone have an idea of how I make this happen? I have spent way too much time on this as is.


Solution

  • Ok so I seem to have figured this out. I am going to attempt to post a complete answer here hoping that it helps someone out. The docs are not the clearest on this.

    References I used for the configuration are Syslogd and TechTarget.

    First you need to set up the $OPENNMS_HOME/etc/syslogd-configuration.xml to have the following:

    <configuration
        syslog-port="10514"
        new-suspect-on-message="false"
        parser="org.opennms.netmgt.syslogd.CustomSyslogParser"
        forwarding-regexp="((.+?) (.*))\r?\n?$"
        matching-group-host="2"
        matching-group-message="3"
        />
    
    <ueiList>
        <ueiMatch>
            <match type="regex" expression="YOUR REGEX HERE"/>
            <uei>uei.opennms.org/foo1/foo2/foo3</uei>
        </ueiMatch>
    </ueiList>
    

    The ueiList element was my first problem. This is where you actually map the syslog message to a custom uei. The uei can be customized to create any unique identifier you wish to have.

    My second problem was with mapping the custom uei to have properties, such as an alert level. This is accomplished through the $OPENNMS_HOME/etc/eventconf.xml file. I inserted the following code right below the </global> tag to configure properties for my new custom uei.

    <event> <!-- 00-custom.conf -->
        <uei>uei.opennms.org/foo1/foo2/foo3</uei>
        <event-label>Event Label Here</event-label>
        <descr>
               An event description here
        </descr>
        <logmsg dest='logndisplay'>Here is the Log: %parm[all]%</logmsg>
        <severity>Critical</severity>
    </event>
    

    With these in place, syslog messages should come in with the desired properties. NOTE: In my scenario I am using non-standard syslog messages, which is why I have to use the parser="org.opennms.netmgt.syslogd.CustomSyslogParser" setting in my syslogd-configuration.xml file. If you are using Syslog-NG or a better-formatted syslog, there are other options.

    To help with troubleshooting, you can go to $OPENNMS_HOME/etc or $OPENNMS_HOME/bin and run the following: opennms -v status. This should show you every running process for NMS and their status.

    NOTE: After changing a config file you must run service opennms restart (Debian systems) to reload the new configuration. If you get the JVM error or the "couldn't connect to local host" error, it is most likely because you broke one of these two configs. Even adding an extra space at the top of the XML file will create this problem. Use care when editing the files, and I highly recommend creating backups.
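As an added check that is not part of the question or the answer above, the following Python script applies the question's forwarding-regexp (and the alternative regex from the question) to the posted ASA line and shows which host and message each one yields, then runs a constructed ueiMatch regex for the ASA 106023 message against the resulting message body. It assumes the parser requires forwarding-regexp to match the whole line (as Java's Matcher.matches() would), that ueiMatch regexes are searched for anywhere in the message, and that Python's re behaves like java.util.regex for these patterns; the `%ASA-\d-106023:` pattern and the helper names are my own.

```python
import re

# Constructed sample: the ASA line from the question on a single line
# (the wrap in the post is only display).
SAMPLE = ('Sep 13 08:36:37 192.168.75.254 %ASA-4-106023: Deny tcp src '
          'outside:144.5.5.255/56607 dst inside:192.168.75.102/23 '
          'by access-group "outside_access_in" [0x0, 0x0]')

# forwarding-regexp and group numbers from the posted syslogd-configuration.xml
FORWARDING_REGEXP = r'((.+?) (.*))\r?\n?$'
HOST_GROUP, MESSAGE_GROUP = 2, 3

# The alternative regex proposed in the question (host is group 1, message group 2)
ALT_REGEXP = r'\b(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\s*([\s\S]*)'


def split_host_message(line, regexp, host_group, message_group, whole_line=True):
    """Return (host, message) from the numbered groups, or None on no match.

    whole_line=True mimics Java's Matcher.matches() (the whole line must
    match), assumed here to be how the parser applies forwarding-regexp;
    whole_line=False mimics Matcher.find(), which is what regex101 shows.
    """
    m = re.fullmatch(regexp, line) if whole_line else re.search(regexp, line)
    if m is None:
        return None
    return m.group(host_group), m.group(message_group)


# ueiMatch entries as (regex, uei). The regex is a constructed example for
# the ASA 106023 deny message; the uei is the placeholder from the answer.
UEI_MATCHES = [
    (r'%ASA-\d-106023:', 'uei.opennms.org/foo1/foo2/foo3'),
]


def map_uei(message, matches=UEI_MATCHES):
    """Return the uei of the first ueiMatch regex found in the message,
    or None if nothing matches (the event would then stay unmapped)."""
    for pattern, uei in matches:
        if re.search(pattern, message):
            return uei
    return None


if __name__ == '__main__':
    print('forwarding-regexp, whole line:',
          split_host_message(SAMPLE, FORWARDING_REGEXP, HOST_GROUP, MESSAGE_GROUP))
    print('alternative, whole line:', split_host_message(SAMPLE, ALT_REGEXP, 1, 2))
    print('alternative, find:', split_host_message(SAMPLE, ALT_REGEXP, 1, 2, False))
    print('uei:', map_uei(SAMPLE))
```

Running it shows the posted forwarding-regexp taking "Sep" as the host, and the alternative regex matching only under find semantics, which is consistent with regex101 reporting a match while the whole-line parser does not.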