The Integrated Syslog Server
Last updated: December 06, 2012
1. The Integrated Syslog Server
As of version 1.2.1i4 the Check_MK Event Console has an integrated syslog server. When it is enabled, the EC listens on UDP port 514 for incoming syslog messages. These messages are handled exactly like those read from the pipe.
This feature simplifies the setup a bit. Instead of directing syslog messages to a local syslog server that then writes them into the EC's pipe, the EC receives the messages directly. Why would you want to do that? Here are some reasons:
Note: the integrated syslog server is not a replacement for a central syslog archive! The Event Console is designed just to pick a few relevant messages out of the message stream, based on your rules. While it is theoretically possible to process all incoming messages and create events for them, you would soon run into performance and handling problems.
2. Enabling the Integrated Syslog Server (manual setup)
Activating the syslog server would be fairly simple if it were not for the problem of privileged ports. Opening UDP port 514 for listening requires privileges that usually only root has. If you intend to run mkeventd as root, then this is not a problem. Simply call it with the additional option --syslog:
root@linux# mkeventd --syslog ..other options...
If you want to run the EC without root privileges, you need to use the helper program mkeventd_open514. It is shipped together with mkevent in the directory src/ and needs to be compiled with make:
root@linux# cd mkeventd-1.2.1i4/src
root@linux# make
make diet gcc -O2 -s -o mkevent mkevent.c || \
gcc -O2 -o mkevent mkevent.c
gcc -O2 -o mkeventd_open514 mkeventd_open514.c
Now install the resulting binary mkeventd_open514 into the same directory as mkeventd and make it SUID root (this example assumes that mkeventd is installed in /usr/local/bin/):
root@linux# cp mkeventd_open514 /usr/local/bin
root@linux# chown root:root /usr/local/bin/mkeventd_open514
root@linux# chmod 4755 /usr/local/bin/mkeventd_open514
To start mkeventd with syslog enabled as a normal user, call this helper program instead and supply the options --syslog and --syslog-fd 3:
root@linux# /usr/local/bin/mkeventd_open514 --syslog --syslog-fd 3 ...other options...
For your information: the helper program mkeventd_open514 opens UDP port 514 as file descriptor 3 and then starts the "real" mkeventd. The open socket is inherited as file descriptor 3. The event daemon reuses that instead of opening the port itself.
As of version 1.2.3i2 you can additionally use the parameters --syslog-tcp and --syslog-tcp-fd 4 to also open TCP port 514 to receive syslog messages over TCP.
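The UDP hand-over described in this section, as an added sketch in C that is not the source of mkeventd_open514: a privileged helper binds the port, places the socket on a fixed descriptor, gives up root and executes the daemon. The function names, the privilege drop and the DAEMON_PATH value (taken from the install directory assumed above) are assumptions of this example.

```c
/* Added illustration of the fd-passing pattern; not the source of mkeventd_open514. */
#include <fcntl.h>
#include <netinet/in.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

#define DAEMON_PATH "/usr/local/bin/mkeventd" /* assumed: the install dir used on this page */

/* Bind a UDP socket to `port` (all addresses) and move it to `target_fd`.
 * Returns target_fd, or -1 on error. */
int open_udp_on_fd(unsigned short port, int target_fd)
{
    struct sockaddr_in addr = { .sin_family = AF_INET, .sin_port = htons(port) };
    int s = socket(AF_INET, SOCK_DGRAM, 0);
    if (s < 0) return -1;
    if (bind(s, (struct sockaddr *)&addr, sizeof addr) < 0) { close(s); return -1; }
    if (s == target_fd) return s;          /* already in place */
    if (dup2(s, target_fd) < 0) { close(s); return -1; }  /* duplicate has no FD_CLOEXEC */
    close(s);
    return target_fd;
}

/* Give up root for good: group first, then user, then check it cannot come back. */
int drop_privileges(void)
{
    if (setgid(getgid()) != 0 || setuid(getuid()) != 0) return -1;
    if (getuid() != 0 && setuid(0) == 0) return -1;
    return 0;
}

/* 1 if `fd` is a UDP socket that survives exec(), else 0. */
int fd_is_inheritable_udp(int fd)
{
    int type = 0, flags = fcntl(fd, F_GETFD);
    socklen_t len = sizeof type;
    if (flags < 0 || (flags & FD_CLOEXEC)) return 0;
    if (getsockopt(fd, SOL_SOCKET, SO_TYPE, &type, &len) < 0) return 0;
    return type == SOCK_DGRAM;
}

int main(int argc, char **argv)
{
    (void)argc;
    if (open_udp_on_fd(514, 3) != 3 || drop_privileges() != 0) { perror("setup"); return 1; }
    execv(DAEMON_PATH, argv);              /* daemon inherits the socket as fd 3 */
    perror("execv");
    return 1;
}
```

Everything a SUID root helper does before the privilege drop runs as root, so the sketch limits that part to socket() and bind() and executes a fixed path rather than one taken from the command line.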
3. Enabling the Integrated UDP Syslog Server (OMD)
All you have to do is enable the new omd config option MKEVENTD_SYSLOG. You can do this interactively with omd config or with a single command:
OMD[mysite]:~$ omd config set MKEVENTD_SYSLOG on
4. Enabling the Integrated TCP Syslog Server (OMD)
As of version 1.2.3i2 the Event Console is also able to listen for incoming syslog messages via TCP. When using OMD you can enable this option in the same way as the UDP syslog server. The option is named MKEVENTD_SYSLOG_TCP.