How to enable the syslog monitoring-Zabbix

-

Steps need to be performed:

 On the Syslog server side: 

1. Install the rsyslog

sudo yum install rsyslog

2. Enable rsyslog service: Start and enable the rsyslog service if it’s not already running:

sudo systemctl start rsyslog
sudo systemctl enable rsyslog

3. Configure rsyslog to accept remote logs: Open the rsyslog configuration file:

vi /etc/rsyslog.conf

Uncomment or add the following lines to enable UDP or TCP log reception:

# Provides UDP syslog reception

module(load="imudp")

input(type="imudp" port="514")


# Provides TCP syslog reception

module(load="imtcp")

input(type="imtcp" port="514")


4. Restart the rsyslog service: After saving the configuration file, restart rsyslog to apply the changes:

sudo systemctl restart rsyslog


5. Ensure the firewall is configured to allow the TCP/UDP port 514 or disable the firewall service.


6. Ensure that SELinux is disable if not disable it

Check the status of SELinux

sestatus

Disable it

sudo setenforce 0

Note: you can permanently disable it from selinux conf file.


7. Ensure that zabbix agent is running on syslogserver, if not install the zabbix-agent

rpm -Uvh https://repo.zabbix.com/zabbix/6.0/rhel/8/x86_64/zabbix-release-6.0-5.el8.noarch.rpm
dnf clean all

dnf install zabbix-agent

systemctl restart zabbix-agent
systemctl enable zabbix-agent


8. Edit the zabbix agent config file and provide the zabbix server ip
vi /etc/zabbix/zabbix-agentd.conf

Server= zabbix_server_ip

ServerActive= zabbix_server_ip


9. Restart the zabbix-agent

systemctl restart zabbix-agent


10. Provide the sufficient permission to Zabbix_agent to read the file /var/log/messages

Change Group Ownership of /var/log/messages to a group that Zabbix belongs to:

sudo chgrp zabbix /var/log/messages

Set Group Read Permissions: Allow the Zabbix group to read the log file:

sudo chmod 640 /var/log/messages


11. Verify Logs on the Syslog Server: You can verify if the syslog server is receiving logs from clients by checking the logs:

tail -f /var/log/messages



On the Client server side: 

1. Configure Syslog Clients (other hosts) to Forward Logs: On the client machines (hosts sending logs to your syslog server), open the rsyslog configuration file:

sudo vi /etc/rsyslog.conf

Add the following lines to forward logs to the syslog server:

*.* @Syslog_Server_IP:514   # For UDP

*.* @@Syslog_Server_IP:514  # For TCP


2. Then, restart rsyslog on the client machines:

sudo systemctl restart rsyslog


3. Ensure the firewall is configured to allow the required port or disable the firewall service.


4. Ensure that SELinux is disable if not disable it

Check the status of SELinux

sestatus

Disable it

sudo setenforce 0

Note: you can permanently disable it from selinux conf file.


5. Now you can create a Test Log Entry on the client server:

sudo logger "Test log entry from client server"

and now you can go on Syslog server side and verify whether it is reflected or not


6. If there is any issue to forward the log on syslog server, you can check the logs on the client server:

sudo tail -f /var/log/syslog



On the monitoring Side:(Zabbix frontend)

To monitor the log,

Step 1: Add the Syslog server in Zabbix frontend.


Step2: Now we need to add the UserParameter in the Zabbix-agent conf file of Syslog server

1. Edit the Zabbix agent configuration file on the syslog server:

sudo nano /etc/zabbix/zabbix_agentd.conf

2. Define a UserParameter for log monitoring: Add the following line to monitor the /var/log/messages file. The Zabbix agent will use this custom key to read the log file:

UserParameter=syslog.log,/usr/bin/tail -n 100 /var/log/messages

This will allow Zabbix to read the last 100 lines of /var/log/messages when the item key syslog.log is used.

Restart the Zabbix agent to apply the changes:

sudo systemctl restart zabbix-agent


Step 3: Create a New Item in Zabbix Frontend

  1. Go to the Zabbix frontend → Configuration → Hosts.

  2. Select the syslog server host.

  3. Click Items → Create Item.

  4. Configure the item as follows:

    • Name: Monitor Syslog
    • Type: Zabbix agent
    • Key: syslog.log
    • Type of information: Log
    • Update interval: Set the desired interval (e.g., 60s).
    • Log time format: Default.

  5. Click Add to save the item.

Step 4: Now you can check the latest data.







Comments

Post a Comment

Popular posts from this blog

Zabbix installation: Distribution setup

-
  On Zabbix core server: Step1:   Install Zabbix repository rpm -Uvh https://repo.zabbix.com/zabbix/6.0/rhel/8/x86_64/zabbix-release-latest-6.0.el8.noarch.rpm dnf clean all Step2: Install Zabbix server, frontend, agent dnf install zabbix-server-mysql zabbix-web-mysql zabbix-apache-conf zabbix-selinux-policy zabbix-agent Step3:   Configure the database for Zabbix server Edit file /etc/zabbix/zabbix_server.conf DBHost= DBserver_ip DBName= DBUser= DBPassword= DBPort=3306 Step4:  Start Zabbix server and agent processes systemctl restart zabbix-server zabbix-agent httpd php-fpm systemctl enable zabbix-server zabbix-agent httpd php-fpm On Zabbix Database Server: Step1:   Install Zabbix repository rpm -Uvh https://repo.zabbix.com/zabbix/6.0/rhel/8/x86_64/zabbix-release-latest-6.0.el8.noarch.rpm dnf clean all Step2: Install the sql script, zabbix agent  dnf install zabbix-sql-scripts zabbix-selinux-policy zabbix-agent Step3: Install the mysql server yum install my...
Read more

Zabbix built-in HA Vs Pacemaker/corosync

-
 Built-in HA in Zabbix Since Zabbix 7.0, Zabbix Server has built-in high availability (HA) support. This means: You can run multiple Zabbix server nodes. Only one is active at a time. The others are standby and can take over if the active one fails. Failover is handled internally by Zabbix, using database coordination (it stores node status in the DB). So why Pacemaker and Corosync then? You don’t need Pacemaker + Corosync for the Zabbix Server itself anymore if you’re using built-in HA. However, there are still scenarios where Pacemaker/Corosync may be useful: When to Use Pacemaker/Corosync Database Failover: Zabbix’s built-in HA does not handle database HA. Pacemaker/Corosync can manage MySQL/MariaDB/PostgreSQL clusters with automatic failover.        2. Frontend High Availability: Zabbix frontend (Apache/Nginx + PHP) does not have built-in HA. You can use Pacemaker/Corosync (or HAProxy/Keepalived) to manage failover of frontend nodes and virtual IPs.   ...
Read more