I have configured syslog messages following the documentation but it does not work
Any Spectrum release on Linux running rsyslog server on the same host
Identify a root cause of traps not arriving / being processed by Spectrum
1. Collect a tcpdump capture to see whether the syslog message arrives at the syslog server:
tcpdump -envi any -s0 port 514 -w /tmp/syslog_traffic.pcap
2. Add an extra logging action to Spectrum_RSyslog.conf to see whether the syslog messages are matched by the filters:
if (re_match($syslogtag,"Alarm")==1) then {
    if ($syslogpriority<=2) then {
        action(type="omsnmp" transport="udp" server="spectrum" trapoid="1.3.6.1.4.1.19406.1.2.1" port="162" version="1"
               messageoid="1.3.6.1.4.1.19406.1.1.2.1" community="public" template="SNMPFormat_ALARM")
        action(type="omfile" file="/var/log/networklog")
        stop
    }
}
3. Collect a tcpdump capture to see whether the syslog server sends a trap to Spectrum once the syslog message is matched:
tcpdump -envi any -s0 port 162 -w /tmp/traps.pcap
Note: Traps should be sent from the syslog server's hostname / IP and received on the Spectrum hostname / IP to match the RsyslogServer model in Spectrum.
If you see communication on the loopback address (127.0.0.1), it will not work.
*Optionally check the /etc/hosts file to correct the configuration.
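One way to do the /etc/hosts check from the note above, as an added example that is not part of the original article: the function reports which of the given names a hosts-style file maps to a loopback address. The name "spectrum" is the server= value from the rsyslog action in step 2; "syslog01" and all addresses in the sample are constructed for illustration.

```shell
#!/bin/sh
# Added example: report which of the given names an /etc/hosts-style file
# maps to a loopback address (127.0.0.0/8 or ::1).
# Usage: loopback_names HOSTS_FILE NAME [NAME...]
loopback_names() {
    hosts_file=$1
    shift
    for name in "$@"; do
        awk -v want="$name" '
            { sub(/#.*/, "") }        # drop trailing comments
            NF < 2 { next }           # need an address and at least one name
            $1 ~ /^127\./ || $1 == "::1" {
                for (i = 2; i <= NF; i++)
                    if (tolower($i) == tolower(want)) {
                        print want " -> " $1
                        exit
                    }
            }
        ' "$hosts_file"
    done
}

# Constructed sample input (not taken from a real system).
sample=$(mktemp)
cat > "$sample" <<'EOF'
127.0.0.1   localhost localhost.localdomain
127.0.0.1   spectrum        # trap target resolves to loopback
192.0.2.10  syslog01
EOF
loopback_names "$sample" spectrum syslog01
rm -f "$sample"
```

On a real host, run it as loopback_names /etc/hosts followed by the names used for the syslog server and for Spectrum; any line of output names an entry to correct.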