Cacti / plugin_syslog

Syslog Plugin for Cacti
GNU General Public License v2.0

source and destination IP #224

Closed rtty88 closed 5 months ago

rtty88 commented 5 months ago

Is your feature request related to a problem? Please describe.
It is not related to a problem.

Describe the solution you'd like
It would be a good idea to have two columns, for source IP and destination IP, and the possibility to increase the list view, e.g. to 100 or more, to see all the syslog in one page.

Additional context

arno-st commented 5 months ago

When you say list view, do you mean the number of messages per page (that's the Messages filter) or the length of the message (that's the Trim inside the filter part)?

As for the destination / source, it depends on the type of messages sent by syslog; I have tons of messages that don't have src/dst information.

Inside Cacti there is no interpretation of the message, it's just a display. It will be hard if not impossible to define all types of message and display the column depending on the content.

rtty88 commented 5 months ago

Yes, I mean the number of messages per page, to be increased if possible,

and yes, I agree with you for source and destination; maybe it will be impossible to have them separated.

arno-st commented 5 months ago

For the number of messages, you can change the default view inside: Console -> Configuration -> Settings -> Syslog

It's the field name 'Max. report Records'.

That is the max number of messages you view by default; I think it's what you want.

And if you want to change it just when you view your messages, select Messages in the first part of the screen:

rtty88 commented 5 months ago

Yes, I found it now, thanks. One more question:

Is there any way to show me the hostname without the IP?

arno-st commented 5 months ago

Hmm, mine is displaying the hostname. But since it's what I have in the database, I think this part is done by the rsyslog daemon, not by Cacti itself.

Can you tell me what template you have in rsyslog.conf for cacti_syslog?

rtty88 commented 5 months ago

/etc/rsyslog.d/cacti.conf

```
$ModLoad imudp
$UDPServerRun 514
$ModLoad ommysql

# Template that ommysql uses to write each received message into the plugin's
# incoming table. The host column receives %HOSTNAME%, the hostname field of
# the message header as sent by the device, not the address the datagram came from.
$template cacti_syslog,"INSERT INTO syslog_incoming(facility_id, priority_id, program, logtime, host, message) values (%syslogfacility%, %syslogpriority%, '%programname%', '%timegenerated:::date-mysql%', '%HOSTNAME%', TRIM('%msg%'))"

# Legacy ommysql action: host,database,user,password;template
*.* >localhost,cacti,username,xxxxxxxx;cacti_syslog
```

/etc/rsyslog.conf

```
#### MODULES ####

module(load="imuxsock"    # provides support for local system logging (e.g. via logger command)
       SysSock.Use="off") # Turn off message reception via local log socket;
                          # local messages are retrieved through imjournal now.
module(load="imjournal"             # provides access to the systemd journal
       UsePid="system"              # PID number is retrieved as the ID of the process the journal entry originates from
       StateFile="imjournal.state") # File to store the position in the journal
module(load="imklog") # reads kernel messages (the same are read from journald)
module(load="immark") # provides --MARK-- message capability

# Provides UDP syslog reception
# for parameters see http://www.rsyslog.com/doc/imudp.html
# NOTE: imudp is loaded and bound to port 514 here and again in
# /etc/rsyslog.d/cacti.conf; rsyslog will complain that the module is already
# loaded, so one of the two copies can be dropped.
module(load="imudp") # needs to be done just once
input(type="imudp" port="514")
$ModLoad imudp
$UDPServerRun 514

# Provides TCP syslog reception
# for parameters see http://www.rsyslog.com/doc/imtcp.html
module(load="imtcp") # needs to be done just once
input(type="imtcp" port="514")

#### GLOBAL DIRECTIVES ####

# Where to place auxiliary files
global(workDirectory="/var/lib/rsyslog")

# Use default timestamp format
module(load="builtin:omfile" Template="RSYSLOG_TraditionalFileFormat")

# Include all config files in /etc/rsyslog.d/
include(file="/etc/rsyslog.d/*.conf" mode="optional")

#### RULES ####

# Log all kernel messages to the console.
# Logging much else clutters up the screen.
kern.*                                                  /dev/console

# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none;local0.none    /var/log/messages

# The authpriv file has restricted access.
authpriv.*                                              /var/log/secure

# Log all the mail messages in one place.
mail.*                                                  -/var/log/maillog

# Log cron stuff
cron.*                                                  /var/log/cron

# Everybody gets emergency messages
*.emerg                                                 :omusrmsg:*

# Save news errors of level crit and higher in a special file.
uucp,news.crit                                          /var/log/spooler

# Save boot messages also to boot.log
local7.*                                                /var/log/boot.log

# ### sample forwarding rule ###
# (stock sample, left disabled: Target and Port are placeholders)
#action(type="omfwd"
# An on-disk queue is created for this action. If the remote host is
# down, messages are spooled to disk and sent when it is up again.
#queue.filename="fwdRule1"       # unique name prefix for spool files
#queue.maxdiskspace="1g"         # 1gb space limit (use as much as possible)
#queue.saveonshutdown="on"       # save messages to disk on shutdown
#queue.type="LinkedList"         # run asynchronously
#action.resumeRetryCount="-1"    # infinite retries if host is down
# Remote Logging (we use TCP for reliable delivery)
# remote_host is: name/ip, e.g. 192.168.0.1, port optional e.g. 10514
#Target="remote_host" Port="XXX" Protocol="tcp")
```

TheWitness commented 5 months ago

It's a setting in Syslog to resolve IP to hostname. Syslog also maintains a cache.
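As an added illustration, not code from plugin_syslog or rsyslog, the following shows where the value in the host column of the posted template comes from and what the resolve-with-cache step described above does to it. It assumes that %HOSTNAME% carries the hostname field of the RFC 3164 header (not the sender address); the log lines and the reverse-DNS table are constructed so it runs offline.

```python
import ipaddress
import re
from functools import lru_cache

# RFC 3164 header: <PRI>Mmm dd hh:mm:ss HOSTNAME TAG: MSG
_HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>\w{3} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<tag>[^:\s]+):\s?(?P<msg>.*)$"
)

# Constructed sample lines: one device announces itself by name, the other
# writes its own IP into the HOSTNAME field, which is what ends up in the view.
SAMPLE_LINES = [
    "<134>Jan 24 13:10:31 core-sw01 snmpd: Link up on port 3",
    "<134>Jan 24 13:10:32 10.0.0.7 sshd: Accepted publickey for admin",
]

# Constructed reverse-DNS table standing in for socket.gethostbyaddr, so the
# example runs offline and deterministically.
REVERSE_DNS = {"10.0.0.7": "fw-edge01.example.net"}

def parse_rfc3164(line):
    """Split a line into the fields the posted template stores; 'host' is the
    header hostname, i.e. what rsyslog's %HOSTNAME% carries (assumption)."""
    m = _HEADER.match(line)
    if not m:
        raise ValueError(f"not an RFC 3164 line: {line!r}")
    fields = m.groupdict()
    # PRI = facility * 8 + severity, the same split %syslogfacility% and
    # %syslogpriority% make in the template.
    fields["facility_id"], fields["priority_id"] = divmod(int(fields.pop("pri")), 8)
    return fields

@lru_cache(maxsize=4096)  # one way to keep the cache the thread mentions
def resolve(host):
    """Turn an IP literal into a name; names pass through, unknown IPs stay IPs."""
    try:
        ipaddress.ip_address(host)
    except ValueError:
        return host          # already a hostname, nothing to resolve
    return REVERSE_DNS.get(host, host)

def host_column(line):
    """Value the syslog view shows once the resolve step has run."""
    return resolve(parse_rfc3164(line)["host"])
```

A device that reports an IP in its header still shows an IP unless reverse DNS (or a Cacti device entry) can name it, which is the case this thread is chasing.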

rtty88 commented 5 months ago

How can I fix it then, when you close the issue without explaining clearly?

rtty88 commented 5 months ago

@TheWitness

TheWitness commented 5 months ago

Syslog only has an origin IP. There is no destination IP. If you have a message with source and destination amongst millions of different message classes, you would have to write a dissector for it.

If that's the case, if I were you, I would sanction a developer to write a plugin that interprets and displays your messages from that syslog data, as for now, in the current design, it does not belong in syslog directly.

It's a great idea, but my preference would be to do it that way. Splunk by the way does this exceptionally well.

arno-st commented 5 months ago

No, I think the latest question is related to the syslog view, where he sees the IP address of the source of the message, not the hostname. Not the IP source/dest inside the messages (I think it is clear for him now that Cacti can't interpret messages).

TheWitness commented 5 months ago

There were multiple topics actually. So, DNS resolution is broken?

rtty88 commented 5 months ago

Well yes guys, thanks, but is it possible to see the hostname instead of the IP address? I have also tried to add devices in Cacti itself in order to be shown as hostname, but I still get only IPs in the syslog plugin.