alerta / alerta-contrib

Contributed integrations, plugins and custom webhooks
http://alerta.io
MIT License

syslog implementation steps required #338

Closed callahan22 closed 3 years ago

callahan22 commented 3 years ago

There seems to be little to no documentation to implement the syslog component. I've built a custom docker image with the syslog forwarder baked in. I've exposed port 514/udp and 514/tcp on my docker host.

Now what?

I can send syslogs to the docker host but nothing appears in Alerta. What do I need to configure? The alertad.conf file? If so, what options are available to me? Where do I put the community settings?

Happy to add the config I use to this post for others to benefit if I can get it working!

satterly commented 3 years ago

Did you take a look at the README? https://github.com/alerta/alerta-contrib/blob/master/integrations/syslog/README.md If so, what settings have you made so far, and where?

callahan22 commented 3 years ago

Hi Nick,

I did, so perhaps I'm just being a bit dumb! I've got it installed via pip in a custom docker build and confirmed it's installed by exec'ing into the container. The ports are mapped in the docker-compose file, so 514 TCP & UDP are open.

Edit: After some further playing...

My docker container is running on ports: 0.0.0.0:514->514/tcp, 0.0.0.0:8080->8080/tcp, 0.0.0.0:514->514/udp

alertad.conf

SYSLOG_TCP_PORT=514
SYSLOG_UDP_PORT=514

alerta.conf

SYSLOG_TCP_PORT=514
SYSLOG_UDP_PORT=514

I'm passing the following env variable in docker-compose:

    environment:
      - DEBUG=1

I'm testing from the Linux host running the docker container: logger -n 127.0.0.1 -P 514 "Test message"

I was expecting something to show up in the web GUI but I see nothing. The logs seem to suggest that it's receiving the test syslog:

****************************************
2020-12-23 11:35:05,609 DEBG 'uwsgi' stdout output:
[2020-12-23 11:35:05,609] DEBUG in base:
****************************************
            INSERT INTO metrics ("group", name, title, description, count, total_time, type)
            VALUES ('alerts', 'queries', 'Alert queries', 'Total time and number of alert queries', 1, 8, 'timer')
            ON CONFLICT ("group", name, type) DO UPDATE
                SET count=metrics.count + 1, total_time=metrics.total_time + 8
            RETURNING *
****************************************

satterly commented 3 years ago

I would guess alert-syslog is not even running. Did you start it? What's the log or debug output for it?

callahan22 commented 3 years ago

I created a custom Dockerfile as follows:

# Pull base image from alerta-web
FROM alerta/alerta-web
# Switch to root
USER root
# Update base image
RUN apt-get update
RUN apt-get -y upgrade
RUN apt-get autoclean
RUN apt-get clean
RUN pip install --upgrade pip
USER 1001
# Install additional integrations
RUN /venv/bin/pip install git+https://github.com/alerta/alerta-contrib.git#subdirectory=integrations/mailer
RUN /venv/bin/pip install git+https://github.com/alerta/alerta-contrib.git#subdirectory=integrations/syslog
RUN /venv/bin/pip install python-ldap

Starting up alerta, from the logs, I see the following integrations loaded at startup:

MongoDB shell version v4.2.11
psql (PostgreSQL) 11.9 (Debian 11.9-0+deb10u1)
Python 3.7.9
Package                  Version
------------------------ ---------
aiohttp                  3.7.3
alerta                   8.3.0
alerta-alertops          1.0.0.1
alerta-amqp              5.4.1
alerta-cachet            5.0.1
alerta-ding              0.0.1
alerta-enhance           5.3.3
alerta-geoip             5.4.0
alerta-influxdb          5.4.3
alerta-logger            5.3.2
alerta-logstash          5.3.3
alerta-mailer            5.2.1
alerta-mattermost        1.1.3
alerta-msteams           5.2.1
alerta-normalise         5.3.1
alerta-op5               5.0.2
alerta-opsgenie          5.0.2
alerta-pagerduty         5.3.1
alerta-prometheus        5.4.0
alerta-pubsub            5.2.2
alerta-pushover          5.3.2
alerta-rocketchat        5.0.0
alerta-server            8.3.1
alerta-slack             5.5.1
alerta-sns               5.3.1
alerta-syslog            3.5.0
alerta-telegram          5.1.3
alerta-twilio            5.4.0
alerta-zabbix            5.1.2
amqp                     5.0.2
async-timeout            3.0.1
attrs                    20.3.0
bcrypt                   3.2.0
blinker                  1.4
boto                     2.49.0
Brotli                   1.0.9
cachetools               4.2.0
certifi                  2020.12.5
cffi                     1.14.4
chardet                  3.0.4
click                    7.1.2
cryptography             3.2.1
decorator                4.4.2
defusedxml               0.6.0
Flask                    1.1.2
Flask-Compress           1.8.0
Flask-Cors               3.0.9
google-api-core          1.24.0
google-auth              1.24.0
google-cloud-pubsub      2.2.0
googleapis-common-protos 1.52.0
grpc-google-iam-v1       0.12.3
grpcio                   1.34.0
httplib2                 0.18.1
idna                     2.10
importlib-metadata       3.3.0
influxdb                 5.3.1
itsdangerous             1.1.0
Jinja2                   2.11.2
kombu                    5.0.2
libcst                   0.3.15
lxml                     4.6.2
MarkupSafe               1.1.1
matterhook               0.2
mohawk                   1.1.0
msgpack                  1.0.1
multidict                5.1.0
mypy-extensions          0.4.3
oauth2client             4.1.3
op5lib                   1.0
pbr                      5.5.1
pip                      20.1.1
proto-plus               1.13.0
protobuf                 3.14.0
psycopg2                 2.8.6
pyasn1                   0.4.8
pyasn1-modules           0.2.8
pycparser                2.20
PyJWT                    1.7.1
pymongo                  3.11.2
pymsteams                0.1.14
pyOpenSSL                20.0.1
pyparsing                2.4.7
pysaml2                  6.3.1
python-cachetclient      0.2.5
python-dateutil          2.8.1
python-ldap              3.3.1
pytz                     2020.4
PyYAML                   5.3.1
pyzabbix                 0.8.2
redis                    3.5.3
requests                 2.25.0
requests-hawk            1.0.1
rsa                      4.6
sentry-sdk               0.19.4
setuptools               51.0.0
six                      1.15.0
tabulate                 0.8.7
telepot                  12.7
termcolor                1.1.0
twilio                   6.50.0
typing-extensions        3.7.4.3
typing-inspect           0.6.0
urllib3                  1.26.2
uWSGI                    2.0.19.1
vine                     5.0.0
Werkzeug                 1.0.1
yarl                     1.6.3
zipp                     3.4.0

Alerta init process complete; ready for start up.

Log files from sudo docker logs -f alerta that seem to relate to the syslog test that I am running with: logger -i -s -P 514 -n 127.0.0.1 -p 1 -t TEST "mail server is down"

Log:

2020-12-23 13:26:06,828 DEBG 'nginx' stdout output:
ip=\- [\23/Dec/2020:13:26:06 +0000] "\GET /api/alerts/count?group=Misc&status=open HTTP/1.1" \200 \108 "\http://192.168.100.11:8080/alerts" "\Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:84.0) Gecko/20100101 Firefox/84.0"
/web | /api/alerts/count | > GET /api/alerts/count?group=Misc&status=open HTTP/1.1

2020-12-23 13:26:06,830 DEBG 'uwsgi' stdout output:
[2020-12-23 13:26:06,830] DEBUG in base: ****************************************

            SELECT status, COUNT(*) FROM alerts
            WHERE 1=1
AND "group"='Misc'
            GROUP BY status
         LIMIT 50 OFFSET 0
****************************************

2020-12-23 13:26:06,831 DEBG 'uwsgi' stdout output:
[2020-12-23 13:26:06,831] DEBUG in base: ****************************************

            INSERT INTO metrics ("group", name, title, description, count, total_time, type)
            VALUES ('alerts', 'counts', 'Count alerts', 'Total time and number of count queries', 1, 10, 'timer')
            ON CONFLICT ("group", name, type) DO UPDATE
                SET count=metrics.count + 1, total_time=metrics.total_time + 10
            RETURNING *

****************************************

2020-12-23 13:26:06,833 DEBG 'uwsgi' stdout output:
[2020-12-23 13:26:06,833] INFO in logging: "GET /alerts/count HTTP/1.1" 200 108

2020-12-23 13:26:06,834 DEBG 'nginx' stdout output:
ip=\- [\23/Dec/2020:13:26:06 +0000] "\GET /api/alerts/count?group=Misc HTTP/1.1" \200 \108 "\http://192.168.100.11:8080/alerts" "\Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:84.0) Gecko/20100101 Firefox/84.0"
/web | /api/alerts/count | > GET /api/alerts/count?group=Misc HTTP/1.1

2020-12-23 13:26:06,835 DEBG 'uwsgi' stdout output:
[pid: 39|app: 0|req: 17/106] 192.168.100.24 () {46 vars in 1292 bytes} [Wed Dec 23 13:26:06 2020] GET /api/alerts/count?group=Misc => generated 108 bytes in 14 msecs (HTTP/1.1 200) 5 headers in 185 bytes (1 switches on core 0)

satterly commented 3 years ago

There's nothing in the log that tells me that the Alerta API is receiving anything from alerta-syslog. And at no point do you actually start alerta-syslog. It's not a plugin or webhook, so it won't be auto-discovered and loaded by the API at startup. You need to explicitly start the syslog receiver. Adding an entry to supervisord.conf would probably be the easiest way for you to do that.
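One way to start the receiver as a supervisord-managed process inside the alerta-web container, as an added example that is not from this issue or the alerta-contrib project. It assumes the integration installs a console script at /venv/bin/alerta-syslog (the venv used in the Dockerfile above), that the receiver reads its ports and the API endpoint/key from environment variables as the integration README describes (not from alertad.conf), and that the API is reachable inside the container at http://localhost:8080/api.

```ini
[program:alerta-syslog]
; Assumed path of the console script installed by
; pip install ...#subdirectory=integrations/syslog
command=/venv/bin/alerta-syslog
; The receiver takes its settings from its own environment, not from
; alertad.conf (assumption based on the integration README). The API key
; is passed through from the container environment; leave it unset if
; AUTH_REQUIRED is not enabled on the API.
environment=SYSLOG_UDP_PORT="514",SYSLOG_TCP_PORT="514",ALERTA_ENDPOINT="http://localhost:8080/api",ALERTA_API_KEY="%(ENV_ALERTA_API_KEY)s"
autostart=true
autorestart=true
startsecs=5
; Send output to the container log so it shows up in `docker logs`
; alongside the 'uwsgi' and 'nginx' sections
stdout_logfile=/dev/stdout
stdout_logfile_maxbytes=0
redirect_stderr=true
```

If the container runs as a non-root user that is not allowed to bind port 514, set the SYSLOG_*_PORT values to a port above 1024 and map host port 514 to it in docker-compose instead. Once the entry is active, `docker logs` should show a 'alerta-syslog' stdout section; if it never appears, the process is still not being started.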

satterly commented 3 years ago

Closing due to inactivity. If you believe this issue has been closed prematurely please provide more information to help progress the issue. If you do not know what is expected you can ask on Slack.