
syslog plugin is unable to collect data #1

Open
sachinkademane opened this issue Jan 30, 2018 · 12 comments

@sachinkademane

I loaded the syslog plugin in CentOS 7 and my syslog daemon is running. When I start my syslog task to collect metrics to a file, I can see null displaying in the file. When I do snaptel task watch, nothing is showing there. What might be the issue here?
My task file looks like below:

---
  version: 1
  schedule:
    type: "simple"
    interval: "1s"
  max-failures: 10
  workflow:
    collect:
      config:
        /opsvision/syslog:
          port: 1514
          bufsize: 1024
      metrics:
        /opsvision/syslog/counter: {}
        /opsvision/syslog/event/*/summary: {}
        /opsvision/syslog/event/*/message: {}
      publish:
        - plugin_name: "file"
          config:
            file: "/tmp/syslog_metrics.log"

@dishmael
Contributor

dishmael commented Jan 31, 2018

@sachinkademane is there anything else in the /tmp/syslog_metrics.log file other than "null"? Tell me more about how your syslog daemon is configured. Are you sending syslog messages to the plugin on port 1514?

@sachinkademane
Author

My rsyslog.conf looks like below:

# rsyslog configuration file
# For more information see /usr/share/doc/rsyslog-*/rsyslog_conf.html
# If you experience problems, see http://www.rsyslog.com/doc/troubleshoot.html
#### MODULES ####
# The imjournal module bellow is now used as a message source instead of imuxsock.
$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imjournal # provides access to the systemd journal
#$ModLoad imklog # reads kernel messages (the same are read from journald)
#$ModLoad immark  # provides --MARK-- message capability
# Provides UDP syslog reception
$ModLoad imudp
$UDPServerRun 514
# Provides TCP syslog reception
$ModLoad imtcp
$InputTCPServerRun 514
#### GLOBAL DIRECTIVES ####
# Where to place auxiliary files
$WorkDirectory /var/lib/rsyslog
# Use default timestamp format
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
# File syncing capability is disabled by default. This feature is usually not required,
# not useful and an extreme performance hit
#$ActionFileEnableSync on
# Include all config files in /etc/rsyslog.d/
$IncludeConfig /etc/rsyslog.d/*.conf
# Turn off message reception via local log socket;
# local messages are retrieved through imjournal now.
$OmitLocalLogging on
# File to store the position in the journal
$IMJournalStateFile imjournal.state
#### RULES ####
# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.*                                                 /dev/console
# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none                /var/log/messages
# The authpriv file has restricted access.
authpriv.*                                              /var/log/secure
# Log all the mail messages in one place.
mail.*                                                  -/var/log/maillog
# Log cron stuff
cron.*                                                  /var/log/cron
# Everybody gets emergency messages
*.emerg                                                 :omusrmsg:*
# Save news errors of level crit and higher in a special file.
uucp,news.crit                                          /var/log/spooler
# Save boot messages also to boot.log
local7.*                                                /var/log/boot.log
# ### begin forwarding rule ###
# The statement between the begin ... end define a SINGLE forwarding
# rule. They belong together, do NOT split them. If you create multiple
# forwarding rules, duplicate the whole block!
# Remote Logging (we use TCP for reliable delivery)
#
# An on-disk queue is created for this action. If the remote host is
# down, messages are spooled to disk and sent when it is up again.
#$ActionQueueFileName fwdRule1 # unique name prefix for spool files
#$ActionQueueMaxDiskSpace 1g   # 1gb space limit (use as much as possible)
#$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
#$ActionQueueType LinkedList   # run asynchronously
#$ActionResumeRetryCount -1    # infinite retries if host is down
# remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
#10.224.54.99:514
# ### end of the forwarding rule ###

@dishmael
Contributor

I don't see where you are forwarding to the plugin on port 1514. You should have an entry in your rsyslog.conf that looks like...

*.* 127.0.0.1:1514

Replace the IP address with the address that the plugin is binding to.

@sachinkademane
Author

sachinkademane commented Feb 1, 2018

In place of

# remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
#10.224.54.99:514
# ### end of the forwarding rule ###

10.224.54.99:514 should I have an entry of *.* 127.0.0.1:514?

@dishmael
Contributor

dishmael commented Feb 1, 2018

I do not know where the snap-telemetry syslog plugin is installed. However, you have to tell rsyslog to send events to the plugin. The plugin configuration says it will listen on port 1514. Depending on where the plugin is installed, you need to configure rsyslog to send to the plugin. If the plugin is installed locally and listening on 127.0.0.1:1514, then yes, configure rsyslog to send to that and then restart the rsyslog daemon.

@dishmael
Contributor

dishmael commented Feb 6, 2018

@sachinkademane were you able to get things working by making the config changes to rsyslog?

@sachinkademane
Author

@dishmael No, I am still unable to get metrics from syslog. I changed that 127.0.0.1:514 to 1514 but it is still unable to pull metrics. I think my plugin config and rsyslog config now match properly, but I am still unable to pull metrics.

@dishmael
Contributor

dishmael commented Feb 6, 2018

What does it say when you run netstat -an | grep 1514?

@sachinkademane
Author

Since I uncommented UDP and TCP, it is showing the following:

[root@AELAB110 ~]# netstat -an | grep 1514
tcp        0      0 0.0.0.0:1514             0.0.0.0:*               LISTEN
tcp6       0      0 :::1514                  :::*                    LISTEN
udp        0      0 0.0.0.0:1514             0.0.0.0:*
udp6       0      0 :::1514                  :::*

@dishmael
Contributor

dishmael commented Feb 6, 2018

Change your rsyslog.conf to the local IP address (not localhost) and port 1514. Then restart rsyslog and the plugin.

@sachinkademane
Author

Yeah, I did that also and tried, but the result is still the same.

@dishmael
Contributor

dishmael commented Feb 6, 2018

I assume everything you are doing is on the same host. Try setting up a new line to log to a test file in your rsyslog.conf file to confirm it is working properly.

*.* /var/log/testing

When you restart rsyslog, confirm you have a log file /var/log/testing.
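
Added example, not part of the thread and not code from the plugin project: a shell audit of a legacy-syntax rsyslog.conf that lists active forwarding actions (rsyslog writes these as `@host:port` for UDP and `@@host:port` for TCP) and flags the case where rsyslog's own imudp/imtcp listeners occupy the collector's port. The function names and sample config are constructed; port 1514 is taken from the task file, and the transport the plugin accepts is not stated in the thread.

```shell
#!/bin/sh
# Added example: audit a legacy-syntax rsyslog.conf for forwarding to a collector.

# list_forwards FILE -> "proto host port" for each active @ / @@ action
list_forwards() {
    awk '
        /^[ \t]*[#$]/ || NF < 2 { next }     # comments, $directives, blanks
        {
            action = $NF
            if (action ~ /^@@/)     { proto = "tcp"; sub(/^@@/, "", action) }
            else if (action ~ /^@/) { proto = "udp"; sub(/^@/, "", action) }
            else next               # files, users, bare host:port: not forwards
            n = split(action, hp, ":")
            print proto, hp[1], (n > 1 ? hp[2] : 514)
        }' "$1"
}

# list_listeners FILE -> "proto port" for each active imudp/imtcp listener
list_listeners() {
    awk '
        $1 == "$UDPServerRun"      { print "udp", $2 }
        $1 == "$InputTCPServerRun" { print "tcp", $2 }' "$1"
}

# check_forwarding FILE PORT: 0 = forward present and port free of rsyslog
# listeners, 1 = no forward to PORT, 2 = rsyslog itself listens on PORT
check_forwarding() {
    conf=$1; port=$2; status=0
    fwd=$(list_forwards "$conf" | awk -v p="$port" '$3 == p')
    clash=$(list_listeners "$conf" | awk -v p="$port" '$2 == p')
    if [ -z "$fwd" ]; then
        echo "no active @host:$port or @@host:$port action"; status=1
    else
        echo "forwarding to: $fwd"
    fi
    [ -z "$clash" ] || { echo "rsyslog listens on $port itself ($clash)"; status=2; }
    return $status
}

# Constructed sample input (not the poster's file)
sample=$(mktemp)
cat > "$sample" <<'EOF'
$UDPServerRun 514
*.* 127.0.0.1:1514
#*.* @@10.0.0.5:1514
*.* @127.0.0.1:1514
EOF
check_forwarding "$sample" 1514
```

The audit covers only the legacy `selector action` format shown in this thread; RainerScript `action(type="omfwd" ...)` blocks and bracketed IPv6 targets are not parsed.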
