I have RTN working ok via the helpfile example, but I have an issue with syslogs. (forwarded syslogs)
It works ok if the device sends syslogs to my ncm server (with syslog server running).
However, due to the number of devices we have and traffic, they are all already set up to send to a central syslog server (unix, running syslog-ng).
We'd like to have the unix syslog server forward syslog messages to the ncm syslog server (so the 2 servers just talk, not hundreds of devices duplicating syslog messages to 2 servers)
Our Problem:
The first example below is how ncm syslog server sees a syslog message sent directly from a device
The second two examples below are how ncm syslog server sees a syslog message forwarded from the unix central syslog server (one by IP and one by hostname).
Below that is the action (from the helpfile example) that executes on a config change. It uses the ${IP} variable from syslog to go get the current config to compare to the last downloaded config.
Problem is, as you see, the forwarded syslog message from the unix server arrives with the unix server's own hostname and IP, which the action script then tries to use to go get the current config (from the unix server, not the device that sent the message).
We've researched this with syslog-ng and there are 2 options, keep_hostname (set in the syslog.conf file) and --spoof source (which has to be compiled into syslog-ng) that we thought would allow the forwarded message to retain the originating device hostname and IP. I think the --spoof source WOULD work, BUT:
The keep_hostname option did not work, and the Unix team is reluctant to recompile syslog-ng with the spoof source switch enabled. (due to other functions of that syslog server with other equipment)
As you can also see, the hostname of the originating device is the first "word" in the syslog message before the first "space" or ":" in the message.
Is there a way for the action script - rather than using ${IP} - to parse the ${Message} string up to the first space OR ":" and use that to connect to and retrieve the latest config?
The help file only lists a handful of variables that are all preset, so I'm not sure if this is possible; if it is, it would help a lot for us and others with similar issues with syslog forwarding.
Examples below: from our ncm syslog server messages received
10.10.10.200 is the device switch1.domain.com
10.10.5.5 is the unix syslog-ng server (unixsyslog) that is forwarding syslog messages to our ncm syslog server
time/hostname/ip/severity/message
8/4/2011 1:29:52 PM 10.10.10.200 Notice 68: UTC: Configured from console by user1 on vty0 (x.x.x.x)
8/4/2011 1:33:45 PM unixsyslog 10.10.5.5 Notice 10.10.10.200: Aug 4 18:33:49 UTC: Configured from console by user1 on vty0 (x.x.x.x)
8/12/2011 10:56:59 AM unixsyslog 10.10.5.5 Debug switch1.domain.com /kernel: vlan MAC filter: xx:xx:xx:xx:xx:xx from port ge-3/0/17 rejected
action:
"D:\Program Files\SolarWinds\Configuration Management\ConfigAutoDownload.exe" ${IP},RealtimeNotification,${DateTime},${Message}
So in the first line above it works correctly, as the script autodownloads from 10.10.10.200 (the value of ${IP}),
but
in the second two examples, the script is trying to download from 10.10.5.5 or unixsyslog and that's wrong, but it WOULD work if the script could parse the message for the correct host or IP, which IS included in the message itself.
So I'd like to have the action do something like ConfigAutoDownload.exe (parse ${Message} for the first "word" up to the first occurrence of a space or ":" character) instead of ${IP}.
Do you have an example of how that could be done that I can use as my action script?
I'm not sure if a regex would work or is allowed in the action script or not, and an example would be great - my regex skills are lacking.
Thanks!
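As an added example (not the poster's action or any SolarWinds code), here is a small wrapper the action could call instead of ConfigAutoDownload.exe directly, assuming NCM can run a Python script with ${IP} ${DateTime} ${Message} as its three arguments. It only parses the message when the sender is the relay (a direct message begins with a sequence number such as "68:", not a host), and it refuses any token that does not look like an IPv4 address or hostname, because message text is untrusted input from the network and should never become a command-line target unchecked. The relay addresses and tool path are taken from the post; everything else is constructed.

```python
import re
import subprocess
import sys

# Assumed values (from the post): the forwarding syslog-ng relay and the NCM tool path.
RELAY_SENDERS = {"10.10.5.5", "unixsyslog"}
CONFIG_AUTODOWNLOAD = r"D:\Program Files\SolarWinds\Configuration Management\ConfigAutoDownload.exe"

# Strict shapes for an IPv4 address and a hostname (at least one letter, so a
# sequence number such as "68" is never mistaken for a device name). Message text
# is untrusted input that any host on the network can emit, so only a token that
# passes one of these checks is ever used as a connection target.
IPV4_RE = re.compile(r"^(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)$")
HOSTNAME_RE = re.compile(r"^(?=.*[A-Za-z])[A-Za-z0-9][A-Za-z0-9.-]{0,252}$")


def origin_from_message(message):
    """First 'word' of the message (text before the first space or ':'),
    or None if it is not a plausible IPv4 address or hostname."""
    token = re.split(r"[ :]", message.lstrip(), maxsplit=1)[0]
    if IPV4_RE.match(token) or HOSTNAME_RE.match(token):
        return token
    return None


def pick_target(sender, message):
    """Device to fetch the config from: the syslog sender itself for messages that
    arrive directly, or the host named inside the message when the sender is the relay."""
    if sender not in RELAY_SENDERS:
        return sender
    return origin_from_message(message)


def main(argv):
    # Called by the NCM action as: python ncm_action.py ${IP} ${DateTime} ${Message}
    if len(argv) != 4:
        sys.stderr.write("usage: ncm_action.py <sender-ip> <datetime> <message>\n")
        return 2
    sender, date_time, message = argv[1:]
    target = pick_target(sender, message)
    if target is None:
        sys.stderr.write("no usable device address in forwarded message: %r\n" % message)
        return 1
    # Same argument layout as the help-file action, with the parsed target instead of ${IP}.
    arg = "%s,RealtimeNotification,%s,%s" % (target, date_time, message)
    return subprocess.call([CONFIG_AUTODOWNLOAD, arg])


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Messages whose first word is neither an address nor a hostname are logged and skipped rather than handed to the downloader, which is also worth alerting on since a device name that fails the check usually means a relay or parsing misconfiguration.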