E-mail
The syslog-ng.conf file has changed in version 6.x, and may confuse some log file checks. This bulletin should be applied if you check log files with plugins.
Background
The syslog-ng facility in GroundWork is used to capture log files from remote hosts, and place them into individual files by host.
This is done with the Host Splitter definition in the syslog-ng.conf file.
Beginning with 6.0, the syslog-ng.conf file contains many additional optional parameters, designed to make the feeding of data to the event consle faster in large installations. Along with these changes, a change was made to the Host Splitter config so that each individual host log file would be placed in a separate directory.
Problem
If you are using the check_syslog_gw.pl or similar plugins to look through the log files for strings to match and alert on, they will not find the file in the same location as before the upgrade to 6.x and will report errors.
Solution
You can either adjust the syslog-ng.conf file or the commands to call the plugins.
If you prefer to adjust the syslog-ng.conf file, do this:
edit /usr/local/groundwork/common/etc/syslog-ng.conf and change the following line(s):
destination host_splitter { file( "/usr/local/groundwork/common/var/log/syslog-ng/$HOST/$HOST.$YEAR-$MONTH-$DAY"
owner(root) group(root) perm(0644) dir_perm(0755) create_dirs(yes)); };
to:
destination host_splitter {
file(
"/usr/local/groundwork/common/var/log/syslog-ng/$HOST.log"
owner(root)
group(nagios)
perm(0644)
dir_perm(0755)
create_dirs(yes)
);
};
Alternatively, you may change the command line for the service checks, like the following:
$USER1$/check_syslog_gw.pl -l /usr/local/groundwork/common/var/log/syslog-ng/$HOSTNAME$/$HOSTNAME$.$DATE$ -s /tmp/$HOSTNAME$.tmp -x /usr/local/groundwork/common/etc/regex/$HOSTNAME$.regex -a $HOSTADDRESS$
Be advised that some customers have reported a bug in Nagios where the timestamp (e.g. 2009-11-24 09:39:28) is reported along with the date in the $DATE macro result. If you encounter this issue, you may need to use the syslog-ng.conf method above, or to modify the plugin to filter out the additional timestamp data. We have been able to confirm this bug in Nagios 3.0.6.