Czanik@BalaBit

Last week I learned, that using Cacti‘s syslog plugin with syslog-ng is not fully documented. While I’m not a Cacti user, I’m always in search of web interfaces to be used with syslog-ng. So I wanted to give Cacti and its syslog plugin a try and document it along the way. It all seemed to be simple task, just re-implement the published example configuration for syslog-ng and use it. In practice it was not this simple, and at the end I had to give it up due to lack of time. I still publish my results, as it might help others to get it running with syslog-ng. Please let me know, if you can get it to work and if my post was useful for you!

First of all, a quick overview, what the syslog plugin is and how it works. It is a Cacti plugin which can send alerts on certain conditions, and display log messages in the Cacti web interface. It expects to find log messages in a MySQL database. Usually this means, that there is a central syslog server, which collects logs from other devices on the network and pushes collected log messages into the mysql database. It can be the same database, which Cacti uses or a dedicated database for syslog messages.

The installation docs describe how to collect messages to a central location by syslog-ng, but there is no description, how to insert logs into the MySQL database using syslog-ng. So, here is an untested configuration example for syslog-ng:

destination d_mysql {
sql(type(mysql)
host("localhost") username("root") password("xxx")
database("cacti") table("syslog_incoming")
columns("facility", "priority", "date", "time", "host", "message")
values("$FACILITY_NUM","$LEVEL_NUM","$YEAR-$MONTH-$DAY", "$HOUR:$MIN:$SEC","$HOST","$MSGHDR$MSGONLY"));
};
log { source(s_src); destination(d_mysql); };

It needs syslog-ng with database (libdbi) support enabled, and sends logs to a destination called “d_mysql”, which is mysql server on the “localhost” accesed as user “root” with “xxx” as password. In this case it uses the “cacti” database and a table called “syslog_incoming”. If you get the syslog plugin working, you can refine the above config using the syslog-ng documentation about macros. You should replace the source in the log path with a source where logs from network sources arrive.

So, why did I write, that the above example is untested? Because I never got the syslog plugin running. First I tried to install Cacti on Fedora. Installation was quick, but the installed Cacti never ran, not even the base system. When I looked at the logs it complained about not enough memory, but even after raising PHP memory limits to the sky, it still asked for more. I stopped this game at around 1GB Of course, this was after disabling SELinux, which is the main suspect of most problems on Fedora.

Next I tried on Ubuntu Server. I had more luck here. Once I disabled AppArmor, I had the base system up and running providing nice graphs about localhost. Installation of the syslog plugin is simple, at least in theory. One just needs to extract the provided tgz into the plugins directory and configure it from Cacti. In practice the syslog plugin showed up in the web interface, but clicking on any of the related links ended up in blank pages. PHP logs were full with error messages. I managed to fix some, but not all of them.

Udate:

I received some help from the Cacti syslog plugin’s author, so the config example should be inserting the expected data in MySQL.