Icinga2 syslog docker

Hi all,

I’m looking for a tool to monitor syslog traffic.
I have tried Graylog and many others but not really found one tool I was happy with. Then I thought about Icinga, which I was looking into once back in the day.

I also decided to go with docker because… well many reasons.

My problem with these decisions is the learning curve, since I'm new to Icinga and Docker.

I got Icinga up and running in Docker fairly easily, nice job on the documentation there.
Then I snooped around a bit and finally decided to go about trying out syslog monitoring.

I found this in the documentation:
https://icinga.com/docs/icinga2/latest/doc/09-object-types/

So it seems I need to add SyslogLogger as an object type. But I'm a bit confused as to how to use the documentation in a Docker context, if I need to at all?
I can see lots of the client setups in Icinga are done through conf files in a text editor, much like Nagios, but should I also edit conf files when using Docker? Cause this seems a little more tricky for future setups?

Basically I'm just going for an Icinga setup that just eats up and processes ANY syslog input it may get on port 514 udp/tcp.

Could someone push me in the right direction? I would be grateful, cause now I seem a little stuck.

Hi,

Icinga itself is a monitoring tool and depends on plugins feeding in data and states.

The SyslogLogger object you’ve found is an Icinga specific log context, meaning to say, the daemon will log its lines to syslog having this feature enabled. This has nothing to do with general syslog monitoring.

I’m not sure why you’re using Docker here, especially since you’re saying that you’re new to both Icinga and Docker. Anyhow, you’ll need something which aggregates syslog and log files in a reasonable way.

You can do so with different methods:

  • Actively grep the log files on hosts with check_logfiles
  • Have centralized logging collectors such as Elastic Stack or Graylog, define rules and forward alerts to Icinga
  • Or you use plugins to actively query ES or Graylog

Here’s a compiled list of plugins actively polling things: https://icinga.com/docs/icinga2/latest/doc/05-service-monitoring/#log-monitoring

Since you’re saying that you didn’t like Graylog, how about Elastic Stack then?

In combination with metrics, logs can be added to your monitoring analysis. I’d advise to watch this talk from @bsheqa to get a better understanding on combining all of them:

Cheers,
Michael

You can always use Logstash (or maybe even Graylog) to process your logs and feed them into Icinga.

That’s a proven way and works in several customer setups. The standard way is having Logstash receive your logs and then forwarding them to Icinga. But you can also use an Icinga Web 2 module to query Elasticsearch.

Keep in mind that you don’t want to have Logstash running as root (which you would need for it to open the right ports). Instead use a firewall rule to redirect traffic from your syslog port to the Logstash receiving port. Or first collect the data with a local syslog daemon and read this with Filebeat. Don’t use the syslog input of Logstash - use udp and tcp inputs instead and use filters to dissect the log events.

If you want to monitor logfiles locally saved on hosts, you can use plugins like check_logfiles.


Thanks! I will give Logstash a look 🙂

If you want to be alarmed about certain log events happening, use the Logstash Icinga Output:

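As an added example, not from any post in this thread and not the plugin's own sample config, here is a Logstash pipeline laying out what the two replies above describe: udp/tcp inputs on an unprivileged port behind a kernel REDIRECT from 514, a grok/syslog_pri filter in place of the syslog input, and the Logstash Icinga output turning each event into a passive check result. Port 5514, the Icinga API host, credentials, service name and the severity-to-state mapping are assumptions, and the icinga output option names are taken from the logstash-output-icinga README as I recall it, so verify them against the installed plugin version.

```logstash
# Assumed unprivileged listener port; the kernel redirect below lets Logstash
# stay non-root while clients keep sending to 514 (rules shown for reference):
#   iptables -t nat -A PREROUTING -p udp --dport 514 -j REDIRECT --to-ports 5514
#   iptables -t nat -A PREROUTING -p tcp --dport 514 -j REDIRECT --to-ports 5514
input {
  udp { port => 5514 type => "syslog" }
  tcp { port => 5514 type => "syslog" }
}

filter {
  if [type] == "syslog" {
    # Split a BSD-style line "<PRI>Mon DD HH:MM:SS host prog[pid]: text"
    # into fields instead of relying on the syslog input's fixed parser.
    grok {
      match => { "message" => "^<%{POSINT:syslog_pri}>%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }
    }
    # Decode PRI into facility/severity (adds syslog_severity_code and friends).
    syslog_pri { }
    # Assumed mapping of severity to Icinga state: emerg..err -> CRITICAL (2),
    # warning -> WARNING (1), notice and below -> OK (0).
    if [syslog_severity_code] <= 3 {
      mutate { add_field => { "exit_status" => "2" } }
    } else if [syslog_severity_code] == 4 {
      mutate { add_field => { "exit_status" => "1" } }
    } else {
      mutate { add_field => { "exit_status" => "0" } }
    }
  }
}

output {
  # Only ship lines grok could parse; unparsed lines carry the _grokparsefailure tag.
  if [type] == "syslog" and "_grokparsefailure" not in [tags] {
    icinga {
      host           => "icinga2-master.example.com"   # assumed Icinga 2 API endpoint
      user           => "logstash"                      # assumed ApiUser allowed actions/process-check-result
      password       => "CHANGE_ME"
      action         => "process-check-result"
      action_config  => {
        exit_status   => "%{exit_status}"
        plugin_output => "%{syslog_program}: %{syslog_message}"
        check_source  => "logstash"
      }
      icinga_host    => "%{syslog_hostname}"   # matching Host object must exist in Icinga
      icinga_service => "syslog"               # assumed passive Service name
    }
  }
}
```

Because the check result is keyed on the parsed hostname, unknown senders are rejected by the Icinga API rather than silently creating objects, which is the behaviour you want for a listener that accepts arbitrary syslog input.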