I was recently looking for a method to monitor a syslog server. But
as per design, syslog works using UDP, so there's no real indication
that a simple syslog message has made it through successfully. As I
wanted to have this service monitored by Nagios, I was looking for
something, but it seems like nobody cares about syslog :-D

On the syslog boxes, I have MySQL databases keeping their content, so I
can generate a syslog message, wait a moment, and then check whether the
entry now exists in the MySQL DB.

The result is the script below. It's rather messy, but works just fine
:-D

You can call it like this:

./checksyslog.sh MYSQLUSER MYSQLPASSWORD SYSLOGSERVER

#!/bin/bash
#########################################################
# Author: Raphael Hoegger
# Source: http://blog.pfuender.net/?p=410
# License: This file is licensed under the GPL v2.
# Latest change: 2011.04.29 15:04:33
# Version: 1.00
#########################################################
## Server-Settings
SyslogServer=$3
SyslogPort=514
MysqlServer=$3
MysqlUser=$1
MysqlPassword=$2
MysqlDatabase=syslog
MysqlColumn=Message
MysqlTable=radius
## Syslogmessage settings
rand=$RANDOM
timestamp=$(date +%s)
date=$(date +"%b %e %H:%M:%S") ## RFC 3164 timestamp: space-padded day, zero-padded hour
Hostname=$(hostname)
EventSource="check_logserver"
Message="Syslog UDP Monitoring"
MessageID="$rand-$timestamp" ## unique per run, so the lookup matches only this probe
## Nagios Exitcodes
ERROK=0
ERRWARNING=1
ERRCRITICAL=2
ERRUNKNOWN=3
## Error flags, initialised so the numeric tests at the end are valid
ErrorSyslog=0
ErrorMysql=0
## Generate a test syslogmessage (PRI 182 = facility local6, severity info)
printf '<182>%s %s %s[%s]: %s %s\n' "$date" "$Hostname" "$EventSource" "$$" "$Message" "$MessageID" | netcat -u -w 1 -p 5514 "$SyslogServer" "$SyslogPort" ## as a normal user we can't bind to 514..
if [ $? -ne 0 ] ; then
    printf "Syslog-Send failed\n"
    ErrorSyslog=1
fi
sleep 5 ## wait before checking mysql..
## Check for the mysql entry
SQLQuery="select count($MysqlColumn) as \"\" from $MysqlTable where $MysqlColumn=\"$Message $MessageID\""
## Note: a password passed with -p on the command line can show up in the process list
EntryCount=$(mysql -N --batch -u "$MysqlUser" -p"$MysqlPassword" -h "$MysqlServer" -D "$MysqlDatabase" -e "$SQLQuery" 2>/dev/null)
if [ $? -ne 0 ] ; then
    printf "MySQL failed\n"
    ErrorMysql=1
fi
## String comparison, so an empty result from a failed query does not break the test
if [ "$EntryCount" = "1" ] && [ "$ErrorMysql" -eq 0 ] && [ "$ErrorSyslog" -eq 0 ] ; then
    echo "UP, RTT=${SECONDS}s"
    Errorcode=$ERROK
else
    echo "DOWN"
    Errorcode=$ERRCRITICAL
fi
exit $Errorcode

If somebody wants to rewrite the code, feel free to do so! ;-)
Cheers,
Raphi
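
The script above waits a fixed five seconds and reports only UP or DOWN, so ERRWARNING and ERRUNKNOWN are never used. The following is an added example, not part of the original script: it polls for the probe row until a deadline and maps the result to all four Nagios states. The function name poll_for_entry and its count_cmd argument are hypothetical.

```shell
# Added example: poll for the probe row instead of one fixed sleep, and map
# the outcome to all four Nagios exit codes (0 OK, 1 WARNING, 2 CRITICAL,
# 3 UNKNOWN).
# count_cmd (hypothetical): name of a command or function that prints the
# number of matching rows and returns non-zero when the query itself failed.
# usage: poll_for_entry COUNT_CMD TIMEOUT_S WARN_AFTER_S [INTERVAL_S]
poll_for_entry() {
    local count_cmd="$1" timeout="$2" warn_after="$3" interval="${4:-1}"
    local start elapsed count
    start=$(date +%s)
    while :; do
        # A failed query says nothing about syslog itself: UNKNOWN, not CRITICAL
        if ! count=$("$count_cmd"); then
            echo "UNKNOWN - database query failed"
            return 3
        fi
        # Anything other than a plain number is also treated as UNKNOWN
        case $count in
            ''|*[!0-9]*)
                echo "UNKNOWN - unexpected query output"
                return 3 ;;
        esac
        elapsed=$(( $(date +%s) - start ))
        if [ "$count" -ge 1 ]; then
            # Message arrived, but slowly: the log pipeline is lagging
            if [ "$elapsed" -ge "$warn_after" ]; then
                echo "WARNING - message stored after ${elapsed}s"
                return 1
            fi
            echo "OK - message stored after ${elapsed}s"
            return 0
        fi
        if [ "$elapsed" -ge "$timeout" ]; then
            echo "CRITICAL - message not stored within ${timeout}s"
            return 2
        fi
        sleep "$interval"
    done
}
```

In the script, count_cmd would be a small function wrapping the mysql call that fills EntryCount, and the return value of poll_for_entry would be passed to exit.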