So initially we built a monitoring stack with InfluxDB, Telegraf and Grafana manually to gather and visualise SNMP infor form the Arista cEOS switches.<\/p>\n\n\n\n
This time, we are going to send SYSLOG from the monitoring stack containers to a new Telegraf instance.<\/p>\n\n\n\n
Ideally, we would like to send Syslog from the cEOS devices but as Anton mentions, the syslog rfc3164<\/a> that most network kit implements, it is not supported (yet) by telegraf, that supports rfc5424<\/a>.<\/p>\n\n\n\n You can read more info about this in all these links:<\/p>\n\n\n\n https:\/\/github.com\/influxdata\/telegraf\/issues\/4593<\/a><\/p>\n\n\n\n https:\/\/github.com\/influxdata\/go-syslog\/pull\/27<\/a><\/p>\n\n\n\n https:\/\/github.com\/influxdata\/telegraf\/issues\/7023<\/a><\/p>\n\n\n\n https:\/\/github.com\/influxdata\/telegraf\/issues\/4687<\/a><\/p>\n\n\n\n https:\/\/medium.com\/@leodido\/from-logs-to-metrics-f38854e3441a<\/a><\/p>\n\n\n\n https:\/\/itnext.io\/metrics-from-kubernetes-logs-82cb1dcb3551<\/a><\/p>\n\n\n\n So the new ansible role for building influx-telegraf-grafana instances is “monitoring_stack”:<\/p>\n\n\n\n We will have four monitoring containers:<\/p>\n\n\n\n As the containers are running locally, we define them in the inventory<\/em> like this:<\/p>\n\n\n\n We define some variables too in group_vars<\/em> for the monitoring containers that will be used in the jinja2 templates and tasks<\/p>\n\n\n\n So we execute the playbook like this:<\/p>\n\n\n\n The very first time, if you pay attention to the ansible logging, everything should success. If for any reason you have to make changes or troubleshoot, and execute again the full playbook, some tasks will fail, but not the playbook (this is done with ignore_errors: yes<\/em> inside a task). For example, the docker network creation will fail as it is already there. The same if you try to create the user and dbs in a already running influx instance.<\/p>\n\n\n\n That playbook just calls the role “monitoring_stack<\/em>“. The main playbook in that role will create the docker network where all containers will be attached, all the containers and do something hacky with iptables.<\/p>\n\n\n\n As the cEOS lab is built (using docker-topo) independently of this playbook, there are already some iptables rules in place, and somehow, when executing the role, the rules change and it blocks the new network for any outbound connectivity.<\/p>\n\n\n\n Before the iptables change in the playbook:<\/p>\n\n\n\n I want to avoid DOCKER-ISOLATION-STAGE-2 so I want the “-A DOCKER-ISOLATION-STAGE-1 -j ACCEPT” on top of that chain. <\/p>\n\n\n\n This is not the first (neither last) time that this issue bites me. I need to review carefully the docker-topo file and really get me head around the networking expectations from docker.<\/p>\n\n\n\n Another thing about docker networking that bites me very often. In my head, each monitoring has an IP. For example influxdb is 172.18.0.2 and telegraf-syslog is 172.18.0.4. We have configured influxdb to send syslog to telegraf-syslog container so I would expect the influxdb container to use its 0.2 and everything is local (no forwarding, no firewall, etc0. But not, it uses the host ip, 172.18.0.1.<\/p>\n\n\n\n Apart from that, there are several things that I had to review while adapting the role to my environment regarding docker and ansible.<\/p>\n\n\n\n docker documentation:<\/strong><\/p>\n\n\n\n how to create network: https:\/\/docs.docker.com\/engine\/reference\/commandline\/network_create\/<\/p>\n\n\n\n how to configure container logs: https:\/\/docs.docker.com\/engine\/reference\/commandline\/container_logs\/<\/p>\n\n\n\n how to configure the logging driver in a container: https:\/\/docs.docker.com\/config\/containers\/logging\/configure\/<\/p>\n\n\n\n how to configure syslog in a container: https:\/\/docs.docker.com\/config\/containers\/logging\/syslog\/<\/p>\n\n\n\n how to run commands from a running container: https:\/\/docs.docker.com\/engine\/reference\/commandline\/exec\/ ansible documentation<\/strong>:<\/p>\n\n\n\n become – run comamnds with sudo in a playbook: https:\/\/docs.ansible.com\/ansible\/latest\/user_guide\/become.html (–ask-become-pass, -K)<\/p>\n\n\n\n docker container module: https:\/\/docs.ansible.com\/ansible\/latest\/modules\/docker_container_module.html<\/p>\n\n\n\n grafana data source module: https:\/\/docs.ansible.com\/ansible\/latest\/modules\/grafana_datasource_module.html<\/p>\n\n\n\n This is important because via ansible, I had to workout the meaning of become<\/strong>, how to add the syslog<\/strong> config in the containers and add grafana datasources<\/strong> via a module.<\/p>\n\n\n\n All my ansible code is here<\/a>.<\/p>\n\n\n\n Another thing I had to hardcode<\/strong> in the code, it is the IP for the telegraf-syslog container in each container playbook: <\/p>\n\n\n\n syslog-address: “udp:\/\/172.18.0.4:6514”<\/p>\n\n\n\n Once you have all containers running:<\/p>\n\n\n\n You should verify that syslog messages are stored in influxdb:<\/p>\n\n\n\n We can create the new queries in grafana for SYSLOG. The datasources are already created by ansible so we dont have to worry about that.<\/p>\n\n\n\n For creating a query about the number of syslog messages we receive. This is what I did:<\/p>\n\n\n\n Most of the entries come from “influxdb”.<\/p>\n\n\n\n For creating a query with the content of each syslog message:<\/p>\n\n\n\n Here I struggled a bit. I can’t really change much in the table view.<\/p>\n\n\n\n And this is the dashboard with the syslog queries and snmp from the last blog entry:<\/p>\n\n\n\n So at the end, I have an ansible role working!<\/p>\n\n\n\n Need to learn more about how to backup stuff from grafana. I have been playing with this:<\/p>\n\n\n\n https:\/\/github.com\/ysde\/grafana-backup-tool<\/a><\/p>\n\n\n\n\u251c\u2500\u2500 ansible.cfg\n\u251c\u2500\u2500 ansible-hosts\n\u251c\u2500\u2500 group_vars\n\u2502\u00a0\u00a0 \u251c\u2500\u2500 ceoslab.yaml\n\u2502\u00a0\u00a0 \u2514\u2500\u2500 monitoring.yaml\n\u2514\u2500\u2500 playbooks\n \u251c\u2500\u2500 monitoring.yaml\n \u2514\u2500\u2500 roles\n \u251c\u2500\u2500 monitoring_stack\n \u2502\u00a0\u00a0 \u251c\u2500\u2500 tasks\n \u2502\u00a0\u00a0 \u2502\u00a0\u00a0 \u251c\u2500\u2500 container_grafana.yml\n \u2502\u00a0\u00a0 \u2502\u00a0\u00a0 \u251c\u2500\u2500 container_influxdb.yml\n \u2502\u00a0\u00a0 \u2502\u00a0\u00a0 \u251c\u2500\u2500 container_telegraf_snmp.yml\n \u2502\u00a0\u00a0 \u2502\u00a0\u00a0 \u251c\u2500\u2500 container_telegraf_syslog.yml\n \u2502\u00a0\u00a0 \u2502\u00a0\u00a0 \u2514\u2500\u2500 main.yml\n \u2502\u00a0\u00a0 \u2514\u2500\u2500 templates\n \u2502\u00a0\u00a0 \u251c\u2500\u2500 telegraf_snmp_template.j2\n \u2502\u00a0\u00a0 \u2514\u2500\u2500 telegraf_syslog_template.j2\n<\/code><\/pre>\n\n\n\n![\"\"](\"https:\/\/blog.thomarite.uk\/wp-content\/uploads\/2020\/07\/Untitled-Diagram.png\")
<\/figure>\n\n\n\n$ cat ansible-hosts\n....\n[monitoring]\nlocalhost<\/pre>\n\n\n\n
$ cat group_vars\/monitoring.yaml\n# Defaults for Docker containers\ndocker_mon_net:\n name: monitoring\n subnet: 172.18.0.0\/16\n gateway: 172.18.0.1\n\npath_to_containers: \/PICK_YOUR_PATH\/monitoring-example\n\nvar_influxdb:\n username: xxx\n password: xxx123\n snmp_community: xxx123\n db_name:\n snmp: snmp\n syslog: syslog\n\nvar_grafana:\n username: admin\n password: xxx123\n\nvar_telegraf:\n\u2026<\/pre>\n\n\n\n
ansible master$ ansible-playbook playbooks\/monitoring.yaml -vvv --ask-become-pass<\/pre>\n\n\n\n
# iptables -t filter -S DOCKER-ISOLATION-STAGE-1\nWarning: iptables-legacy tables present, use iptables-legacy to see them\n-N DOCKER-ISOLATION-STAGE-1\n-A DOCKER-ISOLATION-STAGE-1 -i br-4bd17cfa19a8 ! -o br-4bd17cfa19a8 -j DOCKER-ISOLATION-STAGE-2\n-A DOCKER-ISOLATION-STAGE-1 -j ACCEPT\n-A DOCKER-ISOLATION-STAGE-1 -i br-94c1e813ad6f ! -o br-94c1e813ad6f -j DOCKER-ISOLATION-STAGE-2\n-A DOCKER-ISOLATION-STAGE-1 -i br-13ab2b6a0d1d ! -o br-13ab2b6a0d1d -j DOCKER-ISOLATION-STAGE-2\n-A DOCKER-ISOLATION-STAGE-1 -i br-00db5844bbb0 ! -o br-00db5844bbb0 -j DOCKER-ISOLATION-STAGE-2\n-A DOCKER-ISOLATION-STAGE-1 -i br-121978ca0282 ! -o br-121978ca0282 -j DOCKER-ISOLATION-STAGE-2\n-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2\n-A DOCKER-ISOLATION-STAGE-1 -j RETURN\n#\n# iptables -t filter -S DOCKER-ISOLATION-STAGE-2\nWarning: iptables-legacy tables present, use iptables-legacy to see them\n-N DOCKER-ISOLATION-STAGE-2\n-A DOCKER-ISOLATION-STAGE-2 -o br-4bd17cfa19a8 -j DROP\n-A DOCKER-ISOLATION-STAGE-2 -o br-94c1e813ad6f -j DROP\n-A DOCKER-ISOLATION-STAGE-2 -o br-13ab2b6a0d1d -j DROP\n-A DOCKER-ISOLATION-STAGE-2 -o br-00db5844bbb0 -j DROP\n-A DOCKER-ISOLATION-STAGE-2 -o br-121978ca0282 -j DROP\n-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP\n-A DOCKER-ISOLATION-STAGE-2 -j RETURN<\/pre>\n\n\n\n
<\/p>\n\n\n\n$ cat container_influxdb.yml \n---\n...\n- name: 4- CONTAINER INFLUXDB \/\/ LAUNCHING CONTAINER\n docker_container:\n name: influxdb\n image: influxdb\n state: started\n command: \"-config \/etc\/influxdb\/influxdb.conf\"\n networks:\n - name: \"{{ docker_mon_net.name }}\"\n purge_networks: yes\n ports:\n - \"8086:8086\"\n volumes:\n - \"{{ path_to_containers }}\/influxdb\/influxdb.conf:\/etc\/influxdb\/influxdb.conf:ro\"\n - \"{{ path_to_containers }}\/influxdb\/data:\/var\/lib\/influxdb\"\n log_driver: syslog\n log_options:\n syslog-address: \"udp:\/\/172.18.0.4:6514\"\n tag: influxdb\n syslog-format: rfc5424\n become: yes\n tags:\n - tag_influx\n...<\/code><\/pre>\n\n\n\n$ docker ps -a\nCONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES\ndd519ff01d6e telegraf \"\/entrypoint.sh -con\u2026\" 4 hours ago Up 4 hours 8092\/udp, 0.0.0.0:161->161\/udp, 8125\/udp, 8094\/tcp telegraf_snmp\n869f158046a6 grafana\/grafana \"\/run.sh\" 4 hours ago Up 4 hours 0.0.0.0:3000->3000\/tcp grafana\ndc68f261746b influxdb \"\/entrypoint.sh -con\u2026\" 4 hours ago Up 4 hours 0.0.0.0:8086->8086\/tcp influxdb\n3662c3c69b21 telegraf \"\/entrypoint.sh -con\u2026\" 6 hours ago Up 6 hours 8092\/udp, 0.0.0.0:6514->6514\/udp, 8125\/udp, 8094\/tcp telegraf_syslog\nada1f884f1b7 ceos-lab:4.23.3M \"\/sbin\/init systemd.\u2026\" 28 hours ago Up 4 hours 0.0.0.0:2002->22\/tcp, 0.0.0.0:9002->443\/tcp 3node_r03\n22d9c4ae9043 ceos-lab:4.23.3M \"\/sbin\/init systemd.\u2026\" 28 hours ago Up 4 hours 0.0.0.0:2001->22\/tcp, 0.0.0.0:9001->443\/tcp 3node_r02\nfe7046b1f425 ceos-lab:4.23.3M \"\/sbin\/init systemd.\u2026\" 28 hours ago Up 4 hours 0.0.0.0:2000->22\/tcp, 0.0.0.0:9000->443\/tcp 3node_r01\n<\/code><\/pre>\n\n\n\n$ curl -G 'https:\/\/localhost:8086\/query?db=syslog&pretty=true&u=xxx&p=xxx123' --data-urlencode \"q=SELECT * FROM syslog limit 2\" --insecure\n{\n \"results\": [\n {\n \"statement_id\": 0,\n \"series\": [\n {\n \"name\": \"syslog\",\n \"columns\": [\n \"time\",\n \"appname\",\n \"facility\",\n \"facility_code\",\n \"host\",\n \"hostname\",\n \"message\",\n \"msgid\",\n \"procid\",\n \"severity\",\n \"severity_code\",\n \"timestamp\",\n \"version\"\n ],\n \"values\": [\n [\n \"2020-07-21T12:08:16.216632823Z\",\n \"influxdb\",\n \"daemon\",\n 3,\n \"3662c3c69b21\",\n \"athens\",\n \"ts=2020-07-21T12:08:16.169711Z lvl=info msg=\\\"InfluxDB starting\\\" log_id=0O8KE_AG000 version=1.8.1 branch=1.8 commit=af0237819ab9c5997c1c0144862dc762b9d8fc25\",\n \"influxdb\",\n \"11254\",\n \"err\",\n 3,\n 1595333296000000000,\n 1\n ],\n<\/code><\/pre>\n\n\n\n![\"\"](\"https:\/\/blog.thomarite.uk\/wp-content\/uploads\/2020\/07\/grafana-syslog-rate-query-1024x526.png\")
![\"\"](\"https:\/\/blog.thomarite.uk\/wp-content\/uploads\/2020\/07\/grafana-syslog-content-query-1024x547.png\")
![\"\"](\"https:\/\/blog.thomarite.uk\/wp-content\/uploads\/2020\/07\/grafana-syslog-snmp-dashboard-1024x602.png\")