How to forward alarms to a SysLog server (despite blogpost I do not manage :( )

I am running the latest Axigen mail server for private use and I try to understand some problems. Looking into the alarms as generated by the involved systems is of course very helpful. One little problem: I do not manage to forward Axigen alarms/warnings to my syslog server (Graylog).

I did try a couple of things and did read the blog post https://www.axigen.com/articles/email-security-axigen-graylog_81.html but I simply do not manage.

Since it is not even clear to me if the alarm forwarding is based on snmp2 (udp) or 3 (tcp), I did define two listening ports on Graylog:

  • port 5144 tcp & port 5144 udp

I made sure that:

  • the firewall (pfSense) is passing 5144 udp/tcp between the Axigen VLAN and the GrayLog VLAN
  • I did stop the linux ufw firewall on the ubuntu VM (the host for Axigen)
  • I did make sure that the Axigen ‘Log server’ and the maybe-related ‘reporting service’ were started
  • did set the Log: Use remote log IP custom <my port 5144>
  • checked those values in the config file
  • did restart axigen
  • did try to define GrayLog as extra listener in the same Log Server Settings (I have no idea what the intention is, just to try). However that option is refused!
  • when trying to enable it the message is: "An error has occurred: Cannot assign requested"
  • I did a protocol capture on the Axigen VLAN and did not see any graylog related message

I do not know how to simply force an alarm, but I assume there are some given the highest (lowest possible) setting.

So bottom line: I am lost …
Need some help :poop:

Despite a lot of reading and trials I did not manage to send messages from Axigen to Graylog. So I decided to try another route.

As written, in my case Axigen is hosted by an Ubuntu system. The syslog server used by Ubuntu is rsyslog, and the option I did choose, as alternative, is to have rsyslog monitor Axigen's alarm file. rsyslog takes care of sending the alarms to Graylog using syslog udp or tcp, whatever you prefer.

I took the following actions:

  • created a listener on my Graylog system (port 5144 udp)
  • allowed my network to forward the messages from Axigen to Graylog
  • opened the required Ubuntu ufw firewall ports to send udp messages via port 5144
  • decided that /var/opt/axigen/log/everything.txt should be monitored
  • to make that file accessible for syslog I made syslog member of the axigen group
  • sudo adduser syslog axigen
  • since the log file will be monitored by module ‘imfile’ I had to load that module
  • /etc/rsyslog.conf: add module(load="imfile")
  • now I had to define the syslog config file /etc/rsyslog.d/22-axigen.conf (or another name)

Here is my version of that config file
File: /etc/rsyslog.d/22-axigen.conf

    # Output format: BSD-style syslog line, one per log line read from Axigen
    template(
        name="axigen"
        type="string"
        string="<%PRI%>%timegenerated% %HOSTNAME% %syslogtag% %msg%"
    )

    # imfile: input module for text files.
    # module(load="imfile") must be present in /etc/rsyslog.conf (see above)
    input(
        type="imfile"
        File="/var/opt/axigen/log/everything.txt"
        Tag="AXIGEN:"
        ruleset="axigen"
    )

    # Everything read by the input above is forwarded to Graylog
    ruleset(name="axigen") {
        action(
            type="omfwd"
            template="axigen"
            Target="192.168.100.5"
            Device="eth0"
            Port="5144"
            # "udp" here; use Protocol="tcp" for the tcp listener
            Protocol="udp"
        )
    }

Note
I did choose udp since I have a small reliable network and did want to save on processing. However in principle tcp is more reliable / better.

After some restarts and tests that worked :slight_smile:

So done!! (but IMHO it should be possible from within Axigen itself)

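An added example (not from the post and not Axigen or rsyslog code) that shows what the template above actually puts on the wire: it renders a log line into the same "<PRI>timestamp host tag msg" datagram, parses it back the way a syslog input does, and sends it over UDP to a loopback receiver. Pointing send_probe() at the Graylog address lets you test the listener and the firewall path without waiting for Axigen to write an alarm. Assumed, because the post does not state them: imfile's default facility local0 (16) and severity notice (5), and the hostname "mailhost" in the sample.

```python
"""Added example: build the datagram the rsyslog 'axigen' template produces
and push it over UDP, so the Graylog input can be checked independently of
imfile.  Assumptions (not from the post): imfile's default facility local0 (16)
and severity notice (5), hostname "mailhost" for the constructed sample line."""
import re
import socket
from datetime import datetime

FACILITY_LOCAL0 = 16   # imfile default facility
SEVERITY_NOTICE = 5    # imfile default severity
TAG = "AXIGEN:"        # Tag="AXIGEN:" from the input() block in the post

# Shape of "<%PRI%>%timegenerated% %HOSTNAME% %syslogtag% %msg%"
SYSLOG_RE = re.compile(
    r"^<(\d{1,3})>(\w{3} [ \d]\d \d\d:\d\d:\d\d) (\S+) (\S+) (.*)$", re.S)


def pri(facility: int, severity: int) -> int:
    """Syslog PRI field: facility * 8 + severity (RFC 3164 / RFC 5424)."""
    return facility * 8 + severity


def format_syslog(line: str, host: str, when: datetime,
                  facility: int = FACILITY_LOCAL0,
                  severity: int = SEVERITY_NOTICE) -> str:
    """Render one Axigen log line the way the 'axigen' template does.
    %timegenerated% is BSD style: month, space-padded day, HH:MM:SS."""
    stamp = f"{when:%b} {when.day:2d} {when:%H:%M:%S}"
    return f"<{pri(facility, severity)}>{stamp} {host} {TAG} {line}"


def parse_syslog(datagram: str) -> dict:
    """Split a datagram back into its fields (what a syslog UDP input does)."""
    m = SYSLOG_RE.match(datagram)
    if not m:
        raise ValueError(f"not a syslog line: {datagram!r}")
    p = int(m.group(1))
    return {"facility": p // 8, "severity": p % 8, "timestamp": m.group(2),
            "host": m.group(3), "tag": m.group(4), "msg": m.group(5)}


def send_probe(target: str, port: int, datagram: str) -> int:
    """Fire one datagram at a syslog UDP input; returns bytes sent (UDP has no ack)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        return s.sendto(datagram.encode("utf-8"), (target, port))


def loopback_roundtrip(datagram: str, timeout: float = 2.0) -> str:
    """Receive our own datagram on 127.0.0.1 to show exactly what goes on the wire."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as rx:
        rx.bind(("127.0.0.1", 0))          # port 0: the kernel picks a free port
        rx.settimeout(timeout)
        send_probe("127.0.0.1", rx.getsockname()[1], datagram)
        data, _ = rx.recvfrom(65535)
    return data.decode("utf-8")


if __name__ == "__main__":
    # Constructed sample line; real ones come from /var/opt/axigen/log/everything.txt
    msg = format_syslog("constructed sample: smtp-in connection closed",
                        host="mailhost", when=datetime(2024, 10, 24, 17, 38, 16))
    print(loopback_roundtrip(msg))
    print(parse_syslog(msg))
    # To probe the real input from the post:  send_probe("192.168.100.5", 5144, msg)
```

If the probe shows up in Graylog but nothing from rsyslog does, the network path and the listener are fine and the problem is on the rsyslog side (module not loaded, wrong ruleset name, or the file-access issue described in the next post); if the probe never arrives, look at the firewall and the Graylog input first.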

However … after this OK situation, I did decide to upgrade Ubuntu to the latest release (24.04.1) … that action killed this solution in a very weird way … (IMHO some bug)

The forwarding stopped and "sudo systemctl syslog" shows an error:
Oct 24 17:38:16 rsyslogd[1025]: imfile: error accessing file ‘/var/opt/axigen/log/everything.txt’: Permission denied [v8.2312.0 <<

I have spent a couple of hours trying to understand why imfile can no longer access the logfile.

In the end, after hours, I did decide to go back to the previous Ubuntu release (via a zfs snapshot). If someone has the solution …
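The post stops at "Permission denied" without saying which part of the path the syslog account was refused on. As an added example (not from the post, not rsyslog code), the following walks a path exactly as the kernel's discretionary (mode-bit) check does: every directory on the way needs search (x) permission and the file itself needs read (r), evaluated against owner, group or other bits depending on who the account is, with no fall-through between the three. The account name syslog, the axigen group and the log path are the ones from the post; the rest is assumed.

```python
"""Added example: check whether a Unix account can open a file for reading by
walking every path component the way the kernel's DAC check does.  Written to
narrow down an imfile "Permission denied"; the account 'syslog' and the path
/var/opt/axigen/log/everything.txt are from the post, everything else is assumed."""
import grp
import os
import pwd
import stat


def ids_for(user: str):
    """uid and the full set of gids (primary + supplementary) for an account."""
    pw = pwd.getpwnam(user)
    gids = {g.gr_gid for g in grp.getgrall() if user in g.gr_mem}
    gids.add(pw.pw_gid)
    return pw.pw_uid, gids


def _allowed(st: os.stat_result, uid: int, gids: set,
             user_bit: int, group_bit: int, other_bit: int) -> bool:
    """Kernel DAC order: owner bits if owner, else group bits if in the group,
    else other bits.  No fall-through: an owner without r is refused even if
    'other' has r.  root / CAP_DAC_READ_SEARCH bypass is deliberately not modelled."""
    if st.st_uid == uid:
        return bool(st.st_mode & user_bit)
    if st.st_gid in gids:
        return bool(st.st_mode & group_bit)
    return bool(st.st_mode & other_bit)


def _describe(st: os.stat_result) -> str:
    return f"mode {stat.S_IMODE(st.st_mode):04o}, owner {st.st_uid}:{st.st_gid}"


def readable_by_ids(path: str, uid: int, gids: set):
    """Return (ok, problems).  Stops at the first directory the account cannot
    search, because that is where the kernel stops too."""
    path = os.path.abspath(path)
    problems = []
    parts = path.split(os.sep)[1:]      # drop the empty element before the root
    cur = os.sep
    for part in parts[:-1]:
        cur = os.path.join(cur, part)
        st = os.stat(cur)
        if not _allowed(st, uid, gids, stat.S_IXUSR, stat.S_IXGRP, stat.S_IXOTH):
            problems.append(f"{cur}: uid {uid} lacks search (x) permission ({_describe(st)})")
            return False, problems
    st = os.stat(path)
    if not _allowed(st, uid, gids, stat.S_IRUSR, stat.S_IRGRP, stat.S_IROTH):
        problems.append(f"{path}: uid {uid} lacks read (r) permission ({_describe(st)})")
    return not problems, problems


def check_read_access(path: str, user: str):
    """Resolve the account name, then run the walk (needs the account to exist)."""
    uid, gids = ids_for(user)
    return readable_by_ids(path, uid, gids)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "/var/opt/axigen/log/everything.txt"
    account = sys.argv[2] if len(sys.argv) > 2 else "syslog"
    ok, problems = check_read_access(target, account)
    print("OK: readable" if ok else "\n".join(problems))
```

Run it as `python3 check.py /var/opt/axigen/log/everything.txt syslog` on the upgraded host. Two outcomes are informative. If it reports a missing bit, the fix is on that component (for example the group membership added with `adduser syslog axigen` not being in effect, which `id syslog` confirms, or the log directory or file having been recreated with a tighter mode). If every component passes for the syslog account yet rsyslog still logs EACCES, the mode bits are not the cause: confirm which account rsyslogd really runs as (`ps -C rsyslogd -o user=`; Ubuntu's stock /etc/rsyslog.conf drops privileges with `$PrivDropToUser syslog`), and check whether a mandatory access control layer is refusing the open, which shows up as kernel audit lines such as `journalctl -k | grep 'apparmor="DENIED"'` rather than in the file's permissions.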