Syslog issue


We are installing Commvault 11.28.10 and seem to be having an issue with getting the Alerts/Events to send to our syslog server. We followed the instructions in the installation link

https://documentation.commvault.com/2022e/essential/114237_configuring_syslog_server.html

But it doesn’t seem to work properly, we have validated that we can reach the logging server from the os command line (we are running the commserver on linux)

Does anyone have any thoughts on what might be missing to enable the alerts/events to send to syslog server? We are getting them via email so that part does work.

 


11 replies

@UnixAdmin Please look through the logs on the CommServe! Most likely entries are logged in EvMgrS.log and/or CVD.log. Any idea if there are devices like firewalls in between that are blocking UDP traffic? Have you checked if you can reach the destination UDP port from the CommServe?
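
The UDP reachability check suggested in the reply above, as an added example that is not part of the original thread and is not Commvault code. It assumes the common syslog default of UDP port 514; the host name `commserve-test` and tag `cvtest` are constructed values. UDP gives the sender no delivery confirmation, so the probe can only distinguish an ICMP "port unreachable" answer from silence, and the test line must still be confirmed on the syslog server itself.

```python
import socket
import time


def build_syslog(msg, facility=1, severity=5, host="commserve-test", tag="cvtest"):
    """RFC 3164-style line: <PRI>TIMESTAMP HOST TAG: MSG, PRI = facility*8 + severity."""
    pri = facility * 8 + severity
    stamp = time.strftime("%b %d %H:%M:%S")
    return f"<{pri}>{stamp} {host} {tag}: {msg}".encode()


def probe_udp_syslog(server, port=514, msg="syslog path test", wait=1.0):
    """Send one test datagram from this host.

    Returns 'icmp_refused' when the peer answers with ICMP port unreachable
    (nothing is listening on that UDP port), otherwise 'sent_unconfirmed':
    the datagram left this host, but it may have been received or silently
    dropped by a firewall on the way.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(wait)
        s.connect((server, port))  # connected UDP sockets surface ICMP errors
        try:
            s.send(build_syslog(msg))
            s.recv(1)  # syslog never replies; this only waits for an ICMP error
        except ConnectionRefusedError:
            return "icmp_refused"
        except socket.timeout:
            pass
        return "sent_unconfirmed"


def loopback_selfcheck():
    """Run the probe against a throwaway local listener and return what arrived."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as rx:
        rx.bind(("127.0.0.1", 0))  # constructed stand-in for the syslog server
        rx.settimeout(2.0)
        port = rx.getsockname()[1]
        status = probe_udp_syslog("127.0.0.1", port, "constructed test event", wait=0.2)
        data, _ = rx.recvfrom(2048)
    return status, data.decode()


if __name__ == "__main__":
    print(loopback_selfcheck())
    # Against the real server: probe_udp_syslog("<syslog-server>", 514)
```

If the test line shows up on the syslog server but CommServe alerts do not, the network path is fine and the problem is on the application side.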

I’m debugging this currently. The backend policies are not forwarding the messages.

@UnixAdmin Was it working before? Did you perform a fresh CommServe installation or was it an upgrade? Based on the feedback from @MFasulo, it seems you are hitting a software defect.

@UnixAdmin, following up to see if there were any messages in the logs @MFasulo referenced?

Thanks!

@Mike Struening Well, if I recall correctly, @MFasulo posted that they are working on it as we speak, so not sure when the fix will be made available, but let's keep an eye on it and post it once it is available. Also, it might be something to add to the list of known issues that was opened by Damian.

FYI Form ID 164918 is in System Test for this issue.

@Mike Struening thanks for circling back with the form id. I t.b.h. find it pretty odd that it is taking so much time to have this addressed. For a lot of customers sending alerts/events to a syslog endpoint can be very valuable during troubleshooting, but there are many customers who use it for SOC/SIEM purposes. Now it took almost 1,5 months for the form ID to be pulled into system testing. 

I'm assuming it really doesn't work anymore, but it could also be the case that you just can't complete the initial configuration. 

You’re definitely right. It’s becoming more common by the day to see people ingesting alerts into another endpoint. Our growing mass of these, and API topics are a testament to this.

I don’t have any context on the time span, though I also don’t know if it has been in test for 2 weeks or 2 hours.

I’d also imagine that the test cases they need to run through are pretty vast for a system as capable as Alerting.

In my belief, this one, although being reported in the thread, should have been added to the main post from @Damian Andre referring to this post:
 

 

Just out of curiosity but I can't find a fix in the list with all MRs with syslog in its description that refers to the official hotfix, so I was wondering if it even was released already. 

Looks like it is native to 11.32, system test for 11.28.

Not released just yet.
