Configuring OpenNMS syslog NBI

syslogd
northbounder

#1

We would like to forward certain events from OpenNMS (v.23.02 on CentOS 7) via syslog to a server running Windows Server 2012R2. I have set the parameters of syslog-northbounder-configuration.xml as below, but I am not seeing anything being generated when using Wireshark to capture all UDP (I have also tried TCP). I also made sure that the specific events noted in the config were being triggered and could be seen in the event GUI of OpenNMS. Each time I edited the config XML, I first attempted to reload the config via send-event.pl on the Alarmd daemon. When that didn’t work, I followed it with a complete systemctl restart of opennms. What am I missing?

<syslog-northbounder-config>
   <!-- The following are set to the default values. -->
   <enabled>true</enabled>
   <nagles-delay>1000</nagles-delay>
   <batch-size>100</batch-size>
   <queue-size>300000</queue-size>
   <message-format>ALARM ID:${alarmId} NODE:${nodeLabel} SEV:${severity}; ${logMsg}</message-format>
   <!-- You can specify date format within <date-format>, default is ISO 8601 -->
   <!-- You could do something like the following
   <message-format>ALARM ID:${alarmId} NODE:${nodeLabel} IP:${ipAddr} 
      FIRST:${firstOccurrence} LAST:${lastOccurrence} 
      COUNT:${count} UEI:${alarmUei} SEV:${severity} 
      x733Type:${x733AlarmType} x733Cause:${x733ProbableCause} 
      ${logMsg}
   </message-format>
   -->
   <!-- More than one destination is supported -->
   <destination>
      <destination-name>SyslogTest</destination-name>
      <host>10.1.2.1</host>
      <port>514</port>
      <ip-protocol>UDP</ip-protocol>
      <facility>USER</facility>
      <max-message-length>1024</max-message-length>
      <send-local-name>true</send-local-name>
      <send-local-time>true</send-local-time>
      <truncate-message>false</truncate-message>
   </destination>
   <!-- Highly recommended, but not required, to only forward a set of Alarm UEIs -->

   <uei>uei.opennms.org/nodes/nodeDown</uei>
   <uei>uei.opennms.org/nodes/nodeUp</uei>

</syslog-northbounder-config>

#2

I’ve tried to reproduce your problem with Horizon 23.0.2. As a Syslog receiver I’ve used Graylog. Basically I’ve used the same configuration, I’ve just removed the filter to all alarms in my small test setup and forward every alarm via Syslog. To see if I get packets on my Graylog instance, I’ve used Wireshark. Here is what I’ve received:

I’ve found the forwarded alarms as messages in Graylog and here is what one of them looks like:

Can you verify in your setup if you can receive Syslog UDP datagrams and if you can see errors on the Syslog receiving part while parsing the packets from OpenNMS?


#3

Thanks so much for taking time on this. I’ve been dealing with other issues this week, but I’m back on this one now.

I must be missing something obvious here. I have opened up the config file to not filter based on specific event (i.e., all events). I’ve opened port 514 on the local and target receiver firewalls. I’m using Wireshark to look for the packets leaving the server running OpenNMS but there are no UDP Syslog packets being generated at all. Once I’ve edited the config file and reloaded alarmd, is there anything within the GUI that I need to activate or initialize? I’ve even tried to send the packets back to localhost (127.0.0.1) but, no luck. I’m at a loss…


#4

So basically, <enabled>true</enabled> is enough to enable the function. The hard requirement is, Alarmd needs to be started. You can check this with opennms -v status. I assume you have OpenNMS running on a Linux box? If so which distribution and version is it?

Just checking because from the reply it was not 100% clear to me :) You have debugged the network communication with Wireshark on the OpenNMS server itself, right? I would make sure I look at the interface on the OpenNMS server itself.


#5

I’ve been running the platform on CentOS 7 on a standalone NUC and on a VM running on a separate Win10 machine (completely separate networks - the VM is for testing). I have had Wireshark set up on the OpenNMS server and on the target server to look for packets leaving and arriving. This morning I started testing syslog forwarding on the VM and it was working. The difference was the facility parameter in the syslog northbound config file. On the VM it was set to LOCAL0 (default in the original config file) and to USER on the NUC. I had changed it from LOCAL0 to USER initially because of OpenNMS startup failures. The manager log indicated that parameter was the cause of the startup fails. I changed the facility parm back to LOCAL0 on the NUC and I can now see syslog messages arriving at the target server! However, I don’t seem to be getting anywhere near all of the messages I’m seeing on the events list via the web GUI. I’ll start trying to decipher why now. But, the good news is that OpenNMS is now forwarding syslog.

Thanks again for all your help. If you have any thoughts on why most messages are not being forwarded via syslog, I’d appreciate your thoughts.
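
Added example (not part of the thread and not OpenNMS code): a small Python receiver-side check that decodes the syslog PRI field into its facility, which is the setting that differed between the two hosts above, and extracts the fields of the `message-format` from post #1. The sample datagrams, the listen port 5514 and the function names are constructed for illustration; the header between the PRI and the `ALARM ID:` text is not shown in the thread, so the parser does not depend on it.

```python
import re
import socket

# Syslog facility codes (RFC 3164 / RFC 5424): PRI = facility * 8 + severity.
FACILITIES = ["KERN", "USER", "MAIL", "DAEMON", "AUTH", "SYSLOG", "LPR", "NEWS",
              "UUCP", "CRON", "AUTHPRIV", "FTP", "NTP", "AUDIT", "ALERT", "CLOCK"]
FACILITIES += [f"LOCAL{i}" for i in range(8)]

PRI_RE = re.compile(rb"^<(\d{1,3})>")
# Mirrors: ALARM ID:${alarmId} NODE:${nodeLabel} SEV:${severity}; ${logMsg}
ALARM_RE = re.compile(
    r"ALARM ID:(?P<alarm_id>\d+) NODE:(?P<node>.*?) "
    r"SEV:(?P<severity>[^;\s]+); (?P<log_msg>.*)", re.S)

# Constructed sample datagrams (not captured traffic).
SAMPLE_LOCAL0 = (b"<131>Jan 10 10:00:00 nms01 "
                 b"ALARM ID:42 NODE:core-sw1 SEV:MAJOR; Node core-sw1 is down.")
SAMPLE_USER = b"<11>Jan 10 10:00:05 nms01 some unrelated message"


def parse_datagram(data: bytes) -> dict:
    """Decode PRI and, if present, the alarm fields of one syslog datagram."""
    m = PRI_RE.match(data)
    if not m or int(m.group(1)) > 191:      # 23 * 8 + 7 is the highest valid PRI
        raise ValueError("missing or invalid <PRI> header")
    pri = int(m.group(1))
    text = data[m.end():].decode("utf-8", errors="replace")
    alarm = ALARM_RE.search(text)
    return {
        "facility": FACILITIES[pri >> 3],
        "syslog_severity": pri & 7,
        "alarm": {k: v.strip() for k, v in alarm.groupdict().items()} if alarm else None,
    }


def listen(host: str = "0.0.0.0", port: int = 5514) -> None:
    """Print each received datagram decoded; port 5514 avoids needing root."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((host, port))
        while True:
            data, peer = sock.recvfrom(65535)
            try:
                print(peer[0], parse_datagram(data))
            except ValueError as exc:
                print(peer[0], "unparseable:", exc, data[:80])


if __name__ == "__main__":
    listen()
```

Pointing a test `<destination>` at this listener shows at a glance whether datagrams arrive and which facility they carry, independent of the production syslog server's own parsing.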


#6

OK, I understand why I was only seeing a select few syslog messages. All Events are not Alarms.

Tons to do and I’m sure I’ll have plenty more questions. I really appreciate having this forum available.


#7

Ah OK, got it. Yes, sorry, I’m stuck in the OpenNMS bubble, and these are, generally speaking, Alarm Northbounders. For integration, Jesse White gave a very nice talk last year at our OpenNMS User Conference in Europe (OUCE). Maybe this is something interesting to you: https://youtu.be/p197wjp6rD0?t=2784


#8

That interests me greatly. Kafka looks to be exactly what we should be using to stream not only Alarms, but Events, Node data, and Performance Metrics. I’m going to begin looking for documentation on exactly how to set this up. Thanks for pointing me to this great video.


#9

Jesse published the demo with some code samples here: https://github.com/j-white/ouce2018-oip