Network Syslog Agent User Guide
1.6 VMC-TNW
VISUAL Message Center Network Syslog Agent User Guide
The software described in this book is furnished under a license agreement and may be used only in
accordance with the terms of the agreement.
Copyright Notice
Copyright © 2012 Tango/04 All rights reserved.
Document date: August 2012
Document version: 2.13
Product version: 1.6
No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language or computer language, in any form or by any means, electronic, mechanical, magnetic, optical, chemical, manual, or otherwise, without the prior written permission of Tango/04.
Trademarks
Any references to trademarked product names are owned by their respective companies.
Technical Support
For technical support visit our web site at www.tango04.com.
Tango/04 Computing Group S.L. Avda. Meridiana 358, 5 A-B Barcelona, 08027 Spain
Tel: +34 93 274 0051
Table of Contents

Table of Contents ........................................ iii
How to Use this Guide .................................... v
Chapter 1  Introduction .................................. 1
Chapter 2  Data Source Configuration ..................... 2
Chapter 3  Network Syslog Monitor Configuration .......... 4
   3.1. Variables ....................................... 6
   3.2. Default monitor settings ........................ 7
Chapter 4  Configuration in the Remote Host .............. 8
© 2012 Tango/04 Computing Group Page iii
Chapter 5  Important Notes ............................... 9
Appendices
Appendix A: Regular Expressions .......................... 10
Appendix B: Further Information .......................... 12
   B.1. Using Tango/04 PDF Documentation ................ 12
   B.2. Tango/04 University ............................. 12
   B.3. Contacting Tango/04 ............................. 14
About Tango/04 Computing Group ........................... 15
Legal Notice ............................................. 16
How to Use this Guide
This chapter explains how to use Tango/04 User Guides and understand the typographical conventions
used in all Tango/04 documentation.
Typographical Conventions
The following conventional terms, text formats, and symbols are used throughout Tango/04 printed
documentation:
Convention    Description
Boldface      Commands, on-screen buttons and menu options.
Blue Italic   References and links to other sections in the manual or further documentation containing relevant information.
Italic        Text displayed on screen, or variables where the user must substitute their own details.
Monospace     Input commands such as System i commands or code, or text that users must type in.
UPPERCASE     Keyboard keys, such as CTRL for the Control key and F5 for the function key that is labeled F5.
Note          Notes and useful additional information.
Tip           Tips and hints that will improve the user's experience of working with this product.
Important     Important additional information that the user is strongly advised to note.
Warning       Warning information. Failure to take note of this information could potentially lead to serious problems.
Chapter 1 Introduction
Syslog is a standard UNIX utility for reporting system messages. It is a host-configurable, general-
purpose, uniform system logging facility available on almost every UNIX machine and also on other
hardware devices such as routers or firewalls. UNIX systems use a centralized system logging
process, usually named syslogd. Applications running on the system can use the syslog library call
(or the logger command) to send messages to the syslog daemon process. The syslog daemon can be
configured to send a message to a user or to all users, to write it to a file, and to forward it to a
remote syslog daemon running on another computer.
Syslog is also a network protocol that allows a machine to send event notification messages across IP
networks to event message collectors, also known as Syslog Servers or Syslog Daemons. In other
words, a machine or a device can be configured so that it generates a syslog message and forwards it
to a specific syslog daemon (server) running on another computer. The Network Syslog ThinAgent is
an example of such a service: it processes the incoming messages forwarded by a remote syslog
daemon.
Any program that is executed in a system running a Syslog daemon can generate a syslog message.
Each message consists of four parts:
• Program name
• Facility (kind of application that generates the message)
• Priority (criticalness of the message)
• Log message itself
Note: Some syslog daemon implementations (such as syslog-ng) allow the use of the TCP protocol
instead of UDP.
Example
The message:
    login: Root LOGIN REFUSED on ttya
is a log message generated by the login program. It means that somebody tried to log into an
unsecured terminal as root. The message's facility (authorization) and error level (critical error) are
not shown.
Chapter 2 Data Source Configuration
Configuring a data source for the Network Syslog ThinAgent is very easy. You can define an optional
filter to select the IP addresses or DNS names from which this data source accepts messages.
The default data source configuration receives all the events and sends them to every monitor attached
to it.
You can configure the IP network interface where the service is going to listen for messages (only if you
want to use a specific interface for this task), the port type UDP or TCP, and the specific port number. In
the default configuration the Interface IP field is left blank, indicating that the server will listen in all the
available IP interfaces.
Figure 1 – Sample Data Source configuration that retrieves data from IP 192.168.0.101. Note the
use of \. instead of a plain . in the filter. For further information, see Appendix A: Regular
Expressions on page 10.
Several data sources can be configured to use the same interface IP and ports, but only one socket will
be opened for each configured port and the messages will be redirected to all the data sources
depending on the IP Address/DNS Name filter defined in its configuration.
Remember that before being able to receive the messages from the Network Syslog Daemon some
server-side configuration is required. See Chapter 4 - Configuration in the Remote Host on page 8 for
more information.
Chapter 3 Network Syslog Monitor Configuration
Figure 2 – UDP Syslog Monitor
A Network Syslog monitor, like other monitors, needs to be configured to filter and react to relevant
syslog messages from the configured data source.
There are four filters available:
• Facility
• Severity
• Source IP/Name
• Message Filter
The Facility is the application or operating system component that generates the syslog message. The
following table explains all the elements of Facility.

Name              Facility
KERNEL            Kernel messages
USER              Regular user processes
MAIL              Mail system
LPR               Line printer subsystem
AUTHORIZATION     Authorization system, or programs that ask for user names and passwords (login, su, getty, ftpd, etc.)
DAEMON            Other system daemons
NEWS              News subsystem
UUCP              UUCP subsystem
LOCAL0...LOCAL7   Reserved for site-specific use
SYSLOG            Syslog messages
CRON              Cron

Also, the filter admits two more values: ANY_FACILITY to receive events of all possible facilities and
ANY_LOCAL to receive any message from the LOCAL0 to LOCAL7 facilities.
The second filter in the Network Syslog Monitor is Severity, which indicates how critical the message
is.
All possible Severity values and their meaning are listed in the table below, ordered by priority and
beginning with the most severe value.
The monitor also admits the ANY_SEVERITY value to accept messages of all severities.

Severity      Meaning
EMERGENCY     Emergency condition, such as an imminent system crash, usually broadcast to all users
ALERT         Condition that should be corrected immediately, such as a corrupted system database
CRITICAL      Critical condition, such as a hardware error
ERROR         Ordinary error
WARNING       Warning
NOTICE        Condition that is not an error, but possibly should be handled in a special way
INFORMATION   Informational message
DEBUG         Messages that are used when debugging programs
The field Source IP/Name filters messages by the source IP address or DNS Name and the Message
filter allows you to create filters based on the message contents. You can use any regular expression to
match these filters. See Appendix A: Regular Expressions on page 10 for more information regarding
regular expressions.
The default monitor configuration assigns the Monitor Health depending on the severity of the received
message. In the default configuration, the ERROR, CRITICAL, ALERT and EMERGENCY messages change
the health to CRITICAL. WARNING messages change the health to WARNING, whereas NOTICE messages
change it to MINOR. The remaining severities are treated as SUCCESS.
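The parsing, filtering and health mapping described in this chapter, as an added example that is not part of the Tango/04 guide or the product's own code. It assumes RFC 3164 style datagrams ("<PRI>TIMESTAMP HOST MSG", PRI = facility * 8 + severity), takes the numeric facility codes from the syslog standard rather than from this guide, and applies the Source IP/Name and Message filters as whole-field regular expressions.

```python
# Added example (not from the Tango/04 guide): decode a BSD syslog datagram,
# apply the four Network Syslog Monitor filters and derive the default
# Monitor Health. Wire format assumed: "<PRI>TIMESTAMP HOST MSG" (RFC 3164).
import re
from dataclasses import dataclass

# Facility codes per the syslog standard, named as in the guide's Facility table.
FACILITY_NAMES = {
    0: "KERNEL", 1: "USER", 2: "MAIL", 3: "DAEMON", 4: "AUTHORIZATION",
    5: "SYSLOG", 6: "LPR", 7: "NEWS", 8: "UUCP", 9: "CRON",
    16: "LOCAL0", 17: "LOCAL1", 18: "LOCAL2", 19: "LOCAL3",
    20: "LOCAL4", 21: "LOCAL5", 22: "LOCAL6", 23: "LOCAL7",
}
# Severity codes 0..7, most severe first, as in the guide's Severity table.
SEVERITY_NAMES = ["EMERGENCY", "ALERT", "CRITICAL", "ERROR",
                  "WARNING", "NOTICE", "INFORMATION", "DEBUG"]
# Default monitor settings: severity -> Monitor Health.
HEALTH_BY_SEVERITY = {
    "EMERGENCY": "CRITICAL", "ALERT": "CRITICAL", "CRITICAL": "CRITICAL",
    "ERROR": "CRITICAL", "WARNING": "WARNING", "NOTICE": "MINOR",
    "INFORMATION": "SUCCESS", "DEBUG": "SUCCESS",
}

_PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)


@dataclass
class SyslogEvent:
    source_ip: str      # taken from the UDP packet, not from the message
    facility: str
    severity: str
    message: str        # everything after the <PRI> header


def parse_syslog(datagram: str, source_ip: str) -> SyslogEvent:
    """Decode the <PRI> header; facility codes not in the table keep their number."""
    m = _PRI_RE.match(datagram)
    if not m:
        raise ValueError("datagram lacks a <PRI> header")
    pri = int(m.group(1))
    if pri > 191:  # 23 * 8 + 7 is the largest legal PRI value
        raise ValueError(f"PRI {pri} out of range")
    facility = FACILITY_NAMES.get(pri // 8, f"FACILITY_{pri // 8}")
    return SyslogEvent(source_ip, facility, SEVERITY_NAMES[pri % 8], m.group(2))


def matches_monitor(ev, facility="ANY_FACILITY", severity="ANY_SEVERITY",
                    source_filter=".*", message_filter=".*") -> bool:
    """Apply the Facility, Severity, Source IP/Name and Message filters.
    The last two are regular expressions that must match the whole field,
    which is why the guide's examples are written as .*password.*"""
    if facility == "ANY_LOCAL":
        fac_ok = ev.facility.startswith("LOCAL")
    else:
        fac_ok = facility == "ANY_FACILITY" or ev.facility == facility
    sev_ok = severity == "ANY_SEVERITY" or ev.severity == severity
    return (fac_ok and sev_ok
            and re.fullmatch(source_filter, ev.source_ip) is not None
            and re.fullmatch(message_filter, ev.message) is not None)


def monitor_health(ev) -> str:
    """Default monitor settings: health derived from severity only."""
    return HEALTH_BY_SEVERITY[ev.severity]


# Constructed sample: facility 4 (AUTHORIZATION), severity 2 (CRITICAL),
# so PRI = 4 * 8 + 2 = 34, carrying the login message from Chapter 1.
SAMPLE = "<34>Aug 13 10:21:07 unixhost login: Root LOGIN REFUSED on ttya"

if __name__ == "__main__":
    ev = parse_syslog(SAMPLE, "192.168.0.101")
    print(ev.facility, ev.severity, monitor_health(ev))
    # Escaped dots: the filter matches only this address, not 192x168x0x101.
    print(matches_monitor(ev, facility="AUTHORIZATION",
                          source_filter=r"192\.168\.0\.101",
                          message_filter=".*REFUSED.*"))
```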
Figure 3 – Default monitor settings
3.1 Variables
This is the list of the Network Syslog Monitor specific variables you can use in the scripts:

Variable                       Description
FilterFacility                 Filter defined for the Facility value. The message facility has to match this filter
FilterMessage                  Filter based on the message contents
FilterRemoteAddress            Filter address defined in the DataSource configuration
FilterSeverity                 The message severity has to match this filter
FilterSourceIP                 The source IP or DNS name has to match this filter
InterfaceIP                    Interface IP listening for UDP Syslog messages
MsgSlog_Date                   Message date
MsgSlog_DateTime               Message date and time
MsgSlog_Facility               Message Facility
MsgSlog_FacilityDescription    Message Facility description
MsgSlog_Format                 Message Format
MsgSlog_FullMessage            Full raw message
MsgSlog_Message                Message
MsgSlog_RawDate                Message raw date
MsgSlog_RawTime                Message raw time
MsgSlog_Severity               Message severity
MsgSlog_SeverityDescription    Message severity description
MsgSlog_SourceIP               Message Source IP address
MsgSlog_SourceName             Message Source DNS name
MsgSlog_Time                   Message time
MsgSlog_ValidTimeStamp         Indicates if the message contains a valid timestamp
PortNumber                     UDP port where the ThinAgent is listening for syslog messages

3.2 Default monitor settings
In the default monitor settings the Monitor sends messages to the SmartConsole with the following
variables:

SmartConsole   ThinkServer                    Description
Var01          Set Health                     Health script name
Var02          Host                           Host name
Var03          IPAddress                      IP address
Var04          MsgSlog_Date                   Message date
Var05          MsgSlog_Facility               Message Facility
Var06          MsgSlog_FacilityDescription    Message Facility description
Var07          MsgSlog_Severity               Message Severity
Var08          MsgSlog_SeverityDescription    Message Severity description
Var07          MsgSlog_FullMessage            Full raw message
Chapter 4 Configuration in the Remote Host
Before being able to receive syslog messages from a remote UNIX machine (or any other device
running a syslog daemon) you need to change the configuration in the remote server. There are
differences in the syslog configuration among the different UNIX/Linux distributions; please read the
syslog manual pages or ask your system administrator for more details on how to configure your
systems.
In Linux systems, if you want to send all syslog messages to the computer running ThinkServer
(Network Syslog ThinAgent), you will need to modify the /etc/syslog.conf file, adding a line such as
one of the following (the selector and the action must be separated by whitespace):

    # If you know the IP address
    *.*    @192.168.0.123
    # If the DNS name is 'THINKSERVER_COMPUTER'
    # and it is in the hosts file
    *.*    @THINKSERVER_COMPUTER

These settings will send all the messages to the remote computer, but you can add some advanced
filtering based on the severity or facility of the message to reduce network traffic.
After modifying these settings you have to tell the syslogd process to reload the configuration (for
example, in Linux you can use killall -SIGHUP syslogd) or restart the syslogd process.
After this change, you can use the logger command to test that the syslog daemon is configured
properly. This command sends a message to the syslog daemon; you can select the facility and
severity of the message.
Chapter 5 Important Notes
The syslog protocol is UDP based and therefore unreliable: it cannot guarantee the delivery of the
messages. They may be dropped due to network congestion, or they may be maliciously intercepted
and discarded. Furthermore, a UDP protocol can never ensure ordered delivery of packets.
There is no standard defined for syslog message codes and, as every UNIX system or application can
use a different format for the same kind of messages, there is little uniformity in the content of syslog
messages. For this reason, no assumption is made about the formatting or contents of the messages.
Check the format and contents of every message you want to work with, as they might be very
different from system to system. Syslog just sends messages; the messages are created by the
applications.
Another important topic in the syslog protocol is the authentication problem: a misconfigured machine
may send syslog messages to a syslog daemon representing itself as another machine (spoofing).
Note: You can use a TCP based syslog daemon if you need reliability. However, the non-standard
message formats and the spoofing problem will still remain.
Appendix A: Regular Expressions
A number of ThinAgents, like the Network Syslog Agent, allow you to use monitor filters to narrow down
the entries to monitor. You should use regular expressions when creating these monitor filters.
A regular expression is a formula for comparing character strings that follow a sequence. Regular
expressions are composed of normal characters and meta-characters. Normal characters include upper
and lower case letters and numbers. Meta-characters have a special meaning and are described below.
At its most simple, a regular expression is like a normal search string. For example, the regular
expression test does not contain meta-characters. The string “test” matches the regular expression,
but “Test” does not.
To make good use of regular expressions, it is critical to understand meta-characters. The following
table lists the most important meta-characters and gives a brief explanation of their meanings:
Regex character / Description / Sample expression / Results

.
    Single character wildcard.
    Sample: b.n
    Results: ban, b4n, b n, b#n; not baan.

?
    The immediately preceding character or regular expression is optional, i.e. it may occur 0 or 1 time.
    Samples: Colou?r / e-?mail
    Results: Color and colour; not colouur / e-mail and email; not e--mail

*
    The immediately preceding character or regular expression is both optional and repeatable, i.e. it may occur 0, 1 or more times.
    Samples: .* / .*gnt.*
    Results: Any number (0 or more) of repetitions of any character / All strings containing gnt: aagntaa, gnta, agnt, etc.

+
    The immediately preceding expression is repeatable, i.e. it may occur 1 or more times.
    Sample: Co+ld
    Results: Coold, cooold, coooold; not cold.

[a-z] or [0-9]
    One character inside the specified range. NOTE: Only two characters (start and end) are used to define the range, so [10-20] is equivalent to 1[0-2]0. If written in reverse order, [z-a] or [5-0], the expression will be invalid and never match.
    Sample: char[e-g]19[6-8]1
    Results: chare1961, charf1961, charg1961, chare1971 ...

[ ]
    Matches any one of the single characters within the brackets.
    Sample: t[aou]n
    Results: tan, ton, tun; not tin

|
    Either/Or, i.e. at least one of the characters or expressions should match. Use in combination with parentheses (). Note that you can specify double characters.
    Samples: t(a|e|o|oo)n / It belongs to (him|her)
    Results: tan, ten, ton, toon / "It belongs to him", "It belongs to her"; not "It belongs to them"

[^ab]
    Not. Any character except for those indicated within the brackets.
    Sample: t[^aio57]n
    Results: NOT tan, tin, ton, t5n, t7n

( )
    Parentheses are used to group characters or expressions.
    Sample: (ca)*B
    Results: B, caB, cacaB

\
    A meta-character preceded by a backslash (\) is treated as a literal character.
    Samples: a\+b / \.
    Results: a+b; not a\\b / full stop; not wildcard

Note: This table discusses the most important meta-characters. There is a lot of documentation about regular expressions available on the Internet.

For example, the default Network Syslog monitor filter applies the following mask:

Field                   Regex   Results
Source IP/Name filter   .*      A message from any source
Message filter          .*      Any message

We could change this to:

Field                   Regex               Results
Source IP/Name filter   192\.168\.0\.101    The IP 192.168.0.101. Note that to match a dot you have to use the backslash
Message filter          .*password.*        Any message that contains the substring password
Appendix B: Further Information
B.1 Using Tango/04 PDF Documentation
Tango/04 documentation is available directly from the Tango/04 solutions DVD.
To open the Tango/04 documentation that is provided in PDF files use Adobe Acrobat Reader. Acrobat
Reader lets you view, search, and print the documentation. You can download Acrobat Reader for free
from the Adobe Web site (http://www.adobe.com).
To access PDF documents on the DVD:
Step 1. Navigate to a product suite (VISUAL Message Center for example) and click on the
Product Documentation link to open a list of all the User Guides available for that
product suite. The list contains direct links to the documents in PDF format.
Step 2. Alternatively, you can navigate within the DVD menu to a particular product and click on
the Product Documentation link to open the User Guide in PDF format for that
product.
Tip: We advise printing PDF documentation for easy reference. Please ensure you familiarize
yourself with a product's user guide before attempting to use the product.

B.2 Tango/04 University
In a continuous effort to provide all users of Tango/04 technologies with high quality training and
education, Tango/04 Computing Group presents the new training program open to partners and users
worldwide.
Tango/04 University is aimed at providing Tango/04 users and partners with the most effective tools and
knowledge to manage Tango/04 technologies and products and use them at their highest potential.
Attendance of the training course and passing the related exams is mandatory in order to qualify as
Tango/04 Business Partner for the technology area covered by the course, and will offer you important
benefits such as:
• Tango/04 Official Certifications - Tango/04 partners will be required to have a number of
certified consultants, depending on the Business Partner Level
• Exploit the full potential of Tango/04 technologies - Solutions such as VISUAL Message
Center and VISUAL Security Suite are very broad solutions that feature much functionality.
Knowing all these functions and how to use them is key to getting the most out of the product
• Integration with other solutions - Tango/04 is constantly growing: knowing the new products
and agents may allow you to integrate other parts of the IT infrastructure into Tango/04
Solutions
• Tango/04 Business Partners will learn how to effectively deploy a monitoring project in order
to obtain the maximum effectiveness and customer satisfaction.
Participants' profile: Consultants, System Administrators, operators and technical staff, with
knowledge of Windows, iSeries, Linux and Unix systems who will be involved in managing or deploying
Tango/04 technology.
Pre-requisites: Being Tango/04 Business Partner or Tango/04 Customer.
B.3 Contacting Tango/04
North America
Tango/04 North America
PO BOX 3301
NH 03458 Peterborough USA
Phone: 1-800-304-6872 / 603-924-7391
Fax: 858-428-2864
www.tango04.com
EMEA
Tango/04 Computing Group S.L.
Avda. Meridiana 358, 5 A-B
08027 Barcelona Spain
Phone: +34 93 274 0051
Fax: +34 93 345 1329
www.tango04.com
Italy
Tango/04 Italy
Viale Garibaldi 51/53
13100 Vercelli Italy
Phone: +39 0161 56922
Fax: +39 0161 259277
www.tango04.it
Sales Office in France
Tango/04 France
La Grande Arche
Paroi Nord 15ème étage
92044 Paris La Défense France
Phone: +33 01 40 90 34 49
Fax: +33 01 40 90 31 01
www.tango04.fr
Sales Office in Switzerland
Tango/04 Switzerland
18, Avenue Louis Casaï
CH-1209 Genève
Switzerland
Phone: +41 (0)22 747 7866
Fax: +41 (0)22 747 7999
www.tango04.fr
Latin American Headquarters
Barcelona/04 Computing Group SRL (Argentina)
Avda. Federico Lacroze 2252, Piso 6
1426 Buenos Aires Capital Federal
Argentina
Phone: +54 11 4774-0112
Fax: +54 11 4773-9163
www.barcelona04.com
Sales Office in Peru
Barcelona/04 PERÚ
Centro Empresarial Real
Av. Víctor A. Belaúnde 147, Vía Principal 140 Edificio Real Seis, Piso 6
L 27 Lima
Perú
Phone: +51 1 211-2690
Fax: +51 1 211-2526
www.barcelona04.com
Sales Office in Chile
Barcelona/04 Chile
Nueva de Lyon 096 Oficina 702,
Providencia
Santiago
Chile
Phone: +56 2 234-0898
Fax: +56 2 2340865
www.barcelona04.com
About Tango/04 Computing Group
Tango/04 Computing Group is one of the leading developers of systems management and automation
software. Tango/04 software helps companies maintain the operating health of all their business
processes, improve service levels, increase productivity, and reduce costs through intelligent
management of their IT infrastructure.
Founded in 1991 in Barcelona, Spain, Tango/04 is an IBM Business Partner and a key member of IBM's
Autonomic Computing initiative. Tango/04 has more than a thousand customers who are served by over
35 authorized Business Partners around the world.
Alliances, Awards and Partnerships
• IBM Business Partner
• IBM Autonomic Computing Business Partner
• IBM PartnerWorld for Developers Advanced Membership
• IBM ISV Advantage Agreement
• IBM Early code release
• IBM Direct Technical Liaison
• Microsoft Developer Network
• Microsoft Early Code Release
Legal Notice
The information in this document was created using certain specific equipment and environments, and it is limited in
application to those specific hardware and software products and version and releases levels.
Any references in this document regarding Tango/04 Computing Group products, software or services do not mean
that Tango/04 Computing Group intends to make these available in all countries in which Tango/04 Computing Group
operates. Any reference to a Tango/04 Computing Group product, software, or service may be used. Any functionally
equivalent product that does not infringe any of Tango/04 Computing Group's intellectual property rights may be used
instead of the Tango/04 Computing Group product, software or service
Tango/04 Computing Group may have patents or pending patent applications covering subject matter in this
document. The furnishing of this document does not give you any license to these patents.
The information contained in this document has not been submitted to any formal Tango/04 Computing Group test
and is distributed AS IS. The use of this information or the implementation of any of these techniques is a customer
responsibility, and depends on the customer's ability to evaluate and integrate them into the customer's operational
environment. Despite the fact that Tango/04 Computing Group could have reviewed each item for accurateness in a
specific situation, there is no guarantee that the same or similar results will be obtained somewhere else. Customers
attempting to adapt these techniques to their own environments do so at their own risk. Tango/04 Computing Group
shall not be liable for any damages arising out of your use of the techniques depicted on this document, even if they
have been advised of the possibility of such damages. This document could contain technical inaccuracies or
typographical errors.
Any pointers in this publication to external web sites are provided for your convenience only and do not, in any
manner, serve as an endorsement of these web sites.
The following terms are trademarks of the International Business Machines Corporation in the United States and/or
other countries: iSeries, i5, DB2, eServer, IBM, Operating System/400, OS/400, i5/OS.
Microsoft, SQL Server, Windows, Windows NT, Windows XP and the Windows logo are trademarks of Microsoft
Corporation in the United States and/or other countries. Java and all Java-based trademarks and logos are
trademarks or registered trademarks of Sun Microsystems, Inc. in the United States and/or other countries. UNIX is a
registered trademark in the United States and other countries licensed exclusively through The Open Group. Oracle
is a registered trade mark of Oracle Corporation.
Other company, product, and service names may be trademarks or service marks of other companies.