syslog Streams from Devices and ovevent

Network equipment is commonly configured to send its console messages over the network to a host using the syslog protocol. UNIX systems run a daemon, syslogd, which (once network reception is enabled; this is the default on some systems and a start-up option on others) listens on UDP port 514 and writes each message it receives to the log file that /etc/syslog.conf selects for the message's facility and priority. See Figure 8-1 for an example.

Figure 8-1. The syslog.conf file.

The UNIX syslogd daemon writes each incoming UDP message to whichever of the listed log files has a matching facility and priority selector. Routers, for example, may be configured to send their console messages to the NNM system; if they log under a facility that has its own selector, their messages end up in a dedicated file, /var/log/routerlog.

# Log all kernel messages to the console. 
# Logging much else clutters up the screen. 
#kern.*                        /dev/console 

# Log anything (except mail) of level info or higher.
# Don’t log private authentication messages! 
*.info;mail.none;authpriv.none /var/log/messages 

# Router console log messages. Cisco IOS sends to facility local7 by
# default; use whatever facility your routers are configured to log to.
local7.*                       /var/log/routerlog 

# The authpriv file has restricted access. 
authpriv.*                     /var/log/secure

# Log all the mail messages in one place. 
mail.*                         /var/log/maillog 

# Everybody gets emergency messages, plus log them on another 
# machine. 
*.emerg                       * 

# Save uucp and news messages of level crit and higher in a 
# special file. 
uucp,news.crit                 /var/log/spooler

The actual text written by syslogd is specific to the device and may even vary with firmware revision, model and interface adapter. syslogd does not record the message's syslog priority in the file, so the severity has to be recovered from the message text itself; Cisco IOS, for example, embeds it in its %FACILITY-SEVERITY-MNEMONIC prefix (the 3 in %LINK-3-UPDOWN is severity 3, "error"). Note also that a catch-all selector such as *.info matches router messages too, so they will be duplicated in /var/log/messages unless that line excludes the router facility (local7.none for routers logging to local7).

How can you monitor this file? NNM does not read syslog files itself, and the conditions these messages report (an interface flap, a configuration change) are not always visible through SNMP polling or traps.

If the ITO (IT/Operations) agent is running on this host, it can be configured to watch the file as it grows, match lines containing text strings of interest, and raise an ITO alarm. ITO may not be the right tool here, though, since its management application runs elsewhere and the goal is to get the event into NNM.

An alternative, and perhaps preferable, solution is a small UNIX shell script running in the background to monitor the router syslog file. The script performs the following steps:

  • tail -f /var/log/routerlog to follow the file and capture new data

  • examine each string for specific text

  • strip shell metacharacters from the string (it will be placed on a command line)

  • identify the device that sent the syslog message (the host field syslogd writes after the timestamp)

  • assign a severity code (depends on the message content)

  • assign an event category (probably a custom category)

  • send the message into the NNM event stream with ovevent
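The following script carries out the steps above as an added example; it is not code from the book or from HP. It assumes NNM is installed under /opt/OV, that the event category "Router Console Events" has been defined in NNM, that the trap OID is a placeholder you replace with your own, and that the option letters and varbind layout passed to ovevent are checked against ovevent(1) on your system. The sample log lines in the usage note and comments are constructed to show the Cisco-style %FACILITY-SEVERITY-MNEMONIC text.

```sh
#!/bin/sh
# Added example (not from the book): follow /var/log/routerlog and forward
# selected router console messages into the NNM event stream with ovevent.
# ASSUMPTIONS: NNM lives under /opt/OV; the category below exists in NNM;
# EVENT_OID is a placeholder; ovevent's option letters are verified by you.

LOGFILE=${ROUTERLOG:-/var/log/routerlog}
OVEVENT=${OVEVENT:-/opt/OV/bin/ovevent}
CATEGORY=${NNM_CATEGORY:-"Router Console Events"}   # custom NNM category (assumed name)
EVENT_OID=${EVENT_OID:-.1.3.6.1.4.1.99999.1.1}       # placeholder trap OID, not a real one

# Messages worth forwarding: Cisco-style %FACILITY-SEVERITY-MNEMONIC prefixes.
INTERESTING='%(LINK|LINEPROTO|SYS|OSPF|BGP)-[0-7]-'

# Remove non-printable characters and shell metacharacters, since the text
# ends up as an argument on an ovevent command line.
sanitize() {
    printf '%s' "$1" | tr -cd '[:print:]' | sed 's/[`$"'"'"';|&<>\\]//g'
}

# Map the numeric syslog severity (0-7) found in the text to an NNM severity.
nnm_severity() {
    case ${1:-} in
        0|1|2) echo Critical ;;
        3)     echo Major ;;
        4)     echo Minor ;;
        5)     echo Warning ;;
        6|7)   echo Normal ;;
        *)     echo Warning ;;   # no severity in the text: treat as a warning
    esac
}

# classify_line LINE -> "device|severity|category|message" on stdout, or
# return 1 when the line is not one we forward. LINE is one syslogd file
# line, "Mon DD HH:MM:SS host message...", host being the sending router,
# e.g. "Mar  5 14:02:11 10.1.1.1 %LINK-3-UPDOWN: Interface Serial0/0, changed state to down"
classify_line() {
    line=$(sanitize "$1")
    printf '%s\n' "$line" | grep -Eq "$INTERESTING" || return 1
    device=$(printf '%s\n' "$line" | awk '{ print $4 }')
    msg=$(printf '%s\n' "$line" | awk '{ $1 = $2 = $3 = $4 = ""; sub(/^ +/, ""); print }')
    # drop anything (sequence numbers, router-side timestamps) before the first '%'
    case $msg in
        *%*) msg="%${msg#*%}" ;;
    esac
    sev=$(printf '%s\n' "$msg" | sed -n 's/^%[A-Z0-9_]*-\([0-7]\)-[A-Z0-9_]*:.*/\1/p')
    printf '%s|%s|%s|%s\n' "$device" "$(nnm_severity "$sev")" "$CATEGORY" "$msg"
}

# Hand the event to NNM. The -c/-s options and the "oid type value" varbind
# layout are an ASSUMPTION modelled on NNM's trap tools; adapt to ovevent(1).
send_to_nnm() {
    "$OVEVENT" -c "$CATEGORY" -s "$2" "$EVENT_OID" \
        "$EVENT_OID.1" octetstring "$1" \
        "$EVENT_OID.2" octetstring "$3"
}

# Follow the file, new lines only: a plain "tail -f" would replay the last
# ten lines and resend old events every time the script is restarted.
monitor() {
    tail -n 0 -f "$LOGFILE" | while IFS= read -r line; do
        if rec=$(classify_line "$line"); then
            IFS='|' read -r device severity category msg <<EOF
$rec
EOF
            send_to_nnm "$device" "$severity" "$msg"
        fi
    done
}

# Run in the background as:  RUN_ROUTERLOG_MONITOR=1 ./routerlog2nnm.sh &
if [ "${RUN_ROUTERLOG_MONITOR:-0}" = 1 ]; then
    monitor
fi
```

Sanitizing before parsing matters because the message text is attacker-influenced: anything a router (or whoever can spoof UDP 514 to the host) puts in a log line would otherwise reach the ovevent command line. The script also keeps only the part of the line from the first % onward, so routers that prefix sequence numbers and their own timestamps produce the same event text as those that do not.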
