TITLE:
How to configure and use the Jalasoft Xian Syslog Server.
REVISION:
Revision : B001-SLR01 Date : 11/30/05
DESCRIPTION:
Jalasoft has released Service Pack 2 for Xian Network Manager, which includes the Jalasoft Xian Syslog Server that receives and filters all the syslog messages generated by managed network devices and UNIX Servers. This new feature increases the functionality and monitoring power of Xian Network Manager by allowing it to asynchronously monitor devices and servers.
A syslog message is a log message sent from a device or machine to a syslog server. This message includes the facility (the logical location of the log message), the severity level and the message itself. Please refer to the RFC 3164 documentation for more information.
The Jalasoft Xian Syslog Server will receive all these syslog messages and, after filtering them, will immediately send the appropriate event messages to MOM.
CONFIGURATION:
There are 2 steps to follow in order to set up the Xian Syslog server:
- Enable the Xian Syslog Server to receive the syslog messages.
- Configure the managed network devices and UNIX servers to send their syslog messages to the Jalasoft Syslog Server.
Enabling the Xian Syslog Server:
The Syslog Server is part of the NSS service and it is disabled by default, so it is necessary to enable it and then configure its settings. Please follow these steps:
1. Open the Xian console.
2. Click on the ‘Xian Servers’ tab located on the upper left tree window:
3. Access the Network Scan Server properties by double clicking on the server or by right clicking on it and then clicking on the ‘Properties’ contextual menu option:
Please notice that the Server state is disabled.
5. Configure the UDP port that the server will use and then click on the ‘Apply’ button.
Configure the level of severity of the Xian events associated to the syslog message severities. In other words, you should configure the severity level that the Xian event should display in MOM when a syslog message with a certain severity level is processed. Click on the ‘OK’ button after configuring these settings.
7. Once the port and the severity mapping are configured, click on the ‘Enable’ button. You will see that the Syslog server goes to the ‘Running’ status after a few seconds:
If for some reason (e.g., ports already used, services not running properly or not enough permissions) the service cannot be enabled, then the ‘view last error’ button will be enabled. If you click on it, a window will be displayed indicating the error, and the status of the server will remain in a disabled state.
Configuring the Network Devices and UNIX Servers to send syslog messages to the Xian Syslog Server:
Any network device or UNIX server that can send syslog messages can be configured to send this information to a syslog server. You should enable this service, configure the IP address of the server and also configure the message severities.
- Add a new entry in the /etc/hosts file with the Syslog server information:
<IP address> <fully qualified domain name> <host name> <nickname>
For example:
10.2.3.68 XianUser.DevLab.com XianUser loghost
- Add this entry to your /etc/syslog.conf file with the nickname given in the previous step:
*.debug @<nickname>
For example:
*.debug @loghost
- Restart the syslog service.
Please review your device and server documentation for the necessary steps in order to send the syslog messages to the Xian Syslog Server.
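Once a device has been pointed at the Xian Syslog Server, a hand-built RFC 3164 message is a quick way to confirm that the UDP path and the listener work. The following Python code is an added example, not part of the original Jalasoft document; the sender host name linux01 and the tag xiantest are constructed values, while 10.2.3.68 and UDP port 514 are the example address and default port used in this document.

```python
import socket
from datetime import datetime

MONTHS = ("Jan", "Feb", "Mar", "Apr", "May", "Jun",
          "Jul", "Aug", "Sep", "Oct", "Nov", "Dec")
FACILITY_USER = 1    # RFC 3164 facility code: user-level messages
SEVERITY_DEBUG = 7   # lowest severity, the level selected by "*.debug"

def build_rfc3164(facility, severity, hostname, tag, text, now=None):
    """Build one RFC 3164 packet: <PRI>TIMESTAMP HOSTNAME TAG: text."""
    if not (0 <= facility <= 23 and 0 <= severity <= 7):
        raise ValueError("facility must be 0-23 and severity 0-7")
    now = now or datetime.now()
    pri = facility * 8 + severity
    # RFC 3164 timestamp: "Mmm dd hh:mm:ss", day padded with a space.
    stamp = "%s %2d %02d:%02d:%02d" % (
        MONTHS[now.month - 1], now.day, now.hour, now.minute, now.second)
    packet = "<%d>%s %s %s: %s" % (pri, stamp, hostname, tag, text)
    # RFC 3164 limits the whole packet to 1024 bytes.
    return packet.encode("ascii", "replace")[:1024]

def send_test_message(server, port=514, hostname="linux01",
                      tag="xiantest", text="forwarding check", now=None):
    """Send one user.debug test message over UDP; return the bytes sent."""
    data = build_rfc3164(FACILITY_USER, SEVERITY_DEBUG,
                         hostname, tag, text, now)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.sendto(data, (server, port))
    return data

if __name__ == "__main__":
    # Prints the packet only; call send_test_message("10.2.3.68") to send it.
    print(build_rfc3164(FACILITY_USER, SEVERITY_DEBUG, "linux01",
                        "xiantest", "forwarding check").decode("ascii"))
```

This exercises the network path and the Xian listener directly; it does not prove that the local syslog.conf entry is forwarding, which still has to be checked with a message logged on the device itself.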
WORKING WITH THE SYSLOG MESSAGE FILTERS:
Once the Xian Syslog Server is enabled and all the devices and UNIX servers are configured to send their syslog messages to it, the next step is to add the filters that the Xian Syslog Server will apply to the arriving syslog messages in order to keep the desired messages and discard the undesired ones. Please note that there are 2 types of filters:
- User defined filters.
- Predefined syslog filters for Linux and Solaris servers.
Adding and Configuring a User Defined Filter:
To add a new user defined filter, please follow these steps (in the example we will use a Linux Server):
1. Open the Xian console and click on the ‘Syslog message filters’ tab.
The following window will be displayed:
3. Enter a name for the filter or use the default one suggested.
4. Select the action that the filter will perform when a syslog message that matches this filter arrives:
o The ‘Reject’ action will discard any syslog message that matches this filter.
5. Enter an Event number: this number will be used by MOM to identify this event with predefined rules in the Xian plug-in SMP, or use custom rules to create alerts based on the event and then associate them to the appropriate KB Article.
6. Enter the Event source: in a similar way to the Event number, this field will be used by MOM to associate the event to some predefined or user rule that will associate the event to a KB Article. Please note that there are some reserved words used by Xian predefined filters and an error message like the following will be displayed if you try to use some of them:
7. Enter the Description for the filter. This field is not mandatory but will give you an idea of the filter and its purpose.
8. The next step is to configure the filtering of the severity levels of the
9. The following step consists of selecting the syslog messages which will be filtered by contents. To do this, you will have to check the ‘Contents’ check box and enter a valid regular expression that will be applied to the contents of the syslog message, so that the filter will process only the messages that match this criterion. If no regular expression is provided for this field, the following error message will be displayed when pressing the ‘OK’ button:
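A severity selection and a ‘Contents’ expression can be checked against sample messages before they are entered in the console. The following Python code is an added example and not Xian's own filter code: the SyslogFilter class, the filter names and the sample messages are constructed, and matching the expression anywhere in the text after the priority field with Python's regular expression syntax is an assumption (the product's regular expression dialect may differ).

```python
import re
from dataclasses import dataclass
from typing import FrozenSet, Optional

# Severity names by RFC 3164 code (0 = most severe, 7 = debug).
SEVERITIES = ("emergency", "alert", "critical", "error",
              "warning", "notice", "informational", "debug")
PRI_RE = re.compile(r"^<(\d{1,3})>")

def decode_pri(raw):
    """Return (facility, severity, rest) for an RFC 3164 message string."""
    m = PRI_RE.match(raw)
    if not m or int(m.group(1)) > 191:     # 191 = facility 23, severity 7
        return 1, 5, raw                   # RFC 3164 fallback: user.notice (13)
    pri = int(m.group(1))
    return pri >> 3, pri & 7, raw[m.end():]

@dataclass(frozen=True)
class SyslogFilter:                        # hypothetical model of one filter
    name: str
    reject: bool                           # True = 'Reject' action
    severities: Optional[FrozenSet[int]]   # None = 'Severity' box cleared
    contents: Optional[str]                # None = 'Contents' box cleared

    def __post_init__(self):
        if self.contents is not None:
            if not self.contents:
                raise ValueError("'Contents' is checked but no expression given")
            re.compile(self.contents)      # raises re.error if invalid

    def matches(self, raw):
        _, severity, rest = decode_pri(raw)
        if self.severities is not None and severity not in self.severities:
            return False
        return self.contents is None or re.search(self.contents, rest) is not None

def dry_run(flt, samples):
    """List (severity name, matched?) for each sample message."""
    return [(SEVERITIES[decode_pri(s)[1]], flt.matches(s)) for s in samples]

# Constructed sample messages (not captured from a real host).
SAMPLES = [
    "<38>Nov 30 10:15:02 linux01 sshd[2211]: Failed password for root from 10.2.3.90",
    "<34>Nov 30 10:15:09 linux01 su: authentication failure for root",
    "<15>Nov 30 10:16:00 linux01 cron[901]: job finished",
]
AUTH_FAILURES = SyslogFilter("auth-failures", False, frozenset(range(0, 7)),
                             r"(?i)failed password|authentication failure")
DEBUG_NOISE = SyslogFilter("debug-noise", True, frozenset({7}), None)

if __name__ == "__main__":
    for flt in (AUTH_FAILURES, DEBUG_NOISE):
        print(flt.name, dry_run(flt, SAMPLES))
```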
The other types of filters that Xian Network Manager 2005 includes are the Linux and Solaris servers predefined filters that were created and configured to filter the most important syslog messages from these servers. These raise proper alert messages to MOM associated to the corresponding KB articles.
To add this type of syslog filter, follow this procedure (in the example we will add a syslog filter to a Linux server but the procedure is the same for a Solaris server):
1. Open the Xian console.
2. Click on the ‘Syslog message filters’ tab located on the upper right pane. You should see the following window:
3. Expand the ‘Linux Server’ tree and drag and drop the desired filter to the desired Linux Server:
You should select the filter that you want to apply to the server and then click on the ‘OK’ button.
Please note that you will not be able to edit the ‘Event number’ and the ‘Event source’ fields, since filters of this kind were configured with default values in order to match rules present in the Jalasoft SMPs.
5. Select the server or servers where this filter will be applied. You can also select the whole category.
Note that you can select all of the severity levels or just configure the filter to not consider this aspect by unselecting the ‘Severity’ check box. Additionally, please note that unlike the user configured filters, the ‘Content’ filter will not be available since the content of the filter is also predefined.
7. Click on the ‘OK’ button in order to finish this filter configuration.
Working with the Filter Order:
4. Right click on the syslog filter that you want to move. The following options will be displayed:
The filter can be moved up or down one position or it can be placed at the first or last position.
5. Click on the move option that you choose for the filter.
6. Repeat this procedure for each of the filters until they are placed in the appropriate position.
Editing and Removing the Syslog Filters:
The last operation that you can perform on a syslog filter consists of editing its settings and/or removing it.
To edit a syslog filter, please follow this procedure:
- Open the Xian console.
- Go to the ‘Syslog message filters’ tab where the syslog filters are located.
- Double click over the desired syslog filter or right click over it and click on the ‘Edit’ contextual menu option.
The ‘Syslog message filter properties’ window will be opened for the filter and you will be able to edit it and click on the ‘OK’ button to apply these modifications or click on the ‘Cancel’ button to cancel the operation.
To delete or remove a filter, you should follow these steps:
- Open the Xian console.
- Go to the ‘Syslog message filters’ tab where the syslog filters are located.
- Right click over the filter that you want to remove and then click on the ‘Remove’ contextual menu option.
You have to click on the ‘Yes’ button to remove the filter or click on the ‘No’ button if you don’t want to delete it.
Working with the Syslog Messages using the Device Properties Window:
Most of the operations described in this document can also be performed using the ‘Device Properties’ window, which allows you to add, edit and remove the syslog filters for a particular device.
To configure the syslog filters for a certain device, please follow these steps:
1. Open the Xian console.
2. Double click on the device or server, or right click on it and click on the ‘Properties’ contextual menu option.
This window displays all the filters that were applied to the device or server, and the ‘Add’, ‘Edit’ and ‘Remove’ buttons that let you configure the filters which will be applied to the device or server. In the case of the Linux server and the Solaris server plug-ins, the Predefined Syslog Filters List for the plug-in will be displayed.
4. Now you should be able to perform any of the previously described operations.
APPLIES TO:
Xian Network Manager 2005 SP2
STATUS:
Procedure provided.
ADDITIONAL COMMENTS:
At the time that this document was written, the Xian Syslog server was in a beta version and the following issues were present:
- The Syslog Server cannot detect whether the port that this service uses is being used by another application; if it is, the service will not work properly. Please make sure that the default UDP 514 port or the one assigned when enabling this service is not being used by any other service or application.
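Because the server does not report a busy port itself, the port can be probed on the Xian host before the ‘Enable’ button is clicked. The following Python code is an added example, not part of the original document; the function name udp_port_status is hypothetical, and the result only describes the moment the probe runs.

```python
import errno
import socket

def udp_port_status(port=514, bind_addr="0.0.0.0"):
    """Return 'free', 'in use' or 'denied' for a UDP port on this host."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        # A successful bind means no other listener holds the port.
        sock.bind((bind_addr, port))
        return "free"
    except OSError as exc:
        if exc.errno == errno.EADDRINUSE:
            return "in use"      # another service already owns the port
        if isinstance(exc, PermissionError) or exc.errno == errno.EACCES:
            return "denied"      # not enough permissions to bind this port
        raise
    finally:
        sock.close()             # release the port again for the Syslog Server

if __name__ == "__main__":
    print("UDP 514:", udp_port_status(514))
```

Run it with the Xian Syslog Server still disabled; once the server is running, the same probe reports ‘in use’ for its own port.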