Syslogd

Overview

The Unified Assurance Event Syslog Aggregator is a generic syslog message listener that receives messages from devices, parses the results with customizable rules and creates de-duplicated events within Unified Assurance.

Syslog Aggregator Setup

  1. Review the logic in the rules files referenced in the configuration to see the processing that will be done when syslogs are received:

    • LoadRules will be run during application startup to load data that might be needed during processing.

    • IncludeRules will be read during application startup to load additional files that might be called during processing.

    • BaseRules will be run for each syslog that is received.

    Update the logic as needed.

  2. Enable the default Service, unless a specific configuration option is needed.

    Configuration -> Broker Control -> Services

Default Service

Field Value
Package Name coreCollection-app
Service Name Event Syslog Aggregator
Service Program bin/core/collection/Syslogd
Service Arguments
Service Description Syslog Aggregator that runs on port 514/udp
Failover Type Standalone (Supported: Standalone, Primary/Backup)
Status Disabled
Privileged (Checked)

Default Configuration

Name Value Possible Values Notes
BaseRules collection/event/syslog/base.rules Text, 255 characters Relative path to Base Rules.
BranchDir core/default Text, 255 characters relative path to Rules dir
Host * Text, 255 characters DNS name or IP Address of the syslog server. Can associate to a particular interface. - NO RELOAD CONFIG SUPPORT
IncludeRules collection/event/syslog/base.includes Text, 255 characters Relative path to Include Rules.
LoadRules collection/event/syslog/base.load Text, 255 characters Relative path to Load Rules.
LogFile logs/EventSyslog.log Text, 255 characters Relative path to Log File.
LogLevel ERROR OFF, FATAL, ERROR, WARN, INFO, DEBUG Logging level used by application.
Port 514 Integer UDP Port for syslog server to collect messages. - NO RELOAD CONFIG SUPPORT
ShardID 1 Integer Database shard to be used.
Threads 3 Integer Number of process threads created. The aggregator takes a third of this value (rounded up) for database threads unless overridden by the DBThreads application configuration.
Capture Disabled Enabled/Disabled Optional - If enabled, saves the raw message in the Log.
DBThreads Integer Optional - Number of database threads to be created. If not specified, defaults to a third (rounded up) of Threads application configuration.
DisableDNS Disabled Enabled/Disabled Optional - If enabled, uses IP address instead of hostname for the event Node.
FailoverBufferLimit 0 Integer Optional - Enables Failover Standby buffer that keeps N-seconds worth of syslogs and replays this buffer when becoming Failover Active. (0=off N=seconds to keep) See Tokens: $buffer and $received.
FieldSetFile Text, 255 characters Optional - Path to csv file containing custom list of fields that will be used when inserting data. (Requires InsertSQLFile.)
InsertSQLFile Text, 255 characters Optional - Path to file containing custom SQL Insert statement for handling of event inserts. (Requires FieldSetFile.)

Best Practices

The following list shows the best practices for working with this application:

Rules

This aggregator uses the Unified Assurance standard rules architecture in Perl syntax. For information about creating rules, see the following in Unified Assurance Developer's Guide:

Tokens

The aggregator exposes the following tokens for rules processing.

Token Description
$AppConfig Hash reference to the application configuration name-value pairs that were configured. (i.e. use $AppConfig->{'Host'} to retrieve the set value for 'Host'.)
$Event Reference to the hash that is used to create and insert the Event data into the database. Keys map to the fields within the table used and values assigned are inserted in the database to that field. (e.g. $Event->{'IPAddress'} = '192.0.2.1' to assign the event IP address to '192.0.2.1') At least the 'Node' and 'Summary' fields must be set, or no event is inserted.
$received Epoch time syslog was received by the aggregator.
$buffer Flag for if was buffered during standby and was replayed (0 = No, 1 = Yes).
$line Syslog message.
$node DNS resolved source of syslog.
$ip IP of source of syslog.
$discard_flag Flag for discard (0 = No, 1 = Yes).
$count Message Counter.
$CustomHash Custom key, value cache available across all rules. Contents commonly defined in Load Rules then used in Base or other rules. NOTE: This variable is a shared object and any additional sub hashes or arrays must be shared before use or it will cause the error: Invalid value for shared scalar. Instantiate the sub hash/array using '&share({})' e.g. 
$CustomHash->{SubObject} = &share({});
$StorageHash Internal cache used as the StorageHash option when calling rules functions such as FindDeviceID(). NOTE: The structure of this cache is subject to change! Not recommended for custom global storage or manual manipulation; use $CustomHash.

Example Integrations

Creating Custom Rules Files

In this rules creation example, an IP Phone is sending syslogs that appear in the event list with summary:

Missing Rules for-<134>[0]SIP:RegFailed;Retry in 30s
Missing Rules for-<134>+++ send scaps discovery query

Note:

The Missing Rules for is added to the beginning of the summary for any syslog messages without corresponding rules.

Steps

  1. Go to the Rules UI:

    Configuration -> Rules

  2. Expand the folder path: core -> default -> collection -> event -> syslog

  3. Select the syslog folder, then click Add -> Add File. Enter the following:

    • File Name => ipphone.rules

    • Logic

      $Log->Message("DEBUG", " -> Starting running IP Phone Rules");

$Event->{'SubMethod'}  = "IPPhone";
$Event->{'Summary'}    = $line;
$Event->{'AlarmGroup'} = "IPPhone";

if ($line =~ "RegFailed"){
    # Phone Registration Failed
    $Event->{'Severity'}  = 3;
    $Event->{'SubMethod'} = "Registration Failure";
}
elsif ($line eq "<134>+++ send scaps discovery query") {
    #Discard unwanted event
    $discard_flag = 1;
}
else {
    # Catch all for all Phone events
    $Event->{'Severity'} = 0;
}

$Event->{'AlarmKey'} = $Event->{'SubMethod'} . $Event->{'Summary'};

$Log->Message("DEBUG", " -> Finished running IP Phone rules");

      In the example:

      • Events containing the text RegFailed are detected using a Regular Expression match. The event Severity is set to 3 (Minor) and the SubMethod is set to Registration Failure.

      • Events containing the text <134>+++ send scaps discovery query are discarded by setting the discard_flag to 1. This is useful if the event should not be kept.

      • Any other events have the Severity set to 0 (Normal).

      Of particular importance in the example is the $Event->{'AlarmKey'} as the AlarmKey is how events are deduplicated.

    • Click Submit, then enter a commit message, then click OK.

  4. In the syslog folder, select the base.includes file. Add the following line:

    • Logic

      IPPhoneRules,collection/event/syslog/ipphone.rules

    • Click Submit, then enter a commit message, then click OK.

  5. Determine how the aggregator should know the correct processing direction of the event using any of the available data. For example, the event can be based on the source of the Syslog Message:

    elsif ($node =~ "ipphone.*\.example\.com") {
    ...
}

    Or the event can be processed based on the message itself:

    elsif ($line =~ /\<134\>/){
    ...
}

    In the syslog folder, select on the base.rules file. Add the following line:

    • Logic

      elsif ($line =~ /\<134\>/ || $node =~ "ipphone.*\.example\.com") {
    $Event->{'SubMethod'} = "IPPhone";
    $Log->Message("DEBUG", "Running IPPhone Syslog Rules");
    IPPhoneRules();
}

    • Click Submit, then enter a commit message, then click OK.

  6. Restart the Syslog Aggregator.

  7. Verify the Syslog Aggregator is processing the events correctly.

Administration Details

The following list shows the technical details you will need for advanced administration of the application: