Syslog Collector
The Syslog Collector microservice collects syslogs in RFC3164 and RFC5424 format from devices and creates a JSON structure containing the attributes from the syslog, such as severity, facility, hostname, and timestamp. By default, it publishes the JSON to the Pulsar topic to which the FCOM Processor microservice is subscribed.
This microservice is part of the Event microservice pipeline. See Understanding the Event Pipeline in Unified Assurance Concepts for conceptual information.
You can enable redundancy for this microservice when you deploy it. See Configuring Microservice Redundancy for general information.
This microservice provides additional Prometheus monitoring metrics. See Syslog Collector Self-Monitoring Metrics.
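The following is an added illustration, not Oracle's code or the collector's real output schema, of the kind of parsing described above: it accepts an RFC 3164 or RFC 5424 UDP payload and returns a JSON-ready structure with facility, severity, hostname, and timestamp. The field names, the `parse_syslog` function, and the sample datagrams are assumptions made for this example.

```python
import json
import re

SEVERITY = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
# RFC 5424: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID rest
RFC5424 = re.compile(r"<(\d{1,3})>([1-9]\d{0,2}) (\S+) (\S+) (\S+) (\S+) (\S+) ?(.*)", re.S)
# RFC 3164: <PRI>Mmm dd hh:mm:ss HOSTNAME rest (single-digit days are space padded)
RFC3164 = re.compile(r"<(\d{1,3})>([A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (\S+) (.*)", re.S)


def split_pri(pri: str) -> tuple[int, int]:
    """PRI = facility * 8 + severity, so valid values are 0..191."""
    value = int(pri)
    if value > 191:
        raise ValueError(f"PRI {value} out of range")
    return value >> 3, value & 7


def nil(field: str):
    """RFC 5424 uses '-' (NILVALUE) for an absent field."""
    return None if field == "-" else field


def parse_syslog(datagram: bytes, source_ip: str) -> dict:
    """Parse one UDP payload into a flat event dict (field names are assumed)."""
    text = datagram.decode("utf-8", errors="replace").rstrip("\r\n\x00")
    if m := RFC5424.fullmatch(text):
        pri, _version, ts, host, app, _procid, _msgid, rest = m.groups()
        fmt, ts, host, app = "RFC5424", nil(ts), nil(host), nil(app)
    elif m := RFC3164.fullmatch(text):
        pri, ts, host, rest = m.groups()
        fmt, app = "RFC3164", None
    else:
        raise ValueError("not an RFC 3164 or RFC 5424 message")
    facility, severity = split_pri(pri)
    return {
        "format": fmt, "facility": facility, "severity": severity,
        "severity_name": SEVERITY[severity], "timestamp": ts,
        # hostname is whatever the sender wrote; source_ip is the socket peer.
        "hostname": host, "source_ip": source_ip, "app": app, "message": rest,
    }


if __name__ == "__main__":
    # Constructed sample datagrams; 192.0.2.0/24 is a documentation range.
    samples = [b"<34>Oct 11 22:14:15 edge-sw1 su: auth failure for admin",
               b"<165>1 2024-05-01T12:00:00Z fw1.example.com ipsec 812 ID47 - tunnel down"]
    for raw in samples:
        print(json.dumps(parse_syslog(raw, "192.0.2.10")))
```

Because the hostname field is supplied by the sender over UDP, the example keeps the socket peer address alongside it so that downstream rules can compare the two.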
Syslog Collector Prerequisites
Before deploying the microservice, confirm that the following prerequisites are met:
- A microservice cluster is set up. See Microservice Cluster Setup.
- The Apache Pulsar microservice is deployed. See Pulsar.
Deploying Syslog Collector
To deploy the microservice in a single server environment, run the following commands:
su - assure1
export NAMESPACE=<namespace>
export WEBFQDN=<WebFQDN>
a1helm install <microservice-release-name> assure1/syslog-collector -n $NAMESPACE --set global.imageRegistry=$WEBFQDN
In a multi-server environment, deploy the Syslog Collector microservice to a specific node by running the following commands:
su - assure1
export NAMESPACE=<namespace>
export WEBFQDN=<WebFQDN>
export NODEFQDN=<Cluster Target Node FQDN>
a1helm install <microservice-release-name> assure1/syslog-collector -n $NAMESPACE --set global.imageRegistry=$WEBFQDN --set nodeSelector."kubernetes\.io/hostname"=$NODEFQDN
In the commands:
- <namespace> is the namespace where you are deploying the microservice. The default namespace is a1-zone1-pri, but you can change the zone number and, when deploying to a redundant cluster, change pri to sec.
- <WebFQDN> is the fully-qualified domain name of the primary presentation server for the cluster.
- <microservice-release-name> is the name to use for the microservice instance. Oracle recommends using the microservice name (syslog-collector) unless you are deploying multiple instances of the microservice to the same cluster.
You can also use the Unified Assurance UI to deploy microservices. See Deploying a Microservice by Using the UI for more information.
Changing Syslog Collector Configuration Parameters
When running the install command, you can optionally change default configuration parameter values by including them in the command with additional --set arguments. You can add as many additional --set arguments as you need.
For example:
- Set a parameter described in Default Syslog Collector Configuration by adding --set configData.<parameter_name>=<parameter_value>. For example, disable DNS lookups by adding --set configData.DISABLE_DNS="true".
- Enable redundancy for the microservice by adding --set redundancy=enabled.
Default Syslog Collector Configuration
The following table describes the default configuration parameters found in the Helm chart under configData for the microservice.
Name | Default Value | Possible Values | Notes |
---|---|---|---|
LOG_LEVEL | INFO | FATAL, ERROR, WARN, INFO, DEBUG | Logging level used by application. |
STREAM_INPUT | udp://:514 | Text, 255 characters | UDP socket port. |
STREAM_OUTPUT | persistent://assure1/event/collection | Text, 255 characters | Apache Pulsar topic path. Topic at end of path may be any text value. |
DISABLE_DNS | false | true, false | Enable or disable reverse DNS lookups for IPs from incoming syslog messages. |
LOOKUP_CACHE_TTL | 120 | Integer | The number of seconds between refreshing the DNS cache of IPs for reverse lookups. |
REDUNDANCY_POLL_PERIOD | 5 | Integer | The number of seconds between status checks from the secondary microservice to the primary microservice. |
REDUNDANCY_FAILOVER_THRESHOLD | 4 | Integer | The number of times the primary microservice must fail checks before the secondary microservice becomes active. |
REDUNDANCY_FALLBACK_THRESHOLD | 1 | Integer | The number of times the primary microservice must succeed checks before the secondary microservice becomes inactive. |
Syslog Collector Self-Monitoring Metrics
The Syslog Collector microservice exposes the self-monitoring metrics described in the following table to Prometheus.
Metric Name | Type | Description |
---|---|---|
total_syslogs_processed | Counter | Number of syslogs processed |
processing_time_per_syslog | Gauge | Processing time per syslog from receiving it to sending |
receive_queue_length_udp | Gauge | Indicates the length of the receive queue waiting to be read in UDP buffer |
receive_queue_length_udp6 | Gauge | Indicates the length of the receive queue waiting to be read in UDP6 buffer |
Note:
Metric names in the database include a prefix that indicates the service that inserted them. The prefix is prom_ for metrics inserted by Prometheus. For example, total_syslogs_processed is stored as prom_total_syslogs_processed in the database.