Syslogd
The Oracle Communications Unified Assurance Event Syslog Aggregator is a generic syslog message listener that receives messages from devices, parses the results with customizable rules and creates de-duplicated events within Unified Assurance.
You can run this application as a service using the Services UI.
Syslog Aggregator Setup
1. Review the logic in the rules files referenced in the configuration to see the processing that will be done when syslogs are received:
   - LoadRules will be run during application startup to load data that might be needed during processing.
   - IncludeRules will be read during application startup to load additional files that might be called during processing.
   - BaseRules will be run for each syslog that is received.
   Update the logic as needed.
2. Enable the default service, unless you need a specific configuration option.
See Services in Unified Assurance User's Guide for information about the Services UI.
Default Service
The following table shows the settings for the default service. Actual values are in bold, descriptions of values are in plaintext.
| Field | Default Value |
|---|---|
| Package | coreCollection-app |
| Name | Event Syslog Aggregator |
| Program | bin/core/collection/Syslogd |
| Arguments | This field is blank. There is no default value. |
| Description | Syslog Aggregator that runs on port 514/udp |
| Failover Type | Standalone (Supported: Standalone, Primary, Redundant/Backup) |
| Status | Disabled |
| Privileged | This option is selected. |
See Services in Unified Assurance User's Guide for general information about the settings for services.
See Using Application Primary/Backup Failover for more information about the different failover types.
Default Configuration
The following table shows the default configurations for the application. Actual values are in bold, descriptions of values are in plaintext.
| Name | Default Value | Possible Values | Notes |
|---|---|---|---|
| BaseRules | collection/event/syslog/base.rules | Text, 255 characters | The relative path to the syslog base rules. |
| BranchDir | core/default | Text, 255 characters | The relative path to the rules directory. |
| Host | * | Text, 255 characters | The DNS name or IP address of the syslog server. Can be associated with a particular interface. NO RELOAD CONFIG SUPPORT |
| IncludeRules | collection/event/syslog/base.includes | Text, 255 characters | The relative path to the syslog include rules. |
| LoadRules | collection/event/syslog/base.load | Text, 255 characters | The relative path to the syslog load rules. |
| LogFile | logs/EventSyslog.log | Text, 255 characters | The relative path to the syslog log file. |
| LogLevel | ERROR | OFF, FATAL, ERROR, WARN, INFO, DEBUG | The logging level for the application. |
| Port | 514 | An integer | The UDP port on which the syslog server collects messages. NO RELOAD CONFIG SUPPORT |
| ShardID | 1 | An integer | The database shard to use. |
| Threads | 3 | An integer | The number of process threads created. |
| Capture | Disabled | Enabled or Disabled | (Optional) If enabled, the raw messages are saved in the log. |
| DBThreads | A third, rounded up, of the Threads value. | An integer | (Optional) The number of database threads to create. |
| DisableDNS | Disabled | Enabled or Disabled | (Optional) If enabled, uses the IP address instead of the hostname for the event node. |
| FailoverBufferLimit | 0 | An integer | (Optional) If set to an integer greater than 0, a failover standby buffer keeps that number of seconds' worth of syslogs and replays them when the application becomes failover active. Set to 0 to disable the buffer. See the descriptions of the $buffer and $received tokens in Tokens. |
| FieldSetFile | This field is blank. There is no default value. | Text, 255 characters | (Optional) The path to a CSV file containing a custom list of fields to use when inserting data. If you specify this, you must also specify InsertSQLFile. |
| InsertSQLFile | This field is blank. There is no default value. | Text, 255 characters | (Optional) The path to the file containing a custom SQL INSERT statement for handling event inserts. If you specify this, you must also specify FieldSetFile. |
Best Practices
The following list shows the best practices for working with this application:
- Depending on the server specifications and load, the number of Threads that the aggregator uses may need to be increased; however, too many threads have also been seen to have negative effects.
- By default, devices send syslog messages on UDP port 514, but this can be changed for other environments. If messages are not reaching the Unified Assurance system, check the firewall settings in the network.
- By default, syslog messages are sent in a carriage-return-delimited format.
Rules
This aggregator uses the Unified Assurance standard rules architecture in Perl syntax. For information about creating rules, see the following in Unified Assurance Developer's Guide:
- Core for information about core rules functions.
- Events for information about Event rules functions.
Tokens
The aggregator exposes the following tokens for rules processing.
| Token | Description |
|---|---|
| $AppConfig | Hash reference to the application configuration name-value pairs that were configured. (For example, use $AppConfig->{'Host'} to retrieve the set value for 'Host'.) |
| $Event | Reference to the hash that is used to create and insert the Event data into the database. Keys map to the fields within the table used, and the values assigned are inserted in the database to that field. (For example, $Event->{'IPAddress'} = '192.0.2.1' assigns the event IP address '192.0.2.1'.) At least the 'Node' and 'Summary' fields must be set, or no event is inserted. |
| $received | Epoch time at which the syslog was received by the aggregator. |
| $buffer | Flag indicating whether the syslog was buffered during standby and replayed (0 = No, 1 = Yes). |
| $line | Syslog message. |
| $node | DNS-resolved source of the syslog. |
| $ip | IP address of the source of the syslog. |
| $discard_flag | Flag for discard (0 = No, 1 = Yes). |
| $count | Message counter. |
| $CustomHash | Custom key-value cache available across all rules. Contents are commonly defined in Load Rules and then used in Base or other rules. NOTE: This variable is a shared object, and any additional sub-hashes or arrays must be shared before use or they will cause the error: Invalid value for shared scalar. Instantiate the sub-hash or array using '&share({})', for example $CustomHash->{SubObject} = &share({}); |
| $StorageHash | Internal cache used as the StorageHash option when calling rules functions such as FindDeviceID(). NOTE: The structure of this cache is subject to change! Not recommended for custom global storage or manual manipulation; use $CustomHash. |
Example Custom Rule
The following example shows how to create a custom rule for an IP phone that is sending syslogs that appear in the event list with these summaries:

```
Missing Rules for-<134>[0]SIP:RegFailed;Retry in 30s
Missing Rules for-<134>+++ send scaps discovery query
```

Note: "Missing Rules for" is added to the beginning of the summary for any syslog messages without corresponding rules.
For more examples and explanation of how rules are applied, see Events Examples.
To create a custom rule for the IP phone syslogs:
1. Create the rule:
   1. Go to the Rules UI: from the Configuration menu, select Rules. See Rules for information about this UI.
   2. Expand the following folders: Core Rules (core)/Default read-write branch (default)/collection/event
   3. Select the syslog folder, then, from the Add menu, select Add File.
   4. In File Name, enter ipphone.rules.
   5. In the Perl section, add the following:

      ```perl
      $Log->Message("DEBUG", " -> Starting running IP Phone Rules");
      $Event->{'SubMethod'}  = "IPPhone";
      $Event->{'Summary'}    = $line;
      $Event->{'AlarmGroup'} = "IPPhone";
      if ($line =~ /RegFailed/) {
          # Phone registration failed
          $Event->{'Severity'}  = 3;
          $Event->{'SubMethod'} = "Registration Failure";
      } elsif ($line eq "<134>+++ send scaps discovery query") {
          # Discard unwanted event
          $discard_flag = 1;
      } else {
          # Catch-all for all other phone events
          $Event->{'Severity'} = 0;
      }
      # AlarmKey is the de-duplication key, so build it from the fields that
      # identify a distinct alarm
      $Event->{'AlarmKey'} = $Event->{'SubMethod'} . $Event->{'Summary'};
      $Log->Message("DEBUG", " -> Finished running IP Phone rules");
      ```

      In the example:
      - Events containing the text RegFailed are detected using a regular expression match. The event Severity is set to 3 (Minor) and the SubMethod is set to Registration Failure.
      - Events containing the text <134>+++ send scaps discovery query are discarded by setting $discard_flag to 1. This is useful if the event should not be kept.
      - Any other events have the Severity set to 0 (Normal).

      Of particular importance in the example is $Event->{'AlarmKey'}, because the AlarmKey is how events are de-duplicated.
   6. Click Submit, enter a commit message, and then click OK.
2. Add the rule to the include rules:
   1. In the syslog folder, select the base.includes file.
   2. Add the following line to the Plain text section:

      ```
      IPPhoneRules,collection/event/syslog/ipphone.rules
      ```

   3. Click Submit, enter a commit message, and then click OK.
3. Add the processing direction to the base rules. You must determine how the aggregator should recognize the correct processing direction for the event using any of the available data; for example, based on the source of the syslog message, or based on the message itself:
   1. In the syslog folder, select the base.rules file.
   2. Add the following code to the Perl section:

      ```perl
      # Route messages with facility/severity <134>, or from hosts whose
      # resolved name looks like an IP phone, to the IP phone rules
      elsif ($line =~ /\<134\>/ || $node =~ /ipphone.*\.example\.com/) {
          $Event->{'SubMethod'} = "IPPhone";
          $Log->Message("DEBUG", "Running IPPhone Syslog Rules");
          IPPhoneRules();
      }
      ```

   3. Click Submit, enter a commit message, and then click OK.
4. Restart the Syslog Aggregator.
5. Verify that the Syslog Aggregator is processing the events correctly.
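As an added example (not Oracle's code), the following stand-alone Perl script emulates the aggregator tokens and runs the ipphone rule together with the base.rules branch above over constructed syslog lines, showing which event is discarded and how the AlarmKey de-duplicates the repeated registration failure. The FakeLog package, the process() wrapper and the hostname ipphone01.example.com are assumptions made for the example.

```perl
# Added example (not Unified Assurance code): emulates the aggregator tokens
# ($line, $node, $Event, $discard_flag, $Log), runs this page's IP phone rules
# over constructed syslogs and shows how AlarmKey de-duplicates repeats.
use strict;
use warnings;
# Stand-in for the aggregator's $Log object (assumption: only Message() is needed).
package FakeLog;
sub new { bless {}, shift }
sub Message { my ($self, $level, $msg) = @_; print "[$level] $msg\n" }
package main;
our ($line, $node, $Event, $discard_flag);
our $Log = FakeLog->new;

# ipphone.rules logic, as the sub that base.includes exposes as IPPhoneRules().
sub IPPhoneRules {
    $Log->Message("DEBUG", " -> Starting running IP Phone Rules");
    $Event->{'SubMethod'}  = "IPPhone";
    $Event->{'Summary'}    = $line;
    $Event->{'AlarmGroup'} = "IPPhone";
    if ($line =~ /RegFailed/) {                 # phone registration failed
        $Event->{'Severity'}  = 3;
        $Event->{'SubMethod'} = "Registration Failure";
    } elsif ($line eq "<134>+++ send scaps discovery query") {
        $discard_flag = 1;                      # discard unwanted event
    } else {
        $Event->{'Severity'} = 0;               # catch-all for other phone events
    }
    $Event->{'AlarmKey'} = $Event->{'SubMethod'} . $Event->{'Summary'};
    $Log->Message("DEBUG", " -> Finished running IP Phone rules");
}

# The base.rules dispatch branch from the page, applied to one message.
sub process {
    ($line, $node) = @_;
    ($Event, $discard_flag) = ({ Node => $node }, 0);
    if ($line =~ /\<134\>/ || $node =~ /ipphone.*\.example\.com/) {
        IPPhoneRules();
    }
    return $discard_flag ? undef : $Event;   # discarded events are never inserted
}

# Constructed sample syslogs; the RegFailed line arrives twice.
my %seen;
for my $msg ("<134>[0]SIP:RegFailed;Retry in 30s",
             "<134>+++ send scaps discovery query",
             "<134>[0]SIP:RegFailed;Retry in 30s") {
    my $ev = process($msg, "ipphone01.example.com") or next;
    $seen{ $ev->{AlarmKey} }++;   # the aggregator de-duplicates on AlarmKey
}
printf "%s x%d\n", $_, $seen{$_} for sort keys %seen;
```

Running it shows the discovery query being dropped and a single AlarmKey, "Registration Failure<134>[0]SIP:RegFailed;Retry in 30s", counted twice, which is the behaviour you should see as one de-duplicated event in the event list.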
Administration Details
The following list shows the technical details you will need for advanced administration of the application:
- Package: coreCollection-app
- Usage:

  ```
  ./Syslogd [OPTIONS]
  ```

- Options:

  ```
  -c, --AppConfigID N    Application Config ID (Service, Job, or Request ID)
  -?, -h, --Help         Print usage and exit
  ```

- Threaded: Multithreaded