Syslog

Please be advised that the online documentation for LabTech 2013 and later resides at http://docs.labtechsoftware.com/documentation/. The documentation below is only applicable to LabTech 2012 and will not be maintained moving forward.

  1. Overview
  2. Syslog Events
  3. Syslog Logs
  4. Document Revision History

Overview

Syslog messages are event messages and alerts that are sent by the operating system, applications and network devices to report certain conditions, such as the start of a process or a critical event condition. 

Syslog can be used for system management, security auditing, analysis and debugging of messages. Each message refers to a facility (e.g., auth, authpriv, daemon, etc.) and is assigned a priority level (e.g., emergency, alert, critical, etc.) by the sender of the message.


NOTE: You can limit syslog messages to specific IP addresses by entering a regular expression on the Network Probe > General tab. If left blank or set to 0.0.0.0, all incoming syslog events will be stored in the log file. However, if you do create a regular expression, the IP address of the device that generated the message must match the regular expression for the event to be stored. For example, the regular expression '192\.168\.100\..*' will only match events from the 192.168.100 subnet, while the expression '192\.168\.1\.100|192\.168\.1\.135' will cause only syslog messages from the devices at 192.168.1.100 and 192.168.1.135 to be stored.

All syslog messages that are received are stored locally on the probe-enabled computer regardless of whether they pass the filters or not. The text file, syslog.txt, can be found in the %windir%\ltsvc directory. Syslog messages are transmitted to the LabTech server in batches of 300 at a time. Any additional messages received since the last transmission are not transmitted to the LabTech server, but remain in the log file. So if you are performing any monitoring on received events at the server, make sure the number of syslog messages sent to the probe is limited as much as possible.

This option is operational by default when you enable the network probe. You do not need to do anything to turn this feature on to receive log files; just point your devices' syslog output to the IP address of the probe-enabled computer.

Syslog Events

The Syslog Events tab allows you to create trap filters to define which syslog events should be accepted and which are thrown out.  A syslog event has to pass a trap filter in order for it to be sent to the server to create alerts.

Figure 1: Sample Syslog Event Trap Filters


Table 1: Syslog Events Column Descriptions

Column Description
Name Displays the name that you provided during the creation of the syslog event filter.
IP Address Displays the IP address of the transmitting device.
Facility Describes the part of the system generating the message (e.g., user-level, mail, system daemons, clock daemon, etc.).
Severity Displays the severity of the message (e.g., warning, alert, critical, notification, etc.).
Comparison Displays the comparison operator used (e.g., equals, contains, greater than, less than, etc.).
Result Displays the value associated with the comparison. For example, to catch messages that contain the word 'failure', use 'contains' as the Comparison and 'failure' as the Result.

To add Syslog trap filters, follow the steps listed below:

  1. Double-click on the probe-enabled computer from the navigation tree in the Control Center
  2. Select the Network Probe tab > Syslog Events tab.  This will display all Syslog Event trap filters that have been created.
    Figure 2: Syslog Event Trap Filters
  3. Right-click in the white area and select Add Trap.
    Figure 3: Syslog Event - Add Trap
  4. Enter the desired Name for the trap you want to create.
    The IP Address Filter, Facility Filter, Severity Filter and Result Filter can all be used in conjunction with each other or individually.
  5. Select the IP Address Filter field and enter the IP Address of the transmitting device. If this field is not checked, it will ignore the IP address.
  6. Select the Facility Filter field. The facility filter describes the part of the system generating the message. Select the facility from the drop-down menu (e.g., system daemon). If this field is not checked, it will ignore the facility.
  7. Select the Severity Filter field and select the severity of the message from the drop-down (e.g., critical, alert, warning, etc.). If this field is not checked, it will ignore the severity.
  8. Select the Result Filter field to enable it, and then:
    1. Select the Check Condition from the drop-down menu.
    2. Enter the Result that you want the trap to report on.  If the Result Filter field is not checked, it will ignore the check condition and result.
  9. Once you have entered the appropriate information, click Save.

NOTE: To edit a trap, right-click on the trap and select Edit Trap from the menu, or simply double-click it. Make the appropriate changes and click Save. To delete a trap, right-click on the trap and select Delete Trap. You will be prompted to confirm. Click Yes to delete.
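The General-tab IP regular expression and the Syslog Events trap filters described above, worked through in an added example that is not part of the LabTech documentation. It assumes RFC 3164 <PRI> framing (PRI = facility * 8 + severity) and that the probe anchors the IP expression against the whole address; the names parse_pri, ip_allowed and TrapFilter are the example's own, and the sample lines are constructed.

```python
import re
from dataclasses import dataclass
from typing import Optional

# PRI = facility * 8 + severity (RFC 3164); facility numbers are the ones the
# Log EventID column shows (0=kernel, 1=user, 2=mail, 3=daemon, 4=auth, ...).
def parse_pri(raw: str):
    m = re.match(r"^<(\d{1,3})>", raw)
    if not m:
        raise ValueError("missing <PRI> header")
    pri = int(m.group(1))
    return pri // 8, pri % 8, raw[m.end():]

def ip_allowed(src_ip: str, ip_regex: str) -> bool:
    # General-tab filter: blank or 0.0.0.0 stores everything, otherwise the source IP must
    # match. Assumption: the match is anchored (fullmatch); an unanchored search would
    # also accept e.g. 1192.168.100.5 for the pattern 192\.168\.100\..*
    if ip_regex in ("", "0.0.0.0"):
        return True
    return re.fullmatch(ip_regex, src_ip) is not None

@dataclass
class TrapFilter:
    # A field left as None models an unchecked filter box, which the page says is ignored.
    name: str
    ip_address: Optional[str] = None
    facility: Optional[int] = None
    severity: Optional[int] = None
    comparison: str = "contains"   # only 'equals' and 'contains' are modelled here
    result: Optional[str] = None

def passes_trap(trap: TrapFilter, src_ip: str, raw: str) -> bool:
    fac, sev, body = parse_pri(raw)
    checks = [(trap.ip_address, src_ip), (trap.facility, fac), (trap.severity, sev)]
    if any(want is not None and want != got for want, got in checks):
        return False
    if trap.result is None:
        return True
    return body.strip() == trap.result if trap.comparison == "equals" else trap.result in body

# Constructed samples: auth(4)/critical(2) gives PRI 34; cron(9)/debug(7) gives PRI 79.
SAMPLES = [("192.168.100.7", "<34>Oct  7 14:10:01 fw1 sshd[812]: authentication failure for root"),
           ("192.168.1.5", "<34>Oct  7 14:10:03 fw2 sshd[90]: authentication failure for admin"),
           ("192.168.100.9", "<79>Oct  7 14:10:02 app1 cron[44]: job finished")]
AUTH_FAILURES = TrapFilter("auth failures", facility=4, severity=2, result="failure")

def matching_sources(ip_regex: str = r"192\.168\.100\..*"):
    # The General-tab IP filter decides what is stored; the trap decides what is alerted on.
    return [ip for ip, raw in SAMPLES
            if ip_allowed(ip, ip_regex) and passes_trap(AUTH_FAILURES, ip, raw)]
```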

Syslog Logs

The Syslog Logs tab will show you all the Syslog logs that have been received based on the filter you have set on the General tab. If no IP filters are set, all logs will appear in the Syslog Logs tab. To add IP filters, enter a regular expression. For example, the regular expression '192\.168\.100\..*' will only match events from the 192.168.100 subnet, while the expression '192\.168\.1\.100|192\.168\.1\.135' will cause only syslog messages from the devices at 192.168.1.100 and 192.168.1.135 to be stored.

Figure 4: General tab - Syslog Settings


Figure 5:  Syslog Logs


Table 2: Syslog Logs Received

Column Description
Log Name This will always read 'Syslog'.
Log Source Displays the IP address of the machine where the syslog message originated.
Log EventID Displays the facility code of the syslog message: 0=Kernel messages, 1=User-level messages, 2=Mail system, 3=System daemons, 4=Security/authorization messages, 5=Messages generated internally by syslogd, 6=Line printer subsystem, 7=Network news subsystem, 8=UUCP subsystem, 9=Clock daemon...
Log Time Generated Displays the date and time of the event.
Log Message Displays the actual message that was sent. 

From this screen, there are additional options.  You can refresh the logs, copy the text, print the list or export the list to Excel.  Each of these options can be accessed by right-clicking in the white space of the window. 

Document Revision History

Date Notes
04/13/2011 Updated for 2011 release
09/16/2011 Corrected information on how to filter syslog messages.

Bonnie Whitmire Approved

Last modified on Friday, 07 October 2011 14:10