Syslog messages are event messages and alerts sent by operating systems, applications and network devices to report conditions such as the start of a process or a critical error.
Syslog is used for system management, security auditing, and analysis and debugging. Each message carries a facility (e.g., auth, authpriv, daemon, etc.) that identifies the part of the system that produced it, and a severity level (e.g., emergency, alert, critical, etc.) assigned by the sender.
|NOTE: You can limit syslog messages to specific IP addresses by entering a regular expression on the Network Probe > General tab. If left blank or set to 0.0.0.0, all incoming syslog events are stored in the log file. If you do enter a regular expression, the IP address of the device that generated the message must match it for the event to be stored. For example, '192\.168\.100\..*' matches only events from the 192.168.100 subnet, while '192\.168\.1\.100|192\.168\.1\.135' stores only syslog messages from the devices at 192.168.1.100 and 192.168.1.135. Escape the dots as shown (an unescaped '.' matches any character) and make the expression as specific as possible: a bare '192\.168\.1\.10' would also match 192.168.1.100 unless the match is anchored.|
All syslog messages that pass the General tab IP address filter are stored locally on the probe-enabled computer, whether or not they pass a trap filter. The text file, syslog.txt, is in the %windir%\ltsvc directory. Syslog messages are transmitted to the LabTech server in batches of 300. Any further messages received since the last transmission are not sent to the server; they remain only in the local log file. So if you monitor received events on the server, keep the number of syslog messages reaching the probe as low as possible (for example, have devices forward only the severities you need, or restrict senders with the IP address filter) so that a batch never overflows and events go unreported.
Syslog collection is enabled by default when you enable the network probe; there is nothing else to turn on. Configure each device to send its syslog output to the IP address of the probe-enabled computer.
The Syslog Events tab allows you to create trap filters that define which syslog events are accepted and which are discarded. A syslog event must pass a trap filter to be sent to the server, where it can generate alerts.
Figure 1: Sample Syslog Event Trap Filters
Table 1: Syslog Events Column Descriptions
|Name||Displays the name that you provided during the creation of the syslog event filter.|
|IP Address||Displays the IP address of the transmitting device.|
|Facility||Describes the part of the system generating the message (e.g., user-level, mail, system daemons, clock daemon, etc.).|
|Severity||Displays the severity of the message (e.g., warning, alert, critical, notification, etc.).|
|Comparison||Displays the comparison operator used (e.g., equals, contains, greater than, less than, etc.).|
|Result||Displays the value the comparison is made against. For example, to trap messages containing the word 'failure', set Comparison to 'contains' and Result to 'failure'.|
To add Syslog trap filters, follow the steps listed below:
- Double-click on the probe-enabled computer from the navigation tree in the Control Center.
- Select the Network Probe tab > Syslog Events tab. This will display all Syslog Event trap filters that have been created.
Figure 2: Syslog Event Trap Filters
- Right-click in the white area and select Add Trap.
Figure 3: Syslog Event - Add Trap
- Enter the desired Name for the trap you want to create.
The IP Address Filter, Facility Filter, Severity Filter and Result Filter can be used together or individually; an event must satisfy every filter that is checked, and unchecked filters are ignored.
- Check IP Address Filter and enter the IP address of the transmitting device. If this field is not checked, the IP address is ignored.
- Check Facility Filter and select the facility, i.e., the part of the system that generated the message, from the drop-down menu (e.g., system daemon). If this field is not checked, the facility is ignored.
- Check Severity Filter and select the severity of the message from the drop-down menu (e.g., critical, alert, warning, etc.). If this field is not checked, the severity is ignored.
- Check Result Filter to enable it, and then:
- Select the Check Condition from the drop-down menu.
- Enter the Result that you want the trap to report on. If Result Filter is not checked, the check condition and result are ignored.
- Once you have entered the appropriate information, click Save.
|NOTE: To edit a trap, right-click on the trap and select Edit Trap from the menu or simply double-click. Make the appropriate changes and click Save. To delete a trap, right-click on the trap and select Delete Trap. You will be prompted to confirm. Click Yes to delete.|
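The trap-filter logic described in the steps above, as an added example that is not part of the original page and not LabTech code: it builds a BSD-style syslog line the way a sending device would, decodes the PRI field into the facility and severity the probe displays, and applies a list of trap filters using the page's four checks (IP address, facility, severity, result/comparison). It assumes standard syslog encoding (PRI = facility * 8 + severity, per RFC 3164), that the IP address filter is a regular expression matched against the whole sender address (the page does not say whether the probe anchors it), that checked filters are ANDed, that 'greater than' and 'less than' compare the first number found in the message text, and that the probe listens on UDP 514 (the standard port; the page does not state it). The sample messages, hostnames and trap names are constructed for this example.

```python
"""Constructed example (not LabTech code): build, parse and trap-filter syslog lines.
Assumptions: standard PRI encoding (PRI = facility * 8 + severity, RFC 3164); the
IP regex is matched against the whole sender address; checked filters are ANDed;
'greater than' / 'less than' compare the first number found in the message text."""
import re
import socket
from dataclasses import dataclass
from typing import Optional

# Standard facility and severity names, indexed by their numeric code.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5",
              "local6", "local7"]
SEVERITIES = ["emergency", "alert", "critical", "error", "warning", "notice",
              "informational", "debug"]
PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)


def encode_pri(facility: str, severity: str) -> int:
    """PRI value a sender prefixes to the message, e.g. auth.warning -> 36."""
    return FACILITIES.index(facility) * 8 + SEVERITIES.index(severity)


def build_message(facility, severity, host, tag, text) -> str:
    """BSD-style syslog line as a device would send it (fixed timestamp for determinism)."""
    return f"<{encode_pri(facility, severity)}>Apr 13 10:15:02 {host} {tag}: {text}"


def send_to_probe(line: str, probe_ip: str, port: int = 514) -> None:
    """Send one datagram to the probe (assumed UDP 514; not called in the offline demo)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.sendto(line.encode("utf-8"), (probe_ip, port))


@dataclass
class SyslogEvent:
    source_ip: str   # from the datagram's sender, never trusted from the message body
    facility: str
    severity: str
    message: str


def parse_message(line: str, source_ip: str) -> SyslogEvent:
    """Decode the PRI field into facility/severity; reject malformed values."""
    match = PRI_RE.match(line)
    if match is None:
        raise ValueError("syslog line does not start with a <PRI> field")
    pri = int(match.group(1))
    if pri > 191:   # 23 * 8 + 7 is the largest legal PRI
        raise ValueError(f"PRI {pri} out of range")
    return SyslogEvent(source_ip, FACILITIES[pri // 8], SEVERITIES[pri % 8], match.group(2))


def compare(op: str, message: str, result: str) -> bool:
    """Result Filter: apply the Check Condition to the message text."""
    if op == "equals":
        return message == result
    if op == "contains":
        return result in message
    if op in ("greater than", "less than"):
        number = re.search(r"-?\d+(?:\.\d+)?", message)   # first number in the text
        if number is None:
            return False
        value, reference = float(number.group()), float(result)
        return value > reference if op == "greater than" else value < reference
    raise ValueError(f"unknown comparison {op!r}")


@dataclass
class TrapFilter:
    """One row of the Syslog Events tab; a None field models an unchecked filter."""
    name: str
    ip_regex: Optional[str] = None
    facility: Optional[str] = None
    severity: Optional[str] = None
    comparison: Optional[str] = None
    result: Optional[str] = None

    def matches(self, ev: SyslogEvent) -> bool:
        # fullmatch, not search: with search, '192\.168\.1\.10' would also accept 192.168.1.100.
        if self.ip_regex is not None and not re.fullmatch(self.ip_regex, ev.source_ip):
            return False
        if self.facility is not None and ev.facility != self.facility:
            return False
        if self.severity is not None and ev.severity != self.severity:
            return False
        if self.comparison is not None and not compare(self.comparison, ev.message, self.result or ""):
            return False
        return True


# Constructed sample traffic: (sender IP, raw line) as the probe would receive it.
SAMPLE_EVENTS = [
    ("192.168.1.100", build_message("auth", "warning", "fw01", "sshd", "authentication failure for user root")),
    ("192.168.1.135", build_message("daemon", "critical", "sw02", "stp", "topology change on port 12")),
    ("10.0.0.5", build_message("auth", "warning", "rtr01", "login", "authentication failure for user admin")),
]
# Constructed traps mirroring the Name / IP / Facility / Severity / Comparison / Result columns.
TRAPS = [
    TrapFilter("LAN auth failures", ip_regex=r"192\.168\.1\..*", facility="auth",
               comparison="contains", result="failure"),
    TrapFilter("Any critical", severity="critical"),
]


def evaluate(events=SAMPLE_EVENTS, traps=TRAPS):
    """Return (trap name, sender IP) for each event that passes a trap filter."""
    hits = []
    for ip, line in events:
        event = parse_message(line, ip)
        hits.extend((trap.name, ip) for trap in traps if trap.matches(event))
    return hits
```

Running `evaluate()` on the constructed traffic returns the first event (auth warning from 192.168.1.100 containing 'failure') under 'LAN auth failures' and the second (critical from 192.168.1.135) under 'Any critical'; the third event comes from 10.0.0.5 and fails the IP check, so it never reaches the server. The source IP is taken from the datagram sender rather than the hostname inside the message, since the body is attacker-controlled text on an unauthenticated UDP channel.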
The Syslog Logs tab shows all syslog logs that have been received, subject to the IP address filter set on the General tab. If no IP filter is set, all logs appear in the Syslog Logs tab. To add an IP filter, enter a regular expression on the General tab as described in the note above.
Figure 4: General tab - Syslog Settings
Figure 5: Syslog Logs
Table 2: Syslog Logs Received
|Log Name||Always reads 'Syslog'.|
|Log Source||Displays the IP address of the machine where the syslog message originated from.|
|Log EventID||Displays the facility code of the syslog message: 0=Kernel messages, 1=User-level messages, 2=Mail system, 3=System daemons, 4=Security/authorization messages, 5=Messages generated internally by syslogd, 6=Line printer subsystem, 7=Network news subsystem, 8=UUCP subsystem, 9=Clock daemon...|
|Log Time Generated||Displays the date and time of the event.|
|Log Message||Displays the actual message that was sent.|
From this screen there are additional options: you can refresh the logs, copy the text, print the list or export the list to Excel. Each option is accessed by right-clicking in the white space of the window.
|04/13/2011||Updated for 2011 release|
|09/16/2011||Corrected information on how to filter syslog messages.|