LMS 3.1 Using syslog-ng log store instead of Syslog collector

Jun 11th, 2009

We would like to use syslog-ng to feed the syslog analyzer without having a collector store. Is there a way to do this?

Also, if anyone knows where there is more documentation relating to the syslog collector and analyzer, it would be very helpful to see how the syslog analyzer and collector are integrated.

I've been looking at the User guide for RME 4.2, and the Installation guide for LMS 3.1 that describes the syslog collector installation.

The RME guide states that we can point the collector to read from a file, and I was wondering if I can just point the collector to the syslog-ng file?


from RME User Guide documentation


You can configure the service to read syslogs from a specified file. This can be provided in a properties file located at:

On Windows:



max12341234 Thu, 06/11/2009 - 11:01

Thanks for the quick response JClarke.

This is a very informative paper.

We have a LINUX implementation of syslog-ng where our devices send their logs. We also have a Windows LMS 3.1 installation.

The last page of the paper says restart the syslog collector and syslog analyzer on the LMS server. Does the syslog collector store the messages fed by syslog-ng, or do the messages go directly into the Analyzer database?


Joe Clarke Thu, 06/11/2009 - 11:05

The SyslogCollector must be able to read the messages out of the local syslog log file. The Collector applies any configured filters, then forwards interesting messages to the subscribed Analyzers. The Analyzers will then insert the messages into the RME database.

So, if syslog-ng is on a Linux box, you will need to forward the messages from that box to the LMS server (which will be running a syslog daemon). Then the Collector and Analyzer will take the messages from there.
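
The forwarding step described in the reply above, sketched as a syslog-ng configuration fragment for the Linux box. This is an added example, not part of the original thread or of Cisco's documentation; the object names, the archive path, the severity filter, and the address `192.0.2.10` (a documentation placeholder for the LMS server) are all assumptions.

```conf
# syslog-ng.conf fragment on the Linux relay.
# Added example: names, paths and addresses are assumptions.

# Devices send syslog to this box over UDP 514.
source s_net { udp(ip(0.0.0.0) port(514)); };

# Local archive kept on the Linux server (path is an assumption).
destination d_archive { file("/var/log/network/$HOST.log"); };

# Syslog daemon on the LMS server; 192.0.2.10 is a placeholder address.
destination d_lms { udp("192.0.2.10" port(514)); };

# Optional: relay only severity info and above, so fewer messages
# reach the log file that the Collector reads on the LMS server.
filter f_lms { level(info..emerg); };

# Everything is archived locally; only the filtered set is relayed.
log { source(s_net); destination(d_archive); };
log { source(s_net); filter(f_lms); destination(d_lms); };
```

The Collector on the LMS server still reads the relayed messages from its local syslog log file, as the reply states.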

max12341234 Fri, 06/12/2009 - 03:10

Hi JClarke,

Thanks for your reply.

I see that I will have three data stores containing the same log information:

1. syslog-ng LINUX server

2. LMS collector syslog messages

3. LMS database

I'm trying to avoid storing a lot of duplicate data and hopefully reduce the storage required by the collector.

Can the collector be configured just as a "pass-through" to pass the syslog-ng messages to the database, or does the Collector need to store the messages? For example, once the collector sends the messages to the LMS database can it be configured to delete the messages in the collector's data store?



Joe Clarke Fri, 06/12/2009 - 08:41

The Collector must read the messages from the log file. You can configure logrot on the LMS box to periodically purge the syslog.log. Consult the Common Services online help for more on configuring logrot.

