06-11-2009 10:02 AM
We would like to use syslog-ng to feed the syslog analyzer without having a collector store. Is there a way to do this?
Also, if anyone knows where there is more documentation relating to the syslog collector and analyzer, it would be very helpful to see how the syslog analyzer and collector are integrated.
I've been looking at the User guide for RME 4.2, and the Installation guide for LMS 3.1 that describes the syslog collector installation.
The RME guide states that we can point the collector to read from a file, and I was wondering if I can just point the collector to the syslog-ng file?
_____________________________________
from RME User Guide documentation
______________________________________
You can configure the service to read syslogs from a specified file. This can be provided in a properties file located at:
On Windows:
NMSROOT%\MDC\tomcat\webapps\rme\WEB-INF\classes\com\cisco\nm\rmeng\csc\data\Collector.properties
06-11-2009 10:08 AM
06-11-2009 11:01 AM
Thanks for the quick response JClarke.
This is a very informative paper.
We have a LINUX implementation of syslog-ng where our devices send their logs. We also have a Windows LMS 3.1 installation.
The last page of the paper says restart the syslog collector and syslog analyzer on the LMS server. Does the syslog collector store the messages fed by syslog-ng, or do the messages go directly into the Analyzer database?
--Max
06-11-2009 11:05 AM
The SyslogCollector must be able to read the messages out of the local syslog log file. The Collector applies any configured filters, then forwards interesting messages to the subscribed Analyzers. The Analyzers will then insert the messages into the RME database.
So, if syslog-ng is on a Linux box, you will need to forward the messages from that box to the LMS server (which will be running a syslog daemon). Then the Collector and Analyzer will take the messages from there.
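Added example, not part of the thread or of Cisco's documentation: a syslog-ng.conf fragment for the Linux host that keeps its own archive and relays a filtered copy to the syslog daemon on the LMS server, as the reply above describes. The address 192.0.2.10, the file path, the severity cut-off and the names s_devices, d_local, d_lms and f_relay are assumptions chosen for illustration.

```conf
# Fragment to merge into an existing syslog-ng.conf on the Linux relay.
# 192.0.2.10 is a placeholder for the LMS server (assumption).

# Receive syslog from the network devices.
source s_devices {
    udp(ip("0.0.0.0") port(514));
};

# Full archive stays on the syslog-ng host (path is an assumption).
destination d_local {
    file("/var/log/network/$HOST/$YEAR-$MONTH-$DAY.log" create_dirs(yes));
};

# Relay to the syslog daemon running on the LMS server, which writes
# the local log file that the SyslogCollector reads.
destination d_lms {
    udp("192.0.2.10" port(514));
};

# Forward only the severities worth analysing, so less data is written
# to the log file on the LMS server (cut-off is an assumption).
filter f_relay {
    level(warning..emerg);
};

# Path 1: everything is archived locally.
log { source(s_devices); destination(d_local); };

# Path 2: only filtered messages are relayed to LMS.
log { source(s_devices); filter(f_relay); destination(d_lms); };
```

Relayed UDP datagrams arrive with the relay's address as their source. If the receiving side needs the original device address, syslog-ng's `spoof_source(yes)` option on the `udp()` destination preserves it when syslog-ng is built with libnet support.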
06-12-2009 03:10 AM
Hi JClarke,
Thanks for your reply.
I see that I will have three data stores containing the same log information:
1. syslog-ng LINUX server
2. LMS collector syslog messages
3. LMS database
I'm trying to avoid storing a lot of duplicate data and hopefully reduce the storage required by the collector.
Can the collector be configured just as a "pass-through" to pass the syslog-ng messages to the database, or does the Collector need to store the messages? For example, once the collector sends the messages to the LMS database can it be configured to delete the messages in the collector's data store?
Thanks!
--Max
06-12-2009 08:41 AM
The Collector must read the messages from the log file. You can configure logrot on the LMS box to periodically purge the syslog.log. Consult the Common Services online help for more on configuring logrot.