
LMS 3.1 Using syslog-ng log store instead of Syslog collector

max12341234
Level 1

We would like to use syslog-ng to feed the syslog analyzer without having a collector store. Is there a way to do this?

Also, if anyone knows where there is more documentation relating to the syslog collector and analyzer, it would be very helpful to see how the syslog analyzer and collector are integrated.

I've been looking at the User guide for RME 4.2, and the Installation guide for LMS 3.1 that describes the syslog collector installation.

The RME guide states that we can point the collector to read from a file, and I was wondering if I can just point the collector to the syslog-ng file?

_____________________________________

from RME User Guide documentation

______________________________________

You can configure the service to read syslogs from a specified file. This can be provided in a properties file located at:

On Windows:

%NMSROOT%\MDC\tomcat\webapps\rme\WEB-INF\classes\com\cisco\nm\rmeng\csc\data\Collector.properties

5 Replies

Joe Clarke
Cisco Employee

Yes, you can use syslog-ng instead of the Cisco-provided syslog daemon. See the attached white paper for more details.

Thanks for the quick response JClarke.

This is a very informative paper.

We have a LINUX implementation of syslog-ng where our devices send their logs. We also have a Windows LMS 3.1 installation.

The last page of the paper says restart the syslog collector and syslog analyzer on the LMS server. Does the syslog collector store the messages fed by syslog-ng, or do the messages go directly into the Analyzer database?

--Max

The SyslogCollector must be able to read the messages out of the local syslog log file. The Collector applies any configured filters, then forwards interesting messages to the subscribed Analyzers. The Analyzers will then insert the messages into the RME database.

So, if syslog-ng is on a Linux box, you will need to forward the messages from that box to the LMS server (which will be running a syslog daemon). Then the Collector and Analyzer will take the messages from there.

Hi JClarke,

Thanks for your reply.

I see that I will have three data stores containing the same log information:

1. syslog-ng LINUX server

2. LMS collector syslog messages

3. LMS database

I'm trying to avoid storing a lot of duplicate data and hopefully reduce the storage required by the collector.

Can the collector be configured just as a "pass-through" to pass the syslog-ng messages to the database, or does the Collector need to store the messages? For example, once the collector sends the messages to the LMS database can it be configured to delete the messages in the collector's data store?

Thanks!

--Max

The Collector must read the messages from the log file. You can configure logrot on the LMS box to periodically purge the syslog.log. Consult the Common Services online help for more on configuring logrot.
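The forwarding arrangement described in the replies above, sketched as a syslog-ng configuration fragment for the Linux relay. This is an added example, not part of the thread or the attached white paper; the LMS address 192.0.2.10, the object names, the archive path and the severity filter are all assumptions to adapt.

```conf
# Fragment to merge into the existing syslog-ng.conf on the Linux box.
# All names, paths and addresses below are placeholders (assumptions).

# Devices send their syslogs here over UDP/514.
source s_devices {
    udp(ip(0.0.0.0) port(514));
};

# Full local archive kept on the syslog-ng server.
destination d_archive {
    file("/var/log/network/${HOST}/${YEAR}-${MONTH}-${DAY}.log"
         create_dirs(yes));
};

# The LMS server, which runs its own syslog daemon writing the
# syslog.log file that the SyslogCollector reads.
# 192.0.2.10 is a documentation address standing in for the LMS host.
destination d_lms {
    udp("192.0.2.10" port(514));
};

# Optional: forward only warning and more severe messages, so the
# copy held in syslog.log and the RME database stays small.
# Remove the filter to forward everything.
filter f_lms_severity {
    level(warn..emerg);
};

# Path 1: archive everything locally.
log {
    source(s_devices);
    destination(d_archive);
};

# Path 2: relay the filtered subset to LMS.
log {
    source(s_devices);
    filter(f_lms_severity);
    destination(d_lms);
};
```

With this split, the full history lives only on the syslog-ng server, while the LMS syslog.log holds the forwarded subset until logrot purges it.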
