TIBCO LogLogic Universal Collector User's Guide
TIBCO LogLogic Universal Collector User's Guide
Software Release 2.7
January 2016
Two-Second Advantage
Copyright TIBCO Software Inc. ALL RIGHTS RESERVED.
Contents

TIBCO Documentation and Support Services
Introduction
  Overview
Collecting Logs
  Real-Time File Logs
    Collecting Single-line Messages
    Log File Rotation
    Collecting Multi-line Messages
    Custom Multi-line Log Sources
  Windows Event Logs
    Local Collection
    Remote Collection
    Filtering Windows Event Logs
  Syslog Logs
    Filtering Syslog Logs
  Remote Files
  UC Internal Logs
Creating and Configuring Log Sources
  Add a New Log Source
  Copy a Log Source
  Delete a Log Source
Creating Multiple Log Sources
  Create a CSV File
  Import Log Sources
Creating a Complete Configuration
  Edit Configuration General Settings
  Add a New Configuration
  Open a Stored Configuration
  Activate the Configuration
  Save a Configuration
Editing Log Sources
  Edit a Real-Time File Log Source
  Edit Multiple Real-Time Log Sources
  Edit a Windows Event Log Source
  Edit Multiple Windows Event Log Sources
  Edit a Syslog Log Source
  Edit Multiple Syslog Log Sources
  Edit a Remote File Log Source
  Edit Multiple Remote File Log Sources
  Edit Different Types of Log Sources
  Edit a Log Source using the Command Line
Sorting Log Sources
  Create a New Tag
  Apply a Tag
  Remove a Tag
  Sort Log Sources
Forwarding Logs
  Creating a Syslog TCP or UDP Connection
  Creating an LMI Connection
  Creating a Connection in Authentication and or Encryption Mode
    Step 1 Get a Root Certificate Authority from your PKI
    Step 2 Create a Certificate Signing Request
      Using the Internal Tool
      Using the OpenSSL
    Step 3 Create a Valid UC Certificate using a CA and OpenSSL
    Step 4 Import the Certificate into *.ks or *.p
    Step 5 Configure the Forwarding Process
      For *.ks
      For *.p
      For *.pem
      Configure the Forwarding Process
    Step 6 Enable Secure Connection
  Managing the list of Forwardings
    Copying a Forwarding
    Deleting a Forwarding
Monitoring UC Activities
  Starting UCMon Tool
    To start UCMon from UC Console
    To start UCMon manually
  Summary Screen
  Status Screen
    Log Source Status
    Forwarding Connection Status
  Metrics Screen
    Log Source Metrics
    Forwarding Connection Metrics
  Trends Screen
    Log Source Trends
    Forwarding Connection Trends
  RealTime Screen
    Log Sources RealTime
    Forwarding Connection RealTime
Command Line Interface
  cert_mgt Manage the Security Certificates
  uc_checkconf Check the Current Configuration
  uc_createlogsources Import and Create Several Log Sources at a time
  uc_decodepwd Decode Passwords for Windows Files
  uc_encryptpwd Encrypt Passwords for Windows Files
  uc_monitor UCMon Tool
  uc_reload Reload Configuration
  uc_saveactiveconfas Save an Active Configuration
  uc_switchto Make Configuration Active
Sample Configuration Files
  UC Configuration uc.xml
  LMI Connection uldp-samplecommented.uldp.xml
  LMI Connection uldp-samplecommentedauthjks.uldp.xml
  LMI Connection uldp-samplecommentedauthpem.uldp.xml
  LMI Connection uldp-samplecommentedauthpks12.uldp.xml
  Log Sources file-samplecommented.ls.xml
  Log Sources syslog-samplecommented.ls.xml
  Log Sources wmi-samplecommented.ls.xml
Regular Expressions
Event Output Format
IPv6 Support Matrix
TIBCO Documentation and Support Services

Documentation for this and other TIBCO products is available on the TIBCO Documentation site. This site is updated more frequently than any documentation that might be included with the product. To ensure that you are accessing the latest available help topics, please visit:

Product-Specific Documentation

Documentation for TIBCO products is not bundled with the software. Instead, it is available on the TIBCO Documentation site. To directly access documentation for this product, double-click the following file:

    TIBCO_HOME/release_notes/TIB_loguc_version_docinfo.html

where TIBCO_HOME is the top-level directory in which TIBCO products are installed. On Windows, the default TIBCO_HOME is C:\tibco. On UNIX systems, the default TIBCO_HOME is /opt/tibco.

The following documents for this product can be found on the TIBCO Documentation site:

- TIBCO LogLogic Universal Collector Installation Guide

How to Contact TIBCO Support

For comments or problems with this manual or the software it addresses, contact TIBCO Support:

- For an overview of TIBCO Support, and information about getting started with TIBCO Support, visit this site:
- If you already have a valid maintenance or support contract, visit this site:

Entry to this site requires a user name and password. If you do not have a user name, you can request one.

How to Join TIBCOmmunity

TIBCOmmunity is an online destination for TIBCO customers, partners, and resident experts. It is a place to share and access the collective experience of the TIBCO community. TIBCOmmunity offers forums, blogs, and access to a variety of resources. To register, go to the following web address:
Introduction

Overview

UC collects information from four types of log sources: Syslog, Windows Event Logs, Real-Time File pull, or Remote File pull. Several UC agents can be deployed on a dedicated/shared appliance or physical/virtual hardware to remotely collect hundreds of log sources located at the same site. UC can seamlessly collect and forward logs to multiple log sources.

Collecting Logs

UC allows you to gather data from several types of log sources while ensuring the integrity of the logs. You can easily collect event logs from local or remote instances of MS Windows, including time-stamped or rotated files. The UC agent works as a Syslog listener.

Forwarding Logs

UC can forward secure and authenticated data to an LMI server via the ULDP protocol without the need for a dedicated appliance. UC also forwards to a Syslog server using either the UDP or TCP protocol.

Monitoring Activity

A UCMon tool is also available to monitor the internal processes of the UC, which ensures that your collection and forwarding processes are responding correctly.

Easy Configuration

A UC configuration is composed of Log Sources, Forwarding connections, and UC general parameters. A UC configuration must be created and updated via the GUI or the Command Line Interface. You can create, save, and store a configuration. A stored configuration is useful:

- to create a configuration and then activate it whenever you want, even if an active configuration is open, i.e. another configuration is running on the system.
- to create several configurations and deploy them rapidly on other UCs.

Easy Management

Multiple UCs can be remotely managed using TIBCO LogLogic Management Center (MC) and an MC Agent configured and running on each UC Asset. MC is a software solution that allows you to manage Assets, schedule batch upgrades for Assets, monitor system health checks, and back up and restore Asset data.

Adaptability

UC is a software program with a small footprint and low memory usage on your Domain Controllers or application servers. It is highly adaptable and can be customized easily. Its lightweight and reliable configuration helps you to manage changes according to your particular needs.
Collecting Logs

UC handles file collection from four different types of files.

Real-Time File Logs

UC reads logs from local files, i.e. logs from files generated on the machine where UC is installed, and forwards them to either an LMI or a Syslog server. UC can collect single and multi-line messages.

Collecting Single-line Messages

When a file is collected, only the newly added logs at the end of the file are collected. Logs already available in a file before the UC log source creation will not be collected.

UC operates by monitoring specified text files that are receiving log output from log sources. The log sources append new logs to the end of the text file as events occur. As new records appear at the tail of the monitored file, they are instantly taken into account by UC. UC forwards single-line log messages to an LMI or Syslog server. By default, UC sends a maximum of characters per line.

UC uses cursors to track the monitored files and to resume continuously after having stopped. The cursors have information about the file positions at which to restart - called metadata - as well as file identification information. With this information, UC can determine whether the file to be resumed is the file to which the saved position applies. In other words, even if the UC is stopped for a while, all messages contained in the file will be collected using the position cursors; no messages will be lost.
Log File Rotation

In the case of log file rotation, a log file is retired and renamed to a rotated name, and the monitored file is replaced by a new log file. Therefore, periodically during the monitoring of a log file that is rotated, the file is replaced by a fresh log file. UC is able to manage rotation files in two different ways.

1. The log file name contains a date that changes during the rotation process

   UC handles the rotation process of logs that contain a date in their name, provided you correctly configured the File Log Source configuration file. If you enter the parameter [date] in the file path you must:

   a. Activate the file rotation.
   b. Enable and enter a date format for the date pattern such as yyyymmdd.

   For example,
   Filenames: logfile log, logfile log
   Absolute path: c:\logdir\logfile.[date].log

2. The log file name contains an id that changes during the rotation

   UC handles the rotation process of logs that contain an Id in their name, provided you correctly configured the File Log Source configuration file. If you enter the parameter [id] in the file path you must:

   1. Activate the file rotation.
   2. Enable and enter the number of digits expected (1-9) for the nbdigit parameter.

   For example,
   Filenames: logfile.1.log, logfile.2.log
   Absolute path: c:\logdir\logfile.[id].log

You can combine the two examples to allow the use of both [id] and [date] parameters in the file path.

Recommendations

- When the collector resumes after having been stopped, if the log file was rotated during the period in which the collector was stopped, some log data will be missed. Therefore, you must ensure that the collector is not temporarily stopped during an interval in which a rotation occurs.
- To be collected, a file must have been modified after the latest collected file.

The log file name does not change during the rotation

The UC records the identity of a log file in the cursor as a hash of the first several bytes of the file. When the file is rotated and replaced with a fresh one, the hash will be different. File identity checking is performed throughout the log file monitoring process to detect log rotation.

If a log file needs to be replaced and enriched while UC is running, do not copy content into the file but move it on the same partition.
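The cursor mechanism described above (saved position plus a hash of the first bytes of the file) can be sketched as follows. This is an added example, not UC's own code: the 64-byte prefix length, the SHA-256 hash and the function names are assumptions, since the guide only says "the first several bytes".

```python
import hashlib
import os
import tempfile

ID_BYTES = 64  # assumption: the guide does not state how many bytes are hashed


def prefix_hash(path, length):
    """Return (sha256 of the first `length` bytes, number of bytes actually read)."""
    with open(path, "rb") as fh:
        head = fh.read(length)
    return hashlib.sha256(head).hexdigest(), len(head)


def new_cursor(path):
    """Cursor for a newly created log source: existing content is skipped."""
    digest, id_len = prefix_hash(path, ID_BYTES)
    return {"digest": digest, "id_len": id_len, "offset": os.path.getsize(path)}


def collect(path, cursor):
    """Return (new complete lines, updated cursor, rotated flag)."""
    # Re-hash only as many bytes as were hashed when the cursor was saved, so a
    # short file that has simply grown is not mistaken for a rotated one.
    digest, got = prefix_hash(path, cursor["id_len"])
    rotated = (
        got < cursor["id_len"]                      # file shorter than saved prefix
        or digest != cursor["digest"]               # different leading bytes
        or os.path.getsize(path) < cursor["offset"]  # file truncated
    )
    # A fresh file is read from its start. Anything written to the old file
    # after the saved offset is not recovered here, which is the data loss the
    # guide's recommendation warns about.
    offset = 0 if rotated else cursor["offset"]
    with open(path, "rb") as fh:
        fh.seek(offset)
        data = fh.read()
    end = data.rfind(b"\n") + 1  # leave a trailing partial line for the next pass
    lines = data[:end].decode("utf-8", "replace").splitlines()
    digest, id_len = prefix_hash(path, ID_BYTES)
    return lines, {"digest": digest, "id_len": id_len, "offset": offset + end}, rotated


def demo():
    """Run the cursor over a constructed log file: append, resume, rotate."""
    with tempfile.TemporaryDirectory() as tmp:
        log = os.path.join(tmp, "app.log")
        with open(log, "wb") as fh:
            fh.write(b"old line 1\nold line 2\n")  # present before the log source exists
        cursor = new_cursor(log)
        with open(log, "ab") as fh:
            fh.write(b"login ok user=alice\nlogin failed user=bob\npartial")
        first, cursor, rot1 = collect(log, cursor)
        with open(log, "ab") as fh:  # collector "stopped"; the writer finishes the line
            fh.write(b" line done\n")
        second, cursor, rot2 = collect(log, cursor)
        os.rename(log, log + ".1")  # rotation: same name, fresh content
        with open(log, "wb") as fh:
            fh.write(b"fresh file line\n")
        third, cursor, rot3 = collect(log, cursor)
        return first, second, third, (rot1, rot2, rot3)


if __name__ == "__main__":
    for part in demo():
        print(part)
```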
Collecting Multi-line Messages

UC can combine multiple consecutive related lines or multi-lines in a source log file into a single line which will be sent to the LMI. Multi-line message groups may require analysis to determine the correct expression to use if the format is complex. UC supports Java regular expressions.

Before sending, groups of lines that represent a logical message are converted to a single-line format. All of the original messages' data is kept intact; nothing is altered. UC can collect multi-line messages from default application sources or custom ones:

Log Source: Tomcat / Servlet Container
    Default log location is CATALINA_BASE/logs. Tomcat and application logs unless configured otherwise. The default format is multi-line, with the first line beginning with a timestamp. It may change due to localization. Logs are rotated daily by default.

Log Source: WebLogic Application Server
    Default log location is under the server root DOMAIN_NAME/servers/ADMIN_SERVER_NAME/logs/. Each server or cluster maintains a server log and selected events are forwarded to a domain log. Most of the entries are single line, but can contain java exceptions. Each message begins with '####'. There may also be a web access log.

Log Source: WebSphere Application Server
    Default log location is under the WebSphere directory APPSERVER/profiles/profilename/logs/servername/. There is no default log rotation. There are server start and stop logs (SystemErr.log, SystemOut.log), JVM log files (native_stderr.log, native_stdout.log), and process log files (startserver.log, stopserver.log). All of these logs contain entries describing the system environment that do not have a timestamp. The error logs do not contain any timestamps. Continuation lines are indented.

Log Source: JBoss Application Server
    Default log location is JBOSS_HOME/server/NAME/log. The boot log records startup events prior to the initialization of the logging service. The server.log file records activity while the server is running. The boot.log file entries begin with a time with no date. The server.log file entries start with a timestamp in the form 'YYYY-MM-DD HH:MI:SS,FFF'. Log messages can be multi-line and the continuation lines are sometimes indented, but frequently not. Messages start with a timestamp.

Note: The regex format for these default applications are indicated in the <InstallationFolder>\runtime\conf\static\line_combiner.xml file.

Log Source: Custom multi-line
    Custom regex can be defined for custom multiline logs. You need to define:
    - the header regex pattern.
    - whether you keep orphaned lines, i.e. UC sends messages that do not match the Header Regexp.
    - the timeout after which messages are sent even if the regex is not found again.
Custom Multi-line Log Sources

Custom regex can be defined for custom multiline logs. You need to define:

- the header regex pattern.
- whether you keep orphaned lines, i.e. UC sends messages that do not match the Header Regexp.
- the timeout after which messages are sent even if the regex is not found again.

An example of a custom application log is as follows:

    :09:41,344 WARN [main] file.fileimportsqldao (?(think)) - File not found (/home/exaprotect/conf/tbsmp6/report/etc/export.properties)
    :09:41,344 WARN [main] config.configurationfactory (ConfigurationFactory.java:127) - No configuration found. Configuring ehcache from ehcache-failsafe.xml found in the classpath: jar:file:/home/exaprotect/ report_tbsmp6/webapps/exareport/web-inf/lib/ehcache jar!/ehcache-failsafe.xml
    java version "1.6.0_18"
    Java(TM) SE Runtime Environment (build 1.6.0_18-b07)
    :09:50,723 INFO [main] config.facesconfigurator (FacesConfigurator.java:151) - Reading standard config org/apache/myfaces/resource/ standard-faces-config.xml
    Java HotSpot(TM) 64-Bit Server VM (build 16.0-b13, mixed mode)

In the UC Console, you can create a regex like:

    ^\d+-\d+-\d+\s\d+:\d+:\d+,\d+\s[^\s]+\s+\[[^\]]+\]\s

with a timeout of 3 seconds and indicating that orphaned lines are kept. It will match the header of the multiline log (date and level), which is:

    :09:41,344 WARN [main]

All the lines will be aggregated and then forwarded as a single log to LMI. The \r and \n will be replaced by escaped ones (\\r and \\n), until UC finds another regex header. You can obtain something like:

    :09:41,344 WARN [main] file.fileimportsqldao (?(think)) - File not found (/home/exaprotect/conf/tbsmp6/report/etc/export.properties)
    :09:41,344 WARN [main] config.configurationfactory (ConfigurationFactory.java:127) - No configuration found. Configuring ehcache from ehcache-failsafe.xml found in the classpath: jar:file:/home/exaprotect/ report_tbsmp6/webapps/exareport/web-inf/lib/ehcache jar!/ehcache-failsafe.xml \r\njava version "1.6.0_18"\r\nJava(TM) SE Runtime Environment (build 1.6.0_18-b07)
    :09:50,723 INFO [main] config.facesconfigurator (FacesConfigurator.java:151) - Reading standard config org/apache/myfaces/resource/ standard-faces-config.xml\r\n Java HotSpot(TM) 64-Bit Server VM (build 16.0-b13, mixed mode)

Refer to Appendix to get the full content of the Real-Time File Log Source commented file.
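The three custom multi-line settings (header regex, orphaned lines, timeout) interact as sketched below. This is an added example, not UC's implementation: the class and function names are hypothetical, the sample lines and their dates are constructed, and treating every line that arrives while no message is open as an orphan is an assumption about UC's behaviour.

```python
import re

# Header regex quoted in the guide (the Java syntax is also valid in Python).
HEADER = re.compile(r"^\d+-\d+-\d+\s\d+:\d+:\d+,\d+\s[^\s]+\s+\[[^\]]+\]\s")


class LineCombiner:
    """Group continuation lines under the last header line (hypothetical helper)."""

    def __init__(self, header=HEADER, keep_orphans=True, timeout=3.0):
        self.header = header
        self.keep_orphans = keep_orphans
        self.timeout = timeout   # seconds without a new line before a flush
        self.pending = []        # lines of the message being built
        self.last_seen = 0.0     # arrival time of the last pending line
        self.out = []            # single-line messages ready to forward

    def _flush(self):
        if self.pending:
            # Lines are joined with the escaped sequence, never a real CR/LF,
            # so one forwarded record cannot be split into several downstream.
            self.out.append("\\r\\n".join(self.pending))
            self.pending = []

    def tick(self, now):
        """Send the open message if no line arrived within the timeout."""
        if self.pending and now - self.last_seen >= self.timeout:
            self._flush()

    def feed(self, raw, now):
        self.tick(now)
        line = raw.rstrip("\r\n").replace("\r", "\\r").replace("\n", "\\n")
        if self.header.search(line):
            self._flush()                  # a new header closes the previous message
            self.pending = [line]
            self.last_seen = now
        elif self.pending:
            self.pending.append(line)      # continuation of the open message
            self.last_seen = now
        elif self.keep_orphans:
            self.out.append(line)          # orphan: no open message to attach to

    def close(self):
        self._flush()
        return self.out


# Constructed sample: (arrival time in seconds, line).
SAMPLE = [
    (0.0, "JVM banner printed before any header\n"),
    (0.1, "2016-01-12 10:09:41,344 WARN [main] file.Import - File not found (/tmp/export.properties)\n"),
    (0.2, "2016-01-12 10:09:41,350 WARN [main] config.Factory - No configuration found.\n"),
    (0.3, 'java version "1.6.0_18"\n'),
    (0.4, "Java(TM) SE Runtime Environment (build 1.6.0_18-b07)\n"),
    (5.0, "Java HotSpot(TM) 64-Bit Server VM\n"),  # arrives after the 3 s timeout
    (5.1, "2016-01-12 10:09:50,723 INFO [main] config.Faces - Reading standard config\n"),
]


def combine(sample, keep_orphans):
    combiner = LineCombiner(keep_orphans=keep_orphans, timeout=3.0)
    for now, line in sample:
        combiner.feed(line, now)
    return combiner.close()


if __name__ == "__main__":
    for message in combine(SAMPLE, keep_orphans=True):
        print(message)
```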
Windows Event Logs

UC can collect Windows Event Logs on Windows systems. However, it is not supported on Linux systems. The supported Windows versions for remote collection are Windows 2003 R2 (32/64-bit), Windows 2008 (32/64-bit), Windows 2008 R2 (64-bit), Windows 7 (32/64-bit), and Windows 2012 (64-bit).

UC forwards Windows logs to the LMI appliance by using the ULDP. Windows logs collected from UC are forwarded in a format which is based upon the Snare over Syslog format. The Snare over Syslog and Snare formats are not 100% identical; a subtle difference may exist for certain messages. For details, see Event Output Format on page 92.

Non-administrator user accounts can collect Windows Event Logs from a remote event host. For administrator user accounts, UC auto-discovers the platform family and language type of the remote event host. For non-administrator user accounts, you should manually set the platform and language type on each Windows event host using the advanced option and must set the following configuration settings:

- Enable the Remote Registry Service on the remote event host.
- On Windows 2008, Windows 7, and Windows 2012 Domain Controller systems, the non-administrator domain user must be created and added to the Event Log Readers Group. On domain member systems, the local user must be created on each local host and added to the local Event Log Readers Group. However, the domain user created on the Domain Controller system will not be able to access the event logs on the domain member system.
- On Windows 2003, refer to: blogs.technet.com/b/janelewis/archive/2010/04/30/giving-non-administrators-permission-to-readevent-logs-windows-2003-and-windows-2008.aspx.

Local Collection

This section explains how to prepare a Windows host for local collection.

Enable the following Windows services: Windows Management Instrumentation (For Windows 2003 only) Remote Registry

Remote Collection

This section explains how to prepare a Windows host for remote collection.

Enable the following Windows services: Windows Management Instrumentation (For Windows 2003 only) Remote Registry

If Windows Firewall is enabled, run the following command to enable access to the above services:

    netsh firewall set service RemoteAdmin enable

Filtering Windows Event Logs

It may be required to minimize Windows Audit events generated by certain UC activities via one of the following methods:

Procedure

1. Removal of Object Access/ Success from the audit policy on Windows log sources. (For further details, reference Audit Policy Management on Windows below.)
2. Review the current Security Access Control List (SACL) settings for the Windows Event Logs namespace \\root\cimv2, and verify that Enable Account/Successful is not checked for the accounts/group to which the UC is connected. If necessary, create a new policy for the UC for which Enable Account/Successful is not checked. If necessary, inheritance of SACL may have to be disabled for that namespace.

Platform: Windows 2003 R2/ Windows 2008
    The audit policy in Windows is configured via local policies and/or GPO linked to domain/ou/site. A good way to understand the resulting policy is to use the Resulting set of policy snap-in of MMC. Check that the current resulting policy is set to generate results for the local host only. The current resulting policy can be found under Computer Configuration > Windows Settings > Local Policies > Audit Policy.

Platform: Windows 2008 only
    On Windows 2008 more granular settings are possible, named subcategory. Based on the solution used, you can check the precise auditing policy with:

        auditpol /get /category:*

For more information on sub-category audit capabilities, please refer to the Microsoft documentation. Also review the article on Windows Event Logs namespaces mentioning specifically Windows Event Logs auditing:

Syslog Logs

UC reads logs sent via the Syslog protocol. The syslog logs will be collected using TCP or UDP. UC will not start up a syslog listener on the desired port until at least one syslog collector exists. If you want to use both protocols, you must define two Log Sources.

Protocol: UDP
    Default configuration. It specifies that the syslog logs should be collected via the UDP protocol. When modifying the UC's status (such as updating or stopping it) or when the UC is not running during the collection, messages may be lost. Indeed, contrary to the TCP protocol, the UDP protocol avoids the overhead of checking whether every packet actually arrived, which may lead to data loss.

Protocol: TCP
    Specify that the syslog logs should be collected via the TCP protocol.

If another Syslog log is running on the server where the UC is installed, the UC and syslog will not have the same port, IP and protocols. In that case, you must either stop the syslog or make the UC listen on another port.
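Filtering Syslog Logs, the section that follows, selects messages by facility and severity and assigns local use 7 / debug to messages that carry neither. The sketch below is an added example, not UC code: it decodes the standard syslog PRI value (facility * 8 + severity) and applies that default. The function names and sample lines are constructed, and treating an out-of-range PRI as missing is an assumption.

```python
import re

# Facility and severity names indexed by their numeric syslog codes.
FACILITIES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
PRI = re.compile(r"^<(\d{1,3})>")
MAX_PRI = 23 * 8 + 7  # local7.debug = 191, the highest valid value


def classify(message):
    """Return (facility, severity, had_valid_pri) for one syslog message."""
    match = PRI.match(message)
    if match and int(match.group(1)) <= MAX_PRI:
        pri = int(match.group(1))
        return FACILITIES[pri >> 3], SEVERITIES[pri & 7], True
    # No usable PRI: the guide's default of local use 7 / debug.
    # Assumption: an out-of-range value such as <999> is handled the same way.
    return "local7", "debug", False


def select(messages, facilities, severities):
    """Keep the messages whose facility and severity are both allowed."""
    kept = []
    for message in messages:
        facility, severity, _ = classify(message)
        if facility in facilities and severity in severities:
            kept.append(message)
    return kept


# Constructed sample messages.
SAMPLE = [
    "<34>Jan 12 10:09:41 gw01 su: 'su root' failed for bob on /dev/pts/8",  # auth.crit
    "<86>Jan 12 10:09:42 gw01 sshd[811]: Accepted publickey for alice",      # authpriv.info
    "<13>Jan 12 10:09:43 gw01 backup: job finished",                         # user.notice
    "Jan 12 10:09:44 gw01 app: message sent without a PRI header",           # defaulted
    "<999>Jan 12 10:09:45 gw01 app: out-of-range PRI",                       # defaulted
]

if __name__ == "__main__":
    for line in SAMPLE:
        print(classify(line), line)
    # A filter that excludes debug also drops every message that arrived
    # without a PRI, because those are classified as local7.debug.
    no_debug = set(SEVERITIES) - {"debug"}
    print(select(SAMPLE, {"auth", "authpriv"}, no_debug))
```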
Filtering Syslog Logs

The Syslog logs can be filtered, before being forwarded, according to their severity and facility.

- facility - type of message that must be collected.
- severity - levels of severity that will be reported.

If a message has neither severity nor facility, UC automatically allocates the local use 7 facility and the debug severity to the message. Then, it will be automatically filtered.

Remote Files

UC can collect files remotely and forward them to LMI. By default, UC pulls every 1 hour but it can also pull every X minutes, every X hours, daily at X time, or weekly on Y day at X time.

It is highly recommended to use a physical machine for remote file collection. It is not recommended to use the UC's remote file collection to collect large remote files (above 1GB) on Virtual Machine systems as it will slow down the system significantly.

Remote File with Rotation

In the case of log file rotation, a log file is retired and renamed to a rotated name, and the monitored file is replaced by a new log file. Therefore, periodically during the monitoring of a log file that is rotated, the file is replaced by a new log file. When the date field is checked for rotation, UC will only collect files that are modified after the remote file log source creation time. UC is able to manage file rotation in two different ways. For more information, refer to Log File Rotation on page 9.

Remote File with No Rotation

Single Files
    Make sure that you gave the correct file path on the remote file system to pull the file correctly.

Directory
    Directory pull allows you to choose a directory and pull files from that directory based on the include or exclude options provided to you. Directory pull does not support file rotation.

    Example: the /loglogic/ directory has three files: a.txt, b.txt, c.txt

    - Scenario 1: if users put * for include, it will pull a.txt, b.txt, c.txt
    - Scenario 2: if users put *.txt for include and put a.txt for exclude, it will pull b.txt and c.txt
    - Scenario 3: if users put a.txt for include and nothing for exclude, it will only pull a.txt.

UC Internal Logs

UC generates its own logs when it is subjected to changes or errors (for example, starting of the UC, creation of a Log Source, disconnection of the UC, etc.). These internal logs are also sent to the LMI and can be used to repair or troubleshoot the UC.

Collecting UC Internal Logs

The UC internal logs are automatically generated in the uc.log file, which is located in the UC installation folder in \LogLogic\UniversalCollector\logs (for Windows).
The uc.log is forwarded to the LMI provided you correctly configured the forwarding process (LMI connection). The LMI connection used to forward the UC internal logs can be the same as any log source LMI connection.

Creating and Configuring Log Sources

You can add, copy, and delete Log Sources.

Add a New Log Source

You can add a new Log Source.

Procedure

1. Open the UC Console by clicking on the shortcut and click the Collection tab.
2. Click New and select the type of Log Sources you want to add: Real Time File, Syslog, Windows Event Log, Remote Files, or Cmd.
3. In the Edition screen, enter the relevant information as explained in Editing Log Sources.
4. Click Save to save the Log Source.

A new log source is added in the list of Log Sources.

Copy a Log Source

You can copy one or multiple Log Source configurations.

Procedure

1. Open the UC Console by clicking on the shortcut and click the Collection tab.
2. Select one or several Log Sources (Ctrl + click to select more than one Log Source) from the list of log sources.
3. Click Copy and confirm.

The new log source(s) is/are displayed below the list of log sources. You can edit and modify as any other log source. By default, the log source configuration is not enabled.

Delete a Log Source

You can delete one or multiple log sources.

Procedure

1. Open the UC Console by clicking on the shortcut and click the Collection tab.
2. Select one or several Log Sources (Ctrl + click to select more than one Log Source) from the list of log sources.
3. Click Delete.

The Log Source list is automatically refreshed.
Creating Multiple Log Sources

You can import and create multiple Log Sources of the same type at the same time. Make sure that a CSV file with Log Source information is available.

Create a CSV File

Procedure

1. Open a program such as Notepad.
2. In the header, on the first line, enter the following field names according to the type of Log Source you want to create:

Log Source: File
    Fields: name, description, lmi_connection*, enabled, timeinutc, message_filter, match_filter, file_path*, usedaterolling, date_pattern, useidrolling, nbdigit, usefilechangenotification, multiline_active, multiline_header_type, multiline_custom_regex, multiline_orphaned_lines, multiline_linetimeout, appname*, hostname*, maxlinelength, charset

Log Source: Syslog
    Fields: name, description, lmi_connection*, enabled, timeinutc, protocol, ip, port, severity, facilities, source_ip

Log Source: Windows
    Fields: name, description, lmi_connection*, enabled, timeinutc, event_id_filter, filter_operator, source_filter, address*, domain, login, password, include_eventlogs, eventlogs_list, polling_period, win_type, lang_type

Log Source: Remote File
    Fields: name, description, lmi_connection, enabled, ip, protocol, time_zone, file_system_type, user_id, password, domain, share_name, path_type, path, include, exclude, device_type, original_name, usedaterolling, date_pattern, useidrolling, nbdigit, usefilechangenotification, useucip, uc_ip, deleteinactivefile, inactivedays, every_minutes, every_hours, daily_at_time, weekly_at_time, weekly_at_day

Log Source: Cmd
    Fields: name, description, lmi_connection, enabled, timeinutc, command, multiline_active, multiline_linetimeout, appname, hostname, maxlinelength, run_once, schedule_active, every_minutes, every_hours, daily_at_time, weekly_at_time, weekly_at_day

* mandatory fields
1. LMI connection is mandatory only if there is more than one existing connection available. The sole connection will be taken by default.
2. Name is not mandatory as a name will be automatically created, such as Real Time File #n or Windows Event Log #n or Syslog #n.

3. On the lines below, fill in the fields with the correct values and save in CSV format.

The CSV file format example:

    name,description,lmi_connection,timeinutc
    Log Source A, Windows Log Sources, LMI_Connection, true

A detailed example of the fields and values to enter in the CSV file is available from UC Console when importing the CSV file.

Import Log Sources

Procedure

1. Open the UC Console by clicking on the shortcut.
2. In the Collection tab, click New > Batch import. The Batch Import tab is displayed.
3. In the drop-down list, select the type of Log Sources you are going to import.
4. Browse the CSV file and click OK.
5. Click Import.

The Log Sources are created under the Collection tab, for example, Import #1 - LS #1

Creating a Complete Configuration

A configuration contains general settings, a list of Log Sources, and one or several Forwarding connections. All of these items are configured via the Graphical User Interface and are stored in a UC Configuration file (*.ucc) that you can unzip to explore the content.

Edit Configuration General Settings

You can modify the default configuration at any time.

Procedure

1. Open the UC Console by clicking on the shortcut.
2. Click.
3. Modify the following information:

Option: Name
    Name of the configuration.

Option: Communication Port
    Port used by the UC to get information (for example, status, metrics, memory used...) via the CLI. Make sure this port is not already used. Otherwise UC will not work.

Option: Collector Domain
    An identification name used to identify each message sent from a specific UC. This field can be empty. If defined, it must have a unique name with maximum 256 characters. This field is case sensitive. Do not include special characters, for example, \ /"?'*:%

Option: TCP/UDP socket buffer size
    TCP/UDP parameter and socket buffer size (in kilobytes) - this parameter applies to all the Syslog Log Sources associated to the UC.

Option: UDP max packet size
    UDP parameter and max packet size (in kilobytes) - this parameter applies to all the Syslog Log Sources associated to the UC. The maximum size is 64KB.

Notes for Red Hat and SUSE Linux Enterprise

If you obtain a log message saying Syslog Unable to set the required socket buffer size, then it is recommended to increase the maximum size of the buffer on your RHEL, SUSE, and Solaris systems.

On RHEL, SUSE or Solaris, the default maximum TCP/UDP buffer size is 128 KB. In the UC configuration file, the default value of the buffer socket size is 1MB. These parameters apply to all the Syslog Log Sources related to UC. Therefore, you must increase the maximum value of the Syslog buffer already set with a specific command.

To change the maximum value of the buffer:

1. Log in as root on the system.
2. Enter the following command (example with 1 Megabyte):

       sysctl -w net.core.rmem_max= (this value is expressed in bytes)

The modification of the system parameter will impact the maximum limitations for all sockets.

4. Click Apply.

The configuration is updated.

Add a New Configuration

You can easily add a new configuration. After adding a new configuration, you must activate it.

Procedure

1. Open the UC Console by clicking on the shortcut.
2. Go to Manage Configuration > New.
19 19 3. In the Browsing window, select a folder where you will store your configuration. 4. Enter a configuration name with a *.ucc extension in the Filename field and click Save. The new configuration is automatically displayed in the UC console, but it is not active. Open a Stored Configuration You can edit an existing or stored configuration other than the one running on the local UC at any time. Procedure 1. Open the UC Console by clicking on the shortcut. 2. Under Manage Configuration, click Open and browse the UC configuration file (*.ucc). 3. Click Open. The configuration is displayed in the GUI. However, this configuration is neither applied nor running. You can display back your active configuration at any time by selecting Manage Configuration > Open Active Configuration in the drop-down menu. Activate the Configuration You can make a stored configuration active at any time. Then, all the modifications applied on the fresh active configuration will be automatically saved and updated each time you validate the changes. Procedure 1. Open the UC Console by clicking on the shortcut. 2. Display the configuration that you want to activate in the UC Console. 3. Click. A warning message is displayed which indicates that the active configuration will be overwritten if you continue. 4. Click Continue to accept. If you do not want the active configuration to be erased, click Cancel and make a copy of it before activating another configuration. The configuration is now active and can be modified. Save a Configuration You should save an active or stored configuration on the local system. Procedure 1. Open the UC Console by clicking on the shortcut. 2. To copy a configuration, select Manage Configuration > Save as. 3. In the Browsing window, select the folder where you want to save the configuration. You can create a new folder. 4. Name the configuration and click Save. A UC Configuration file with the *.ucc extension is created. 
Editing Log Sources You can edit a single Log Source configuration. Similarly, you can update parameters for multiple Log Sources of the same type at a time.
20 20 Edit a Real-Time File Log Source
Procedure
1. Under the Collection tab, double-click on the selected Log Source or just select it and click the Edit button. The RT File Edition tab is displayed.
2. In the General part of the screen, you can modify the following information:
Option
Log Source Enabled: Click ON or OFF to define whether the current Log Source is enabled or disabled.
Name: Name of the Log Source.
Description: Description of the Log Source.
3. In the Forwarding Connection part of the screen, you can modify the following information:
Option
Name: Select the Forwarding connection to which you want to forward collected RT File logs. A Log Source must be linked to an existing Forwarding connection, which can be edited under the Forwarding tab.
UC Collection date: Define whether the log message sent to the LMI server remains in a local system time zone or is converted into UTC time zone.
4. In the Message Filtering part of the screen, you can modify the following information:
UC supports Java regular expressions.
Option
[Filtering]: Click ON or OFF to activate or deactivate the option.
Collect messages: Define whether you collect messages that:
- match the regex (other logs are filtered)
- do not match the regex (i.e. filter the logs that match the regex)
21 21 Option
Filter: Enter a case insensitive regular expression to specify the messages to be matched.
For example, if Not matching regex is selected:
"packet accepted" means that all the lines containing packet accepted are filtered.
"^64\.242" means that all the lines beginning exactly with 64.242 are filtered.
"846$" means that all the lines ending exactly with 846 are filtered.
For example, if Matching regex is selected:
"packet accepted" means that only the lines containing packet accepted are kept.
"^64\.242" means that only the lines beginning exactly with 64.242 are kept.
"846$" means that only the lines ending exactly with 846 are kept.
5. In the Collection part of the screen, you can modify the following information:
On Windows, Real-Time file collection is unavailable on network shared and Network File System (NFS) mounted drives.
Option
File Path: Browse the log file to be collected. If the log file is rotated, you may enter [id] or [date] or both in the filename as well as configuring the File rotation parameters.
For example, c:\temp\logfile[date].log to obtain file names such as logfile log
For example, c:\temp\logfile[id].log to obtain file names such as logfile1.log
File rotation: Click ON or OFF to activate or deactivate the option.
[If File rotation is ON] Date pattern: Enter the date format you want to use for the [date] parameter. For example, yyyymmdd for
[If File rotation is ON] Max number of digits: Check the box and indicate the maximum number of digits you want for the [id] parameter. UC can collect any file with an [id] whose number of digits is between 1 and 9 inclusive. For example, if you set 5, the following [id] will be taken into account: 1, 054, 586, 00599, 78945, etc.
22 22 Option File change notification Click ON or OFF to activate or deactivate the option. This option allows you to monitor file changes. If set ON, a notification will be sent to LMI via uc.log file when the specified file's modified date changes. The notification includes the changed content and time. A new log is recorded for the notification when UC internal logs are forwarded to LMI. The file changes are not monitored for rotated files. In this case, the File change notification option is disabled. The specified file size should be less than the default size (10MB). If the file size is more than 10MB, the notification does not include changed content. Before activating this monitoring option, make sure to set the LMI Connection > Forwarding > Forward UC Internal Logs option to ON. [Multiline messages] [If Multiline messages is ON] Multiline header type [If Multiline messages is ON] Custom header regex [If Multiline messages is ON] Send orphaned lines [If Multiline messages is ON] Multiline timeout after detected header [Advanced] Host name Application name Maximum messages length Click ON or OFF to activate or deactivate the option to define whether the single message has several lines. Select the type of multi-line logs. For example, 'jboss', 'tomcat', 'weblogic', 'websphere' or 'custom'. Set a regular expression matching the header of the first line of a log. Indicate whether you want the UC to send messages that do not match the Header Regexp. Indicate the number of seconds after which the multi-line logs are ready to be sent. Click the drop-down menu to display advanced parameters. Enter the name of the host used to pair logs on the LMI server. For example, customhostname.com If you enter an IPv4 / IPv6 address, the device to be displayed in LMI will be referred with this IP address. Enter the name of the application used to identify logs on the LMI server. 
For example, customapplicationname Indicate the possible maximum length for the message (in bytes). Default value: 64000
23 23 Option [Collected file] Charset Select the data format. Default value: Use local system charset 6. Click Apply to validate the changes. Edit Multiple Real-Time Log Sources Procedure 1. Under the Collection tab, select the Log Sources and click the Edit button. The RT File Edition tab is displayed. 2. Check the boxes in front of the set of RT File parameters you want to change. 3. Modify the parameters as explained in Edit a Real-Time File Log Source on page 20. Edit a Windows Event Log Source Procedure 1. Under the Collection tab, double-click on the selected Log Source or just select it and click the Edit button. The Windows Events Log Source Edition tab is displayed. 2. In the General part of the screen, you can modify the following information: Option Log Source Enabled Name Click ON or OFF to define whether the current Log Source is enabled or disabled. Name of the Log Source. For example, ls-win-template of the Log Source. 3. In the Forwarding Connection part of the screen, you can modify the following information: Option Name UC Collection date Select the Forwarding connection to which you want to forward collected RT File logs. A Log Source must be linked to an existing Forwarding connection, which can be edited under the Forwarding tab. Define whether the log message sent to the LMI server remains in a local system time zone or is converted into UTC time zone. 4. In the Message Filtering part of the screen, you can modify the following information:
24 24 Option
[Filtering]: Click ON or OFF to activate or deactivate the option.
Event ID Filter: Regular expression to filter the Windows event ID. For example,
567|^58[1-9] means that the events with an Event ID containing 567 but also those from 581 to 589 inclusive are collected.
^(8.*)|^(5[2-9].*) means that the events with an ID starting with 8 but also those starting with 52 to 59 inclusive are collected.
If the field is empty or .* is set, no filter is set. Refer to Regular Expressions on page 87 to get the list of characters used in regular expressions.
and/or: Select if you want to use both filters at the same time or one or another.
Source Filter: Enter a regular expression to filter Windows events on source field. For example,
Security means that all the events with a Security source field are filtered.
DNS Client Events means that all the events with a DNS Client Events source field are filtered.
Time-Service means that all the events with a time-service source field are filtered.
If the field is empty or .* is set, no filter is set. Refer to Regular Expressions on page 87 to get the list of characters used in regular expressions.
5. In the Collection part of the screen, you can modify the following information:
Option
[Location]
Local/Remote host: Indicate whether the Windows host from which to poll logs is the local machine or a remote host.
Host name: Enter the IPv4 / IPv6 address to connect to the remote Windows server.
[Credentials]
Use UC service credentials/use custom credentials: Select the relevant options to use the correct Windows credentials. If you have configured credentials in the UC Windows Services Control Panel, you can use those credentials to create multiple Windows Event Log Collections. To do this, select the UC service credentials option.
25 25 Option Domain (if Use custom credentials is set) Login (if Use custom credentials is set) Enter the domain name to access the Windows server. For example, domain.company Enter the login to connect to the Windows server. If the user has nonadministrator privileges, make sure to satisfy the prerequisites specified in the section Windows Event Logs on page 12. If the login belongs to a local user with administrator privileges, the User Account Control (UAC) needs to be turned off at the event host. Password (if Use custom credentials is set) To connect to the Windows server, enter a password [Windows Event Logs] Collect List Edit List Define the Windows Event Logs journals to include. It can be either: - all event logs = all current and logs to come are collected - all event logs except the following ones = all current and event logs to come are collected except the one indicated in the List form. - only the following event logs = only the following event logs indicated in the List form are collected List of Event Logs to include or exclude. Displays the Edit List window to select the event logs to be collected: 1 - In the Available Event Logs pane, select an event log and click Add. This will add the logs to the list. 2 - If you want to remove them from the list, select them and click Remove. 3 - If you want to manually add an Event Log, enter the name and click Add. Make sure you entered the name correctly as it is case-sensitive. 4 - Click OK. If you want to display all the Event Logs available, click the Discover Event Logs button. [Advanced] Polling Period Enter the time period (in seconds) after which UC checks for new Windows events. Default value: 10
26 26 Option Windows type Specify the platform from the drop-down list. If you do not specify the platform type, UC will try to autodiscover the platform type. However, if the user has nonadministrator privileges, UC will fail to auto-discover the platform type. Language type Specify the language type from the drop-down list. 6. Click Apply to validate the changes. If you do not specify the type, by default it will be assigned as English. Edit Multiple Windows Event Log Sources Procedure 1. Under the Collection tab, select the Log Sources and click the Edit button. The Windows Event Log Edition tab is displayed. 2. Check the boxes in front of the set of Windows Event Logs parameters you want to change. 3. Modify the parameters as explained in Edit a Windows Event Log Source. Edit a Syslog Log Source Procedure 1. Under the Collection tab, double-click on the selected Log Source or just select it and click the Edit button. The Syslog Log Source Edition tab is displayed. 2. In the General part of the screen, you can modify the following information: Option Log Source Enabled Name Click ON or OFF to define whether the current Log Source is enabled or disabled. Name of the Log Source. of the Log Source. 3. In the Forwarding Connection part of the screen, you can modify the following information:
27 27 Option
Name: Select the Forwarding connection to which you want to forward collected RT File logs. A Log Source must be linked to an existing Forwarding connection, which can be edited under the Forwarding tab.
UC Collection date: Define whether the log message sent to the LMI server remains in a local system time zone or is converted into UTC time zone.
4. In the Collection part of the screen, you can modify the following information:
Option
Protocol: Define whether the Log Source uses the udp/tcp SYSLOG protocol. In order to listen on both UDP and TCP protocols, you must create two Syslog Log Sources.
Port: Enter the port to listen to the Syslog flow. Default value: 514
Binding interface: If there are multiple network interfaces, enter the IP address to listen to the Syslog flow. Only one IP address is possible.
To listen to all network interfaces for IPv4, use
To listen to a specific interface for IPv4, use an address like
To listen to all network interfaces for IPv6, use ::0.
To listen to a specific interface for IPv6, use an address like fe80::84c8:f82e:74a1:a187
Default value:
When there are multiple syslog collectors, if one of the collectors has been bound to a specific interface, all remaining collectors cannot be bound to The remaining collectors should be bound to other specific interfaces.
5. In the Message Filtering part of the screen, you can modify the following information:
Option
[Filtering]: Click ON or OFF to activate or deactivate the option. If Message Filtering is set to OFF, messages with a debug severity are not collected (max severity set to 6). If a message has neither severity nor facility, UC automatically allocates the local use 7 facility and the debug severity to the message. It will then be automatically filtered.
28 28 Option
Maximum Severity: Select the maximum accepted severity (numerical code, see RFC 3164)
0 - Emergency: system is unusable
1 - Alert: action must be taken immediately
2 - Critical: critical conditions
3 - Error: error conditions
4 - Warning: warning conditions
5 - Notice: normal but significant condition
6 - Informational: informational messages
7 - Debug: debug-level messages
Default value: 6 - Informational: informational messages
29 29 Option
Authorized facilities: Select one or several accepted facilities (see RFC 3164). The logs with these facilities are kept.
0 - kernel messages
1 - user-level messages
2 - mail system
3 - system daemons
4 - security/authorization messages (note 1)
5 - messages generated internally by syslogd
6 - line printer subsystem
7 - network news subsystem
8 - UUCP subsystem
9 - clock daemon (note 2)
10 - security/authorization messages (note 1)
11 - FTP daemon
12 - NTP subsystem
13 - log audit (note 1)
14 - log alert (note 1)
15 - clock daemon (note 2)
16 - local use 0 (local0)
17 - local use 1 (local1)
18 - local use 2 (local2)
19 - local use 3 (local3)
20 - local use 4 (local4)
21 - local use 5 (local5)
22 - local use 6 (local6)
23 - local use 7 (local7)
Default value: 0-23
Authorized IP addresses: Enter the regular expression to filter the accepted IP addresses and to filter the accepted host. All the logs from all IP addresses are collected if the field is blank (default).
6. Click Apply to validate the changes.
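The Syslog Log Source filtering rules described above (maximum severity, authorized facilities, authorized IP regular expression, and the local use 7 / debug assignment for messages without a priority), as an added Python example that is not TIBCO code. The names SyslogFilter, decode_pri and kept_flags, the sample messages, and the unanchored search used for the IP expression are assumptions; Python's re stands in for UC's Java regular expressions.

```python
import re
from dataclasses import dataclass

SEVERITY_NAMES = ("Emergency", "Alert", "Critical", "Error",
                  "Warning", "Notice", "Informational", "Debug")

# Per the guide: a message with neither severity nor facility is given
# facility 23 (local use 7) and severity 7 (Debug).
DEFAULT_FACILITY, DEFAULT_SEVERITY = 23, 7

PRI_RE = re.compile(r"^<(\d{1,3})>")   # leading <PRI> of an RFC 3164 message


def decode_pri(message):
    """Return (facility, severity); PRI = facility * 8 + severity."""
    m = PRI_RE.match(message)
    if m and int(m.group(1)) <= 191:   # 23 * 8 + 7 is the highest valid PRI
        pri = int(m.group(1))
        return pri // 8, pri % 8
    # Assumption: an out-of-range PRI is handled like a missing one.
    return DEFAULT_FACILITY, DEFAULT_SEVERITY


@dataclass(frozen=True)
class SyslogFilter:
    max_severity: int = 6                         # guide default: 6 - Informational
    facilities: frozenset = frozenset(range(24))  # guide default: 0-23
    ip_regex: str = ""                            # blank: all source IPs accepted

    def decide(self, source_ip, message):
        """Return (kept, reason) for one received message."""
        facility, severity = decode_pri(message)
        # Assumption: the expression is searched for anywhere in the address.
        if self.ip_regex and not re.search(self.ip_regex, source_ip):
            return False, f"source {source_ip} not authorized"
        if facility not in self.facilities:
            return False, f"facility {facility} not authorized"
        if severity > self.max_severity:
            return False, (f"severity {severity} ({SEVERITY_NAMES[severity]}) "
                           f"above maximum {self.max_severity}")
        return True, "kept"


# Constructed sample traffic: (source IP, raw message).
SAMPLES = [
    ("192.0.2.10", "<34>Oct 11 22:14:15 gw1 su: auth failure for admin"),    # facility 4, severity 2
    ("192.0.2.10", "<191>Oct 11 22:14:16 gw1 app: cache probe"),             # facility 23, severity 7
    ("192.0.2.10", "Oct 11 22:14:17 gw1 app: line sent without a PRI"),      # defaults to 23 / 7
    ("192.0.2.100", "<86>Oct 11 22:14:18 host2 sshd[411]: session opened"),  # facility 10, severity 6
]


def kept_flags(flt, samples=SAMPLES):
    """Apply one filter to every sample and return the keep/drop decisions."""
    return [flt.decide(ip, msg)[0] for ip, msg in samples]


if __name__ == "__main__":
    configs = {
        "defaults": SyslogFilter(),
        "debug allowed": SyslogFilter(max_severity=7),
        "auth facilities only": SyslogFilter(max_severity=7,
                                             facilities=frozenset({4, 10})),
        "loose IP regex": SyslogFilter(ip_regex="192.0.2.10"),
        "anchored IP regex": SyslogFilter(ip_regex=r"^192\.0\.2\.10$"),
    }
    for label, flt in configs.items():
        print(f"== {label}")
        for ip, msg in SAMPLES:
            kept, reason = flt.decide(ip, msg)
            print(f"  {'KEEP' if kept else 'DROP'} {ip:<12} {reason:<45} {msg[:40]}")
```

Under the search assumption, the unescaped and unanchored expression 192.0.2.10 also accepts 192.0.2.100; escaping the dots and anchoring with ^ and $ restricts the filter to the single address.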
30 30 Edit Multiple Syslog Log Sources Procedure 1. Under the Collection tab, select the Log Sources and click the Edit button. The Syslog Log Source Edition tab is displayed. 2. Check the boxes in front of the set of Syslog parameters you want to change. 3. Modify the parameters as explained in Edit a Syslog Log Source on page 26. Edit a Remote File Log Source Procedure 1. Under the Collection tab, double-click on the selected Log Source or just select it and click the Edit button. The Remote File Log Source Edition tab is displayed. 2. In the General part of the screen, you can modify the following information: Option Log Source Enabled Name Click ON or OFF to define whether the current Log Source is enabled or disabled. Name of the Log Source. of the Log Source. 3. In the Forwarding Connection part of the screen, you can modify the following information: Option Name Select the Forwarding connection to which you want to forward collected RT File logs. A Log Source must be linked to an existing Forwarding connection, which can be edited under the Forwarding tab. Remote File Collection is only supported by LMI v5.4 or above and can only be forwarded to LMI, not generic syslog servers. 4. In the Collection part of the screen, you can modify the following information: Option Host IP/Name Protocol Enter the IP or name of the remote log source. Define whether the Log Source uses the ftp, sftp, cifs or file protocol. On Windows, Remote file collection using file protocol is unavailable on network shared and Network File System (NFS) mounted drives.
31 31 Option [If ftp is selected] Server TimeZone [If a non-local timezone is selected] File System Type User ID [If cifs is selected] Domain/User name User password [If cifs is selected] Share name File / Directory [If File is selected] File path [If File is selected] File Rotation [If File is selected] File change notification Select the timezone of the remote log source. Select the file system type. Enter the User ID to connect to the remote log source. Enter the domain or user name. Enter the user password. Enter the cifs share name. Select the source of the collection, either a file or the content of a directory. If File is selected, enter the file path. This is the absolute path of the file system where the UC is installed. For example, on Windows: d: \myfolder\mylog.log. However, on Linux/UNIX systems it must be as /usr/myaccount/mylog.log. Click ON or OFF to activate or deactivate the option. Only available if File is selected. Click ON or OFF to activate or deactivate the option. You can monitor a file changes. If set ON, a notification will be sent to LMI via uc.log file when the specified file's modified date changes. The notification includes the changed content and time. A new log is recorded for the notification when UC internal logs are forwarded to LMI. The file changes are not monitored for rotated files. In this case, the File change notification option is not available. The specified file size should be less than the default size (10MB). If the file size is more than 10MB, the notification does not include changed content. Before activating this monitoring option, make sure to set the LMI Connection > Forwarding > Forward UC Internal Logs option to ON. [If File Rotation is ON] Original name [If File Rotation is ON] Date pattern The file that is currently being written; it is usually the file without date or id tag. Enter the date format you want to use for the [date] parameter. For example, yyyymmdd for
32 32 Option [If File Rotation is ON] Max number of digits [If Directory is selected] Directory path [If Directory is selected] File(s) Include [If Directory is selected] File(s) Exclude [If Directory is selected] File change notification Check the box and indicate the maximum number of digits you want for the [id] parameter. UC can collect any file with an [id] whose number of digits is between 1 and 9 inclusive. For example, If you set 5, the following [id] will be taken into account: 1, 054, 586, 00599, 78945, etc. If Directory is selected, enter the directory pathname. Enter the files that must be included in the collection. The field supports the standard common wildcard characters for matching file names (* and?). Enter the files that must be excluded from the collection. The field supports the standard common wildcard characters for matching file names (* and?). Click ON or OFF to activate or deactivate the option. You can monitor a directory changes. If set ON, a notification will be sent to LMI via uc.log file when the specified directory's modified date changes. The notification includes the changed content and time. A new log is recorded for the notification when UC internal logs are forwarded to LMI. Before activating this monitoring option, make sure to set the LMI Connection > Forwarding > Forward UC Internal Logs option to ON. Device type Test connection [Advanced] Log Source IP Select the type of logs to be collected. Click this button to check if the connection to the remote log source is working. Select an option: - Remote file server: selected by default. The IP is grabbed from the host IP that you previously entered. This option is not available when the file protocol is selected. - UC: IP address of the workstation where UC is installed. You can change it as you want. The IP address will be set as the host IP address when the file protocol is selected. Delete inactive file Click ON or OFF to activate or deactivate the option. 
You can purge files that are older than certain time based on the modified time.
33 33 Option [If Delete inactive file is selected] Delete file remains unchanged more than [Schedule] Enter the number of days after which the inactive file is deleted. The default is set to 7 days. Select the collection period, either per minute, hour, daily or weekly at a specific hour. 5. Click Apply to validate the changes. Edit Multiple Remote File Log Sources Procedure 1. Under the Collection tab, select the Log Sources and click the Edit button. The Remote File Log Source Edition tab is displayed. 2. Check the boxes in front of the set of Remote file parameters you want to change. 3. Modify the parameters as explained in Edit a Remote File Log Source. Edit Different Types of Log Sources You can edit several Log Sources of different types, except remote files, at a time. Only the common parameters are editable. Procedure 1. Under the Collection tab, press Ctrl while clicking on the Log Sources to select them. 2. Click Select screen to only select the list of visible Log Sources at a time or click Select all to select all the lists of Log Sources. 3. Click the Edit button and select All. The All tab is displayed. 4. In the General part of the screen, you can modify the following information:
34 34 Option Log Source Enabled Name Click ON or OFF to define whether the current Log Source is enabled or disabled. Name of the Log Source. of the Log Source. 5. In the Forwarding Connection part of the screen, you can modify the following information: Option Name UC Collection date Select the Forwarding connection to which you want to forward collected RT File logs. A Log Source must be linked to an existing Forwarding connection, which can be edited under the Forwarding tab. Define whether the log message sent to the LMI server remains in a local system time zone or is converted into UTC time zone. 6. Click OK to save the changes. If you open again one of the Log Source you selected, you can see that the changes are applied. Edit a Log Source using the Command Line Procedure 1. Under the Collection tab, double-click on the selected Log Source or just select it and click the Edit button. The Cmd Log Source Edition tab is displayed. 2. In the General part of the screen, you can modify the following information: Option Log Source Enabled Name Click ON or OFF to define whether the current Log Source is enabled or disabled. Name of the Log Source. of the Log Source. 3. In the Forwarding Connection part of the screen, you can modify the following information: Option Name UC collection date Select the Forwarding connection to which you want to forward collected logs. Define whether the log message sent to the LMI server remains in a local system time zone or is converted into UTC time zone.
35 35 4. In the Collection part of the screen, you can modify the following information:
Option
Command: Enter the command line script path. If the script path or argument contains empty spaces, it must be entered in double quotation marks. On Windows, if the script path and argument contain empty spaces, you must enter the command as shown below:
""D:\folder name\hello World.py" "hello world"" (double quotation marks for the whole command)
or
D:\"folder name"\"hello World.py" "hello world"
[Multiline messages]: Click ON or OFF to activate or deactivate the option to define whether the single message has several lines.
[If Multiline messages is ON] Multiline timeout after detected header: Indicate the number of seconds after which the multi-line logs are ready to be sent.
[Advanced]: Click the drop-down menu to display advanced parameters.
Host name: Enter the name of the host used to pair logs on the LMI server. For example, customhostname.com If you enter an IPv4 / IPv6 address, the device to be displayed in LMI will be referred with this IP address.
Application name: Enter the name of the application used to identify logs on the LMI server. For example, customapplicationname
Maximum messages length: Indicate the possible maximum length for the message (in bytes). Default value:
Run once: Click ON or OFF to activate or deactivate the option to define whether the script should be run once or multiple times.
[Schedule]: Select the collection period, either per minute, hour, daily, or weekly at a specific hour.
5. Click Apply to validate the changes.
36 36 Sorting Log Sources Tags are useful to store, sort, and search for Log Sources in a list. For example, if you want to easily find the logs coming from Windows server A to which the administrator has logged. You can create tags such as Server A, Connection, Administrator, and then search based on tags. You can create and apply up to 10 filters. Create a New Tag Procedure 1. Under the Collection tab, select one or several log sources. 2. In the Tag edition panel on the right, enter a tag in the combo box and click Add Tag. The tag is automatically saved. Apply a Tag Once you have created tags, you can apply them to one or several log sources. Procedure 1. Under the Collection tab, select the log source(s) to which you want to apply a tag. 2. In the combo box in the right hand panel, select the tag you want to apply and click Add Tag. The tag is displayed under the Tags column. Remove a Tag Procedure 1. Under the Collection tab, select the log source for which you want to remove the tag. 2. In the Tag edition panel, click the cross of the tag you want to remove. The list is updated automatically. Sort Log Sources You can sort the list of log sources to display only the relevant items. Procedure 1. In the left hand part of the configuration panel, click the + Add Filter button. Two drop-down list boxes are displayed. 2. In the first drop down list, select the type of information you want to filter. The options are: Enabled, Name, Forwarder, Type, Collection or Tags. 3. Based on the type, select the relevant values.
37 37 Filter Enabled Name Forwarder Type Collection Tags Values Sorts log sources per status, i.e. Off or On. Sorts log sources per name. Enter the log source name. For example, ls-logsource-windows Sorts log sources per Forwarding connection (names of the connection file), for example, uldp-sample Sorts log sources per type, i.e. file, syslog or windows. Sorts log sources per collection type, i.e. file, syslog or windows. Sorts log sources per user-created tags, for example, server, web. 4. Click Apply to filter the list. 5. To add another filter, click +Add Filter and repeat the procedure explained above. For example, to make a search on a specific forwarder AND a specific type of file, you will obtain something like this: 6. For a same filter if you want to add another value, click the + button and select the relevant value. For example, to find a File Log Source OR a Syslog log source, you will have to obtain something like this: 7. To remove a filter or only a value, click the - button. 8. Click the column header to display the filtered list by alphabetical order. 9. Click the Clear all button to disable the filters.
38 38 Forwarding Logs UC collects the information from various types of log sources and forwards them to an LMI server. The logs are forwarded to an LMI server via the proprietary ULDP protocol or to a Syslog server using UDP or TCP protocols for the communication between the UC and the LMI server or syslog server. You must select the UDP when forwarding syslog to LMI server. A file is identified by a file identifier usually a string representing the path name of the file in the source device. Creating a Syslog TCP or UDP Connection You can add up to 10 Forwarding Connections. Procedure 1. Open the UC Console and click the Forwarding tab. 2. Select the New > TCP (Syslog) or UDP (Syslog) menu. 3. In the General section, modify the name of the connection. 4. In the Security section, make sure the button is set to OFF. 5. In the Forwarding section, modify the following values: Forwarding Address Enter the IPv4 / IPv6 address or host name of the TCP /UDP server. Port Enter a port number. (Default: 514) [TCP Only] Test Connection Test the connection between UC and the server. Message Format
39 39 Facility: Select the facility to be applied to the log:
0 - kernel messages
1 - user-level messages
2 - mail system
3 - system daemons
4 - security/authorization messages (note 1)
5 - messages generated internally by syslog
6 - line printer subsystem
7 - network news subsystem
8 - UUCP subsystem
9 - clock daemon (note 2)
10 - security/authorization messages (note 1)
11 - FTP daemon
12 - NTP subsystem
13 - log audit (note 1)
14 - log alert (note 1)
15 - clock daemon (note 2)
16 - local use 0 (local0)
17 - local use 1 (local1)
18 - local use 2 (local2)
19 - local use 3 (local3)
20 - local use 4 (local4)
21 - local use 5 (local5)
22 - local use 6 (local6)
23 - local use 7 (local7)
Severity: Select the severity to be applied to the log:
0 - Emergency: system is unusable
1 - Alert: action must be taken immediately.
2 - Critical: critical conditions.
3 - Error: error conditions.
4 - Warning: warning conditions.
5 - Notice: normal but significant condition.
6 - Informational: informational messages.
7 - Debug: debug-level messages.
Custom Header: Indicate the header of the message.
Advanced
40 40 [TCP only] Session timeout UC Binding interface Enter the session timeout (in seconds) If there are multiple network interfaces, enter the IP address that the UC uses when establishing the connection. Default: In the Message Buffering section, modify the following values: Message Buffering Buffer size (MB) Enter the buffer size in megabytes. (Default: 100 MB) 7. Click OK to save and close the screen. The list of connections is updated. Creating an LMI Connection Procedure 1. Open the UC Console and click the Forwarding tab. 2. Select the New > ULDP to open the LMI Connection tab. 3. In the General section, modify the name of the connection. 4. In the Security section, make sure the button is set to OFF. 5. In the Forwarding section, modify the following values: Forwarding Address Port Test connection Forward UC Internal Logs Compress Messages Enter the IPv4 / IPv6 address or host name of the LMI. Select the LMI port or enter a port for connection with LMI 5.0 and 5.1 (default value) for secured connection with LMI 5.0 or later (configurable in LMI) for connection with LMI 5.2 or later Test the connection between UC and LMI. Define whether the UC internal logs are sent to the remote LMI by selecting ON. If the connection is slow, you can configure the logs to be compressed for a more rapid flow of data. Define whether the logs are compressed by selecting ON. Advanced
Reconnection: Enter the reconnection frequency to the LMI (in seconds)
Session timeout: Enter the session timeout to LMI (in seconds)
UC Binding interface: If there are multiple network interfaces, enter the IP address that UC uses when establishing the connection to LMI. Default:

6. In the Message Buffering part of the screen, modify the following values:

Message Buffering
Buffer size (MB): Enter the buffer size in megabytes. (Default: 100 MB)
Scheduled Forwarding: Define the period of time during which the logs are sent to the LMI (time window) by selecting ON. Scheduled forwarding is not recommended for pulling large files via remote file collection.
Daily Start: Define the beginning of the time window. If sendingwindow = true in the above parameter, define the time (hour and minute) when the events start to be sent (default value = 23:00)
Daily Stop: Define the end of the time window. If you set sendingwindow = true in the above parameter, define the time (hour and minute) when the events stop being sent (default value = 05:00).

7. Click OK to save and close the screen. The list of LMI connections is updated.

Creating a Connection in Authentication and/or Encryption Mode

The information delivered through the communication between the UC and the LMI server or syslog server can be encrypted. To secure communications between the UC and LMI or syslog servers, the following information will be checked: the identities of the LMI or syslog server and of the UC, and the encryption of communication between the UC and the LMI or syslog server (public and private key mechanism).

If you need to use an AES192 or AES256 key, you must install the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files 7 package from Oracle. The 2 JAR files included in this package must be loaded into the lib/security directory of the Java instance that UC uses in order to utilize AES192 or AES256 key ciphers.
If you do not have JCE installed, then the UC Console will fail when you try to import an AES192 or AES256 key. As a requirement, you need a PKI and OpenSSL or another compatible tool. This section is intended for advanced users with the necessary encryption and secure communication skills.
Procedure
1. A public key and a private key are used to create a Root Certificate Authority (Root CA).
2. A public key and a private key are generated to create the UC's Certificate Signing Request (CSR).
3. This request is sent along with the UC's identity information and the public key, and then the Root CA delivers the certificate by signing the Certificate Signing Request. The UC's certificate is then created and sent with the Authority's certificate.

Step 1 Get a Root Certificate Authority from your PKI

When deploying an authentication process with UC, you need to use a Public Key Infrastructure (PKI) consisting of a certificate authority or CA (and a registration authority or RA) that issues and verifies digital certificates. A certificate includes the public key; one or more directories where the certificates (with their public keys) are held and a certificate management system. A number of products exist that enable a company or group of companies to implement a PKI.

Procedure
1. Access a tool such as OpenSSL.
2. Generate a public and a private key. The recommended and maximum size is 2048 bit and encrypted in AES 128 (3DES is also supported).
   Example:
       openssl genrsa -out ca.key -aes128 2048
3. Generate the CA (valid for 7305 days)
   Example:
       openssl req -new -x509 -days 7305 -key ca.key -out ca.pem

What to do next
Refer to the SSL Certificates HOWTO documentation to know how to create your Certificate Authority: HOWTO.html

Step 2 Create a Certificate Signing Request

Prerequisites
You must now generate a Certificate Signing Request in a UC to be able to create a Certificate on a Certificate Authority. You will obtain a file with the *.csr extension.

Using the Internal Tool

The tool is located in the <INSTALL_DIR>/tools folder.

Procedure
1. Enter the following command to start the tool:
       Windows: cert_mgt.bat
       RHEL, SUSE, Solaris: cert_mgt
2. Enter the following command:
       <script-name> request
3. Enter the command to indicate the file path of the file to be generated. You have three possibilities according to the type of your certificates.
       [ -jks <file path of the generated *.ks containing the private key> ]
       [ -p12 <file path of the generated *.p12 certificate containing the private key> ]
       [ -pem <file path of the generated *.pem private key> ]
       -csr <file path of the generated Certificate Signing Request>
       [ -dn <CSR Distinguished Name> ]
       -pwd <mandatory password for the file containing the private key>

This command generates 2 files containing the private key (i.e. a *.ks or *.p12 or *.pem) and a Certificate Signing Request (CSR). If it is not specified in the command line, by default, the DN of the CSR is: CN=<UC-IP>, O=loglogic

For example:
    cert_mgt request -jks uc.ks -pwd loglogic -csr uc.csr

Using OpenSSL

You need UC's public and private keys and OpenSSL.

Procedure
1. Generate the public and private keys. The recommended and maximum size is 2048 bit and encrypted in AES 128 (3DES is also supported):
       openssl genrsa -out uc.key -aes128 2048
2. Create the CSR:
       openssl req -new -key uc.key -out uc.csr

What to do next
Refer to the SSL Certificates HOWTO documentation to know how to create your Certificate Authority.

Step 3 Create a Valid UC Certificate using a CA and OpenSSL

You must create the valid Certificate issued by a Certificate Authority in the UC configuration.

Procedure
Enter the following command:
    openssl ca -config conf_file.txt -days 730 -in uc.csr -out uc.pem -notext

In this example, a configuration file has been defined (conf_file.txt). If no configuration file has been specified, then OpenSSL takes /usr/local/ssl/openssl.cnf by default. Make sure that the path /usr/local/ssl/openssl.cnf is created and configured in advance.

You will get a *.pem certificate that contains the UC's certificate.

Refer to the SSL Certificates HOWTO documentation to know how to create your Certificate Authority.
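The following is an added example, not part of the TIBCO guide: it runs Steps 1 to 3 against a throwaway CA and then checks what an operator would want confirmed before importing into the UC, namely that uc.pem chains to the root CA, matches the UC private key, and is not about to expire. It signs with `openssl x509 -req` instead of `openssl ca` so that no CA configuration file is needed; the subjects, file names, passphrases and the function names `make_test_pki` and `check_uc_cert` are assumptions.

```shell
#!/bin/sh
# Added example (not from the TIBCO guide). File names, subjects and
# passphrases are constructed for the demonstration.

# Passphrases go through the environment (openssl "env:" source) so they do
# not appear on the command line or in the process list.
export CA_KEY_PASS='constructed-ca-passphrase'
export UC_KEY_PASS='constructed-uc-passphrase'

# make_test_pki DIR: create a throwaway root CA and a UC certificate in DIR.
make_test_pki() {
    pki_dir=$1
    # Step 1: root CA key (2048-bit RSA, AES-128 encrypted) and CA certificate.
    openssl genrsa -aes128 -passout env:CA_KEY_PASS \
        -out "$pki_dir/ca.key" 2048 2>/dev/null || return 1
    openssl req -new -x509 -days 7305 -key "$pki_dir/ca.key" \
        -passin env:CA_KEY_PASS -subj "/CN=Example Root CA/O=example" \
        -out "$pki_dir/ca.pem" || return 1
    # Step 2: UC key and CSR. 192.0.2.10 stands in for <UC-IP>.
    openssl genrsa -aes128 -passout env:UC_KEY_PASS \
        -out "$pki_dir/uc.key" 2048 2>/dev/null || return 1
    openssl req -new -key "$pki_dir/uc.key" -passin env:UC_KEY_PASS \
        -subj "/CN=192.0.2.10/O=loglogic" -out "$pki_dir/uc.csr" || return 1
    # Step 3: the CA signs the CSR (730 days, as in the guide's example).
    # x509 -req is used here in place of "openssl ca".
    openssl x509 -req -in "$pki_dir/uc.csr" -CA "$pki_dir/ca.pem" \
        -CAkey "$pki_dir/ca.key" -passin env:CA_KEY_PASS -CAcreateserial \
        -days 730 -out "$pki_dir/uc.pem" 2>/dev/null || return 1
}

# check_uc_cert CA_PEM UC_PEM UC_KEY [MIN_DAYS]
# Returns 0 if the certificate is fit to import, otherwise:
#   1 = uc.pem does not chain to the given root CA
#   2 = uc.pem does not belong to the given private key
#   3 = uc.pem expires within MIN_DAYS (default 30)
# The key passphrase is read from UC_KEY_PASS.
check_uc_cert() {
    ca_file=$1; cert_file=$2; key_file=$3; min_days=${4:-30}

    # Trust only the supplied root CA, not the system trust store.
    openssl verify -no-CApath -CAfile "$ca_file" "$cert_file" \
        >/dev/null 2>&1 || return 1

    # Compare the public key in the certificate with the one derived
    # from the private key.
    cert_pub=$(openssl x509 -in "$cert_file" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$key_file" -passin env:UC_KEY_PASS \
        -pubout 2>/dev/null) || return 2
    [ "$cert_pub" = "$key_pub" ] || return 2

    # -checkend fails if the certificate expires within the given seconds.
    openssl x509 -in "$cert_file" -noout \
        -checkend $((min_days * 86400)) >/dev/null 2>&1 || return 3
    return 0
}

# Demo run in a temporary directory that is removed afterwards.
demo_dir=$(mktemp -d)
if make_test_pki "$demo_dir" &&
   check_uc_cert "$demo_dir/ca.pem" "$demo_dir/uc.pem" "$demo_dir/uc.key" 30
then
    echo "uc.pem chains to ca.pem, matches uc.key and is valid for 30+ days"
else
    echo "certificate check failed" >&2
fi
rm -rf "$demo_dir"
```

Running `check_uc_cert` again with a larger MIN_DAYS shortly before the 730-day lifetime ends gives advance notice of the expiry that otherwise forces the whole procedure to be repeated.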
Step 4 Import the Certificate into *.ks or *.p12

This step is not required if you work with a *.pem certificate.

Prerequisites
This command allows you to import the UC certificate and/or the root CA certificate in a *.ks or the UC certificate in a *.p12 certificate.

Procedure
Using the CLI provided by LogLogic, enter the command to format the file:
    <script-name> import
    [ -jks <file path of the *.ks> ]
    [ -p12 <file path of the *.p12 certificate> ]
    -pwd <mandatory password>
    [ -cert <file path of the UC certificate in *.pem format> ]
    [ -rootcert <file path of the root CA certificate in *.pem format> ]

This command imports the UC certificate and/or the root CA. You can obtain a *.ks certificate file that contains a Certificate Authority, private key and the UC's certificate or a *.p12 certificate binary code, which contains the UC's certificate and a private key encrypted by a passphrase.

For example:
    cert_mgt import -jks uc.ks -pwd loglogic -cert uc-cert.pem -rootcert ca.pem

Step 5 Configure the Forwarding Process

If the connection is authenticated or encrypted, the necessary cryptographic elements must be imported. The three supported formats are:

*.ks: a keystore in the JKS format containing the root CA, the private key and the associated UC certificate. Associated configuration elements are a keystore filename and a password for the keystore (mandatory).

*.p12: a keystore in the PKCS#12 format, containing the private key and the associated UC certificate and the root CA (in *.pem format) as a separate file. Associated configuration elements are a PKCS#12 (.p12) file, a password protected PKCS#12 file (mandatory) and a root CA file.
*.pem: a private key (encrypted or not), a certificate to be used by UC in PEM format, a root CA certificate in PEM format. Associated configuration elements are a private key file, a password if the private key is encrypted (mandatory), a UC certificate file, a root CA certificate file.

The Certificate Authority's certificate is used by the UC to check the validity of the LMI or syslog server's certificate. The UC's valid certificate allows the LMI to identify the UC. The Certificate Authority must be the one you previously used to validate the LMI or syslog server certificate.

Procedure
1. Open the UC Console and click the Forwarding tab.
2. Click the New Connection button to open the Edition tab.
3. In the part of the screen, modify the name of the LMI or syslog server connection.
4. In the Security part of the screen, activate the following options:

Authentication: Activates the authenticated communication when the button is ON
Encryption: Activates the encrypted communication when the button is ON
Certificate: Displays the certificate imported in UC
Initialize Secured Connection: Displays the screens to import the certificates

For *.ks

Procedure
1. In the Secured Connection Initialization screen, select JKS and click Continue.
2. In the Java Keystore section, click Import and select the UC JKS Certificate in *.jks format.
3. Enter the certificate password and click OK.
4. Click OK to close the window. The screen is automatically updated.

For *.p12

Procedure
1. In the Secured Connection Initialization screen, select P12 and click Continue.
2. In the UC Certificate section, click Import and select the UC PKCS#12 Certificate in *.p12 format.
3. Enter the certificate password and click OK.
4. In the Root CA Certificate section, click Import and select the root CA certificate stored in *.p12 format.
5. Click OK to close the window. The screen is automatically updated.

For *.pem

Procedure
1. In the Secured Connection Initialization screen, select PEM and click Continue.
2. In the UC Certificate section, click Import and select the UC Certificate in *.pem format.
3. In the new small window, click Import Private Key and select the file in .pem format.
4. Enter the private key password and click OK.
5. In the Root CA Certificate section, click Import and select the root CA certificate stored in *.pem format.
6. Click OK to close the window. The screen is automatically updated.

Configure the Forwarding Process

Procedure
1. In the Forwarding part of the screen, modify the following values:

Forwarding
Address: Enter the IPv4 / IPv6 address or host name of the LMI.
Port: Select the LMI port or enter a port for connection with LMI 5.0 and 5.1 (default value) for secured connection with LMI 5.0 or later (configurable in LMI) for connection with LMI 5.2 or later
Test connection: Test the connection between UC and LMI.
Forward UC Internal Logs: Define whether the UC internal logs are sent to the remote LMI by selecting ON.
Compress Messages: If the connection is slow, you can configure the logs to be compressed for a more rapid flow of data. Define whether the logs are compressed by selecting ON.

Advanced
Reconnection: Enter the reconnection frequency to the LMI (in seconds)
Session timeout: Enter the session timeout to LMI (in seconds)
UC Binding interface: If there are multiple network interfaces, enter the IP address that the UC uses when establishing the connection to LMI. Default:

2. In the Message Buffering part of the screen, modify the following values:

Message Buffering
Buffer size (MB): Enter the buffer size in megabytes. (Default: 100 MB)
Scheduled Forwarding: Define the period of time during which the logs are sent to the LMI (time window) by selecting ON.
Daily Start: Define the beginning of the time window. If sendingwindow = true in the above parameter, define the time (hour and minute) when the events start to be sent (Default: 23:00)
Daily Stop: Define the end of the time window. If you set sendingwindow = true in the above parameter, define the time (hour and minute) when the events stop being sent (Default: 05:00).

3. Click OK to save and close the screen. The list of LMI connections is updated.

The configuration of UC has finished. When the certificate has expired, you must follow the procedure from the beginning. You can use the same CSR you used if you have stored it earlier.

Step 6 Enable Secure Connection

As for LMI, two certificates are needed:

The root CA, which can be retrieved from your certificate authority server or from your organization's PKI administrators. It will check the UC's identity.

A certificate signing request or CSR. In order to generate the signed certificate, manual steps are required, unlike UC.
Procedure
1. Using the LogLogic CLI, create a Certificate Signing Request:
       system secureuldp create csr
   This will generate a private key as well as the CSR. The CSR is the value between the Begin Certificate and End Certificate lines.
2. If you have already created your CSR and just want to display it again, enter:
       system secureuldp show csr
3. Copy the CSR and sign the CSR. Once the CA signs the CSR, it will generate a signed certificate. Alternatively, you can create a CSR as per your desired option, sign it, and then import the certificate using the Administration > SSL certificate > Certificate Import menu.
4. Install this signed certificate back to the LMI Appliance by entering:
       system secureuldp install certificate
5. Paste the certificate in. Make sure to include the Begin Certificate and End Certificate lines when pasting it in.
6. Install the root CA certificate which will be the common certificate used for validation between the LMI and UC. To do so, enter:
       system secureuldp install rootca
7. Paste in the root CA certificate.
8. You may need to restart the ULDP collector:
       mtask -s engine_uldpcollector stop ; mtask -s engine_uldpcollector start
9. Once you have created all the certificates, you must go to Administration > System Settings > General and check the Yes radio button associated with Enable Secure ULDP.

Result
The communication between UC and LMI is now secured.
Managing the list of Forwardings

You can easily copy or delete Forwardings.

Prerequisites

Label/Button
Name: Label of the configuration
Address: IPv4 / IPv6 address or host name of the server
Port: Forwarding port
[ULDP only] UC Logs: Indicates whether the UC internal logs are sent to the remote LMI or not
[ULDP only] Comp.: Indicates whether the logs are compressed or not
Auth.: Communication authenticated or not
Encrypt: Communication encrypted or not
Buffer (MB): Buffer size in megabytes (100 MB - default value, 50 GB - maximum value)
[ULDP only] Sched.: Indicates whether the messages are sent to the server during a specified time window
New: Allows you to add new Forwardings to the list (Maximum 10)
Edit: Allows you to edit Forwardings one by one
Copy: Allows you to copy Forwardings to the list
Delete: Allows you to delete Forwardings from the list

Copying a Forwarding

You can copy Forwardings one by one. The copied Forwardings keep the same configuration and the same name with the _Copy suffix.

Procedure
1. Select the Forwarding that you want to copy.
2. Click Copy. The new Forwarding is displayed in the Forwarding list. Double-click on the row to edit or modify the configuration. By default, the Forwarding is linked with no Log Source.
Deleting a Forwarding

You can delete Forwardings one by one.

Procedure
1. Make sure that the Log sources linked to the Forwarding are removed or disabled.
2. Select a row from the list and click Delete. Click Yes to confirm. The list is automatically refreshed.
Monitoring UC Activities

A UCMon tool is also available to monitor the internal process of the UC. This section provides instructions for quickly checking that UC is working properly, troubleshooting UC, Forwarding connection configuration, and monitoring the activities of the different log sources.

Starting UCMon Tool

To start UCMon from UC Console

Procedure
Open the UC Console and go to Manage Configuration > Monitor Active Configuration.

To start UCMon manually

Procedure
Open the UC installation folder and launch the executable file located in the tools folder:
    uc_monitor.exe (Windows), also available by clicking on the uc_monitor shortcut
    uc_monitor (RHEL, SUSE or Solaris)
The UCMon is displayed.

Summary Screen

Uptime: Time when the UC has been started
Current Time: Current date and time are automatically refreshed

Totals for the UC
Collected: Total number of collected messages for a given period of time. Between brackets, number of collected messages per second
Filtered: Total number of filtered messages for a given period of time. Between brackets, number of filtered messages per second
To Buffer: Total number of forwarded messages for a given period of time. Between brackets, number of forwarded messages per second
UC Mem: Current memory used / Total memory (Java Heap Size)
Config: Current configuration name

Forwarding Connections and Log Sources
All Forwarding Conn.: Forwarding connection status
    Active: the Forwarding connection works correctly
    Idle: Forwarding connection is OK but the connection is NOT established
    Error: there is an error on the Forwarding connection
    Off: indicates when the Forwarding connection is not used
    Total: total number of enabled Forwarding connections
All Log Sources/Syslog/Windows Event Log/RT File/Remote File: Log Sources status
    Active: the Log Sources are answering correctly
    Idle: Log Source not active at the moment
    Error: there is an error on the Log Source
    Off: indicates when a Log Source is inactive
    Total: total number of Log Sources

Interactive menu
< C >: Changes the time value of the Totals for UC metrics. Each time you enter C, the value switches as follows:
    current value
    1 minute
    5 minutes
    15 minutes
    24 hours
    time when the UCMon has been started
< M >: Displays additional information
< 1 >: Displays the Summary view
< 2 >: Displays the Status view
< 3 >: Displays the Metrics view
< 4 >: Displays the Trend view
< 5 >: Displays the Real Time view
< Q >: Quit the UCMon tool

Status Screen

To switch between Log Sources and Forwarding connection views, press L.

Log Source Status

Uptime: Time when the UC has been started
Current Time: Current date and time are automatically refreshed
Log Source: Name of the Log Source
Status: Status of the current Log Source:
    Active: the connection is OK
    Err: the connection encountered an error
    Idle: the connection never received a message from the source or nothing at all for 24 hours
    Off: a Log Source is inactive
Type: Type of the Log Source: Win EL, RT File, Remote File or Syslog
Collection: Connection parameters
    Win EL: Server IP or address
    Syslog: protocol/bound port
    RT File: Filename (no path)
    Remote: File path
Forwarding Connection: Current Forwarding connection associated with the current Log Source

Interactive menu
1-n/n: Scrolls the tables into view
< N >ext/< P >revious: Displays the next or previous view of the list of Log Sources
< E >rr first: Sort Log Source status by Error (ERR) or alphabetical order
< V >erbose mode: Display additional information
< L >og Source/Forwarding: Switch between Forwarding connections and Log Sources tables
< 1 >: Displays the Summary view
< 2 >: Displays the Status view
< 3 >: Displays the Metrics view
< 4 >: Displays the Trend view
< 5 >: Displays the Real Time view
< Q >: Quit the UCMon tool

Forwarding Connection Status

Uptime: Time when the UC has been started
Current Time: Current date and time are automatically refreshed
Forwarding Connection
Status: Status of the current Log Source:
    Active: the connection is OK
    Err: the connection encountered an error or spool may be full
    Idle: no message transmitted from the source or nothing for 24 hours
    Off: a Forwarding connection is not used
Address: IP address and port of the remote Forwarding connection
S C A E: Current Forwarding connection settings:
    S: Scheduled
    C: Compression
    A: Authentication
    E: Encryption
Usage: Spool load of the current Forwarding connection in %

Interactive menu
1-n/n: Scrolls the tables into view
< N >ext/< P >revious: Displays the next or previous view of the list of Forwarding connections
< E >rr first: Sort Log Source status by Error (ERR) or alphabetical order
< V >erbose mode: Display additional information
< L >og Source/Forwarding: Switch between Forwarding connections and Log Sources tables
< 1 >: Displays the Summary view
< 2 >: Displays the Status view
< 3 >: Displays the Metrics view
< 4 >: Displays the Trend view
< 5 >: Displays the Real Time view
< Q >: Quit the UCMon tool

Metrics Screen

To switch between Log Sources and Forwarding connection views, press L.

Log Source Metrics

Uptime: Time when the UC has been started
Current Time: Current date and time are automatically refreshed
Log Source: Name of the Log Source
Format: Format of the displayed values (messages or mps)
Period: Period of time when the data are displayed (since uptime, 1min, 5 min, 15 min, 24h)
Sort: Sorting order of Log Source: By name/ In values (descending)
Forwarding Connection: Define the current Forwarding connection with the Log Source
Collected: Total number of collected messages for a given period of time
Filtered: Total number of filtered messages for a given period of time
To Buffer: Total number of forwarded messages for a given period of time

Interactive menu
1-n/n: Scrolls the tables into view
< N >ext/< P >revious: Displays the next or previous view of the list of Log Sources
< F >ormat data: Switch between messages or messages per second.
< L >og Source/Forwarding: Switch between Forwarding connections and Log Sources tables
< C >ycle period: Switch of time period (current, 1mn, 5mn, 15mn, 24h, uptime)
< S >ort table: Sort by collected values (descending) or by name
< 1 >: Displays the Summary view
< 2 >: Displays the Status view
< 3 >: Displays the Metrics view
< 4 >: Displays the Trend view
< 5 >: Displays the Real Time view
< Q >: Quit the UCMon tool
Forwarding Connection Metrics

Uptime: Time when the UC has been started
Current Time: Current date and time are automatically refreshed
Forwarding Connection
Format: Format of the displayed values (messages or mps)
Period: Period of time when the data are displayed (since uptime, 1min, 5 min, 15 min, 24h)
Sort: Sorting order of Forwarding connection: By name/ In values (descending)
IN: Input log rate
OUT: Number of forwarded logs coming out from the spool
Usage: Current Forwarding connection spool load

Interactive menu
1-n/n: Scrolls the tables into view
< N >ext/< P >revious: Displays the next or previous view of the list of Log Sources
< F >ormat data: Switch between messages or messages per second
< L >og Source/Forwarding: Switch between Forwarding connections and Log Sources tables
< C >ycle period: Switch of time period (current, 1mn, 5mn, 15mn, 24h, uptime)
< S >ort table: Sort by IN (descending) or by name
< 1 >: Displays the Summary view
< 2 >: Displays the Status view
< 3 >: Displays the Metrics view
< 4 >: Displays the Trend view
< 5 >: Displays the Real Time view
< Q >: Quit the UCMon tool
Trends Screen

To switch between Log Sources and Forwarding connection views, press L.

Log Source Trends

Uptime: Time when the UC has been started
Current Time: Current date and time are automatically refreshed
Log Source: Name of the Log Source
Format: Format of the displayed values (messages or mps)
Display: Type of display. The possible values are:
    Collected
    Filtered
    Forwarded
Forwarding Conn.: Name of the Forwarding connection
current, 1min, 5min, 1h, 24h, since uptime: Log rate over different time periods:
    n/a: value not available

Interactive menu
1-n/n: Scrolls the tables into view
< N >ext/< P >revious: Displays the next or previous view of the list of Log Sources
< F >ormat data: Switch between messages or messages per second
< L >og Source/Forwarding: Switch between Forwarding connections and Log Sources tables
< D >isplay: Displays the values for different probes:
    Forwarding connection data type: IN or OUT
    Log Source data type (Collected, Filtered, Forwarded)
< 1 >: Displays the Summary view
< 2 >: Displays the Status view
< 3 >: Displays the Metrics view
< 4 >: Displays the Trend view
< 5 >: Displays the Real Time view
< Q >: Quit the UCMon tool

Forwarding Connection Trends

Uptime: Time when the UC has been started
Current Time: Current date and time are automatically refreshed
Forward Connection
Format: Format of the displayed values (messages or mps)
Display: Type of display. The possible values are:
    IN
    OUT
current, 1min, 5min, 1h, 24h, since uptime: Log rate over different time periods:
    n/a: value not available

Interactive menu
1-n/n: Scrolls the tables into view
< N >ext/< P >revious: Displays the next or previous Forwarding connection and Log Sources
< F >ormat data: Switch between messages or messages per second
< L >og Source/Forwarding: Switch between Forwarding connections and Log Sources tables
< D >isplay: Displays the values for different probes:
    Forwarding connection data type: IN or OUT
    Log Source data type (Collected, Filtered, Forwarded)
< 1 >: Displays the Summary view
< 2 >: Displays the Status view
< 3 >: Displays the Metrics view
< 4 >: Displays the Trend view
< 5 >: Displays the Real Time view
< Q >: Quit the UCMon tool

RealTime Screen

To switch between Log Sources and Forwarding connection views, press L.

Log Sources RealTime

Uptime: Time when the UC has been started
Current Time: Current date and time are automatically refreshed
Log Source: Name of the Log Source
Display: Type of display. The possible values are:
    Collected
    Filtered
    Forwarded
current, 1min, 5min, 1h, 24h, since uptime: Log rate over different time periods:
    n/a: value not available

Interactive menu
1-n/n: Scrolls the tables into view
< N >ext/< P >revious: Displays the next or previous Forwarding connection and Log Sources
< L >og Source/Forwarding: Switch between Forwarding connections and Log Sources tables
< D >isplay: Displays the values for different probes:
    Forwarding connection data type: IN or OUT
    Log Source data type (Collected, Filtered, Forwarded)
< 1 >: Displays the Summary view
< 2 >: Displays the Status view
< 3 >: Displays the Metrics view
< 4 >: Displays the Trend view
< 5 >: Displays the Real Time view
< Q >: Quit the UCMon tool

Forwarding Connection RealTime

Uptime: Time when the UC has been started
Current Time: Current date and time are automatically refreshed
Forwarding Connection
Display: Type of display. The possible values are:
    IN
    OUT
current, 1min, 5min, 1h, 24h, since uptime: Log rate over different time periods:
    n/a: value not available

Interactive menu
1-n/n: Scrolls the tables into view
< N >ext/< P >revious: Displays the next or previous Forwarding connection and Log Sources
< L >og Source/Forwarding: Switch between Forwarding connections and Log Sources tables
< D >isplay: Displays the values for different probes:
    Forwarding connection data type: IN or OUT
    Log Source data type (Collected, Filtered, Forwarded)
< 1 >: Displays the Summary view
< 2 >: Displays the Status view
< 3 >: Displays the Metrics view
< 4 >: Displays the Trend view
< 5 >: Displays the Real Time view
< Q >: Quit the UCMon tool
Command Line Interface

The Command Line Interface (CLI) interacts with the local Universal Collector. You can make a configuration active and reload the current configuration, check the current configuration, manage the security certificates, encrypt passwords or import several Log Sources in a row.

To start a Command Line Interface, open a shell in the following path:

Operating System: CLI
Windows: C:\Program Files\LogLogic\Universal Collector\tools\
RHEL, SUSE, Solaris: /opt/loglogic/universal_collector/tools/

The extension of the file to execute in order to run the commands differs on each UC supported OS:
    Windows: uc_*.bat
    RHEL, SUSE, Solaris: no extension

All the samples are given for RHEL, SUSE and Solaris environments. For Windows environment, use the same command with *.bat.

cert_mgt Manage the Security Certificates

UC does not have to be started.

Request for *.pem:
    cert_mgt request -pem <certfile> -csr <fileresult> -pwd <password>
Request for *.ks:
    cert_mgt request -jks <file.ks> -pwd <password> -csr <fileresult.csr>
Request for *.p12:
    cert_mgt request -p12 <file.p12> -pwd <password> -csr <fileresult.csr>
Import for *.ks:
    cert_mgt import -jks <file.ks> -pwd <password> -cert <certtoimport> -rootcert <rootcertificate>
Import for *.p12:
    cert_mgt import -p12 <file.p12> -pwd <password> -cert <certtoimport>
Get help on the certificates:
    cert_mgt -h
    cert_mgt request -h
    cert_mgt import -h
Get information on the tool version:
    cert_mgt -v <nameofconf>

uc_checkconf Check the Current Configuration

UC must be started.

Indicate validity of the configuration and displays potential errors and warnings:
    uc_checkconf -ucc <nameofconf>
Get help on the tool:
    uc_checkconf -h
Indicate the port to connect to the UC:
    uc_checkconf -ucc <nameofconf> -p <portnumber>
Get information on the tool version:
    uc_checkconf -v

uc_createlogsources Import and Create Several Log Sources at a time

UC does not have to be started.

Indicate the type of Log Sources to import (Windows Event Log, syslog, file, remotefile):
    uc_createlogsources -t <windows, syslog, file, remotefile>
Import a CSV file with Log Source information to create a Log Source:
    uc_createlogsources -in <pathname>
Indicate the *.ucc file where to export the Log Source information:
    uc_createlogsources -out <pathname>
Force the command without any confirmation:
    uc_createlogsources -f

uc_decodepwd Decode Passwords for Windows Files

UC does not have to be started.

Allows decoding password:
    /opt/loglogic/universalcollector/tools/uc_decodepwd <passwordtodecode>

uc_encryptpwd Encrypt Passwords for Windows Files

UC does not have to be started.

Allows encoding password:
    /opt/loglogic/universalcollector/tools/uc_encryptpwd <passwordtoencrypt>

uc_monitor UCMon Tool

UC does not have to be started.

Indicates the UC port to which the UCMon listens (if not default port):
    /opt/loglogic/universalcollector/tools/uc_monitor -p <portnumber>

uc_reload Reload Configuration

UC must be started.

This command is used to update the active configuration without stopping the whole process. To update the current configuration, the command is:
    For Windows: uc_reload.bat
    For RHEL, SUSE, Solaris: uc_reload

Example 1: You want to update the active configuration conf1.
Enter the command to apply a new configuration to the UC via the CLI located in <INSTALL_DIR>/tools.
    \uc_reload.bat
The active configuration is updated.

Example 2: You want to check the impacted process during an update of the configuration. Enter the following command:
    uc_reload.bat -dryrun -vb

Reload the current configuration to apply changes:
    uc_reload
There is no need to enter the name of the configuration as it is the current configuration, which is automatically updated.

uc_saveactiveconfas Save an Active Configuration

UC does not have to be started.

Save a configuration currently in use:
    uc_saveactiveconfas <pathname\confname.ucc>
Force to save a configuration currently in use even if it already exists:
    uc_saveactiveconfas <pathname\confname.ucc> -f

uc_switchto Make Configuration Active

UC must be started.

Activate UC Configuration:
    uc_switchto -ucc <nameofconf>
Simulate the change of the active UC configuration. Displays possible errors and warnings in the stored configuration and changes between active and stored configurations:
    uc_switchto -ucc <nameofconf> -dryrun
Get help on the Switch command:
    uc_switchto -h
Indicate the port to connect to the UC:
    uc_switchto -ucc <nameofconf> -p <portnumber>
Get information on the Switch version:
    uc_switchto -v
Activate UC Configuration and display verbose information:
    uc_switchto -ucc <nameofconf> -vb

Switching from One Configuration to Another

It is possible to switch from one configuration to another one. To apply a new configuration, the command is:
    uc_switchto.bat -ucc {myconf} (under Windows)
    uc_switchto -ucc {myconf} (under RHEL, SUSE, Solaris)

In case of an error, the configuration switch is interrupted and the configuration error is logged in the uc.log file.

Example: You want to switch from the current configuration conf1 to conf2. Enter the command to apply a new configuration to the UC via the CLI located in <INSTALL_DIR>/tools.
    \uc_switchto.bat -ucc c:\tmp\conf2
The current configuration is now conf2.

Checking the Impacted Processes

It is possible to check which log sources and Forwarding connections are impacted by the new configuration without having to apply it. To check the impact on the processes:
    -dryrun gives information on the switch or the update of configurations
    -dryrun -vb gives detailed information on the switch or the update of configurations

Example: You want to check the impacted process during a switch of configurations. Enter the following command:
    uc_switchto.bat -ucc {uc.conf.file}.ucc -dryrun -vb

You can obtain something like this:
3 configuration files checked
1 Log Source config updated
1 SYSLOG Log Source config updated
2 Forwarding connection updated (1 created, 1 removed)

1 LS Config Updated
============================================================
syslog.1 UPDATE

2 Forwarding Config Updated
============================================================
MyCuteLmi2 REMOVE
MyCuteLmi CREATE

WARNING data may not have been collected during the switch configuration operation, the log sources [syslog.1] may have been impacted
WARNING data contained in Forwarding connection spool of [MyCuteLmi2] may have been lost if remote Forwarding connection was not available
SUCCESS-[conf3]
DryRun mode : No change has been applied to the running configuration

Limitations

During a switch process, some limitations may occur.

First case: if you remove or update a Syslog Log Source, you may stop the flow and lose some data.

Second case: if you switch from a Forwarding connection to another one for a given Syslog Log Source, you may lose a few events. This behavior is rare though.

Third case: if you remove a Forwarding connection or modify the values of the buffer size while the connection to the Forwarding connection is not available (for example, network failure), the Forwarding connection buffer will try to empty itself by sending the remaining data to the Forwarding connection. This will cause the loss of the buffer content during the time-out.
Sample Configuration Files

In the installation directory, the folder <config-samples> contains the templates you can copy to create a complete configuration manually without using UC Console.

sample-commented.ucc contains documented XML files.
sample-lite.ucc contains XML files with mandatory tags only without documentation.
sample.ucc contains XML files with all the tags without documentation.

When you unzip one of them, you obtain:

uc.xml file: allows the configuration of the UC's general information.
log-sources sub-folder: contains documented templates to define a log source. It is what you can find under the Collection tab in the GUI.
uldp sub-folder: contains documented templates to define the Forwarding connections. It is what you can find under the Forwarding tab or when editing a Forwarding Connection in the GUI.

UC Configuration uc.xml

You must unzip sample.ucc to display the uc.xml file, which contains the information you can find under the General Settings tab in the GUI.

<!-- This is the Universal Collector configuration file.
     The uc.xml file contains the Universal Collector general parameters. -->
<uc schemaversion="2.0">
  <!-- Enter the UC configuration label. This value is mandatory -->
  <configurationname>samplecommented</configurationname>
  <!-- Enter the UC domainname label. This value is not mandatory -->
  <domainname>sampledomainname</domainname>
  <!-- Enter the port used by the UC to get information (for example, status, metrics, memory used...) via the CLI.
       Make sure this port is not already used. Otherwise the UC cannot work.
  -->
  <uccommunicationport>1099</uccommunicationport>
  <!-- If a Syslog Log Source is used, enter general information about the Syslog collection process -->
  <syslogcollection>
    <!-- Enter the TCP/UDP parameter and socket buffer size (in kilobytes) - this parameter applies to all the Syslog Log Sources associated to the UC -->
    <socketbuffersize>1024</socketbuffersize>
    <!-- UDP parameter and max packet size (in kilobytes) - this parameter applies to all the Syslog Log Sources associated to the UC -->
    <udpmaxpacketsize>8</udpmaxpacketsize>
  </syslogcollection>
</uc>
LMI Connection uldp-samplecommented.uldp.xml

<!-- The LMI Connection Configuration file defines the properties for connecting the Universal Collector (UC) with an LMI server.
     Log source logs are sent from the UC to the LMI server.
     IMPORTANT: this file is linked with the LMI Connection Configuration files and its name must be composed of:
     - an ID, for example, uldp-sample
     - an extension, i.e. *.uldp.xml. -->
<uldpconnection schemaversion="2.0">
  <!-- Enter the label of the LMI connection -->
  <name>full_uldp_file</name>
  <!-- Enter the information about the modification of the LMI connection -->
  <revision>
    <!-- Enter the version number of the current LMI Connection file -->
    <version>12</version>
    <!-- Enter the name of the LMI connection author -->
    <author>admin</author>
    <!-- Enter the date and time of the LMI connection creation -->
    <creationdate> t01:00:00-05:00</creationdate>
    <!-- Enter the name of the user who last modified the LMI connection -->
    <lastmodifiedby>admin</lastmodifiedby>
    <!-- Enter the date and time of the LMI connection last modification -->
    <lastmodifieddate> t01:00:00-05:00</lastmodifieddate>
  </revision>
  <!-- Enter the IPv4 / IPv6 address or host name of the LMI -->
  <address> </address>
  <!-- Enter the LMI port (either encrypted or not) for connection with LMI 5.0 and 5.1 (default value) for secured connection with LMI 5.0 or later for connection with LMI 5.2 or later -->
  <port>5514</port>
  <!-- If the connection is slow, you can configure the logs to be compressed for a more rapid flow of data.
       Define whether the logs are compressed (true) or not (false - default value). -->
  <compression>true</compression>
  <!-- Define whether the logs are sent to the LMI during a certain period of time (true) - called a time window - or not (false - default value) -->
  <sendingwindow>true</sendingwindow>
  <!-- Define the beginning of the time window. If sendingwindow = true in the above parameter, define the time (hour and minute) when the event starts to be sent (default value = 22:00). -->
  <sendingwindowstart>22:00</sendingwindowstart>
  <!-- Define the end of the time window. If you set sendingwindow = true in the above parameter, define the time (hour and minute) when the event stops to be sent (default value = 05:00). -->
  <sendingwindowstop>05:00</sendingwindowstop>
  <!-- Define whether the communication is authenticated (true) or not (false - default value) -->
  <authentication>false</authentication>
  <!-- Define whether the communication is encrypted (true) or not (false - default value) -->
  <encryption>false</encryption>
  <!-- Enter the general LMI connection properties -->
  <uldpforwarder>
    <!-- If there are multiple network interfaces, enter the IP address that the UC uses when establishing the connection to LMI. -->
    <ucbindingip> </ucbindingip>
    <!-- Enter the spooler size in megabytes (100 MB - default value, 50 GB - maximum value) -->
    <spoolersize>100</spoolersize>
    <!-- Enter the reconnection frequency to the LMI (in seconds) -->
    <reconnectionfrequency>60</reconnectionfrequency>
    <!-- Enter the session timeout to LMI (in seconds) -->
    <sessiontimeout>600</sessiontimeout>
    <!-- Define whether the UC internal logs are sent to the remote LMI (true) or not (false - default value) -->
    <internaluclogs>false</internaluclogs>
  </uldpforwarder>
</uldpconnection>

LMI Connection uldp-samplecommentedauthjks.uldp.xml

<!-- The LMI Connection file defines the properties for connecting the Universal Collector (UC) with an LMI server.
     Log source logs are sent from the UC to the LMI server.
     IMPORTANT: this file is linked with the LMI connection files and its name must be composed of:
     - an ID, for example, uldp-sample
     - an extension, i.e. *.uldp.xml. -->
<uldpconnection schemaversion="2.0">
  <!-- Enter the label of the LMI connection -->
  <name>full_uldp_file</name>
  <!-- Enter the information about the modification of the LMI connection -->
  <revision>
    <!-- Enter the version number of the current LMI connection -->
    <version>12</version>
    <!-- Enter the name of the LMI connection author -->
    <author>admin</author>
    <!-- Enter the date and time of the LMI connection creation -->
    <creationdate> t01:00:00-05:00</creationdate>
    <!-- Enter the name of the user who last modified the LMI connection -->
    <lastmodifiedby>admin</lastmodifiedby>
    <!-- Enter the date and time of the LMI connection last modification -->
    <lastmodifieddate> t01:00:00-05:00</lastmodifieddate>
  </revision>
  <!-- Enter the IPv4 / IPv6 address or host name of the LMI -->
  <address> </address>
  <!-- Enter the LMI port (either encrypted or not) for connection with LMI 5.0 and 5.1 (default value) for secured connection LMI 5.0 or later for connection with LMI 5.2 or later -->
  <port>5515</port>
  <!-- If the connection is slow, you can configure the logs to be compressed for a more rapid flow of data.
       Define whether the logs are compressed (true) or not (false - default value). -->
  <compression>true</compression>
  <!-- Define whether the logs are sent to the LMI during a certain period of time (true) - called a time window - or not (false - default value) -->
  <sendingwindow>true</sendingwindow>
  <!-- Define the beginning of the time window. If sendingwindow = true in the above parameter, define the time (hour and minute) when the event starts to be sent (default value = 22:00). -->
  <sendingwindowstart>22:00</sendingwindowstart>
  <!-- Define the end of the time window. If you set sendingwindow = true in the above parameter, define the time (hour and minute) when the event stops to be sent (default value = 05:00). -->
  <sendingwindowstop>05:00</sendingwindowstop>
  <!-- Define whether the communication is authenticated (true) or not (false - default value) -->
  <authentication>true</authentication>
  <!-- Define whether the communication is encrypted (true) or not (false - default value) -->
  <encryption>false</encryption>
  <!-- Define the options of the certificate used for LMI connection -->
  <certificate>
    <jks>
      <!-- Enter the filename where the UC Java keystore will be generated -->
      <jksfile>sample.jks</jksfile>
      <!-- Enter the UC Java keystore mandatory password you have encrypted with the UC password encryption tool,
           e.g. "LSKS9bw/t01FqNd4P3l3pgeOy/N/qqqlEzG+QC/kfDq0LVXTPVgziQ==" is the encrypted password for "jdoepassword". -->
      <password>LSKS9bw/t01FqNd4P3l3pgeOy/N/qqqlEzG+QC/kfDq0LVXTPVgziQ==</password>
      <!-- Define whether the UC internal logs are sent to the remote LMI (true) or not (false - default value) -->
      <internaluclogs>false</internaluclogs>
    </jks>
  </certificate>
</uldpconnection>

LMI Connection uldp-samplecommentedauthpem.uldp.xml

<!-- The LMI Connection Configuration file defines the properties for connecting the Universal Collector (UC) with an LMI server.
     Log source logs are sent from the UC to the LMI server.
     IMPORTANT: this file is linked with the LMI Connection Configuration files and its name must be composed of:
     - an ID, for example, uldp-sample
     - an extension, i.e. *.uldp.xml. -->
<uldpconnection schemaversion="2.0">
  <!-- Enter the label of the LMI connection -->
  <name>full_uldp_file</name>
  <!-- Enter the information about the modification of the LMI connection -->
  <revision>
    <!-- Enter the version number of the current LMI Connection Configuration file -->
    <version>12</version>
    <!-- Enter the name of the LMI connection author -->
    <author>admin</author>
    <!-- Enter the date and time of the LMI connection creation -->
    <creationdate> t01:00:00-05:00</creationdate>
    <!-- Enter the name of the user who last modified the LMI connection -->
    <lastmodifiedby>admin</lastmodifiedby>
    <!-- Enter the date and time of the LMI connection last modification -->
    <lastmodifieddate> t01:00:00-05:00</lastmodifieddate>
  </revision>
  <!-- Enter the IPv4 / IPv6 address or host name of the LMI -->
  <address> </address>
  <!-- Enter the LMI port (either encrypted or not) for connection with LMI 5.0 and 5.1 (default value) for secured connection LMI 5.0 or later for connection with LMI 5.2 or later -->
  <port>5515</port>
  <!-- If the connection is slow, you can configure the logs to be compressed for a more rapid flow of data.
       Define whether the logs are compressed (true) or not (false - default value). -->
  <compression>true</compression>
  <!-- Define whether the logs are sent to the LMI during a certain period of time (true) - called a time window - or not (false - default value) -->
  <sendingwindow>true</sendingwindow>
  <!-- Define the beginning of the time window. If sendingwindow = true in the above parameter, define the time (hour and minute) when the event starts to be sent (default value = 22:00). -->
  <sendingwindowstart>22:00</sendingwindowstart>
  <!-- Define the end of the time window. If you set sendingwindow = true in the above parameter, define the time (hour and minute) when the event stops to be sent (default value = 05:00). -->
  <sendingwindowstop>05:00</sendingwindowstop>
  <!-- Define whether the communication is authenticated (true) or not (false - default value) -->
  <authentication>true</authentication>
  <!-- Define whether the communication is encrypted (true) or not (false - default value) -->
  <encryption>false</encryption>
  <!-- Define the options of the certificate used for LMI connection -->
  <certificate>
    <!-- Define whether the UC internal logs are sent to the remote LMI (true) or not (false - default value) -->
    <internaluclogs>false</internaluclogs>
    <pem>
      <!-- Enter the filename of the UC private key stored in PEM format -->
      <pemprivkeyfile>pemprivkeyfile</pemprivkeyfile>
      <!-- Enter the private key mandatory password you have encrypted with the UC password encryption tool,
           e.g. "LSKS9bw/t01FqNd4P3l3pgeOy/N/qqqlEzG+QC/kfDq0LVXTPVgziQ==" is the encrypted password for "jdoepassword". -->
      <password>LSKS9bw/t01FqNd4P3l3pgeOy/N/qqqlEzG+QC/kfDq0LVXTPVgziQ==</password>
      <!-- Enter the filename of the UC certificate stored in PEM format -->
      <pemcertfile>pemcertfile</pemcertfile>
      <!-- Enter the filename of the root CA certificate stored in PEM format -->
      <pemrootcertfile>pemrootcertfile</pemrootcertfile>
    </pem>
  </certificate>
</uldpconnection>

LMI Connection uldp-samplecommentedauthpks12.uldp.xml

<!-- The LMI Connection Configuration file defines the properties for connecting the Universal Collector (UC) with an LMI server.
     Log source logs are sent from the UC to the LMI server.
     IMPORTANT: this file is linked with the LMI Connection Configuration files and its name must be composed of:
     - an ID, for example, uldp-sample
     - an extension, i.e. *.uldp.xml. -->
<uldpconnection schemaversion="2.0">
  <!-- Enter the label of the LMI connection -->
  <name>full_uldp_file</name>
  <!-- Enter the information about the modification of the LMI connection -->
  <revision>
    <!-- Enter the version number of the current LMI Connection Configuration file -->
    <version>12</version>
    <!-- Enter the name of the LMI connection author -->
    <author>admin</author>
    <!-- Enter the date and time of the LMI connection creation -->
    <creationdate> t01:00:00-05:00</creationdate>
    <!-- Enter the name of the user who last modified the LMI connection -->
    <lastmodifiedby>admin</lastmodifiedby>
    <!-- Enter the date and time of the LMI connection last modification -->
    <lastmodifieddate> t01:00:00-05:00</lastmodifieddate>
  </revision>
  <!-- Enter the IPv4 / IPv6 address or host name of the LMI -->
  <address> </address>
  <!-- Enter the LMI port (either encrypted or not) for connection with LMI 5.0 and 5.1 (default value) for secured connection LMI 5.0 or later for connection with LMI 5.2 or later -->
  <port>5515</port>
  <!-- If the connection is slow, you can configure the logs to be compressed for a more rapid flow of data.
       Define whether the logs are compressed (true) or not (false - default value). -->
  <compression>true</compression>
  <!-- Define whether the logs are sent to the LMI during a certain period of time (true) - called a time window - or not (false - default value) -->
  <sendingwindow>true</sendingwindow>
  <!-- Define the beginning of the time window. If sendingwindow = true in the above parameter, define the time (hour and minute) when the event starts to be sent (default value = 22:00). -->
  <sendingwindowstart>22:00</sendingwindowstart>
  <!-- Define the end of the time window. If you set sendingwindow = true in the above parameter, define the time (hour and minute) when the event stops to be sent (default value = 05:00). -->
  <sendingwindowstop>05:00</sendingwindowstop>
  <!-- Define whether the communication is authenticated (true) or not (false - default value) -->
  <authentication>true</authentication>
  <!-- Define whether the communication is encrypted (true) or not (false - default value) -->
  <encryption>false</encryption>
  <!-- Define the options of the certificate used for LMI connection -->
  <certificate>
    <pkcs12>
      <!-- Enter the UC PKCS#12 certificate's filename -->
      <p12certfile>p12certfile</p12certfile>
      <!-- Enter the PKCS#12 certificate's mandatory password you have encrypted with the UC password encryption tool,
           e.g. "LSKS9bw/t01FqNd4P3l3pgeOy/N/qqqlEzG+QC/kfDq0LVXTPVgziQ==" is the encrypted password for "jdoepassword". -->
      <password>LSKS9bw/t01FqNd4P3l3pgeOy/N/qqqlEzG+QC/kfDq0LVXTPVgziQ==</password>
      <!-- Enter the filename of the root CA certificate stored in PEM format -->
      <pemrootcertfile>pemrootcertfile</pemrootcertfile>
      <!-- Define whether the UC internal logs are sent to the remote LMI (true) or not (false - default value) -->
      <internaluclogs>false</internaluclogs>
    </pkcs12>
  </certificate>
</uldpconnection>

This file is located in <InstallFolder>\config-samples\. You must unzip sample.ucc and open the log-sources folder.

Log Sources file-samplecommented.ls.xml

<!-- This is the FILE Log Source configuration file.
     The logs will be directly forwarded to the LMI appliance.
     IMPORTANT: The file name must be composed of:
     - an ID, for example, file-sample
     - an extension, i.e. *.ls.xml. -->
<!-- The Type refers to the type of Log Source. -->
<logsource type="file" schemaversion="2.0">
  <general>
    <!-- Define whether the current Log Source is active (true - default value) or inactive (false) -->
    <active>true</active>
    <!-- Enter the FILE configuration label -->
    <name>ls-file-template</name>
    <!-- Enter the FILE configuration description -->
    <description>comment of the ls-file-template</description>
    <!-- Enter the modification of the FILE configuration -->
    <revision>
      <!-- Enter the current FILE configuration file version number -->
      <version>12</version>
      <!-- Enter the FILE file author's name -->
      <author>admin</author>
      <!-- Enter the name of the user who last modified the file -->
      <lastmodifiedby>admin</lastmodifiedby>
      <!-- Enter the date and time of the FILE creation -->
      <creationdate> t01:00:00-01:00</creationdate>
      <!-- Enter the FILE last modification date and time -->
      <lastmodifieddate> t03:40:10-01:00</lastmodifieddate>
    </revision>
  </general>
  <!-- Enter log forwarding information -->
  <forwarding>
    <!-- Enter the information about the LMI connection necessary to send logs from the UC to the LMI server -->
    <uldp>
      <!-- Enter the LMI connection ID without the extension, e.g. uldp-sample -->
      <connectionid>uldp-samplecommented</connectionid>
      <!-- Define whether the log message sent to the LMI server remains in a local time zone (false - default value) or is converted into UTC (true) time zone -->
      <timeinutc>false</timeinutc>
    </uldp>
  </forwarding>
  <!-- Enter log collection information -->
  <collection>
    <!-- Enter the possible maximum length for the message ( default value) -->
    <maxlinelength>65000</maxlinelength>
    <!-- Enter the data format, for example, UTF8 -->
    <charsetname></charsetname>
    <!-- Enter general information about the file where the logs are located -->
    <filename>
      <!-- Enter the absolute path of the log file to collect.
           If the log file is rotated, you may enter [id] or [date] in the filename,
           for example, c:\temp\logfile[id].log to obtain file names such as logfile1.log
           or c:\temp\logfile[date].log to obtain file names such as logfile log -->
      <absolutepath>c:\temp\logfile.log</absolutepath>
      <!-- If you have entered [date] for the tag <absolutepath> above (e.g. c:\temp\logfile[date].log), you must set this parameter to true (false - default value) -->
      <usedaterolling>false</usedaterolling>
      <!-- If you have set the tag <usedaterolling> to true, you must enter a date format, e.g. yyyymmdd (see SimpleDateFormat.html ) -->
      <dateformat>yyyymmdd</dateformat>
      <!-- If you have entered [id] for the tag <absolutepath> above (e.g. c:\temp\logfile[id].log), you must set this parameter to true (false - default value) -->
      <useidrolling>false</useidrolling>
      <!-- If you have set the tag <useidrolling> to true, you must enter the number of digits expected (1-9).
           UC can collect any file with an [id] whose number of digits is between 1 and 9 inclusive.
           E.g. If you set 5, the following [id] will be taken into account: 1, 054, 586, 00599, 78945, etc. -->
      <nbdigit>2</nbdigit>
    </filename>
  </collection>
  <!-- Enter log processing information -->
  <processing>
    <!-- Define whether the single message has several lines -->
    <multiline>
      <!-- Define whether the current multi-line function is active (true) or inactive (false - default value) -->
      <active>false</active>
      <!-- Enter the type of multi-line logs, (jboss - default value) 'jboss', 'tomcat', 'weblogic', 'websphere' or 'custom' -->
      <linecombinerid>jboss</linecombinerid>
      <!-- If you set 'custom' in the <linecombinerid> parameter above, you must set a regular expression matching the header of the first line of a log -->
      <userdefinedregexp></userdefinedregexp>
      <!-- Enter whether you want the UC to send messages that do not match the Header Regexp (true) or not (false - default value) -->
      <keepheadlesslog>false</keepheadlesslog>
      <!-- Enter the number of ms after which the multi-line logs are ready to be sent -->
      <linetimeout>3000</linetimeout>
    </multiline>
    <!-- Enter the name of the host used to pair logs on the LMI server -->
    <hostname>customhostname.com</hostname>
    <!-- Enter the name of the application used to pair logs on the LMI server -->
    <appname>customapplicationname</appname>
  </processing>
  <!-- Enter log filtering information -->
  <filter>
    <!-- Enter a case insensitive regular expression to specify the messages to be matched. E.g.
         "packet accepted" means that all the lines containing packet accepted are filtered
         "^64\.242" means that all the lines that are beginning exactly with are filtered
         "846$" means that all the lines that are ending exactly with 846 are filtered -->
    <messagefilter>packet accepted</messagefilter>
    <!-- Define whether the matched messages are filtered (false - default value) or not (true) -->
    <matchacceptedmessage>false</matchacceptedmessage>
  </filter>
  <!-- Enter a tag to filter, sort and search for log sources. Tags are case sensitive. -->
  <tags>
    <!-- You can enter as many tags as you need. The possible values are ._a-zA-Z0-9 and blank space. -->
    <tag>sample</tag>
    <tag>commented</tag>
  </tags>
</logsource>

Log Sources syslog-samplecommented.ls.xml

<!-- This is the SYSLOG Log Source configuration file.
     The source of logs to be forwarded is a SYSLOG message.
     IMPORTANT: The file name must be composed of:
     - an ID, for example, syslog-sample
     - an extension, i.e. *.ls.xml. -->
<!-- The Type refers to the type of Log Source. -->
<logsource type="syslog" schemaversion="2.0">
  <general>
    <!-- Define whether the current Log Source is active (true - default value) or inactive (false) -->
    <active>true</active>
    <!-- Enter the SYSLOG configuration label -->
    <name>ls-syslog-template</name>
    <!-- Enter the SYSLOG file description information -->
    <description>comment of the ls-syslog-template</description>
    <!-- Enter the information about the modification of the SYSLOG configuration -->
    <revision>
      <!-- Enter the SYSLOG file author's name -->
      <author>admin</author>
      <!-- Enter the name of the user who last modified the SYSLOG file -->
      <lastmodifiedby>admin</lastmodifiedby>
      <!-- Enter the date and time of the SYSLOG file creation -->
      <creationdate> t01:00:00-01:00</creationdate>
      <!-- Enter the SYSLOG file last modification date and time -->
      <lastmodifieddate> t03:40:10-01:00</lastmodifieddate>
    </revision>
  </general>
  <!-- Enter log forwarding information -->
  <forwarding>
    <!-- Enter the information about the LMI connection necessary to send logs from the UC to the LMI server -->
    <uldp>
      <!-- Enter the LMI connection ID without the extension, e.g. uldp-sample -->
      <connectionid>uldp-sample</connectionid>
      <!-- Define whether the log message sent to the LMI server remains in a local time zone (false - default value) or is converted into UTC (true) time zone -->
      <timeinutc>false</timeinutc>
    </uldp>
  </forwarding>
  <!-- Enter log collection information -->
  <collection>
    <!-- If there are multiple network interfaces, enter the IP address to listen to the logs. Otherwise, all the IP addresses are listened to. -->
    <ip> </ip>
    <!-- Enter the port to listen to logs -->
    <port>514</port>
    <!-- Define whether the Log Source uses the udp (default value) or tcp SYSLOG protocol. Attention: 'udp' or 'tcp' must be in lower case -->
    <protocol>udp</protocol>
  </collection>
  <!-- Enter log filtering information -->
  <filter>
    <!-- Enter the minimum accepted severity (see RFC 3164) -->
    <severity>6</severity>
    <!-- Enter the accepted facilities (see RFC 3164)
         To indicate what are the facilities to be accepted:
         - use a '-' to indicate a range, e.g
         - use a ';' to indicate the exact facilities, e.g. 1;8;23
         - use '-' and ';' to indicate the exact facilities and a range, e.g. 1;8-23
         Note: 0-23 is the default value -->
    <facilities>0-23</facilities>
    <!-- Enter the regular expression to filter the accepted source host. All the logs from all the IP addresses are collected if .* (default value) is set. -->
    <sourceip>.*</sourceip>
  </filter>
  <!-- Enter a tag to filter, sort and search for log sources. Tags are case sensitive. -->
  <tags>
    <!-- You can enter as many tags as you need. The possible values are ._a-zA-Z0-9 and blank space. -->
    <tag>sample</tag>
    <tag>commented</tag>
  </tags>
</logsource>

Log Sources wmi-samplecommented.ls.xml

<!-- This is the WEL Log Source configuration file.
     All the events about the machine's Windows journals will be forwarded.
     IMPORTANT: The file name must be composed of:
     - an ID, for example, wmi-sample
     - an extension, i.e. *.ls.xml. -->
<!-- The Type refers to the type of Log Source. -->
<logsource type="wmi" schemaversion="2.0">
  <general>
    <!-- Define whether the current Log Source is active (true - default value) or inactive (false) -->
    <active>true</active>
    <!-- Enter the WEL configuration label -->
    <name>ls-win-template</name>
    <!-- Enter the WEL configuration file description -->
    <description>comment of the ls-win-template</description>
    <!-- Enter the modification of the WEL configuration -->
    <revision>
      <!-- Enter the current WEL configuration file version number -->
      <version>12</version>
      <!-- Enter the WEL file author's name -->
      <author>admin</author>
      <!-- Enter the name of the user who last modified the WEL file -->
      <lastmodifiedby>admin</lastmodifiedby>
      <!-- Enter the date and time of the WEL file creation -->
      <creationdate> t01:00:00-01:00</creationdate>
      <!-- Enter the WEL file last modification date and time -->
      <lastmodifieddate> t03:40:10-01:00</lastmodifieddate>
    </revision>
  </general>
  <!-- Enter log forwarding information -->
  <forwarding>
    <!-- Enter the information about the LMI connection necessary to send logs from the UC to the LMI server -->
    <uldp>
      <!-- Enter the LMI connection ID without the extension, e.g. uldp-sample -->
      <connectionid>uldp-samplecommented</connectionid>
      <!-- Define whether the log message sent to the LMI server remains in a local time zone (false - default value) or is converted into UTC (true) time zone -->
      <timeinutc>false</timeinutc>
    </uldp>
  </forwarding>
  <!-- Enter log collection information -->
  <collection>
    <!-- Enter the domain name to access the Windows server -->
    <domain>domain.company</domain>
    <!-- Enter the IP address to connect to the Windows server. For local collection, enter only a dot. -->
    <address> </address>
    <!-- Enter the login to connect to the Windows server -->
    <login>jdoe</login>
    <!-- To connect to the Windows server, enter the password you have encrypted with the UC password encryption tool,
         for example, "LSKS9bw/t01FqNd4P3l3pgeOy/N/qqqlEzG+QC/kfDq0LVXTPVgziQ==" is the encrypted password for "jdoepassword". -->
    <password>LSKS9bw/t01FqNd4P3l3pgeOy/N/qqqlEzG+QC/kfDq0LVXTPVgziQ==</password>
    <!-- Enter the time period (in seconds) after which the UC checks for new Windows events (10 - default value) -->
    <pollingperiod>10</pollingperiod>
  </collection>
  <!-- Enter filtering information -->
  <filter>
    <!-- Define the WEL journals to include. It can be either:
         - all journals = all (default value)
         - only the journals that are specified in the <journallist> block = only
         - all journals except those specified in the <journallist> block = all_except -->
    <includejournal>only</includejournal>
    <!-- Define the list of journals to include or exclude. Note that the journal name is case sensitive. -->
    <journallist>
      <journal>security</journal>
      <journal>application</journal>
    </journallist>
    <!-- Enter the regular expression to filter the WEL event ID. All the logs are collected if .* (default value) is set. -->
    <eventidfilter>.*</eventidfilter>
    <!-- Enter the regular expression to filter Windows journal messages on source field. All the logs are collected if .* (default value) is set. -->
    <sourcefilter>.*</sourcefilter>
    <!-- Enter the filter operator for the <eventidfilter> and <sourcefilter> tags. It can be either:
         - both filters: and (default value)
         - only one: or -->
    <filteroperator>and</filteroperator>
  </filter>
  <!-- Enter a tag to filter, sort and search for log sources. Tags are case sensitive. -->
  <tags>
    <!-- You can enter as many tags as you need. The possible values are ._a-zA-Z0-9 and blank space. -->
    <tag>sample</tag>
    <tag>commented</tag>
  </tags>
</logsource>
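A check an administrator could run over an unzipped configuration before activating it, added here as an example (it is not TIBCO code): it flags Forwarding connections whose authentication or encryption is left at false, then resolves each log source's connectionid to show which sources inherit that transport, and flags Syslog sources that listen on every interface or accept any source host. Tag names are matched case-insensitively as they appear in this transcription; the finding codes, the sample files and the assumption in read_ucc that a .ucc is a plain zip of XML files are the example's own.

```python
import xml.etree.ElementTree as ET
import zipfile

def read_ucc(path):
    """Assumption: a .ucc is a plain zip archive. Returns {member name: XML bytes}."""
    with zipfile.ZipFile(path) as z:
        return {n: z.read(n) for n in z.namelist() if n.endswith(".xml")}

def _text(root, tag):
    """Text of the first element named `tag` (case-insensitive), '' if absent."""
    for el in root.iter():
        if isinstance(el.tag, str) and el.tag.lower() == tag:
            return (el.text or "").strip()
    return ""

def _file_id(path, ext):
    """'uldp/uldp-sample.uldp.xml' -> 'uldp-sample', the ID that <connectionid> uses."""
    return path.replace("\\", "/").rsplit("/", 1)[-1][:-len(ext)]

def audit(files):
    """Return (file, finding) pairs for a {path: xml} mapping of one configuration."""
    findings, weak = [], {}
    # Pass 1: Forwarding connections. An absent tag means the default, false.
    for path in sorted(p for p in files if p.endswith(".uldp.xml")):
        root = ET.fromstring(files[path])
        codes = [code for tag, code in (("authentication", "NO_AUTH"),
                                        ("encryption", "NO_ENCRYPTION"))
                 if _text(root, tag).lower() != "true"]
        weak[_file_id(path, ".uldp.xml")] = codes
        findings += [(path, c) for c in codes]
    # Pass 2: log sources, resolved against the connections found above.
    for path in sorted(p for p in files if p.endswith(".ls.xml")):
        root = ET.fromstring(files[path])
        if _text(root, "active").lower() == "false":
            continue  # inactive source: nothing is collected or forwarded
        conn = _text(root, "connectionid")
        if conn not in weak:
            findings.append((path, "UNKNOWN_CONNECTION"))
        elif weak[conn]:
            findings.append((path, "WEAK_TRANSPORT:" + "+".join(weak[conn])))
        kind = {k.lower(): v for k, v in root.attrib.items()}.get("type", "").lower()
        if kind == "syslog":
            if not _text(root, "ip"):
                findings.append((path, "ALL_INTERFACES"))  # empty <ip>: every address
            if _text(root, "sourceip") in ("", ".*"):
                findings.append((path, "ANY_SOURCE"))      # default: any sender accepted
    return findings

# Constructed sample, reduced to the tags the audit reads (not a shipped template).
SAMPLE_UCC = {
    "uldp/uldp-clear.uldp.xml": r"""<uldpconnection schemaversion="2.0">
        <authentication>false</authentication><encryption>false</encryption>
      </uldpconnection>""",
    "uldp/uldp-authonly.uldp.xml": r"""<uldpconnection schemaversion="2.0">
        <authentication>true</authentication><encryption>false</encryption>
      </uldpconnection>""",
    "uldp/uldp-secure.uldp.xml": r"""<uldpconnection schemaversion="2.0">
        <authentication>true</authentication><encryption>true</encryption>
      </uldpconnection>""",
    "log-sources/syslog-edge.ls.xml": r"""<logsource type="syslog" schemaversion="2.0">
        <general><active>true</active></general>
        <forwarding><uldp><connectionid>uldp-clear</connectionid></uldp></forwarding>
        <collection><ip> </ip><port>514</port><protocol>udp</protocol></collection>
        <filter><sourceip>.*</sourceip></filter>
      </logsource>""",
    "log-sources/syslog-dmz.ls.xml": r"""<logsource type="syslog" schemaversion="2.0">
        <general><active>true</active></general>
        <forwarding><uldp><connectionid>uldp-secure</connectionid></uldp></forwarding>
        <collection><ip>192.0.2.10</ip><port>514</port><protocol>tcp</protocol></collection>
        <filter><sourceip>^192\.0\.2\.</sourceip></filter>
      </logsource>""",
    "log-sources/syslog-old.ls.xml": r"""<logsource type="syslog" schemaversion="2.0">
        <general><active>false</active></general>
        <forwarding><uldp><connectionid>uldp-clear</connectionid></uldp></forwarding>
      </logsource>""",
    "log-sources/file-app.ls.xml": r"""<logsource type="file" schemaversion="2.0">
        <general><active>true</active></general>
        <forwarding><uldp><connectionid>uldp-missing</connectionid></uldp></forwarding>
      </logsource>""",
}

if __name__ == "__main__":
    for path, finding in audit(SAMPLE_UCC):
        print(f"{path}: {finding}")
```

For a real configuration, pass audit(read_ucc("<pathname>/<confname>.ucc")) a file saved with uc_saveactiveconfas.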
Regular Expressions

Regular expressions provide a concise and flexible means for matching (specifying and recognizing) strings of text, such as particular characters, words, or patterns of characters. They are used when you configure Log Sources.

Construct               Matches

Characters
x                       The character x
\\                      The backslash character
\0n                     The character with octal value 0n (0 <= n <= 7)
\0nn                    The character with octal value 0nn (0 <= n <= 7)
\0mnn                   The character with octal value 0mnn (0 <= m <= 3, 0 <= n <= 7)
\xhh                    The character with hexadecimal value 0xhh
\uhhhh                  The character with hexadecimal value 0xhhhh
\t                      The tab character ('\u0009')
\n                      The newline (line feed) character ('\u000a')
\r                      The carriage-return character ('\u000d')
\f                      The form-feed character ('\u000c')
\a                      The alert (bell) character ('\u0007')
\e                      The escape character ('\u001b')
\cx                     The control character corresponding to x

Character classes
[abc]                   a, b, or c (simple class)
[^abc]                  Any character except a, b, or c (negation)
[a-zA-Z]                a through z or A through Z, inclusive (range)
[a-d[m-p]]              a through d, or m through p: [a-dm-p] (union)
[a-z&&[def]]            d, e, or f (intersection)
[a-z&&[^bc]]            a through z, except for b and c: [ad-z] (subtraction)
[a-z&&[^m-p]]           a through z, and not m through p: [a-lq-z] (subtraction)

Predefined character classes
.                       Any character (may or may not match line terminators)
\d                      A digit: [0-9]
\D                      A non-digit: [^0-9]
\s                      A whitespace character: [ \t\n\x0B\f\r]
\S                      A non-whitespace character: [^\s]
\w                      A word character: [a-zA-Z_0-9]
\W                      A non-word character: [^\w]

POSIX character classes (US-ASCII only)
\p{Lower}               A lower-case alphabetic character: [a-z]
\p{Upper}               An upper-case alphabetic character: [A-Z]
\p{ASCII}               All ASCII: [\x00-\x7F]
\p{Alpha}               An alphabetic character: [\p{Lower}\p{Upper}]
\p{Digit}               A decimal digit: [0-9]
\p{Alnum}               An alphanumeric character: [\p{Alpha}\p{Digit}]
\p{Punct}               Punctuation: One of !"#$%&'()*+,-./:;<=>?@[\]^_`{|}~
\p{Graph}               A visible character: [\p{Alnum}\p{Punct}]
\p{Print}               A printable character: [\p{Graph}]
\p{Blank}               A space or a tab: [ \t]
\p{Cntrl}               A control character: [\x00-\x1F\x7F]
\p{XDigit}              A hexadecimal digit: [0-9a-fA-F]
\p{Space}               A whitespace character: [ \t\n\x0B\f\r]

Classes for Unicode blocks and categories
\p{InGreek}             A character in the Greek block (simple block)
\p{Lu}                  An uppercase letter (simple category)
\p{Sc}                  A currency symbol
\P{InGreek}             Any character except one in the Greek block (negation)
[\p{L}&&[^\p{Lu}]]      Any letter except an uppercase letter (subtraction)

Boundary matchers
^                       The beginning of a line
$                       The end of a line
\b                      A word boundary
\B                      A non-word boundary
\A                      The beginning of the input
\G                      The end of the previous match
\Z                      The end of the input except for the final terminator, if any
\z                      The end of the input

Greedy quantifiers
X?                      X, once or not at all
X*                      X, zero or more times
X+                      X, one or more times
X{n}                    X, exactly n times
X{n,}                   X, at least n times
X{n,m}                  X, at least n but not more than m times

Reluctant quantifiers
X??                     X, once or not at all
X*?                     X, zero or more times
X+?                     X, one or more times
X{n}?                   X, exactly n times
X{n,}?                  X, at least n times
X{n,m}?                 X, at least n but not more than m times

Possessive quantifiers
X?+                     X, once or not at all
X*+                     X, zero or more times
X++                     X, one or more times
X{n}+                   X, exactly n times
X{n,}+                  X, at least n times
X{n,m}+                 X, at least n but not more than m times

Logical operators
XY                      X followed by Y
X|Y                     Either X or Y
(X)                     X, as a capturing group

Back references
\n                      Whatever the nth capturing group matched

Quotation
\                       Nothing, but quotes the subsequent character
\Q                      Nothing, but quotes all characters until \E
\E                      Nothing, but ends a quote started by \Q

Special constructs (non-capturing)
(?:X)                   X, as a non-capturing group
(?idmsux-idmsux)        Nothing, but turns match flags on - off
(?idmsux-idmsux:X)      X, as a non-capturing group with the given flags on - off
(?=X)                   X, via zero-width positive look ahead
(?!X)                   X, via zero-width negative look ahead
(?<=X)                  X, via zero-width positive look behind
(?<!X)                  X, via zero-width negative look behind
(?>X)                   X, as an independent, non-capturing group
Event Output Format

UC collects Windows Event logs and forwards them in Snare over Syslog format. For details about the Snare over Syslog format, see Snare_and_rsyslog.

Snare over Syslog format

<SYSLOGNUM>CurrentDate<SPACE>HostName<SPACE>MSWinEventLog<TAB>Criticality<TAB>Criticality<TAB>security<TAB>SnareCounter<TAB>SubmitTime<TAB>EventID<TAB>SourceName<TAB>UserName<TAB>SIDType<TAB>EventLogType<TAB>ComputerName<TAB>CategoryString<TAB>DataString<TAB>ExpandedString<TAB>MD5 checksum (optional)

The following table describes the differences between data elements passed in a typical Snare format vs Snare over Syslog format:

Field: ID
  The <SYSLOGNUM> is the appropriate numeric syslog facility/priority combination for the objective, as defined in the Snare configuration.

Field: Date and Time
  The CurrentDate is the syslog timestamp.

Field: Host name
  Snare format: Hostname. The assigned hostname of the machine or the override value entered using the Snare front.
  Snare over Syslog format: Hostname. The host name for syslog is the syslog IP address.

Field: Event Log Type
  Snare format: MSWINEventLog
  Snare over Syslog format: MSWINEventLog
  Fixed value of 'MSWinEventLog'.

Field: Criticality
  Snare format: Criticality
  Snare over Syslog format: Criticality
  This is determined by the Alert level given to the objective by the user and is a number between 0 and 4. UC uses a fixed value of 0.

Field: SourceName
  Snare format: EventLogSource
  Snare over Syslog format: EventLogSource
  This is the Windows Event Log from which the event record was derived. In the above example, the event record was derived from the 'security' event log.

Field: Snare Event Counter
  Snare format: SnareCounter
  Snare over Syslog format: SnareCounter
  SnareCounter is a sequential event counter, designed to assist the process of determining delivery percentages when using non-guaranteed transmission protocols. GlobalCounter has the same meaning as SnareCounter. UC uses a fixed value of 0.

Field: DateTime
  Snare format: SubmitTime
  Snare over Syslog format: SubmitTime
  This is the date time stamp of the event record. UC uses the UTC format.

Field: EventID
  Snare format: EventID
  Snare over Syslog format: EventID
  This is the Windows Event ID.

Field: SourceName
  Snare format: SourceName
  Snare over Syslog format: SourceName
  This is the Windows Event Log from which the event record was derived. In the above example, the event record was derived from the 'security' event log.

Field: UserName
  Snare format: UserName
  Snare over Syslog format: UserName
  This is the Windows user name.

Field: SIDType
  Snare format: SIDType
  Snare over Syslog format: SIDType
  This is the type of SID used.

Field: EventLogType
  Snare format: EventLogType
  Snare over Syslog format: EventLogType
  This can be any one of 'Success Audit', 'Failure Audit', 'Error', 'Information', or 'Warning'.

Field: ComputerName
  Snare format: ComputerName
  Snare over Syslog format: ComputerName
  This is the Windows computer name.

Field: CategoryString
  Snare format: Category
  Snare over Syslog format: Category
  This is the category of audit event, as detailed by the Windows event logging system.

Field: DataString
  Snare format: Data
  Snare over Syslog format: Data
  This contains the data strings.

Field: ExpandedString
  Snare format: Expanded
  Snare over Syslog format: EventRecordID
  This contains the expanded data strings. In UC, it contains the event record ID.

Field: MD5 Checksum
  Snare format: MD5Checksum
  Snare over Syslog format: <Optional>
  An MD5 checksum of the event can optionally be included with each event sent over the network by the Snare for Windows Agent. Note that the application that evaluates each record will need to strip the final delimiter, plus the checksum, prior to evaluating the event.

Snare over Syslog format is slightly different from the regular Snare format. The regular Snare format is shown below for reference:

HostName<TAB>MSWinEventLog<TAB>Criticality<TAB>EventLogSource<TAB>SnareCounter<TAB>SubmitTime<TAB>EventID<TAB>SourceName<TAB>UserName<TAB>SIDType<TAB>EventLogType<TAB>ComputerName<TAB>CategoryString<TAB>DataString<TAB>ExpandedString<TAB>MD5 checksum (optional)
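A receiver-side parser for the Snare over Syslog record described above, as an added example that is not part of the TIBCO guide or of UC itself. It assumes the tab-separated field order of the field table (a single Criticality field) and no embedded tabs inside a field; the function names and the sample record are constructed for illustration.

```python
import re

# Tab-separated fields after the literal "MSWinEventLog" marker. Assumption:
# the order is the one in the guide's field table (a single Criticality field).
FIELDS = [
    "Criticality", "EventLogSource", "SnareCounter", "SubmitTime", "EventID",
    "SourceName", "UserName", "SIDType", "EventLogType", "ComputerName",
    "CategoryString", "DataString", "ExpandedString",
]
EVENT_LOG_TYPES = {"Success Audit", "Failure Audit", "Error", "Information", "Warning"}
MARKER = "MSWinEventLog\t"
# <SYSLOGNUM>CurrentDate<SPACE>HostName<SPACE>: the host is the last token, so
# the timestamp layout (which contains spaces) does not have to be assumed.
HEADER_RE = re.compile(r"^<(\d{1,3})>(.+) (\S+) $")
MD5_RE = re.compile(r"^[0-9a-fA-F]{32}$")


def parse_snare_over_syslog(line):
    """Split one record into a dict; raise ValueError on a malformed record."""
    head, marker, body = line.rstrip("\r\n").partition(MARKER)
    if not marker:
        raise ValueError("no MSWinEventLog marker")
    header = HEADER_RE.match(head)
    if header is None or int(header.group(1)) > 191:
        raise ValueError("malformed syslog header")
    pri = int(header.group(1))
    parts = body.split("\t")
    checksum = None
    # Strip the final delimiter plus the optional checksum before evaluation.
    if len(parts) == len(FIELDS) + 1:
        last = parts.pop()
        if MD5_RE.match(last):
            checksum = last.lower()
        elif last != "":
            raise ValueError("unexpected trailing field")
    if len(parts) != len(FIELDS):
        raise ValueError("expected %d fields, got %d" % (len(FIELDS), len(parts)))
    event = dict(zip(FIELDS, parts))
    # Standard syslog priority encoding: PRI = facility * 8 + severity.
    event.update(CurrentDate=header.group(2), HostName=header.group(3),
                 facility=pri // 8, severity=pri % 8, MD5Checksum=checksum)
    return event


def uc_deviations(event):
    """List values that differ from what the guide says UC sends."""
    findings = []
    for name in ("Criticality", "SnareCounter"):
        if event[name] != "0":
            findings.append("%s is %r, UC sends a fixed 0" % (name, event[name]))
    if event["EventLogType"] not in EVENT_LOG_TYPES:
        findings.append("unknown EventLogType %r" % event["EventLogType"])
    if not event["EventID"].isdigit():
        findings.append("non-numeric EventID %r" % event["EventID"])
    return findings


# Constructed sample record (not captured from a real collector).
SAMPLE = (
    "<13>Jan 12 10:15:02 192.0.2.10 MSWinEventLog\t0\tSecurity\t0\t"
    "2016-01-12 10:15:01\t4624\tMicrosoft-Windows-Security-Auditing\t"
    "CONTOSO\\alice\tUser\tSuccess Audit\tWS01.example.test\tLogon\t"
    "An account was successfully logged on.\t88231"
)

if __name__ == "__main__":
    parsed = parse_snare_over_syslog(SAMPLE)
    for key in ("HostName", "CurrentDate", "EventID", "EventLogType", "ExpandedString"):
        print(key, "=", parsed[key])
    print("deviations:", uc_deviations(parsed))
```

A record that reports a non-zero Criticality or SnareCounter did not come from UC as documented here, which makes `uc_deviations` a cheap consistency check on a feed that is expected to contain only UC output.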
IPv6 Support Matrix

The IPv6 support matrix is as shown below:

Log Source Address    UC      LMI     Supported UC Version
IPv4                  IPv4    IPv4    v2.7.0 and below
IPv6                  IPv6    IPv6    v2.6.0 and v2.7.0
IPv4                  IPv6    IPv6    v2.6.0 and v2.7.0
