Nimsoft Monitor. sysloggtw Guide. v1.4 series




Legal Notices

Copyright 2012, CA. All rights reserved.

Warranty

The material contained in this document is provided "as is," and is subject to being changed, without notice, in future editions. Further, to the maximum extent permitted by applicable law, Nimsoft LLC disclaims all warranties, either express or implied, with regard to this manual and any information contained herein, including but not limited to the implied warranties of merchantability and fitness for a particular purpose. Nimsoft LLC shall not be liable for errors or for incidental or consequential damages in connection with the furnishing, use, or performance of this document or of any information contained herein. Should Nimsoft LLC and the user have a separate written agreement with warranty terms covering the material in this document that conflict with these terms, the warranty terms in the separate agreement shall control.

Technology Licenses

The hardware and/or software described in this document are furnished under a license and may be used or copied only in accordance with the terms of such license. No part of this manual may be reproduced in any form or by any means (including electronic storage and retrieval or translation into a foreign language) without prior agreement and written consent from Nimsoft LLC as governed by United States and international copyright laws.

Restricted Rights Legend

If software is for use in the performance of a U.S. Government prime contract or subcontract, Software is delivered and licensed as "Commercial computer software" as defined in DFAR 252.227-7014 (June 1995), or as a "commercial item" as defined in FAR 2.101(a) or as "Restricted computer software" as defined in FAR 52.227-19 (June 1987) or any equivalent agency regulation or contract clause. Use, duplication or disclosure of Software is subject to Nimsoft LLC's standard commercial license terms, and non-DOD Departments and Agencies of the U.S. Government will receive no greater than Restricted Rights as defined in FAR 52.227-19(c)(1-2) (June 1987). U.S. Government users will receive no greater than Limited Rights as defined in FAR 52.227-14 (June 1987) or DFAR 252.227-7015 (b)(2) (November 1995), as applicable in any technical data.

Trademarks

Nimsoft is a trademark of CA. Adobe, Acrobat, Acrobat Reader, and Acrobat Exchange are registered trademarks of Adobe Systems Incorporated. Intel and Pentium are U.S. registered trademarks of Intel Corporation. Java(TM) is a U.S. trademark of Sun Microsystems, Inc. Microsoft and Windows are U.S. registered trademarks of Microsoft Corporation. Netscape(TM) is a U.S. trademark of Netscape Communications Corporation. Oracle is a U.S. registered trademark of Oracle Corporation, Redwood City, California. UNIX is a registered trademark of the Open Group. ITIL is a Registered Trade Mark of the Office of Government Commerce in the United Kingdom and other countries. All other trademarks, trade names, service marks and logos referenced herein belong to their respective companies.

Contact Nimsoft

For your convenience, Nimsoft provides a single site where you can access information about Nimsoft products. At http://support.nimsoft.com/, you can access the following:

- Online and telephone contact information for technical assistance and customer services
- Information about user communities and forums
- Product and documentation downloads
- Nimsoft Support policies and guidelines
- Other helpful resources appropriate for your product

Provide Feedback

If you have comments or questions about Nimsoft product documentation, you can send a message to support@nimsoft.com.

Contents

Chapter 1: sysloggtw 1.4
  sysloggtw Overview
Chapter 2: sysloggtw Probe Deployment
  Supported Platforms
  System Requirements
  Software Requirements
  Probe Deployment Information
Chapter 3: sysloggtw Configuration
  Probe Defaults
  Probe Configuration Interface Installation
  Probe Configuration
    Properties
    Using logmon and sysloggtw
    Regular Expressions
Chapter 4: sysloggtw QoS Metrics

Chapter 1: sysloggtw 1.4

This description applies to sysloggtw probe version 1.4.

This section contains the following topics:

- sysloggtw Overview
- Documentation Changes

sysloggtw Overview

The sysloggtw probe acts as a gateway from the Syslog "world" into Nimsoft. Most network devices, such as routers, switches, bridges and so on, report events using SNMP as well as the well-known syslog format. The sysloggtw probe listens on port 514/udp when running in receive mode. All incoming syslog messages are acted upon according to the defined receive mode:

- Generate Alarm
- Generate SYSLOG-IN (for post-processing) messages
- Log to file

The sysloggtw probe can also receive Nimsoft alarm messages (for example, from the NAS auto-operator), convert them to syslog messages, and pass them on to remote syslog daemons.

Documentation Changes

This table describes the version history for this document.

Version | Date | What's New?
1.4 | December 2012 | Fixed issue where log files were not getting deleted after the correct number of days set.
1.3 | September 2010 | Added Probe Defaults for the probe. Added support for Windows 64, Linux 32/64 and Solaris platforms. Added proper configuration file reading mechanism on probe restart.

Related Documentation

- Documentation for other versions of the sysloggtw probe (../../sysloggtw.html)
- The Release Notes for the sysloggtw probe
- Getting Started with CA Nimsoft Probes
- Monitor Metrics Reference Information for CA Nimsoft Probes

Chapter 2: sysloggtw Probe Deployment

This section contains the prerequisites, system requirements and deployment information for the sysloggtw probe.

This section contains the following topics:

- Supported Platforms
- System Requirements
- Software Requirements
- Probe Deployment Information

Supported Platforms

The sysloggtw probe supports the same set of operating systems and databases as supported by the Nimsoft Server solution. Please refer to the Nimsoft Compatibility Support Matrix for the latest information on supported platforms.

System Requirements

The sysloggtw probe should be installed on systems with the following minimum resources:

- Memory: 2-4GB of RAM. Probe's OOB configuration requires 256MB of RAM
- CPU: 3GHz dual-core processor, 32-bit or 64-bit

Software Requirements

The sysloggtw probe requires the following software environment:

- Nimsoft Monitor Server 5.1.1 or later
- Nimsoft Robot 5.23 or later

Probe Deployment Information

There are two ways to distribute archive packages. You can distribute the package within Infrastructure Manager or use the standalone Nimsoft Distribution application. See Probe Deployment for more information on deploying probes.

Chapter 3: sysloggtw Configuration

The Nimsoft Syslog Gateway acts as a gateway both from the Syslog "world" into Nimsoft and from Nimsoft to the Syslog "world". Most network devices, such as routers, switches, bridges and so on, report events using SNMP as well as the well-known Syslog format. The sysloggtw probe listens on port 514/udp when running in receive mode.

Note: The administrator of the network devices must configure them to send Syslog messages to that port (514).

The Nimsoft Syslog Gateway acts upon all incoming Syslog messages according to the selected mode(s):

- Generate Nimsoft Alarm
- Generate SYSLOG-IN (for post-processing) messages
- Send to log-file

The Nimsoft Syslog Gateway is capable of relaying or forwarding incoming syslog messages as well as Nimsoft messages to other syslog daemons.

You may combine the Nimsoft Syslog Gateway with the Log Monitoring Probe (logmon) to post-process incoming Syslog messages. Some devices, for example Cisco routers, may add an index to each message. Use logmon to reformat the text and severity levels instead of having sysloggtw determine the alarm level from the syslog priority.

This section contains the following topics:

- Probe Defaults
- Probe Configuration Interface Installation
- Probe Configuration

Probe Defaults

When a probe is deployed on a robot for the first time, some default configuration is deployed automatically. These probe defaults can be alarms and syslogin messages, which saves the time otherwise needed to configure the default settings. Probe defaults are seen only on a fresh install, that is, when no instance of the probe is already available on that robot in either an activated or a deactivated state.

Probe Configuration Interface Installation

The probe configuration interface is automatically downloaded and installed by the Nimsoft Infrastructure Manager when the probe is deployed on a robot.

Probe Configuration

This section contains specific configuration information for the sysloggtw probe.

Properties

The sysloggtw probe is configured by double-clicking the line representing the probe in the Infrastructure Manager. This brings up the configuration tool for the probe.

The fields in the above dialog are explained below:

Message format
  Defines the format of the Syslogd messages that are generated when SYSLOG-OUT messages are found. The default format is [$hostname] $subsys - $message.

Remote syslog daemons
  Lists the Syslogd hosts to which relayed syslog messages or messages from the SYSLOG-OUT queue are sent.

Activate syslogd
  Activates the receive mode of the sysloggtw probe, where syslogd messages are received and processed according to one or more of the following options:

  Generate Nimsoft Alarm
    Generates alarm messages based on the incoming Syslog messages.

  Generate SYSLOG-IN message
    Generates SYSLOG-IN messages based on the incoming Syslog messages. These can be post-processed by the logmon probe or stored away by the adogtw probe.

  Send to log-file
    Allows you to save the incoming Syslog messages to the log file specified in the File Name box.

    File Name
      Specifies the file name in the box. You can also use the variable "$" and select either date or logsource, and specify the file name as a regular expression.

    Rotate logfile after (x) KBytes
      Takes a backup of the current log file when its size reaches the specified value, and creates a new log file with the same name as specified in the File Name box.

    Rotate logfile after (x) days
      Takes a backup of the current log file after the specified number of days, and creates a new log file with the same name as specified in the File Name box.

    Keep files for (x) days
      Deletes the backed-up log files one by one after the specified number of days. For example, a file created at 11:00 pm on Friday will only be deleted after 11:00 pm on Saturday if x is equal to 1 day.

      Note: The probe checks for backed-up files every 10 minutes and deletes them one by one once their deletion criteria are met.

Logging

Log level
  Defines the level of detail logged to the specified log file. Increase the level to get more detail when debugging.

Log File Size
  Specifies the maximum size of the log file in kilobytes.

Using logmon and sysloggtw

You can use the logmon and sysloggtw probes for post-processing of Syslog messages.

Follow these steps:

1. Open the hub configuration tool and select the Queues tab.
2. Create an attach queue collecting the subject SYSLOG-IN.

3. Open the logmon configuration tool and add a profile that attaches to the named queue.
4. Select the Watchers tab and add watchers (see the logmon configuration tool) according to your requirements.

You can also use the logmon and sysloggtw probes for sending log events to the Syslog world.

1. Open the logmon configuration tool and add a profile that sends using the specified subject.
2. Select the Watchers tab and add watchers (see the logmon configuration tool) according to your requirements.
3. In the sysloggtw probe, specify the remote syslog daemon hosts that will receive the messages.

Regular Expressions

You can also use regular expressions (regexp) directly to parse the syslog messages.

Regular Expression:

  /(\S+)\s(\S+)\s+(\S{3}\s\d+\s\d+:\d+:\d+)\s(\S+)\s+(.*)/

Format:

  level hostname/ip date source message

The variables are explained below:

Level
  Defines the Alarm Level (for example information, warning, error).

Hostname/IP Address
  Specifies the computer name or IP address.

Date
  Indicates the date when the event occurred.

Source
  Specifies the hostname or IP address of the source.

Message
  Defines the text of the message.
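The following Python is an added example, not part of the original guide or of any Nimsoft code. It applies the expression printed above to constructed sample lines and shows two inputs it rejects: a line missing the level and host fields, and a BSD-style (RFC 3164) timestamp whose day of month is space-padded ("Dec  2"). The names TOLERANT_RE, parse and triage are introduced here for illustration, and whether the probe ever emits padded dates is an assumption the guide does not address.

```python
import re

# Expression exactly as printed in the guide (Perl-style /.../ delimiters removed).
GUIDE_RE = re.compile(r"(\S+)\s(\S+)\s+(\S{3}\s\d+\s\d+:\d+:\d+)\s(\S+)\s+(.*)")

# Variant added for this example (not from the guide): anchored, and tolerant
# of the space-padded day of month that RFC 3164 timestamps use for days 1-9.
TOLERANT_RE = re.compile(
    r"^(\S+)\s+(\S+)\s+(\S{3}\s+\d+\s\d+:\d+:\d+)\s+(\S+)\s+(.*)$"
)

# Field order from the guide: level hostname/ip date source message
FIELDS = ("level", "host", "date", "source", "message")


def parse(line, pattern=GUIDE_RE):
    """Return the five fields as a dict, or None if the line does not match."""
    m = pattern.search(line.rstrip("\r\n"))
    if m is None:
        return None
    record = dict(zip(FIELDS, m.groups()))
    # Collapse padding so "Dec  2" and "Dec 2" compare equal downstream.
    record["date"] = " ".join(record["date"].split())
    return record


def triage(lines, pattern=GUIDE_RE):
    """Split input into parsed records and raw lines that did not match."""
    parsed, rejected = [], []
    for line in lines:
        rec = parse(line, pattern)
        if rec is None:
            rejected.append(line)  # keep the raw line so nothing is silently lost
        else:
            parsed.append(rec)
    return parsed, rejected


# Constructed sample input (not captured from a real device or probe).
SAMPLE = [
    "warning 10.0.0.5 Dec 12 14:03:22 rtr-edge-01 %LINK-3-UPDOWN: Interface Gi0/1, changed state to down",
    "error sw-core-02 Dec  2 09:15:01 192.0.2.17 Configured from console by vty0",
    "Dec 12 14:03:25 rtr-edge-01 line without a level or host prefix",
]

if __name__ == "__main__":
    for name, pat in (("guide", GUIDE_RE), ("tolerant", TOLERANT_RE)):
        ok, bad = triage(SAMPLE, pat)
        print(f"{name}: parsed={len(ok)} rejected={len(bad)}")
        for line in bad:
            print("  unmatched:", line)
```

Lines that fail to match are returned rather than dropped, so a watcher built on this pattern can alert on or archive unparsed input instead of losing it.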

Chapter 4: sysloggtw QoS Metrics

The sysloggtw probe does not generate any QoS. Therefore there are no probe checkpoint metrics to be configured for this probe.