syslog-ng on solaris as a source

This support forum board is for support questions relating to Nagios Log Server, our solution for managing and monitoring critical log data.
ucemike
Posts: 56
Joined: Wed Nov 16, 2011 3:13 pm

syslog-ng on solaris as a source

Post by ucemike »

Is it possible to configure syslog-ng on Solaris 10 as a source for NLS?

I poked around the setup-linux.sh script and see some bits of scripting for it but it seems the "automatic configuration" support is not there.
Box293
Too Basu
Posts: 5126
Joined: Sun Feb 07, 2010 10:55 pm
Location: Deniliquin, Australia

Re: syslog-ng on solaris as a source

Post by Box293 »

This should be possible; the standard configuration script may not work, but you can manually configure it.

You will need to install syslog on the Solaris server first.

Then in Log Server, go to:
Help
Add a Log Source
Click Linux
Click the Manual tab

This will give you the configuration required for the syslog file.

Does this help?

Re: syslog-ng on solaris as a source

Post by ucemike »

I will see if I can put syslog on that system. Currently it's one of 2 primary log hosts that we send all logs to.

I am curious, does NLS just need to have logs directed at it like the loghost listed above? Couldn't I just have syslog-ng use a destinations offsite config entry?

Code:

    destination offsite { udp("10.0.0.1" port(514)); };
    log { source(src); destination(offsite); };

Or do I not understand how NLS works ;) This appears to be what the automatic rsyslog configs do right now.
jolson
Attack Rabbit
Posts: 2560
Joined: Thu Feb 12, 2015 12:40 pm

Re: syslog-ng on solaris as a source

Post by jolson »

> Couldn't I just have syslog-ng use a destinations offsite config entry?

This should work fine. If port 514 is up and listening on NLS, it will be able to take logs in properly - keep in mind that by default port 514 is restricted, and to enable it you would need to follow this procedure: http://assets.nagios.com/downloads/nagi ... Server.pdf

You may want to set up a new input for your Solaris server - the input could look something like this:
[Attached screenshot: 2015-05-08 10_19_23-Instance Configuration • Nagios Log Server.png]
Using the above as an example, you'd have to open port '9001' in your firewall.

You could also use the 'syslog' input, which will apply a syslog filter to all of your inbound logs. If your Solaris logs are in syslog format, I would recommend trying out the syslog input.

Let us know how this goes for you. Thanks!
Twits Blog
Show me a man who lives alone and has a perpetually clean kitchen, and 8 times out of 9 I'll show you a man with detestable spiritual qualities.

Re: syslog-ng on solaris as a source

Post by ucemike »

I've got it working though it seems I lose fields like "logsource" and "program" and "facility_label". Is that normal?

I tried both solarisin and syslog and both "seem" to give me the same as mentioned above.

Re: syslog-ng on solaris as a source

Post by jolson »

> I've got it working though it seems I lose fields like "logsource" and "program" and "facility_label". Is that normal?

ucemike, please bear with me as this issue is a little more complicated than it seems at first - I'll try and describe it as clearly as possible.

When Logstash waits for information, it listens on its 'input' - a listener that takes in whatever data remote clients send it. From the input, the data is passed to Logstash filters - and from filters pushed through outputs into the elasticsearch database.

Let's say we set up the following input:

Code:

    tcp {
        type => 'solarisin'
        port => 9001
    }

'tcp' is the logstash input - this can also be 'udp' and 'syslog'. These are the three most common inputs. This tcp input by default listens on a tcp port - which is defined by the 'port' parameter (tcp/9001).

The 'type' field is an arbitrary tag that is given to any logs entering the input. This tag is only really used with regards to logstash filters. This is an example of a logstash filter:

Code:

    if [type] == "solarisin" {
        # filters for logs tagged 'solarisin' go here
    }

You can see that 'type' does not mean anything - it can be any string. The main purpose for the 'type' is to match a filter to logs entering through the input.


What you want to change is the logstash input. For example, your input currently might look something like this:

Code:

    udp {
        type => 'solarisin'
        port => 9001
    }

If you want to switch it to the syslog input, simply make the following change:

Code:

    syslog {
        type => 'solarisin'
        port => 9001
    }

The syslog input is a tcp/udp listener that will apply its own custom 'syslog' filter before any other filters are applied. This custom syslog filter pulls fields like 'logsource' and 'program' out of the raw log data, assuming that your raw logs are in syslog format.

I have made several long write-ups about how logstash operates. If you're interested in reading further about inputs and filters, please do see my below posts:
http://support.nagios.com/forum/viewtop ... 37&t=32221
http://support.nagios.com/forum/viewtop ... 68#p134768

Let me know if you have any questions along the way. :)
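An added illustration of the explanation in the post above (not code from the thread, from Nagios Log Server or from Logstash): the same raw line passed through a tcp/udp-style input and a syslog-style input, showing that the 'type' tag never affects parsing and that fields such as 'logsource', 'program' and 'facility_label' only exist once the syslog header is parsed. The function names, the regular expression, the label strings, the failure tag and the sample lines are assumptions made for this example.

```python
import re

# Facility/severity names indexed by RFC 3164 code; label wording is this example's choice.
FACILITIES = ["kernel", "user-level", "mail", "daemon", "security/authorization",
              "syslogd", "line printer", "network news", "uucp", "clock",
              "security/authorization", "ftp", "ntp", "log audit", "log alert",
              "clock"] + [f"local{i}" for i in range(8)]
SEVERITIES = ["emergency", "alert", "critical", "error",
              "warning", "notice", "informational", "debug"]

# <PRI>Mmm dd hh:mm:ss host program[pid]: message   (BSD syslog, RFC 3164)
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<timestamp>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<logsource>\S+) "
    r"(?P<program>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<message>.*)$")

def plain_input(raw, type_tag):
    """tcp/udp-style input: the raw line is kept whole; 'type' is only a label."""
    return {"type": type_tag, "message": raw}

def syslog_input(raw, type_tag):
    """syslog-style input: the same event plus fields parsed from the header."""
    event = plain_input(raw, type_tag)
    m = SYSLOG_RE.match(raw)
    if m is None or int(m.group("pri")) > 191:   # 191 = facility 23, severity 7
        event["tags"] = ["not_syslog_format"]    # constructed tag name
        return event
    pri = int(m.group("pri"))
    event.update({k: v for k, v in m.groupdict().items() if v is not None})
    del event["pri"]
    event.update(priority=pri, facility=pri >> 3, severity=pri & 7,
                 facility_label=FACILITIES[pri >> 3],
                 severity_label=SEVERITIES[pri & 7])
    return event

# Constructed sample lines, not taken from the thread.
SAMPLE = "<38>May  8 10:19:23 sol10host sshd[1234]: Accepted publickey for admin"
NOT_SYSLOG = "application wrote this line without a syslog header"

if __name__ == "__main__":
    for name, fn in (("tcp/udp", plain_input), ("syslog", syslog_input)):
        print(name, sorted(fn(SAMPLE, "solarisin")))
    print(syslog_input(NOT_SYSLOG, "solarisin"))
```

If the sender's output template omits the `<PRI>` value or the header, the syslog-style path falls back to the raw message, which matches the symptom of missing fields described earlier in the thread.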

Re: syslog-ng on solaris as a source

Post by ucemike »

Ah, my mistake, I was thinking the type was an actual flag that determined how it parsed the input. I see what you're saying now and will experiment.

Re: syslog-ng on solaris as a source

Post by jolson »

Sounds good - let us know. Thanks!