Configuring existing syslog servers to forward events

Syslog events trigger BMC Network Automation to automatically archive configuration files as they change, report who made configuration changes, correlate events to prior configuration changes, and send SNMP or email notifications based on the type of event received. This topic describes how to configure syslog servers to forward events.

All syslog messages are passed through the BMC Network Automation External Event filters. Events matching a filter are logged to the Event Log and processed by the Policy Manager.

If syslog events are currently processed by one or more Linux syslogd or syslog-ng servers, you can relay these events to BMC Network Automation by following these installation instructions.

Each device agent (listed under Admin > Device Agents) runs a syslog listener and has a set of parameters to configure syslogging, as shown in the following figure. The device agent named Local is present by default and refers to the device agent running on the BMC Network Automation application server.


To configure an existing Kiwi Syslog Server

Existing syslog servers can be configured to send events directly to the local device agent on the application server or to a BMC Network Automation remote device agent. The advantage of using a remote device agent is that it performs additional filtering on the events and forwards only those events that match the External Event Filters to the server. This reduces the syslog traffic being processed by the application server. You can optionally set up a Kiwi filter to forward particular messages such as PIX-6-111005 or SYS-5-CONFIG. Perform the following steps to configure BMC Network Automation for Kiwi-forwarded events:

  1. Go to Admin > Device Agents.
  2. Select the remote device agent (or local device agent for the application server).
  3. In the Syslog Relays list, add the IP address of the Kiwi server. Configure Kiwi forwarding as shown in the following table:

    Parameter                                      Description
    ---------------------------------------------  ------------------------------------------------------
    Destination IP address or hostname             IP address or host name of the BMC Network Automation
                                                   application server or remote device agent
    Protocol                                       UDP
    New Facility                                   (no change)
    New Level                                      (no change)
    Port                                           514
    Send with RFC 3164 header information          (selected)
    Retain the original source address of the      (not selected)
    message

    Note

    The last two fields are not the default values.


To configure an existing Linux syslogd server

To forward events from a Linux syslogd server to BMC Network Automation, install the syslog-ng application on the same host that has syslogd, as shown in the following figure:

If the BMC Network Automation application server or the remote device agent is co-located with syslogd, ensure that syslog-ng forwards events on a port other than 514 (for example, 1514). The default syslog-ng and device agent syslog port is 514. Modify this default port in both syslog-ng.conf file and in the Admin > Device Agents page when co-locating BMC Network Automation with syslogd.


Installing syslog-ng

Follow these directions when forwarding syslog events from an existing Linux syslogd server. The Linux syslogd server is configured to forward events to syslog-ng, which in turn forwards events to the application server or a remote device agent.

  1. Download and install the latest syslog-ng. Syslog-ng is available from http://www.balabit.com/downloads/files/syslog-ng/sources. Follow the instructions on that website to install syslog-ng on your system.
    Select the location in which you want to install syslog-ng; for example: /usr/local/syslog-ng.
  2. Copy the sample syslog-ng.conf file to the install directory:

    cd _BCAN_HOME_/public/syslog-ng
    cp syslog-ng.conf /usr/local/syslog-ng

    Sample syslog-ng.conf file

    # make sure hostnames are preserved from the source message
    options {
            keep_hostname (yes);
            };
    # connect FIFO from syslogd source to BCA-Networks destination
    source syslogdOutput  {
         fifo("/usr/local/syslog-ng/syslogdOutput.fifo"); };
    destination BCAN      { udp("10.1.1.144"  port(514)
         template("$HOST $MSG\n")); };
    log                   { source(syslogdOutput); destination(BCAN); };
    # uncomment to catch internal messages to a local file
    #source local          { internal(); };
    #destination logfile   { file("/usr/local/syslog-ng/messages"); };
    #log                   { source(local); destination(logfile); };

    Note

    If your device records have an IP address value in the Hostname/IP Address field as opposed to a host name value, BMC recommends that you change $HOST to $SOURCEIP in the destination BCAN line of syslog-ng.conf.

  3. Make the FIFO for passing syslogd messages into syslog-ng:
    mkfifo -m 600 /usr/local/syslog-ng/syslogdOutput.fifo
  4. Edit syslog-ng.conf. Adjust any paths for your install. Adjust the destination BCAN line to use your BMC Network Automation server IP address (and syslog port number).
  5. If you do not plan to reboot the system, start syslog-ng manually:
    /usr/local/syslog-ng/syslog-ng.sh start
  6. Edit /etc/syslog.conf to send messages into the FIFO. Add the following line to the end of the syslog.conf file. Be sure to use at least one Tab after the facility.severity selector (for example, local7.info).

    local7.info |/usr/local/syslog-ng/syslogdOutput.fifo

    The facility of local7 is used here as an example. The facility must match the facility used by the device. As an example, say you have Cisco (IOS), Cisco (PixOS), Extreme, and Juniper devices. Assuming that Cisco IOS and Juniper are sending to local0, Cisco PixOS is sending to local4 and Extreme is sending to local7, the line to add to /etc/syslog.conf would look like the following example:
    local0.notice;local4.notice;local7.info | /usr/local/syslog-ng/syslogdOutput.fifo

    Correspondingly, for this example, the facility needs to be configured on the devices with the commands listed in the following table:

    Syslog server FIFO configurations

    OS                                                Example
    ------------------------------------------------  --------------------------------------------------------------------------------
    IOS                                               logging facility local0
    JunOS                                             set system syslog host IP address facility-override local0 interactive-commands notice
    PixOS (16 to 23 correspond to local0 to local7)   logging facility 20
    Extreme                                           config syslog IP address local7 info

  7. If you do not reboot, restart syslogd manually:
    /etc/init.d/syslog restart
  8. Define the syslog relay on the Admin > Device Agents page.
    1. Modify the record for the application server (that is, local device agent) or the remote device agent.
    2. Add the IP address of the syslog-ng server.
    3. Update the port to match the port on which syslog-ng sends events.
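
The procedure above depends on two things that are easy to get wrong: the syslog.conf selector (which facility and minimum severity reach the FIFO) and the syslog-ng template (what the device agent finally receives). The following Python script is an added example, not part of the BMC documentation or of the syslog-ng project. It decodes the RFC 3164 PRI value into facility and severity (so that PixOS facility 20 resolves to local4), applies a syslogd-style selector such as local0.notice;local4.notice;local7.info, and expands the $HOST / $SOURCEIP / $MSG macros used in the destination BCAN line, including the $SOURCEIP variant recommended in the notes for device records keyed by IP address. The sample datagrams, hostnames and addresses are constructed, and $MSG is simplified to everything after the host field, which is coarser than syslog-ng's own parsing.

```python
"""Added example: decode RFC 3164 syslog lines the way syslogd and syslog-ng treat them."""
import re
from dataclasses import dataclass
from typing import List, Tuple

# RFC 3164 encodes facility and severity in one number: PRI = facility * 8 + severity.
# Facilities 16..23 are local0..local7, which is why the PixOS "logging facility 20"
# command selects local4. The names below are the ones syslog.conf selectors use.
FACILITY_NAMES = {
    0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
    6: "lpr", 7: "news", 8: "uucp", 9: "cron", 10: "authpriv", 11: "ftp",
    **{16 + i: f"local{i}" for i in range(8)},
}
SEVERITY_NAMES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# <PRI>Mmm dd hh:mm:ss HOST MSG  (the header Kiwi adds when "Send with RFC 3164 header" is selected)
RFC3164 = re.compile(r"^<(\d{1,3})>([A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (\S+) (.*)$", re.DOTALL)


@dataclass
class SyslogEvent:
    facility: int
    severity: int
    timestamp: str
    host: str       # what syslog-ng exposes as $HOST (preserved because of keep_hostname(yes))
    sourceip: str   # what syslog-ng exposes as $SOURCEIP (address of the relaying sender)
    msg: str        # simplified $MSG: everything after the host field


def parse_rfc3164(line: str, sourceip: str) -> SyslogEvent:
    """Split a raw syslog datagram into its PRI, header and message parts."""
    m = RFC3164.match(line)
    if m is None:
        raise ValueError(f"not an RFC 3164 message: {line!r}")
    pri = int(m.group(1))
    if pri > 191:  # 23 * 8 + 7 is the largest legal PRI
        raise ValueError(f"PRI out of range: {pri}")
    return SyslogEvent(pri // 8, pri % 8, m.group(2), m.group(3), sourceip, m.group(4))


def selector_matches(selector: str, ev: SyslogEvent) -> bool:
    """Apply a syslog.conf selector such as 'local0.notice;local4.notice;local7.info'.

    syslogd semantics: the facility must match and the message must be at least as
    urgent as the named level (numerically lower or equal), so '.notice' passes notice,
    warning, err and above but drops info and debug messages.
    """
    for part in selector.split(";"):
        fac, sev = part.strip().split(".")
        if fac in ("*", FACILITY_NAMES.get(ev.facility)):
            if ev.severity <= SEVERITY_NAMES.index(sev):
                return True
    return False


def render(ev: SyslogEvent, template: str = "$HOST $MSG\n") -> str:
    """Expand the syslog-ng template macros used in the destination BCAN line."""
    return (template.replace("$SOURCEIP", ev.sourceip)
                    .replace("$HOST", ev.host)
                    .replace("$MSG", ev.msg))


def forward(datagrams: List[Tuple[str, str]], selector: str,
            template: str = "$HOST $MSG\n") -> List[str]:
    """Return the payloads the device agent would receive for each (line, sender ip) pair."""
    out = []
    for line, sourceip in datagrams:
        ev = parse_rfc3164(line, sourceip)
        if selector_matches(selector, ev):
            out.append(render(ev, template))
    return out


# Constructed sample datagrams (not captured from any real network) with the sender address.
SAMPLE = [
    ("<189>Mar 10 14:02:11 core-sw1 %SYS-5-CONFIG_I: Configured from console by admin on vty0", "10.1.1.10"),
    ("<166>Mar 10 14:02:12 fw1 %PIX-6-111005: admin end configuration: OK", "10.1.1.20"),
    ("<133>Mar  9 08:15:00 edge-r1 mgd[1234]: UI_COMMIT: User 'admin' requested 'commit' operation", "10.1.1.30"),
]
SELECTOR = "local0.notice;local4.notice;local7.info"

if __name__ == "__main__":
    for line, ip in SAMPLE:
        ev = parse_rfc3164(line, ip)
        print(FACILITY_NAMES[ev.facility], SEVERITY_NAMES[ev.severity], selector_matches(SELECTOR, ev))
    for payload in forward(SAMPLE, SELECTOR, "$SOURCEIP $MSG\n"):
        print(repr(payload))
```

Running the script shows the threshold behaviour worth checking before relying on the forwarded feed: the constructed PIX line is severity 6 (informational), so a local4.notice selector silently drops it, whereas local4.info lets it through. Comparing the $HOST and $SOURCEIP renderings against the Hostname/IP Address field of your device records tells you which template the device agent will be able to match.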


To configure an existing syslog-ng server

To forward events from an existing syslog-ng server to the BMC Network Automation application server or a remote device agent, add the required destination, source, and optionally filter lines to the syslog-ng configuration file. The destination setting depends on whether BMC Network Automation is co-located with the syslog-ng server.

To configure a co-located syslog-ng server

Perform these steps when the application server or remote device agent is co-located with the syslog-ng server.

  1. Add lines similar to the following to the syslog-ng.conf file, substituting the IP address of the local computer for IP address. Note the non-default port value to which syslog events are sent (for example, 1514):

    destination BCAN { udp("IP address" port(1514)
         template("$HOST $MSG\n")); };
    log { source(net); destination(BCAN); };

    Recommendation

    If your device records have an IP address value in the Hostname/IP Address field as opposed to a host name value, BMC recommends that you change $HOST to $SOURCEIP in the destination BCAN line of syslog-ng.conf.

  2. Modify the record on the Admin > Device Agents page for the application server (that is, local device agent) or the remote device agent to use a syslog port value of 1514.
  3. Force syslog-ng to reread the configuration file, replacing syslog-ng_pid with the process ID of the running syslog-ng:
    # kill -HUP syslog-ng_pid


To configure a syslog-ng server that is on a separate computer

Perform these steps when the application server or remote device agent is on a separate computer from the syslog-ng server.

  1. Add lines similar to the following to the syslog-ng.conf file, substituting the IP address of the application server for IP address. Note the default port value to which syslog events are sent (for example, 514):

    destination BCAN { udp("IP address" port(514)
         template("$HOST $MSG\n")); };
    log { source(net); destination(BCAN); };

  2. Force syslog-ng to reread the configuration file, replacing syslog-ng_pid with the process ID of the running syslog-ng:
    # kill -HUP syslog-ng_pid
