Configuring existing syslog servers to forward events
Syslog events trigger BMC Network Automation to automatically archive configuration files as they change, report who made configuration changes, correlate events to prior configuration changes, and send SNMP or email notifications based on the type of event received. This topic describes how to configure syslog servers to forward events.
All syslog messages are passed through the BMC Network Automation External Event filters. Events matching a filter are logged to the Event Log and processed by the Policy Manager.
If syslog events are currently processed by one or more Linux syslogd or syslog-ng servers, you can relay these events to BMC Network Automation by following these installation instructions.
Each device agent (listed under Admin > Device Agents) runs a syslog listener and has a set of parameters to configure syslogging, as shown in the following figure. The device agent named Local is present by default and refers to the device agent running on the BMC Network Automation application server.
To configure an existing Kiwi Syslog Server
Existing syslog servers can be configured to send events directly to the local device agent on the application server or to a BMC Network Automation remote device agent. The advantage of using a remote device agent is that it performs additional filtering on the events and only forwards those events that match the External Event Filters to the server. This reduces the syslog traffic being processed by the application server. You can optionally set up a Kiwi filter to forward particular messages like PIX-6-111005 or SYS-5-CONFIG. Perform the following steps to configure BMC Network Automation for Kiwi-forwarded events:
- Go to Admin > Device Agents.
- Select the remote device agent (or local device agent for the application server).
- In the Syslog Relays list, add the IP address of the Kiwi server.
- Configure the Kiwi forwarding as shown in the following table:
Parameter | Description
--- | ---
Destination IP address or hostname | IP address or host name of the BMC Network Automation application server or remote device agent
Protocol | UDP
New Facility | (no change)
New Level | (no change)
Port | 514
Send with RFC 3164 header information | (selected)
Retain the original source address of the message | (not selected)
Note
The last two fields are not the default values.
To configure an existing Linux syslogd server
To forward events from a Linux syslogd server to BMC Network Automation, install the syslog-ng application on the same host that has syslogd, as shown in the following figure:
If the BMC Network Automation application server or the remote device agent is co-located with syslogd, ensure that syslog-ng forwards events on a port other than 514 (for example, 1514). The default syslog-ng and device agent syslog port is 514. Modify this default port in both syslog-ng.conf file and in the Admin > Device Agents page when co-locating BMC Network Automation with syslogd.
Installing syslog-ng
Follow these directions when forwarding syslog events from an existing Linux syslogd server. The Linux syslogd server is configured to forward events to syslog-ng, which in turn forwards events to the application server or a remote device agent.
- Download and install the latest syslog-ng. Syslog-ng is available from http://www.balabit.com/downloads/files/syslog-ng/sources. Follow the instructions on that website to install syslog-ng on your system.
- Select the location in which you want to install syslog-ng; for example: /usr/local/syslog-ng. Copy the sample syslog-ng.conf file to the install directory (BCAN_HOME is the BMC Network Automation installation directory):
cd BCAN_HOME/public/syslog-ng
cp syslog-ng.conf /usr/local/syslog-ng
Sample syslog-ng.conf file:
# make sure hostnames are preserved from the source message
options { keep_hostname(yes); };
# connect FIFO from syslogd source to BCA-Networks destination
source syslogdOutput { fifo("/usr/local/syslog-ng/syslogdOutput.fifo"); };
destination BCAN { udp("10.1.1.144" port(514) template("$HOST $MSG\n")); };
log { source(syslogdOutput); destination(BCAN); };
# uncomment to catch internal messages to a local file
#source local { internal(); };
#destination logfile { file("/usr/local/syslog-ng/messages"); };
#log { source(local); destination(logfile); };
Note
If your device records have an IP address value in the Hostname/IP Address field as opposed to a host name value, BMC recommends that you change $HOST to $SOURCEIP in the destination BCAN line of syslog-ng.conf.
- Make the FIFO for passing syslogd messages into syslog-ng:
mkfifo -m 600 /usr/local/syslog-ng/syslogdOutput.fifo
- Edit syslog-ng.conf. Adjust any paths for your install. Adjust the destination BCAN line to use your BMC Network Automation server IP address (and syslog port number).
- If you do not plan to reboot the system, start syslog-ng manually:
/usr/local/syslog-ng/syslog-ng.sh start
- Edit /etc/syslog.conf to send messages into the FIFO. Add the following line to the end of the syslog.conf file. Be sure to use at least one Tab after the facility.severity parameter (for example, local7.info):
local7.info	|/usr/local/syslog-ng/syslogdOutput.fifo
The facility of local7 is used here as an example. The facility must match the facility used by the device. As an example, say you have Cisco (IOS), Cisco (PixOS), Extreme, and Juniper devices. Assuming that Cisco IOS and Juniper are sending to local0, Cisco PixOS is sending to local4, and Extreme is sending to local7, the line to add to /etc/syslog.conf would look like the following example:
local0.notice;local4.notice;local7.info	|/usr/local/syslog-ng/syslogdOutput.fifo
Correspondingly, for this example, the facility needs to be configured on the devices with the commands listed in the following table.
Syslog server FIFO configurations
OS | Example
--- | ---
IOS | logging facility local0
JunOS | set system syslog host IP address facility-override local0 interactive-commands notice
PixOS (16 to 23 correspond to local0 to local7) | logging facility 20
Extreme | config syslog IP address local7 info
- If you do not reboot, restart syslogd manually:
/etc/init.d/syslog restart
- Define the syslog relay on the Admin > Device Agents page.
- Modify the record for the application server (that is, local device agent) or the remote device agent.
- Add the IP address of the syslog-ng server.
- Update the port to match the port on which syslog-ng sends events.
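The two decisions the procedure above depends on are which messages the syslogd selector line admits into the FIFO, and what the destination BCAN template hands to the device agent. The following Python script is an added example (not part of the BMC documentation or the syslog-ng project) that models both: it decodes facility and severity from the RFC 3164 PRI value (so a PixOS "logging facility 20" lands in local4), applies the selector string from this page with syslogd's "this severity and more severe" rule, and expands the $HOST versus $SOURCEIP macros the Note recommends choosing between. The message lines, hostnames and addresses are constructed for the example; the selector and template strings are the ones shown on this page.

```python
import re

# RFC 3164 severity names, indexed by numeric code (0 is the most severe).
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
# Facility codes 16..23 are local0..local7, which is why "logging facility 20"
# on PixOS arrives as local4.
FACILITIES = {16 + i: "local%d" % i for i in range(8)}
FACILITY_CODES = {name: code for code, name in FACILITIES.items()}

# BSD-style header: <PRI>TIMESTAMP HOSTNAME MSG (RFC 3164 layout).
HEADER_RE = re.compile(
    r"^<(\d{1,3})>([A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (\S+) (.*)$")


def parse(raw):
    """Split one syslog line into facility, severity, timestamp, host and message."""
    m = HEADER_RE.match(raw)
    if not m:
        raise ValueError("not an RFC 3164 message: %r" % raw)
    pri = int(m.group(1))
    if pri > 191:
        raise ValueError("PRI out of range: %d" % pri)
    return {
        "facility": pri // 8,  # PRI = facility * 8 + severity
        "severity": pri % 8,
        "timestamp": m.group(2),
        "host": m.group(3),
        "msg": m.group(4),
    }


def parse_selector(selector):
    """Turn a syslog.conf selector such as 'local0.notice;local4.notice;local7.info'
    into {facility_code: least_severe_code_admitted}."""
    rules = {}
    for part in selector.split(";"):
        facility, severity = part.strip().split(".")
        rules[FACILITY_CODES[facility]] = SEVERITIES.index(severity)
    return rules


def selected(rules, facility, severity):
    """syslogd semantics: 'facility.severity' admits that severity and anything
    more severe (a lower numeric code), never anything less severe."""
    return facility in rules and severity <= rules[facility]


def render(msg, source_ip, template="$HOST $MSG\n"):
    """Expand the macros used in the destination BCAN template: $HOST is the
    hostname carried in the message header (preserved by keep_hostname(yes)),
    $SOURCEIP is the address the relay received the datagram from."""
    return (template.replace("$SOURCEIP", source_ip)
                    .replace("$HOST", msg["host"])
                    .replace("$MSG", msg["msg"]))


def relay(raw, source_ip, rules, template="$HOST $MSG\n"):
    """What the device agent would receive for one line, or None if the
    syslogd selector never writes it into the FIFO."""
    msg = parse(raw)
    if not selected(rules, msg["facility"], msg["severity"]):
        return None
    return render(msg, source_ip, template)


# Constructed sample traffic (hypothetical hosts and addresses): an IOS switch
# on local0, a Pix on local4 (facility 20) and an Extreme switch on local7,
# matching the facility assignment in the page's example.
SAMPLES = [
    ("10.1.1.20", "<133>Mar 10 14:02:11 core-sw1 %SYS-5-CONFIG_I: Configured from console by admin on vty0"),
    ("10.1.1.30", "<166>Mar 10 14:02:12 fw1 %PIX-6-111005: admin end configuration: OK"),
    ("10.1.1.40", "<190>Mar 10 14:02:13 edge-sw2 <Info:log> Configuration saved by admin"),
]

if __name__ == "__main__":
    rules = parse_selector("local0.notice;local4.notice;local7.info")
    for template in ("$HOST $MSG\n", "$SOURCEIP $MSG\n"):
        print("template %r" % template)
        for ip, line in SAMPLES:
            print("  %s... -> %r" % (line[:28], relay(line, ip, rules, template)))
```

Running the script shows the caveat worth checking before you rely on the relay: the severity-6 PIX-6-111005 message is dropped by the local4.notice selector before it ever reaches the FIFO, because notice admits only severity 5 and more severe. The selector's severity must be at least as permissive as the least severe message you want the External Event Filters to see (local4.info admits it). The second template run shows why $SOURCEIP is the better choice when device records are keyed by IP address: the relayed line then starts with the sender address rather than the hostname the device wrote into its own header.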
To configure an existing syslog-ng server
To forward events from an existing syslog-ng server to the BMC Network Automation application server or a remote device agent, add the required destination, source, and optionally filter lines in the syslog-ng configuration file. The destination setting depends on whether BMC Network Automation is co-located with the syslog-ng server.
To configure a co-located syslog-ng server
Perform these steps when the application server or remote device agent is co-located with the syslog-ng server.
- Add lines similar to the following to the syslog-ng.conf file, substituting the IP address of the local computer for IP address. Note the non-default port value to which syslog events are sent (for example, 1514):
destination BCAN { udp("IP address" port(1514) template("$HOST $MSG\n")); };
log { source(net); destination(BCAN); };
Recommendation
If your device records have an IP address value in the Hostname/IP Address field as opposed to a host name value, BMC recommends that you change $HOST to $SOURCEIP in the destination BCAN line of syslog-ng.conf.
- Modify the record on the Admin > Device Agents page for the application server (that is, local device agent) or the remote device agent to use a syslog port value of 1514.
- Force syslog-ng to reread the configuration file (syslog-ng_pid is the process ID of the running syslog-ng):
# kill -HUP syslog-ng_pid
To configure a syslog-ng server that is on a separate computer
Perform these steps when the application server or remote device agent is on a separate computer from the syslog-ng server.
- Add lines similar to the following to the syslog-ng.conf file, substituting the IP address of the application server for IP address. Note the default port value to which syslog events are sent (for example, 514):
destination BCAN { udp("IP address" port(514) template("$HOST $MSG\n")); };
log { source(net); destination(BCAN); };
- Force syslog-ng to reread the syslog-ng configuration file (syslog-ng_pid is the process ID of the running syslog-ng):
# kill -HUP syslog-ng_pid