tencent cloud

Collecting Syslog
Last updated: 2025-11-19 16:29:16

Use Cases

Syslog refers to system logs or records and is a standard for transmitting log messages over IP networks. It is supported by network routers, switches, firewalls, and Unix/Linux servers. Syslog monitoring and management are important for every organization: they help reduce system downtime, improve network performance, and strengthen corporate security policies.

Prerequisites

Tencent Cloud Log Service is enabled.
LogListener 3.5.0 or later is installed on the target machine. To install the latest version, see the LogListener New Architecture Installation and Upgrade Guide.
The account associated with the key has the appropriate Syslog collection permission.

Operation Steps

Configuring Syslog Collection Rules in the CLS Console

Procedure 1: Select Log Topic

Create New Log Topic
1. Log in to the Cloud Log Service console.
2. In the left sidebar, click Overview to access the overview page.
3. In Fast Integration, locate and click Syslog collection configuration under Server and application.
4. On the create log topic page, enter the log topic name, configure the log retention period and other information based on your actual requirements, then click Next.

Using an Existing Log Topic
1. Log in to the Cloud Log Service console.
2. In the left navigation bar, click Log Topic, select the log topic you wish to post to, and enter the log topic management page.
3. Select the Collection Configuration tab, click Add under the LogListener Collection Configuration section, and find Syslog collection configuration in the list.


Procedure 2: Machine Group Configuration

On the Machine Group Management page, select the machine group to bind to the current log topic, then click Next to enter the configuration phase. For more details, see manage machine group.


Procedure 3: Syslog Collection Configuration

On the Syslog collection configuration page, configure the following information:
| Configuration Item | Type | Description |
| --- | --- | --- |
| Collection Rule Name | Input Box | Enter the name of this collection rule. |
| Network type | Radio | The Syslog transport protocol: UDP or TCP. |
| Resolution Protocol | Radio | The protocol used to parse logs. It is empty by default, which means no parsing. Options: rfc3164 (parse logs using the RFC3164 protocol); rfc5424 (parse logs using the RFC5424 protocol); auto (automatically select the appropriate parsing protocol). |
| Listening Address | Input Box | The Syslog forwarding address and port, in the format [ip]:[port]. Local collection scenario: set the forwarding address to 127.0.0.1; the port can be any idle port, for example 127.0.0.1:9000. Cross-host collection scenario: if you use Syslog forwarding, see the rsyslog forwarding configuration. |
| Upload resolution-failed logs | Switch | What to do when parsing fails. If enabled, the full text of the log is uploaded under the specified key name. If disabled (false), logs that fail parsing are discarded. |
| Key Name of Parsing-Failed Logs | Input Box | The key name under which logs that failed parsing are uploaded. |




Procedure 4: Index Configuration

1. On the index configuration page, configure the following information. For details, see index configuration.

Note:
Index configuration must be enabled for retrieval; otherwise, retrieval is not available.
Edited index rules take effect only for logs written after the edit; existing data is not updated.
2. Click Submit to complete the configuration.

Viewing Syslog Log

After configuring Syslog collection in the current log topic, click Retrieve to enter the Search and Analysis page of this topic and view Syslog.

Log Field Explanation

| Field | Description |
| --- | --- |
| HOSTNAME | Host name. The current host name will be obtained if it is not provided in the log. |
| program | tag field in the protocol. |
| priority | priority field in the protocol. |
| facility | facility field in the protocol. |
| severity | severity field in the protocol. |
| timestamp | Timestamp of the log. |
| content | Log content, which will contain all the content of unparsed logs if parsing fails. |
| SOURCE | IP of the current host. |
| client_ip | Client IP address for log transfer. |
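
To show how the Resolution Protocol options (rfc3164, rfc5424, auto) and the parsing-failure switch relate to the fields listed above, the following sketch parses sample lines into those fields. It is an added example, not LogListener's own code: the regular expressions, the function name parse_syslog, and the fallback key "unparsed" are assumptions, and SOURCE and client_ip are omitted because they come from the network connection rather than the message.

```python
import re

# Field names follow the page's "Log Field Explanation" table; the regexes and
# the "unparsed" fallback key are assumptions made for this illustration.
RFC5424 = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ver>[1-9]\d?) (?P<timestamp>\S+) (?P<HOSTNAME>\S+) "
    r"(?P<program>\S+) (?P<procid>\S+) (?P<msgid>\S+) "
    r"(?P<sd>-|(?:\[(?:[^\]\\]|\\.)*\])+)(?: (?P<content>.*))?$", re.S)
RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<timestamp>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<HOSTNAME>\S+) (?P<program>[^\s:\[]+)(?:\[(?P<procid>\d+)\])?: ?"
    r"(?P<content>.*)$", re.S)


def parse_syslog(line, protocol="auto", upload_failed=True, failed_key="unparsed"):
    """Parse one syslog line; on failure keep the full text or drop it (None)."""
    candidates = {"rfc5424": [RFC5424], "rfc3164": [RFC3164],
                  "auto": [RFC5424, RFC3164]}[protocol]
    for pattern in candidates:
        m = pattern.match(line)
        if m and int(m["pri"]) <= 191:  # 23 * 8 + 7 is the largest valid PRI
            pri = int(m["pri"])
            return {
                "priority": pri,
                "facility": pri >> 3,   # PRI = facility * 8 + severity
                "severity": pri & 7,
                "timestamp": m["timestamp"],
                "HOSTNAME": m["HOSTNAME"],
                "program": m["program"],
                "content": m["content"] or "",
            }
    # Mirrors the "Upload resolution-failed logs" switch: keep full text or discard.
    return {failed_key: line} if upload_failed else None


# Constructed sample messages (not captured from a real system).
SAMPLES = [
    "<34>Oct 11 22:14:15 web01 sshd[4721]: Failed password for root from 192.0.2.10",
    "<165>1 2025-11-19T16:29:16Z fw01 filterd 812 ID47 - connection blocked",
    "not a syslog line",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(parse_syslog(sample))
```

With parsing left empty in the console, every message is stored as raw text, so searches on facility or severity (for example, auth-facility failures) depend on choosing a protocol that matches what the senders emit.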

Using rsyslog to Forward

To use rsyslog forwarding (which supports cross-host collection scenarios), configure it as follows:
1. On the server where Syslog resides, edit the rsyslog configuration file /etc/rsyslog.conf and add a forwarding rule at the end of the file. Once the rule is added, rsyslog forwards Syslog to the specified IP and port.
   If the current server collects its own Syslog, set the forwarding address to 127.0.0.1; the port can be any idle port.
   If another server collects this server's Syslog, set the forwarding address to the public network IP of that other server; the port can be any idle port.
   For example, the following rule forwards all logs to 127.0.0.1:1000 over TCP. For more information on the configuration file, see RSyslog Documentation.

       *.* @@127.0.0.1:1000

2. Run the following command to restart rsyslog so that the forwarding rule takes effect.

       sudo service rsyslog restart

3. When you then create the collection configuration, enter the Syslog forwarding address and port from the rsyslog configuration file in Listening Address.