OMS – Linux Agent Send Remote Syslog Messages to OMS

image

As you know OMS can receive syslog messages from its Linux agents. Well this is nothing special anymore, but there might be use cases where you cannot install a Linux agent or you might have some network devices which need to send syslog messages to OMS because you want to do some deep inspection of the data. How would you handle such situation? Well, one way would be to configure a centralized syslog server. This means you “promote” a Linux server as syslog server and this will be the “target” node for the other devices / systems. After that, configure the surrounding systems to “shoot” their events to the syslog server. I will show you how to do that in this demo.

overview

The Linux agents supports e.g. rsyslog or syslog-ng uploading all events from all facilities with a severity of warning or higher. In my example I will use SUSE Enterprise Server  12 which hast rsyslog installed. The default collected event configuration looks like this…

image

I have installed two Linux systems, SUSE01 and SUSE02. SUSE01 is acting as syslog server, collecting all the events and sending it to OMS. SUSE02 is configured as “client” which will send the events to SUSE01. How did I do that? Let’s see first we will configure SUSE02 (client).

I will not show you how to install Linux nor how to install the OMS Linux agent, because there are enough posts on the internet. Make sure your firewall is also configured for the required ports.

OMS

First you need to prepare your OMS workspace. In OMS you need to configure what facility you would like to get into your workspace. Make sure you configured your workspace, where you have your agent connected to, according to your need. If you need help, check this article here. In my case I added user and local7 facility to my workspace and deployed it to my agents…imageAfter that, we are ready to configure SUSE02 (client).

SUSE02

There is only one file you need to configure to send the events to a remote computer.

It is located in /etc/rsyslog.d/remote.conf

image

Uncomment the line above and set the IP of your syslog server. In this case it is 192.168.32.18 depending on your requirements, it is also possible to send the messages via TCP which is a more reliable way of  sending a large amount of events. We are using for demo purposes only UDP port 514.

Notice the format is *.* @192.168.32.18:514

Next save the file and restart the syslog daemon…

service rsyslog restart 

Now we are going to configure SUSE01 (syslog server).

SUSE01

Per default the rsyslog daemon is running, we can check running, which process is using the file…

lsof /var/log/messages

image

SUSE01 has already the OMS agent installed and it is up and running…

service omsagent status

image

For receiving syslog messages we need to modify the same file as for SUSE02, it is located in /etc/rsyslog.d/remote.conf. There we need to uncomment just few lines as well. The first lines loads the module and the second line defines the port listing on…

imageNext save the file and restart the syslog daemon…

service rsyslog restart 

Testing

Now we are ready to fire some test events. On SUSE02 we run a test command….

logger –p “user.warning” “I am so cool”

image

Start monitoring the syslog on SUSE01 by running the command…

tail –f /var/log/messages

and immediately the event is written from SUSE02 to SUSE01 log…

image

In OMS we run the following query…

Type=Syslog

…and the result is immediately visible…

image

This is one way how to get syslog data from all sorts of devices into OMS. Cool!

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s