Syslog configuration

rsyslog requirements

Before ingesting rsyslog log files, both rsyslog and IBM® Operations Analytics - Log Analysis must be configured to ensure that rsyslog log files are output in a format that can be processed by IBM Operations Analytics - Log Analysis Syslog Insight Pack.

Add the scalaLogFormat template to rsyslog:

• For rsyslog 7 and higher, which support the list format:
  1. Open the /etc/rsyslog.conf for edit.
  2. Add the following template:

     template(name="scalaLogFormat" type="list") {
     		property(name="timestamp" dateFormat="rfc3339")
     		constant(value=" host=")
     		property(name="hostname")
     		constant(value=", relayHost=")
     		property(name="fromhost")
     		constant(value=", tag=")
     		property(name="syslogtag")
     		constant(value=", programName=")
     		property(name="programname")
     		constant(value=", procid=")
     		property(name="procid")
     		constant(value=", facility=")
     		property(name="syslogfacility-text")
     		constant(value=", sev=")
     		property(name="syslogseverity-text")
     		constant(value=", appName=")
     		property(name="app-name")
     		constant(value=", msg=")
     		property(name="msg" )
     		constant(value="\n")
             }

     The generated log record is formatted as

     2013-07-15T21:30:37.997295-04:00 host=co052065, relayHost=co052065, 
     tag=rhnsd[12171]:, programName=rhnsd, procid=12171, facility=daemon, 
     sev=debug, appName=rhnsd, msg= running program /usr/sbin/rhn_check

  3. Associate the scalaLogFormat template with the log files to be ingested by IBM Operations Analytics - Log Analysis. It will log all log entries to <filename> in addition to any other associations in the configuration file. For example:

     *.*           /var/log/<filename>.log;scalaLogFormat

  4. Restart the rsyslog daemon.

     Refer to the rsyslog documentation http://rsyslog.com/doc for more information.

  5. Ensure that the output file created for IBM Operations Analytics - Log Analysis can be read by your IBM Operations Analytics - Log Analysis user, and write that file directly to the monitored logsource directories.

     For example:

     *.* <HOME>/logsources/SyslogInsightPack 
     SCALA.log;scalaLogFormat

• For versions of rsyslog older than version 7:
  1. Open the /etc/rsyslog.conf for edit.
  2. Add the following template (legacy format):

     $template scalaLogFormat,"%TIMESTAMP:::date-rfc3339% host=%HOSTNAME%, 
     relayHost=%FROMHOST%, tag=%syslogtag%, programName=%programname%, 
     procid=%PROCID%, facility=%syslogfacility-text%, sev=%syslogseverity-text%, 
     appName=%APP-NAME%, msg=%msg%\n"

     The generated log record is formatted as

     2013-07-15T21:30:37.997295-04:00 host=co052065, relayHost=co052065, 
     tag=rhnsd[12171]:, programName=rhnsd, procid=12171, facility=daemon, 
     sev=debug, appName=rhnsd, msg= running program /usr/sbin/rhn_check

  3. Associate the scalaLogFormat template with the log files to be ingested by IBM Operations Analytics - Log Analysis. It will log all log entries to <filename> in addition to any other associations in the configuration file. For example:

     *.*           /var/log/<filename>.log;scalaLogFormat

  4. Restart the rsyslog daemon.

     Refer to the rsyslog documentation http://rsyslog.com/doc for more information.

  5. Ensure that the output file created for IBM Operations Analytics - Log Analysis can be read by your IBM Operations Analytics - Log Analysis user, and write that file directly to the monitored logsource directories.

     For example:

     *.* <HOME>/logsources/SyslogInsightPack SCALA.log;scalaLogFormat

For more information about rsyslog configuration files, see: http://www.rsyslog.com/doc/rsyslog_conf.html

Configuration artifacts

Log File Agent configuration

Splitting and annotation AQL modules