sysloganalyzer
Differences
This shows you the differences between two versions of the page.
| Both sides previous revision Previous revision Next revision | Previous revision Last revision Both sides next revision | ||
|
sysloganalyzer [2007/10/07 09:24] faltin |
sysloganalyzer [2007/10/08 20:44] faltin |
||
|---|---|---|---|
| Line 4: | Line 4: | ||
| are collected by the syslog deamon. Only Cisco syslog messages are supported. | are collected by the syslog deamon. Only Cisco syslog messages are supported. | ||
| - | See further explanation in [[http://metanav.uninett.no/static/reports/NAVMore.pdf|NAVMore ch 2.4]] (in Norwegian). FIXME. | + | |
| + | |||
| + | |||
| + | |||
| + | ===== The back-end ===== | ||
| A requirement for this tool is that a syslog daemon is running on your NAV machine collecting syslog messages from your Cisco gear. Unfortunately the NAV Syslog Analyzer only supports Cisco syslog messages, other messages will be ignored (an improvement is on our road map). | A requirement for this tool is that a syslog daemon is running on your NAV machine collecting syslog messages from your Cisco gear. Unfortunately the NAV Syslog Analyzer only supports Cisco syslog messages, other messages will be ignored (an improvement is on our road map). | ||
| - | We recommend that you in your syslog configuration log syslog messages from your network equipment to **two parallel** files, one that is read (and emptied) by NAV and another that is untouched by NAV. The latter can be inspected as usual from shell (you should rotate as you do with other ever-growing log files). The one that NAV reads and empties is configured in the ''etc/logger.conf'' file. It is the NAV background process [[backendprocesses#the_cisco_syslog_analyzer_logengine|logger]] that does this job. Every minute the log file is checked for new messages. If any, they are removed from the file, parsed and inserted into the NAV logger database. | + | We recommend that you in your syslog configuration log syslog messages from your network equipment to **two parallel** files, one that is read (and emptied) by NAV and another that is untouched by NAV. The latter can be inspected as usual from shell (you should rotate as you do with other ever-growing log files). The one that NAV reads and empties is configured in the ''nav/etc/logger.conf'' file. It is the NAV background process [[backendprocesses#logengine|logengine]] that does this job. Every minute the log file is checked for new messages. If any, they are removed from the file, parsed and inserted into the NAV logger database. |
| - | The logger database takes advantage of the fact that Cisco syslog messages have a predefined structure. Briefly explained a Cisco message type consists of three elements with hyphen (-) betwwen. The three elements are: | + | |
| - | In your syslog | + | ===== Cisco syslog message semantics and the NAV logger database ===== |
| + | |||
| + | The NAV logger database takes advantage of the fact that Cisco syslog messages have a predefined structure. Briefly explained a Cisco message type consists of three elements interconnected with hyphen (-). The three elements are: | ||
| - Area/topic | - Area/topic | ||
| Line 32: | Line 38: | ||
| </code> | </code> | ||
| - | NAV sysloganalysator utnytter strukturen og splitter opp meldingene og | + | [[devel:database#the_logger_database|The NAV logger database]] models this structure. |
| - | legger dem inn i en database (navlog). Vi har også adoptert samme feilmeldingssystem | + | |
| - | for NAV sine egne feilmeldinger5. Databasen inneholder | + | |
| - | derfor både cisco-meldinger og nav-meldinger (tabellen system indikerer | + | ===== The Syslog Analyzer front-end tool ===== |
| - | opphav). Det er totalt fem tabeller i navlog, de er vist med felter og | + | |
| - | relasjoner på figur 2. | + | The Syslog Analyzer presents a search form where you can retrieve information of your interest. You may for example see all messages the last 24 hours that are of severity 3, or that has been received from a given switch. In the presented result each message type from a given source box is listed with the number of occurrences seen for this particular message type. By clicking on the number of occurrences further details will be listed. |
| + | |||
| + | If there are cases of parsing errors, you can see these (i.e. where the logger process is not able to understand the message). | ||
| + | |||
| + | ===== Configuration ===== | ||
| + | |||
| + | In ''etc/logger.conf'' you can define: | ||
| + | |||
| + | * path to the syslog file. | ||
| + | * character set of syslog file (i.e. ISO-8859-1). | ||
| + | * the number of days messages of a given priority should be stored in the database. | ||
| + | * priority exceptions: This can be useful in cases were you disagree with the predefined severity given by Cisco. A given message type may be given a higher or lower priority, as you define. | ||
| + | |||
| + | |||
| + | |||
| + | |||
| + | |||
sysloganalyzer.txt · Last modified: 2009/03/25 14:00 by morten
Page Tools
