NAV Wiki

User Tools

Site Tools

Trace: devel installing_from_source_on_debian
sysloganalyzer

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision		Previous revision
sysloganalyzer [2007/10/07 09:46] faltinsysloganalyzer [2009/03/25 14:00] (current) – update cisco log structure description and add more examples morten
Line 3: Line 3:
 {{tools:syslog-analyzer.png|}} The syslog analyzer lets you browse Cisco syslog messages that {{tools:syslog-analyzer.png|}} The syslog analyzer lets you browse Cisco syslog messages that
 are collected by the syslog deamon. Only Cisco syslog messages are supported. are collected by the syslog deamon. Only Cisco syslog messages are supported.
 +
 +
 +
  
  
Line 9: Line 12:
 A requirement for this tool is that a syslog daemon is running on your NAV machine collecting syslog messages from your Cisco gear. Unfortunately the NAV Syslog Analyzer only supports Cisco syslog messages, other messages will be ignored (an improvement is on our road map). A requirement for this tool is that a syslog daemon is running on your NAV machine collecting syslog messages from your Cisco gear. Unfortunately the NAV Syslog Analyzer only supports Cisco syslog messages, other messages will be ignored (an improvement is on our road map).
  
-We recommend that you in your syslog configuration log syslog messages from your network equipment to **two parallel** files, one that is read (and emptied) by NAV and another that is untouched by NAV. The latter can be inspected as usual from shell (you should rotate as you do with other ever-growing log files). The one that NAV reads and empties is configured in the ''etc/logger.conf'' file. It is the NAV background process [[backendprocesses#the_cisco_syslog_analyzer_logengine|logger]] that does this job. Every minute the log file is checked for new messages. If any, they are removed from the file, parsed and inserted into the NAV logger database. +We recommend that you in your syslog configuration log syslog messages from your network equipment to **two parallel** files, one that is read (and emptied) by NAV and another that is untouched by NAV. The latter can be inspected as usual from shell (you should rotate as you do with other ever-growing log files). The one that NAV reads and empties is configured in the ''nav/etc/logger.conf'' file. It is the NAV background process [[backendprocesses#logengine|logengine]] that does this job. Every minute the log file is checked for new messages. If any, they are removed from the file, parsed and inserted into the NAV logger database.  
  
 ===== Cisco syslog message semantics and the NAV logger database ===== ===== Cisco syslog message semantics and the NAV logger database =====
Line 28: Line 32:
 </code> </code>
  
-For given syslog message a description follow the message type giving further details. Also a time stamp is given and the device the message was received from. An example:+For any given syslog messagethe following are typically found after the syslog server's timestamp
  
 +  * The name of the originating device
 +  * A timestamp
 +  * The Cisco message type descriptor
 +  * The text of the message being logged
 +
 +[[devel:database#the_logger_database|The NAV logger database]] models this structure. 
 +
 +Some valid examples are:
 <code> <code>
 May 27 08:32:58 mtfs-sw.ntnu.no 2002 May 27 08:32:53 MET +02:00 %CDP-4-NVLANMISMATCH:Native vlan mismatch detected on port 4/2 May 27 08:32:58 mtfs-sw.ntnu.no 2002 May 27 08:32:53 MET +02:00 %CDP-4-NVLANMISMATCH:Native vlan mismatch detected on port 4/2
 +Feb  8 12:58:40 158.38.0.51 316371: Feb  8 12:58:39.873 MET: %SEC-6-IPACCESSLOGDP: list 112 permitted icmp 158.38.60.10 -> 158.38.12.5 (0/0), 1 packet
 +Mar 25 10:54:25 somedevice 72: AP:000b.adc0.ffee: *Mar 25 10:15:51.666: %LINK-3-UPDOWN: Interface Dot11Radio0, changed state to up
 +</code>
 +
 +Incidentally, the log parsing engine has a bug in NAV versions prior to NAV 3.5.3, which cause it to crash if the following format is used (i.e. a year in the originating device's timestamp):
 +<code>
 +Mar 20 10:27:26 sw_1 607977: Mar 20 2009 10:20:06: %SEC-6-IPACCESSLOGP: list fraVLAN800 denied tcp x.x.x.x(1380) -> y.y.y.y(80), 2 packets
 </code> </code>
  
-See [[devel:database#the_logger_database|details on the NAV logger database]]. 
  
 ===== The Syslog Analyzer front-end tool ===== ===== The Syslog Analyzer front-end tool =====
  
-The Syslog Analyzer presents a search form where you can retrieve information you are interested in. You may in example see all message the last 24 hours that are of severity 3, or that has been received from a given switch. In the result each message type from a given source box is listed with the number of occurrences seen on this particular message type. By clicking on the number of occurrences further details will be listed.+The Syslog Analyzer presents a search form where you can retrieve information of your interest. You may for example see all messages the last 24 hours that are of severity 3, or that has been received from a given switch. In the presented result each message type from a given source box is listed with the number of occurrences seen for this particular message type. By clicking on the number of occurrences further details will be listed.
  
 If there are cases of parsing errors, you can see these (i.e. where the logger process is not able to understand the message). If there are cases of parsing errors, you can see these (i.e. where the logger process is not able to understand the message).
sysloganalyzer.1191750372.txt.gz · Last modified: by faltin
Donate Powered by PHP Valid HTML5 Valid CSS Driven by DokuWiki