Miran Arsalan Sleman (Trusted Contributor)

pulling Linux Syslog from many remote servers

Hello,

I want to pull syslog from Linux machines. I have 10 remote Linux servers and I just want to create a single connector to get all the logs. I need an idea for getting all the Linux servers' logs with a pull method instead of pushing to the connector.

I appreciate your support.


Regards,

Miran.

Knowledge Partner

Re: pulling Linux Syslog from many remote servers

Hi,
What part of pushing the logs is not acceptable or possible for you? Knowing that may give some options.

You could look at mounting the target /var/log/ folders via NFS / SCP etc. and grabbing the events that way, but I would worry that you would need to be connecting with root-equivalent permissions to make it work.

Alternatively, you could mount the target servers' logging directory onto a SAN / shared area and pick it up from there?

None of these are great solutions, though, and would require more work / permissions than either configuring syslog to send to a remote server or installing an ArcSight or other agent to do the work.

mschleich (Acclaimed Contributor)

Re: pulling Linux Syslog from many remote servers

Hi Miran,

If your issue is not losing events when the connector is down, you could now use the LB ArcSight solution.

What we have internally is a syslog server repository that receives all Unix logs of all servers, and from there we send them to a syslog LB of 3, 4, or 5 Syslog Connectors over TCP.

It works perfectly.

If you have any questions, do not hesitate to contact me.

A similar solution would be to use your Balabit syslog server (that you manage) with a specific retention, and then push logs to the Syslog LB SmartConnectors. You could resend logs if necessary!

For pulling Unix logs, I don't think it would be easy, but you could try a file reader of the message logs.
In Linux everything is a file, thus you could do it, but it won't be easy, as you would have to build a very complex flex parser compared to what already exists using syslog.

I am also interested to know why you absolutely need to pull those logs.

Thanks
Regards

Michael

Miran Arsalan Sleman (Trusted Contributor)

Re: pulling Linux Syslog from many remote servers

Hello Michael,

Good to hear from you.

I want to pull the logs because the Linux servers will face a performance impact if we enable syslog on them. That is why I want to pull the syslog from some of the Linux servers.

I wanted to use the SCP command with a cron scheduled job to copy the file and overwrite it every 3 minutes. I also have one more option: to use NFS to mount the directory.


Regards,

Miran.
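The SCP-plus-cron approach described in this reply re-copies the whole file every 3 minutes and, as the first reply noted, tends to be run as root. The script below is an added example (not code from anyone in this thread) of the same pull idea done incrementally and without root: it keeps a per-host byte offset and inode, fetches only the bytes appended since the last run over SSH, and restarts from zero when the log is rotated. It assumes a read-only account named `logreader` on each target that can read the log (on Debian-style systems, membership in group `adm` is enough for `/var/log/syslog`), key-based login with the `restrict` option in `authorized_keys`, and an install path of `/usr/local/bin/logpull.sh`; all of those names are assumptions for the example. Setting `LOCAL_TEST=1` makes it operate on a local file so the logic can be exercised without any remote server.

```shell
#!/bin/sh
# Incremental syslog pull over SSH with per-host offset and inode tracking.
# Added example for this thread, not code from the original posts.
# Assumptions (not from the thread):
#   - each target has a read-only account "logreader" that can read the log
#     (on Debian-style systems, membership in group "adm" suffices for
#     /var/log/syslog; check with: ls -l /var/log/syslog)
#   - key-based login, with the "restrict" option on the key in
#     authorized_keys so it allows no PTY, agent or port forwarding
#   - installed as /usr/local/bin/logpull.sh and run from cron every 3 min:
#       */3 * * * * /usr/local/bin/logpull.sh srv01 srv02 srv03
set -eu

STATE_DIR="${STATE_DIR:-/var/lib/logpull}"   # one offset file per host
OUT_DIR="${OUT_DIR:-/var/log/pulled}"        # one appended log per host
REMOTE_LOG="${REMOTE_LOG:-/var/log/messages}"
LOCAL_TEST="${LOCAL_TEST:-}"                 # set to run commands locally

# Run a command string on a host. With LOCAL_TEST set it runs locally, so the
# logic can be exercised against an ordinary file without a remote server.
remote_run() {
    host="$1"; cmd="$2"
    if [ -n "$LOCAL_TEST" ]; then
        sh -c "$cmd"
    else
        ssh -o BatchMode=yes -o ConnectTimeout=10 "logreader@$host" "$cmd"
    fi
}

# Pull only the bytes written since the last run and print how many were
# pulled. Rotation is detected by a changed inode or a shrunken file; in that
# case the pull restarts from byte 0 of the new file.
pull_host() {
    host="$1"
    state="$STATE_DIR/$host.offset"
    out="$OUT_DIR/$host.log"
    mkdir -p "$STATE_DIR" "$OUT_DIR"

    prev_inode=""; prev=0
    if [ -f "$state" ]; then
        read -r prev_inode prev < "$state"
    fi

    # One round-trip: inode number on line 1, size in bytes on line 2.
    meta=$(remote_run "$host" "ls -i '$REMOTE_LOG' | awk '{print \$1}'; wc -c < '$REMOTE_LOG'")
    inode=$(printf '%s\n' "$meta" | sed -n 1p)
    size=$(printf '%s\n' "$meta" | sed -n 2p | tr -d ' ')

    if [ "$inode" != "$prev_inode" ] || [ "$size" -lt "$prev" ]; then
        prev=0   # rotated or truncated: treat it as a new file
    fi

    want=$((size - prev))
    if [ "$want" -gt 0 ]; then
        # tail -c +N starts at byte N (1-based); head -c caps the read at the
        # size just measured, so lines appended meanwhile are not pulled twice.
        remote_run "$host" "tail -c +$((prev + 1)) '$REMOTE_LOG' | head -c $want" >> "$out"
    fi
    echo "$inode $size" > "$state"
    echo "$want"
}

for h in "$@"; do
    pull_host "$h"
done
```

Two caveats worth knowing before relying on this: bytes written to the old file between the last pull and a rotation are not fetched (pulling the tail of the rotated file, e.g. `messages.1`, on an inode change would close that gap), and because the target's own syslog daemon is still writing the file, the "performance impact" this avoids is only the outbound forwarding, not the logging itself.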

mschleich (Acclaimed Contributor)

Re: pulling Linux Syslog from many remote servers

Hi Miran,

A good alternative that we have tried for other syslog logs from SSO Unix servers is to use the Snare Epilog Agent.

Very easy to install and configure, it is a file reader that forwards logs in syslog directly to a Syslog Daemon ArcSight SmartConnector. Very low resource impact. You have a web GUI that can be enabled/disabled to access the config or to see the logs forwarded in real time.

We have used this solution because the system owner already used the internal default syslog and didn't want us to use it. This is why we are using the Epilog agent.

If you are interested in this solution, do not hesitate to ask me.

Thanks
Regards

Michael
