How can one save incoming events while tuning Syslog monitor?
Q: I cannot properly filter Syslog events until I see them. Is there any way to log those events?
A: Yes, one can use a Python script to save Syslog monitor events (a separate file for every host). Please follow the instructions below.
Download the sample Python script
The script can be used as a prototype to save Syslog events and store them for further inspection. The instructions below assume the following:
- Script (store-syslog.py) is placed into C:\Scripts folder
- Log files are written to C:\Scripts\logs folder
Create both folders, or change the corresponding paths in the instructions below. Note: the SYSTEM account must be able to create files in, and write to, the C:\Scripts\logs folder.
Unpack the store-syslog.py script (1391 bytes) from the above archive and place it into the C:\Scripts folder.
Create an alert and alerting rule to process Syslog events
Start the IPHost GUI client and open a new Alert editor (“Settings > Alerts”, click “New”):
Click “New > New Simple Action > Execute Python script”.
Fill in the new Python script fields as shown below:
Explanation:
Path: the location of the script (it must be readable by the SYSTEM account).
Arguments: the only argument is the folder in which the log files should be created. Make sure it ends with a backslash (‘\’).
Input data: enter two lines, each on its own line:
$EventDetails
EOF
(press “Enter” after each line). The “$EventDetails” variable is expanded into the actual Syslog data received before the script is called; the “EOF” line tells the script where the event data ends.
Click “OK”.
Create a new Alerting rule (“Settings > Alerting Rules > New”). Fill the fields like below:
(i.e., only use “Event Alert”; leave the others at “do not report”)
Click “OK”.
Assign the alerting rule and test the script
Select a Syslog monitor, open its “Alerting” tab and assign the newly created “Save syslog data” alerting rule:
Click “Save”.
Launch the Syslog monitor (or Stop and Start it). If everything has been set up correctly, a new log file named “IPAddress.syslog.txt” will be created in the logs folder (C:\Scripts\logs in the above example), where “IPAddress” is the numeric IP address of the host that sent the Syslog event.
For example, if the host IP is 10.20.30.40, then the log file will be named
10.20.30.40.syslog.txt
The above file will hold entries looking like the one below:
[Entry added: 2018-10-02 11:09:05.315315] IP: 192.168.122.30 Is RFC 5424: 0 Host: hostname Application (tag): Process Id: -1 Message Id: Severity level: INFO Facility: user Date and time: Structured data: Message: root: Test message 3
If you only need some of the above fields, feel free to edit store-syslog.py as required.
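The following is an added example of a script with the behaviour described in this answer; it is not the store-syslog.py from the archive above and is not IPHost's own code. It assumes that “$EventDetails” expands to one “Label: value” line per field (IP, Host, Severity level and so on, in the same shape as the sample entry above), followed by the “EOF” line, and that the single argument is the logs folder. The SAMPLE_EVENT data is constructed for illustration. One check worth keeping even if you trim the fields: the IP taken from the event is validated with the ipaddress module before it becomes part of a file name, so a malformed field can never steer the log file outside the logs folder.

```python
import ipaddress
import os
import re
import sys
import tempfile
from datetime import datetime

# Terminator line configured in the alert's "Input data" field (the line after $EventDetails).
END_MARKER = "EOF"
# The sender address is located by its field label; the value is validated before use.
IP_FIELD = re.compile(r"\bIP:\s*(\S+)")

# Constructed sample of what $EventDetails is assumed to expand to (one "Label: value"
# line per field, then the EOF marker). Not captured from a real IPHost installation.
SAMPLE_EVENT = (
    "IP: 192.168.122.30\n"
    "Is RFC 5424: 0\n"
    "Host: hostname\n"
    "Severity level: INFO\n"
    "Facility: user\n"
    "Message: root: Test message 3\n"
    "EOF\n"
)


def read_event(stream):
    """Collect non-empty lines from `stream` up to (not including) the EOF marker."""
    lines = []
    for raw in stream:
        line = raw.rstrip("\r\n")
        if line.strip() == END_MARKER:
            break
        if line.strip():
            lines.append(line)
    return lines


def extract_ip(lines):
    """Return the sender IP as a canonical string, or None if it is missing or invalid.

    ipaddress.ip_address() accepts only a real IPv4/IPv6 address, so only such a
    value can ever become part of the log file name (no '..\\..\\name' style values).
    """
    match = IP_FIELD.search(" ".join(lines))
    if not match:
        return None
    try:
        return str(ipaddress.ip_address(match.group(1)))
    except ValueError:
        return None


def format_entry(lines, now=None):
    """Render one entry in the shape of the sample entry above.

    `now` may be a datetime or a pre-formatted timestamp string; defaults to datetime.now().
    """
    stamp = now or datetime.now()
    return "[Entry added: {}] {}\n".format(stamp, " ".join(lines))


def store_event(logs_dir, lines, now=None):
    """Append the event to <logs_dir>/<IP>.syslog.txt; return the path, or None if no valid IP."""
    ip = extract_ip(lines)
    if ip is None:
        return None
    path = os.path.join(logs_dir, ip + ".syslog.txt")
    with open(path, "a", encoding="utf-8") as log:
        log.write(format_entry(lines, now))
    return path


def store_sample(logs_dir=None):
    """Run the pipeline on SAMPLE_EVENT (into a temp folder by default); return (file name, contents)."""
    logs_dir = logs_dir or tempfile.mkdtemp()
    lines = read_event(SAMPLE_EVENT.splitlines(keepends=True))
    path = store_event(logs_dir, lines)
    with open(path, encoding="utf-8") as log:
        return os.path.basename(path), log.read()


def main(argv):
    # IPHost passes the logs folder as the only argument and the event data on stdin.
    if len(argv) != 2:
        sys.stderr.write("usage: store-syslog.py <logs folder>\n")
        return 2
    path = store_event(argv[1], read_event(sys.stdin))
    if path is None:
        sys.stderr.write("event has no valid IP field; nothing stored\n")
        return 1
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Invoked as `python store-syslog.py C:\Scripts\logs\` with the event on standard input, the script appends one line per event to the per-host file; store_sample() runs the same code path on the constructed event and is only there so the behaviour can be checked without an IPHost installation.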
Note: configure the Syslog monitors to pass you only the data you actually need (the default settings accept all possible data). A real-life network device can easily send dozens of events a second, so make sure your IPHost installation has enough resources to handle the flow of Syslog events.
Note: if you are debugging a Syslog monitor (for example, when the required events are not being received), you might also consider running the IPHost monitoring service under an account other than SYSTEM (the default), in case you need an account with a real user profile.