
Syslog Collector
A Windows syslog agent and server

Introduction to syslog collector

The goal of the Syslog Collector architecture designed by LUTEUS is to provide a scalable solution for handling huge quantities of syslog messages and to help administrators filter and browse them. Alarms can be raised on critical or severe messages. With the syslog collector agent you can collect syslog messages, filter them in real time, and browse and search log files. With the syslog manager provided in LoriotPro you can apply filter rules to syslog agents from a single location.

Syslog provides the transport and storage mechanisms for event notification messages, in the form of logs. Syslog is a de-facto standard, defined by RFC3164, for logging system events. It was initially used by Unix systems (the Unix syslog daemon syslogd) and later by network devices (router syslog, switch syslog, firewall syslog). It is very efficient in a Cisco device architecture for collecting PIX syslog and the Cisco syslog generated by routers and switches.

The product has been designed to address the following issues:

- The main issue that system and network managers have to face is the collection and processing of huge quantities of Syslog messages.
- They need detailed information on what is happening in their systems and network devices by turning on in-depth logging facilities.
- They want to receive critical messages immediately but also want to retrieve non-critical messages at a later time.
- They want to keep a trace of Syslog messages and be able afterwards to research specific events that could have occurred.
- They want a centralized system that can collect Syslog messages or Syslog files without using too much network bandwidth.
- They want to manage their Syslog infrastructure from a centralized manager.
- They want access security and control of the management solution.

Overview of the syslog console and the syslog file browser

[Figure: syslog collector]

Syslog collector architecture description

The architecture is built around two components: the syslog agents and the syslog manager. The syslog manager is a program running exclusively on our LoriotPro monitoring solution.

Syslog messages are collected by syslog agents called, in our terminology, Syslog Collector Agents. Syslog agents are designed to collect a large throughput of Syslog messages and to process them according to advanced filtering rules. Filtered messages can then be displayed on a viewer, the agent taking on the role of a simple Syslog server. Messages can be stored locally in files or forwarded to the central management system. Critical messages can be sent to the centralized management system either as LoriotPro proprietary-formatted event messages or as Syslog-formatted messages. Syslog agents can be cascaded to build a hierarchical architecture of Syslog message relays.
Syslog agents can be used as a standalone solution and act as a Syslog server or Syslog relay. Our LoriotPro NMS and the Syslog manager are not necessary in this case. Syslog filtering rules can be defined from the syslog agent GUI and applied. Actions taken on conditions defined in the syslog filtering rules can be displayed on a viewer, stored in files or forwarded to another Syslog server.

The Syslog Collector Manager is responsible for the management of the agents from a centralized location. Syslog filtering rules are defined on the manager and pushed to the agent. The manager is also able to retrieve a filter rule previously loaded onto an agent. Syslog filtering rules are stored in local text-only files.
The syslog agent manager is also able to upload Syslog files previously stored on the agent. The syslog files can be compressed on the fly during uploading, sparing precious bandwidth of WAN links or on-demand links. The manager works on top of our LoriotPro NMS as a Plug-In Service.
As we have stated previously, the messages sent by the Syslog Collector Agents can be in the LoriotPro event format. The LoriotPro Event Manager receives them and processes them. They are first displayed in the Event Log window and if necessary, they trigger actions based on predefined conditions. Actions can send messages, start programs, play sounds, etc.

A simple view of the concept behind our solutions is presented below.

[Figure: Syslog collector concept]

Devices with Syslog capabilities (routers, Unix systems, etc.) are configured to send their Syslog messages to the closest Syslog Collector Agent. The syslog agent filters syslog messages and forwards them either to the LoriotPro console or to a Syslog server. LoriotPro is necessary in order to have centralized management of filter rules. Filter rules are pushed to the agent after authentication.

The hierarchical and/or distributed concept of agents allows the administrator to design an architecture that fits their topological and network constraints. As in our example below with a two-level hierarchy of agents, Syslog messages are collected for a predefined area on the second level agents, then the most critical ones are forwarded to the first level agent for each country and finally they are forwarded to the central Syslog Server or LoriotPro Manager. Traffic is optimized and adapted to the network topology, WAN bandwidth is preserved and unnecessary messages having local significance are not forwarded to upper levels but stored locally.


About filter rules applied to Syslog Collector Agents

Filter rules are sets of filters gathered in a filter list. Each rule in the list is sequentially processed from top to bottom. A rule contains conditions and actions.

Possible conditions are:

- IP source and mask of the Syslog message sender. You can filter a single host or hosts pertaining to an IP network or sub-network.
- The facility type of the Syslog message. 23 types are defined by the RFC3164.
- The level of the message that helps to classify its severity.
- A first character string found anywhere or at a specified offset in the Syslog message body, and/or a second character string found anywhere or at a specified offset in the Syslog message body.

Possible actions are:

- No action is performed.
- The message is color customized and displayed in the agent's local Syslog Viewer.
- The message is saved on the agent's hard disk in a local file.
- The message is customized with a LoriotPro event number and severity level and forwarded to a LoriotPro event console.
- The message is simply forwarded to another Syslog Collector agent or a standard Syslog server.
- These last two actions can be triggered by a cumulative count of the same message.
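The rule engine described above (sequential top-to-bottom evaluation, conditions on source network, RFC3164 facility and severity, strings at an offset, and actions triggered by a cumulative count of the same message) as an added, runnable illustration; this is not LoriotPro's own code, and the dictionary-based rule format, the action names and the sample messages are assumptions made for the example.

```python
import ipaddress
import re

SAMPLE = [  # constructed (source IP, raw RFC 3164 line) pairs, not captured traffic
    ("10.1.2.3", "<34>Oct 11 22:14:15 fw01 %PIX-2-106001: Inbound TCP connection denied"),
    ("10.1.2.3", "<34>Oct 11 22:14:16 fw01 %PIX-2-106001: Inbound TCP connection denied"),
    ("192.168.5.7", "<189>Oct 11 22:14:20 sw02 %LINK-5-CHANGED: Interface Gi0/1 up"),
    ("10.1.9.9", "<13>Oct 11 22:15:00 host1 user: login ok"),
]
RULES = [  # hypothetical rule representation modelled on the page's conditions and actions
    {"name": "pix-critical", "net": "10.1.2.0/24", "facility": 4, "max_severity": 2,
     "strings": [("%PIX-", 21)], "action": "forward-to-loriotpro", "count": 2},
    {"name": "switch-links", "facility": 23, "strings": [("%LINK-", None)],
     "action": "save-to-file"},
]

def parse_pri(msg):
    """Decode the <PRI> prefix into (facility, severity); None if malformed."""
    m = re.match(r"^<(\d{1,3})>", msg)
    if not m or int(m.group(1)) > 191:
        return None
    return divmod(int(m.group(1)), 8)  # PRI = facility * 8 + severity

def rule_matches(rule, src_ip, msg):
    """All conditions present in the rule must hold for the message."""
    fs = parse_pri(msg)
    if fs is None:
        return False
    facility, severity = fs
    body = msg[msg.index(">") + 1:]
    if "net" in rule and ipaddress.ip_address(src_ip) not in ipaddress.ip_network(rule["net"]):
        return False
    if facility != rule.get("facility", facility) or severity > rule.get("max_severity", 7):
        return False
    for text, offset in rule["strings"]:  # offset None means anywhere in the body
        if not (text in body if offset is None else body.startswith(text, offset)):
            return False
    return True

def process(rules, src_ip, msg, counters):
    """Walk the rule list top to bottom and return the actions that fire."""
    fired = []
    for rule in rules:
        if not rule_matches(rule, src_ip, msg):
            continue
        if "count" in rule:  # fire only after N identical messages (timestamp ignored)
            key = (rule["name"], msg[msg.index(">") + 17:])
            counters[key] = counters.get(key, 0) + 1
            if counters[key] < rule["count"]:
                continue
        fired.append(rule["action"])
    return fired
```

Feeding SAMPLE through `process` with one shared `counters` dictionary fires nothing on the first PIX message, forwards the second (the count of 2 is reached), saves the switch message to file and ignores the host1 message.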

The filter editor:

[Figure: syslog filters]

The security issue
Security is a concern in a distributed solution. Agents should be managed and logs should be collected only by the authorized manager. Our solution provides a proprietary system-based authentication for preventing eavesdropping and piracy.

Prerequisite
If only one or a few collection points are needed and no hierarchically distributed management is necessary, agents performing as simple Syslog servers are sufficient. The Agent is Microsoft Windows-compatible software that runs on a simple PC. If you do not already own the LoriotPro supervision system from us, you will not have to buy one. You should choose the power of the PC according to your needs. If the quantity of Syslog messages to receive is huge, the PC must be adapted so that the throughput of the network interface can support it, the processor has to be fast and the memory well sized. If you are going to store the logging of messages in files, the hard disk space should be calculated according to the size of files generated daily.

If you want to benefit from the hierarchical concept of our product you will need the LoriotPro supervisor software and the Syslog Collector Manager. LoriotPro software runs on the Microsoft Windows operating system and provides a full management solution. The Syslog Collector Manager is a plug-in program of LoriotPro. A powerful workstation is necessary, 512 MB of RAM, gigabytes of disk space and a high-speed Pentium Pro processor or equivalent.

Licensing
The licensing of the Syslog Collector solution is quite simple. Each agent should have a license key. This key is also used for authentication in the Manager-to-Agent protocol. The manager is a free Plug-In available with LoriotPro. The Syslog Collector Manager works only with LoriotPro. LoriotPro is a complete but low-cost solution for system and network administration and supervision.

For Sales enquiry, please send email to sales@sstl.com.hk, or call us at +852 2152 8966.


Last modified: 09/13/13