How do I configure Security Manager to monitor a generic single-line text log or Syslog? (NETIQKB8595)

  • 7708595
  • 02-Feb-2007
  • 07-Jun-2007

Resolution

goal
How do I configure Security Manager to monitor a generic single-line text log or Syslog?

goal
How do I configure Security Manager to receive syslog messages?

fact
Security Manager 4.X

fact
Security Manager 5.X

fix

In order to monitor a single-line text log, you must first create a new custom Application Log Monitor Provider and then create a Collection Processing Rule to collect the logs. You can create a data provider for a generic single-line text log and syslog based on the application log data provider. The application log data provider provides a mechanism to parse logs using the following methods:

  • delimiter-based parsing
  • regular expression-based parsing

When you create an application log data provider, you can identify field delimiters, such as the comma character (,), used to separate parameters in the log file. Specifying field delimiters allows Security Manager to retrieve individual parameters from a single-line application log file.
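As an added illustration of the two parsing methods described above (example code written for this page, not part of the KB article or of Security Manager itself), the script below applies delimiter-based parsing to a constructed comma-separated application log line and regular-expression-based parsing to a constructed BSD-style syslog line; the sample lines, the field names and the regular expression are assumptions chosen for the example.

```python
import re
from typing import Dict, Optional

# Constructed sample lines (not taken from the KB article): one comma-delimited
# application log line and one BSD-style syslog line carrying a <PRI> header.
APP_LOG_LINE = "2007-02-02 10:15:32,ERROR,webapp01,Login failed for user jdoe from 10.0.0.5"
SYSLOG_LINE = "<34>Feb  2 10:15:32 fw01 kernel: Denied TCP 10.0.0.5:4432 -> 192.0.2.10:22"

# Field names assumed for the example; they play the role of the log file
# parameters you would name on the provider's Parsing window.
APP_FIELDS = ["timestamp", "severity", "host", "message"]


def parse_delimited(line: str, delimiter: str = ",", fields=APP_FIELDS) -> Dict[str, str]:
    """Delimiter-based parsing. maxsplit keeps a delimiter that appears inside
    the final free-text field from producing extra, unnamed columns."""
    parts = line.split(delimiter, len(fields) - 1)
    if len(parts) != len(fields):
        raise ValueError("expected %d fields, got %d" % (len(fields), len(parts)))
    return dict(zip(fields, (p.strip() for p in parts)))


# Assumed pattern for a BSD syslog line: <PRI>, timestamp, host, tag[pid]: message.
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<timestamp>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<tag>[^:\s\[]+)(?:\[(?P<pid>\d+)\])?: ?"
    r"(?P<message>.*)$"
)


def parse_syslog(line: str) -> Optional[Dict[str, object]]:
    """Regular-expression-based parsing. Returns None for a line that does not
    match (or carries an out-of-range PRI), so a malformed line is flagged for
    review instead of being silently mis-parsed into the wrong fields."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    rec: Dict[str, object] = m.groupdict()
    pri = int(rec.pop("pri"))
    if pri > 191:  # facility 0-23 * 8 + severity 0-7 caps PRI at 191
        return None
    rec["facility"] = pri // 8
    rec["severity"] = pri % 8
    return rec
```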

To create a data provider for a generic single-line log file or syslog:

  1. Start the Development Console.
  2. In the left pane, expand 'Security Manager Development Console'.
  3. In the left pane, expand 'Advanced'.
  4. In the left pane, click Providers.
  5. On the 'Action' menu, click New | Provider.
  6. On the 'Select Data Provider Type' window, click Application Log and then click Next.
  7. If you are creating a data provider for syslog, complete the following steps:

    1. On the 'Log Type' window, select Syslog port, and then click Next.
    2. Specify the port number. Syslog uses port 514, by default.

      NOTE:
      If you are creating a data provider for syslog from UNIX or a firewall, ensure each computer or device sends syslog events to a separate Security Manager agent computer. You can have an agent accept syslog messages for multiple devices ONLY IF each type of device uses a different port. For example, if you have two firewalls from the same manufacturer, you can configure both firewalls to send to the same agent on the same port. You also need to create and configure a separate provider for each port, using the same port number as the devices that send to it. This requires each computer/device to be able to send syslog to a port other than the default port of 514.

  8. If you are creating a data provider for a generic single-line text log, complete the following steps:

    1. On the 'Log Type' window, select Generic single-line log file, and then click Next.
    2. On the 'Directories' window, click Add.
    3. On the 'Directory Edit' window, specify the command location, format, and file pattern, and then click Next.  The file pattern provides Security Manager with the file name convention for each generated log file.  For example, an application may include a sequential number in its log file names, such as error*.log.  For more information about window options, click Help.
  9. If you want to specify parsing instructions, complete the following steps:

    1. On the 'Parsing' window, select Enable Parsing.
    2. If you want to specify delimiter-based parsing instructions, select Use basic parsing instructions, and then complete the appropriate delimiter and log file parameter information.  For more information about window options, click Help.
  10. Click Next.
  11. On the Name window, specify a provider name and then click Finish.

The next step is to create a Collection Processing Rule to collect the logs. See NETIQKB33631 to configure Security Manager to process syslog messages.



Additional Information

Formerly known as NETIQKB8595