Using Sentinel Collectors as Syslog Servers



By: coolguys

November 14, 2007 4:49 am


Problem

A Forum reader recently asked:

“Are the Sentinel collectors capable of acting as a syslog server to collect the log? Or do we need a 3rd-party syslog server to perform that activity?”

And here’s the reply from Oscar Castro …

Solution

Sentinel 5.1.3 has a Syslog server that is actually a syslog proxy. You can find it on SENTINEL_HOME/wizard/syslog, but you have to install it by running the appropriate command:

syslog-server.sh (install for Linux or Solaris)
syslog-server.bat (install for Windows)

Additionally, you have to configure SyslogConnectorAgent.sh or SyslogConnectorAgent.bat for communication. This process is the one you configure on the port on the collector manager. Don’t forget to start the service “Sentinel Syslog Server” after the installation, because it doesn’t start automatically on either UNIX or Windows. In the wizard documentation you can find more information about the syslog server.

If you are using Sentinel 6, the syslog server installs itself by importing a syslog connector plug-in and configuring a new collector that uses a syslog connector, with all the parameters put there.

In the live view you can see the syslog server, and you can start it and stop it as you want.

David Corlette adds:

Technically speaking, the Sentinel v6 Syslog Connector has two parts: the syslog server (called an “Event Source Server” [ESS]) and the Connector itself. When you deploy the Connector, you are also asked to deploy an ESS. The Server listens on a configurable UDP, TCP, or SSL port (it’s actually a generalized socket server), and you can have more than one ESS if you have multiple streams of inbound data. Events received on that port are placed in a buffer.

The Connector connects to the buffer and requests events that match a specific filter, defined when you configure the Connector. Note that in some cases if you “mix” events from different sources (SLES and Solaris, say) into one Syslog ESS, it can be difficult to separate the streams again and send them to the appropriate Collector. To solve this, set up multiple ESS’s listening on different ports and configure each type of Event Source to send data to a different ESS/Connector/Collector.
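The one-listener-per-source-type layout described above, as an added example that is not part of the original replies and is not Sentinel code: each stand-in listener owns its own UDP port, so events are separated by the port they arrived on rather than by parsing near-identical message text. The class name, function names, labels and sample messages are hypothetical.

```python
import select
import socket
from collections import defaultdict

class EventSourceServer:
    """Stand-in for one syslog ESS: a UDP listener with its own port and label."""
    def __init__(self, label, host="127.0.0.1", port=0):
        self.label = label
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        self.sock.bind((host, port))      # port 0: the OS picks a free port
        self.port = self.sock.getsockname()[1]

    def close(self):
        self.sock.close()

def drain(servers, expected, timeout=2.0):
    """Read `expected` datagrams and bucket them by the ESS that received them."""
    by_sock = {s.sock: s for s in servers}
    buffers = defaultdict(list)
    received = 0
    while received < expected:
        ready, _, _ = select.select(list(by_sock), [], [], timeout)
        if not ready:
            break                         # UDP is lossy; stop rather than hang
        for sock in ready:
            data, _addr = sock.recvfrom(4096)
            buffers[by_sock[sock].label].append(data.decode("utf-8", "replace"))
            received += 1
    return dict(buffers)

def demo():
    sles, solaris = EventSourceServer("sles"), EventSourceServer("solaris")
    # Constructed sample messages; hostnames and text are made up.
    samples = [
        (sles.port, "<38>Nov 14 04:49:01 lnx01 sshd[2211]: Accepted password for root"),
        (solaris.port, "<38>Nov 14 04:49:02 sun01 sshd[419]: Accepted password for root"),
        (sles.port, "<86>Nov 14 04:49:03 lnx01 su: (to root) admin on /dev/pts/0"),
    ]
    sender = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        for port, msg in samples:
            sender.sendto(msg.encode(), ("127.0.0.1", port))
        return drain([sles, solaris], expected=len(samples))
    finally:
        sender.close(); sles.close(); solaris.close()

if __name__ == "__main__":
    for label, events in demo().items():
        print(label, len(events))
```

The two sshd lines differ only in hostname and PID, which is the case where sorting a mixed stream by content becomes fragile and sorting by arrival port does not.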


Disclaimer: As with everything else at NetIQ Cool Solutions, this content is definitely not supported by NetIQ, so Customer Support will not be able to help you if it has any adverse effect on your environment.  It just worked for at least one person, and perhaps it will be useful for you too.  Be sure to test in a non-production environment.
