Export Analytics System Logs to a Syslog Server
For supported software information, see the Supported Software Information section at the end of this article.
The nodes in an Analytics cluster generate system messages in syslog format. These messages include information about system operations, as described in RFC 5424, and are processed by the Ubuntu rsyslogd daemon on the nodes. You can configure Analytics nodes to export these messages to an external syslog server.
Syslog Selectors
To identify which logs to export to an external syslog server, you configure a list of selectors. A selector is a match criterion that consists of a facility and a level. The facility is the operating system service that generates the log. The level identifies the severity of the log, as described in RFC 5424. You configure a separate selector list for each external syslog server.
When the rsyslogd daemon receives a log from any facility, it compares the log to the selectors in the lists. If the log matches a facility in any selector, and is set to the listed severity level or higher, rsyslogd exports the log to the syslog server.
To add a selector to a selector list for a syslog server, issue the set system syslog CLI command. The selector identifies a facility and level of logs to be exported. For example, to export alert level logs from the auth facility to the syslog server at IP address 10.48.189.23, you can configure a selector and assign it ID number 1 by issuing the following command:
admin@Search1% set system syslog server 10.48.189.23 selector 1 facility-list [ auth ] level alert
To display the current selector lists, issue the show system syslog CLI command. Note that in the following example, there is only one selector list.
admin@Search1% show system syslog
server 10.48.189.23 {
    selector 1 {
        level alert;
        facility-list [ auth ];
    }
}
You can add more selectors to the list by issuing additional set system syslog commands. The following example adds selector 30 and selector 20 to the list for the server at IP address 10.48.189.23, for a total of three selectors in the list:
admin@Search1% set system syslog server 10.48.189.23 selector 30 facility-list [ ftp ] level emerg
admin@Search1% set system syslog server 10.48.189.23 selector 20 facility-list [ cron kern ] level crit
admin@Search1% show system syslog
server 10.48.189.23 {
    selector 1 {
        level alert;
        facility-list [ auth ];
    }
    selector 20 {
        level crit;
        facility-list [ cron kern ];
    }
    selector 30 {
        level emerg;
        facility-list [ ftp ];
    }
}
To modify selectors, issue the set system syslog CLI command again for an existing selector. For example, to modify selector 20 to use level emerg instead of level crit, issue the following CLI command:
admin@Search1% set system syslog server 10.48.189.23 selector 20 facility-list [ cron kern ] level emerg
You cannot remove a selector from a list, but you can indicate that the selector should be ignored using the negate option. For example, to negate selector 30, issue the following CLI command:
admin@Search1% set system syslog server 10.48.189.23 selector 30 negate true
admin@Search1% show system syslog
server 10.48.189.23 {
    selector 1 {
        level alert;
        facility-list [ auth ];
    }
    selector 20 {
        level emerg;
        facility-list [ cron kern ];
    }
    selector 30 {
        negate true;
        level emerg;
        facility-list [ ftp ];
    }
}
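To make the matching rules above concrete, here is an added Python model (not Versa's code, and not rsyslogd itself) that applies a selector list to the PRI header of an RFC 5424 message. It loads the three selectors from the show output above, with selector 30 negated, and also models the comparison option (same or same-or-higher) that the set system syslog command accepts; the treatment of the all and none level names as "every severity" and "no severity" is an assumption.

```python
# Added example, not Versa's code: models how rsyslogd applies a selector list
# to a message, using RFC 5424 facility and severity numbering.
import re
from dataclasses import dataclass

# RFC 5424 severity codes; a numerically lower code is a higher severity.
SEVERITY = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
            "warning": 4, "notice": 5, "info": 6, "debug": 7}
SEVERITY_NAME = {code: name for name, code in SEVERITY.items()}
# RFC 5424 facility codes used here (mail and the legacy security alias omitted).
FACILITY = {"kern": 0, "user": 1, "daemon": 3, "auth": 4, "syslog": 5,
            "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10,
            "ftp": 11, **{f"local{n}": 16 + n for n in range(8)}}
FACILITY_NAME = {code: name for name, code in FACILITY.items()}

@dataclass
class Selector:
    facility_list: list                 # e.g. ["cron", "kern"], or ["all"]
    level: str                          # e.g. "crit"
    comparison: str = "same-or-higher"  # or "same"
    negate: bool = False                # True: rsyslogd ignores the selector

def parse_pri(message: str) -> tuple:
    """Return (facility name, severity name) from the '<PRI>' header."""
    m = re.match(r"<(\d{1,3})>", message)
    if not m:
        raise ValueError("message has no PRI header")
    facility, severity = divmod(int(m.group(1)), 8)  # PRI = facility*8 + severity
    return FACILITY_NAME.get(facility, "unknown"), SEVERITY_NAME[severity]

def selector_matches(sel: Selector, facility: str, severity: str) -> bool:
    if sel.negate:
        return False
    if "all" not in sel.facility_list and facility not in sel.facility_list:
        return False
    if sel.level in ("all", "none"):   # assumed: every / no severity
        return sel.level == "all"
    if sel.comparison == "same":
        return SEVERITY[severity] == SEVERITY[sel.level]
    return SEVERITY[severity] <= SEVERITY[sel.level]  # same-or-higher

def exported(selectors: list, message: str) -> bool:
    """True if any selector in the server's list matches the message."""
    facility, severity = parse_pri(message)
    return any(selector_matches(s, facility, severity) for s in selectors)

# The selector list shown in the article after selector 30 is negated.
SELECTORS = [Selector(["auth"], "alert"),
             Selector(["cron", "kern"], "emerg"),
             Selector(["ftp"], "emerg", negate=True)]
```

Feeding constructed messages through exported() shows, for instance, that an auth alert (PRI 33) is exported, a cron crit (PRI 74) is not because selector 20 requires emerg, and an ftp emerg (PRI 88) is dropped because selector 30 is negated.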
Export Syslog Messages
To export Analytics system log messages:
- Log in to a shell account on the Analytics cluster node.
- Enter the following commands to start the Versa CLI and enter configuration mode.
admin@Search1$ cli
admin@Search1> configure
admin@Search1%
- Issue the set system syslog command to add selectors to the selector list:
admin@Search1% set system syslog server server-IP-address port port-number enabled|disabled \
> selector selector-ID negate negation-setting comparison comparison-setting \
> facility-list [ facility-list ] level level-name
Enter the following information in this command:
server server-IP-address (Required)
    IP address of the external syslog server.

port port-number
    Port number on which the external syslog server receives log messages.
    Default: 514

enabled | disabled
    Indicates whether the exporting of logs to the server is enabled or disabled.
    Default: enabled

selector selector-ID
    Syslog selector ID.
    Range: 0 to 2147483647

negate negation-setting
    Indicates whether rsyslogd ignores the selector. Use true to ignore the selector and false to enable the selector.
    Default: false

facility-list [ facility-list ]
    Space-separated list of facilities included in the selector. For a description of facilities, see RFC 5424.
    The following are the possible facilities:
    - all
    - auth
    - authpriv
    - cron
    - daemon
    - ftp
    - kern
    - local0
    - local1
    - local2
    - local3
    - local4
    - local5
    - local6
    - local7
    - lpr
    - news
    - security
    - syslog
    - user
    - uucp

comparison comparison-setting
    Indicates which logs to export based on their level. The following are the possible comparison settings:
    - same: Export only the logs that match the severity level given by the level option (below).
    - same-or-higher: Export the logs that match the severity level given by the level option, or a higher level.
    Default: same-or-higher

level level-name
    Log severity level for the facilities included in the selector. For more information about log severity levels, see RFC 5424.
    The following are the possible levels:
    - alert
    - all
    - crit
    - debug
    - emerg
    - err
    - info
    - none
    - notice
    - warning
- Commit the changes.
admin@Search1% commit
Supported Software Information
Releases 22.1.4 and later support all content described in this article.