Versa Networks

Export Analytics System Logs to a Syslog Server

 


The nodes in an Analytics cluster generate system messages in syslog format. These messages include information about system operations, as described in RFC 5424, and are processed by the Ubuntu rsyslogd daemon on the nodes. You can configure Analytics nodes to export these messages to an external syslog server.

Syslog Selectors

To identify which logs to export to an external syslog server, you configure a list of selectors. A selector is a match criterion that includes a facility and a level. The facility is the operating system service that generates the log. The level identifies the severity of the log, as described in RFC 5424. You configure a separate selector list for each external syslog server.

When the rsyslogd daemon receives a log from any facility, it compares the log to the selectors in the lists. If the log matches a facility in any selector, and is set to the listed severity level or higher, rsyslogd exports the log to the syslog server. 

To add a selector to a selector list for a syslog server, issue the set system syslog CLI command. The selector identifies a facility and level of logs to be exported. For example, to export alert level logs from the auth facility to the syslog server at IP address 10.48.189.23, you can configure a selector and assign it ID number 1 by issuing the following command:

admin@Search1% set system syslog server 10.48.189.23 selector 1 facility-list [ auth ] level alert

To display the current selector lists, issue the show system syslog CLI command. Note that in the following example, there is only one selector list.

admin@Search1% show system syslog
server 10.48.189.23 {
    selector 1 {
        level         alert;
        facility-list [ auth ];
    }
}

You can add more selectors to the list by issuing additional set system syslog commands. The following example adds selector 30 and selector 20 to the list for the server at IP address 10.48.189.23, for a total of three selectors in the list:

admin@Search1% set system syslog server 10.48.189.23 selector 30 facility-list [ ftp ] level emerg
admin@Search1% set system syslog server 10.48.189.23 selector 20 facility-list [ cron kern ] level crit
admin@Search1% show system syslog
server 10.48.189.23 {
    selector 1 {
        level         alert;
        facility-list [ auth ];
    }
    selector 20 {
        level         crit;
        facility-list [ cron kern ];
    }
    selector 30 {
        level         emerg;
        facility-list [ ftp ];
    }
}

To modify selectors, issue the set system syslog CLI command again for an existing selector. For example, to modify selector 20 to use level emerg instead of level crit, issue the following CLI command:

admin@Search1% set system syslog server 10.48.189.23 selector 20 facility-list [ cron kern ] level emerg

You cannot remove a selector from a list, but you can indicate that the selector should be ignored using the negate option. For example, to negate selector 30, issue the following CLI command:

admin@Search1% set system syslog server 10.48.189.23 selector 30 negate true
admin@Search1% show system syslog
server 10.48.189.23 {
    selector 1 {
        level         alert;
        facility-list [ auth ];
    }
    selector 20 {
        level         emerg;
        facility-list [ cron kern ];
    }
    selector 30 {
        negate        true;
        level         emerg;
        facility-list [ ftp ];
    }
}
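
The selector evaluation described in this section, applied to the selector list shown above, as an added example (not Versa code). It decodes the RFC 5424 PRI header of a message and returns the IDs of the selectors that would export it. The function names, the treatment of the all and none levels, and the sample messages are assumptions made for this sketch; the comparison option is the one described under Export Syslog Messages.

```python
import re

# RFC 5424 facility codes (subset used here) and severity names, most severe first.
FACILITIES = {0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
              6: "lpr", 7: "news", 8: "uucp", 9: "cron", 10: "authpriv", 11: "ftp",
              **{16 + i: f"local{i}" for i in range(8)}}
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Selector list for server 10.48.189.23, copied from the last show output above.
SELECTORS = {
    1: {"facility-list": ["auth"], "level": "alert"},
    20: {"facility-list": ["cron", "kern"], "level": "emerg"},
    30: {"facility-list": ["ftp"], "level": "emerg", "negate": True},
}

def decode_pri(message):
    """Split the <PRI> header (facility * 8 + severity) into names."""
    m = re.match(r"<(\d{1,3})>", message)
    if not m or int(m.group(1)) > 191:
        raise ValueError("missing or out-of-range PRI")
    pri = int(m.group(1))
    return FACILITIES.get(pri >> 3, "unknown"), SEVERITIES[pri & 7]

def selector_matches(sel, facility, level):
    if sel.get("negate", False):            # negated selectors are ignored
        return False
    facilities = sel["facility-list"]
    if "all" not in facilities and facility not in facilities:
        return False
    if sel["level"] in ("all", "none"):     # assumption: all = any level, none = no level
        return sel["level"] == "all"
    got, wanted = SEVERITIES.index(level), SEVERITIES.index(sel["level"])
    if sel.get("comparison", "same-or-higher") == "same":
        return got == wanted
    return got <= wanted                    # lower index = higher severity

def matching_selectors(message, selectors=SELECTORS):
    """Return IDs of selectors that would export this message (empty = not exported)."""
    facility, level = decode_pri(message)
    return sorted(sid for sid, sel in selectors.items()
                  if selector_matches(sel, facility, level))

# Constructed sample messages (not captured from a real node).
SAMPLES = [
    "<33>1 2024-01-01T00:00:00Z Search1 sshd - - - constructed auth.alert",
    "<38>1 2024-01-01T00:00:01Z Search1 sshd - - - constructed auth.info",
    "<88>1 2024-01-01T00:00:02Z Search1 ftpd - - - constructed ftp.emerg",
]
if __name__ == "__main__":
    for line in SAMPLES:
        print(matching_selectors(line), line)
```

An empty result means the message stays on the node: with this list, auth messages below alert and all ftp messages (selector 30 is negated) never reach the external server.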

Export Syslog Messages

To export Analytics system log messages:

  1. Log in to a shell account on the Analytics cluster node.
  2. Enter the following commands to start the Versa CLI and enter configuration mode.
    admin@Search1$ cli
    admin@Search1> configure 
    admin@Search1%
    
  3. Issue the set system syslog command to add selectors to the selector list:
    admin@Search1% set system syslog server server-IP-address port port-number enabled|disabled \
    > selector selector-ID negate negation-setting comparison comparison-setting \
    > facility-list [ facility-list ] level level-name

    Enter the following information in this command:

    Option
        Description

    server server-IP-address (Required)
        IP address of the external syslog server.

    port port-number
        Port number where the external syslog server receives log messages.
        Default: 514

    enabled | disabled
        Indicates whether the exporting of logs to the server is enabled or disabled.
        Default: enabled

    selector selector-ID
        Syslog selector ID.
        Range: 0 to 2147483647

    negate negation-setting
        Indicates whether rsyslogd ignores the selector. Use true to ignore the selector and false to enable the selector.
        Default: false

    facility-list [ facility-list ]
        Space-separated list of facilities included in the selector. For a description of facilities, see RFC 5424.
        The following are the possible facilities:
        • all
        • auth
        • authpriv
        • cron
        • daemon
        • ftp
        • local0
        • local1
        • local2
        • local3
        • local4
        • local5
        • local6
        • local7
        • lpr
        • mail
        • news
        • security
        • syslog
        • user
        • uucp

    comparison comparison-setting
        Indicates which logs to export based on their level. The following are the possible comparison settings:
        • same: Export only the logs that match the severity level from the level option (below).
        • same-or-higher: Export logs that match the severity level or higher levels from the level option.
        Default: same-or-higher

    level level-name
        Log severity level for the facilities included in the selector. For more information about log severity levels, see RFC 5424.
        The following are the possible levels:
        • alert
        • all
        • crit
        • debug
        • emerg
        • err
        • info
        • none
        • notice
        • warning

  4. Commit the changes.
    admin@Search1% commit

Supported Software Information 

Releases 22.1.4 and later support all content described in this article.

Additional Information 

Versa Analytics Configuration Concepts
