Log File Agent (LFA) can easily be enabled to parse syslog entries and display them in TEP, as also described in this DWAnswer post:
However, if you perform the suggested steps on an LFA running on RHEL 7 or SLES 12, you might not get the expected result: no records are matched, and nothing is shown on TEP.
This happens because on those distributions the default rsyslog timestamp format was changed from the traditional syslog timestamp to a high-precision (RFC 3339) timestamp, so the fmt file that worked on older systems no longer matches any record.
In the latest RHEL versions (and derived distributions) rsyslog uses the high-precision timestamp by default unless the target file definition includes the ";RSYSLOG_TraditionalFileFormat" template suffix.
Adding that string at the end of the pipe name and restarting rsyslogd is enough to get the traditional file format back.
In this way you can keep using the same fmt file that currently works on the older Linux versions.
The rsyslog.conf line should look like:
After you have added ";RSYSLOG_TraditionalFileFormat" and restarted the rsyslog service, the timestamp written to the pipe matches the one in /var/log/messages,
so the existing fmt file can be used unchanged.
There is another way to make rsyslog use the traditional timestamp template for pipe files.
The stock rsyslog.conf contains
# Use default timestamp format
followed by the $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat directive, which makes all generated output files use the old-style timestamp.
However, this applies only to the predefined log files (as the timestamps in /var/log/messages confirm);
it does not apply when messages are written to a FIFO.
LFA reads its input from a pipe file, so that directive does not help: it is only expected to work for regular files, not for FIFOs.
For pipes, rsyslog uses a different output module (ompipe rather than omfile), which has its own default template.
To have pipe files use the traditional timestamp template as well, add:
module (load="builtin:ompipe" template="RSYSLOG_TraditionalFileFormat")
to the rsyslog.conf file.
This tells rsyslog to use the traditional timestamp format for all pipe actions, so you no longer need to append the template name to each pipe name as in the first method.
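The following Python script is an added example, not part of the original post or of LFA, and serves both methods above. It renders one constructed syslog record in rsyslog's default high-precision format and in the traditional format, shows that a traditional-style pattern (an illustrative regex standing in for what an old fmt file expects, not LFA fmt syntax) silently drops the high-precision line, and audits an rsyslog.conf text to report whether each pipe destination will get traditional timestamps, either through the ";RSYSLOG_TraditionalFileFormat" suffix or through the ompipe module default. The pipe path /var/lfa/syslog.fifo and the sample configurations are constructed for the example.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample record (not captured from a real host); timezone is +01:00.
SAMPLE = {
    "ts": datetime(2015, 3, 5, 10, 20, 30, 123456, tzinfo=timezone(timedelta(hours=1))),
    "host": "rhel7host",
    "tag": "sshd[1234]",
    "msg": "Accepted publickey for admin from 192.0.2.10 port 50022 ssh2",
}


def render_file_format(rec):
    """Line as rsyslog's default RSYSLOG_FileFormat writes it: RFC 3339 high-precision timestamp."""
    return f"{rec['ts'].isoformat()} {rec['host']} {rec['tag']}: {rec['msg']}"


def render_traditional_format(rec):
    """Line as RSYSLOG_TraditionalFileFormat writes it: 'Mon dd HH:MM:SS', day space-padded."""
    t = rec["ts"]
    return f"{t:%b} {t.day:2d} {t:%H:%M:%S} {rec['host']} {rec['tag']}: {rec['msg']}"


# Illustrative equivalent of the pattern a traditional-syslog fmt file expects (assumption,
# not the real LFA fmt syntax): month, day, time, host, tag, message.
TRADITIONAL_RE = re.compile(
    r"^(?P<month>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<tag>[^:]+): (?P<msg>.*)$"
)


def parse_traditional(line):
    """Return the parsed fields, or None when the line does not match (the agent would drop it)."""
    m = TRADITIONAL_RE.match(line)
    return m.groupdict() if m else None


# Legacy-syntax pipe action: "<selector> |/path[;template]"; comment lines never match.
PIPE_ACTION_RE = re.compile(r"^\s*(?P<selector>[^#\s]+)\s+\|(?P<dest>\S+)")
# Second method from the post: a default template for every ompipe action.
OMPIPE_GLOBAL_RE = re.compile(
    r'module\s*\(\s*load="builtin:ompipe"[^)]*template="RSYSLOG_TraditionalFileFormat"'
)


def audit_pipe_actions(conf_text):
    """Map each pipe destination to True if it will receive traditional timestamps."""
    global_ok = OMPIPE_GLOBAL_RE.search(conf_text) is not None
    result = {}
    for line in conf_text.splitlines():
        m = PIPE_ACTION_RE.match(line)
        if not m:
            continue
        path, _, template = m.group("dest").partition(";")
        result[path] = global_ok or template == "RSYSLOG_TraditionalFileFormat"
    return result


# Constructed, abridged rsyslog.conf variants; the FIFO path is hypothetical.
CONF_DEFAULT = """\
# Use default timestamp format
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
*.info;mail.none;authpriv.none;cron.none    /var/log/messages
*.info;mail.none;authpriv.none;cron.none    |/var/lfa/syslog.fifo
"""
# First method: template suffix on the pipe name.
CONF_SUFFIX = CONF_DEFAULT.replace(
    "|/var/lfa/syslog.fifo", "|/var/lfa/syslog.fifo;RSYSLOG_TraditionalFileFormat"
)
# Second method: ompipe module default template.
CONF_MODULE = 'module(load="builtin:ompipe" template="RSYSLOG_TraditionalFileFormat")\n' + CONF_DEFAULT


if __name__ == "__main__":
    for name, line in (("default", render_file_format(SAMPLE)),
                       ("traditional", render_traditional_format(SAMPLE))):
        print(f"{name:12s} {line}")
        print(f"{'':12s} matched by traditional pattern: {parse_traditional(line) is not None}")
    for name, conf in (("bare pipe", CONF_DEFAULT), ("suffix", CONF_SUFFIX),
                       ("ompipe module", CONF_MODULE)):
        print(f"{name:14s} {audit_pipe_actions(conf)}")
```

The audit function is the part worth keeping around: a pipe action that is neither suffixed nor covered by the ompipe default is a host whose syslog records will be dropped silently by the agent, which is a monitoring blind spot rather than an error you will be alerted about.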
Once you have made one of these changes, restart rsyslog and verify that LFA recognizes the syslog records correctly, for example by sending a test message with logger(1) and confirming that it appears on TEP.
Hope it helps.