IBM Support

Monitoring SYSLOG with LFA on recent versions of SLES/RHEL

Technical Blog Post



Body

The Log File Agent (LFA) can easily be configured to parse and display entries from SYSLOG, as described in this DWAnswers post:

https://developer.ibm.com/answers/questions/204416/how-to-setup-itm-log-file-agent-to-monitor-the-sys.html

However, if you perform the suggested steps on an LFA running on RHEL 7 or SLES 12, you might not get the expected results: no records are matched, and nothing is shown in the Tivoli Enterprise Portal (TEP).
This happens because on those distributions the default rsyslog timestamp format has changed from the traditional timestamp (for example "Mar  5 10:15:30") to the high-precision RFC 3339 timestamp (for example "2019-03-05T10:15:30.123456+01:00"), so the regular expression in the fmt file no longer matches the start of each record.

In the latest RHEL versions (and derived distributions) rsyslog uses the high-precision timestamp by default, unless the action definition for the target file or pipe names a template explicitly, which in legacy syntax is done by appending

";RSYSLOG_TraditionalFileFormat"

to the end of the pipe name. Adding that string and restarting rsyslogd restores the traditional file format for that action,
so you can keep using the same fmt file that already works on the older Linux versions.
   
The rsyslog.conf line should then look like:

*.emerg;*.alert;*.crit;*.err;*.warning;*.notice;*.info |/tmp/.tivoli/KLO_oslogs_pro_syslog_LogfileProfileEvents.pipe;RSYSLOG_TraditionalFileFormat

After you have added ";RSYSLOG_TraditionalFileFormat" and restarted the rsyslog service, the timestamp written to the pipe matches the one in /var/log/messages,
so the existing fmt file can be used unchanged.

There is another option for making rsyslog use the old timestamp template for pipe files, without editing every pipe action. Note first what the usual directive does and does not cover.

When rsyslog.conf contains
 
# Use default timestamp format
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

 

all the generated output files use the old-style timestamp.
This applies to all the predefined log files, as confirmed by the timestamps in /var/log/messages,
but it does not apply when messages are written to a FIFO (named pipe).

Since LFA reads its input from a pipe file, the directive above does not help: it applies only to regular files, not to FIFOs.
 
For pipes, rsyslog uses a different output module (ompipe instead of omfile), which has its own default template.
 
To have pipe files use the old timestamp template, add:

module(load="builtin:ompipe" template="RSYSLOG_TraditionalFileFormat")

to the rsyslog.conf file.

This tells rsyslog to use the traditional timestamp format for all pipe files, so you no longer need to append the template name to each pipe name as suggested above.
 
Once you have applied one of the suggested changes, restart rsyslog and then verify that LFA recognizes the syslog records correctly.
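As an added example (not part of the original post, and not IBM or rsyslog code), the following shell script makes the two points above concrete. Its ts_format function classifies the leading timestamp of a syslog line as the traditional format or the RFC 3339 high-precision format that rsyslog emits by default on RHEL 7 / SLES 12, which is the mismatch that makes an fmt file written for older releases stop matching. Its pipe_actions_traditional function inspects an rsyslog.conf and reports whether the pipe actions will be written with the traditional template, accepting either of the two fixes described above (the ";RSYSLOG_TraditionalFileFormat" suffix on every pipe action, or the ompipe module template) and deliberately ignoring $ActionFileDefaultTemplate, which only governs regular files. The sample log lines and the three sample configuration files are constructed for the example, and the traditional-timestamp regular expression is a stand-in for whatever pattern the real fmt file uses.

```bash
#!/bin/sh
# Added example, not from the original post: check the two things that decide
# whether LFA's fmt file will match what rsyslog writes into the pipe.
set -e

# Classify the timestamp at the start of one syslog line.
#   traditional    RSYSLOG_TraditionalFileFormat, e.g. "Mar  5 10:15:30"
#   highprecision  RSYSLOG_FileFormat (RFC 3339), e.g. "2019-03-05T10:15:30.123456+01:00"
#   unknown        neither
# The traditional pattern stands in for the timestamp part of the LFA fmt regex.
ts_format() {
    if printf '%s\n' "$1" | grep -Eq '^[A-Z][a-z]{2} [ 0-9][0-9] [0-9]{2}:[0-9]{2}:[0-9]{2} '; then
        echo traditional
    elif printf '%s\n' "$1" | grep -Eq '^[0-9]{4}-[0-9]{2}-[0-9]{2}T[0-9]{2}:[0-9]{2}:[0-9]{2}(\.[0-9]+)?([+-][0-9]{2}:[0-9]{2}|Z) '; then
        echo highprecision
    else
        echo unknown
    fi
}

# Return 0 when every pipe action ("|/path") in the given rsyslog.conf will be
# written with RSYSLOG_TraditionalFileFormat, i.e. when either
#   - ompipe is loaded with template="RSYSLOG_TraditionalFileFormat", or
#   - every non-comment pipe action line ends with ";RSYSLOG_TraditionalFileFormat".
# $ActionFileDefaultTemplate is ignored on purpose: it only applies to omfile.
# Included files (/etc/rsyslog.d/*.conf) are not followed by this simple check.
pipe_actions_traditional() {
    _conf=$1
    if grep -E '^[[:space:]]*module[[:space:]]*\(' "$_conf" \
         | grep -F 'builtin:ompipe' \
         | grep -Fq 'template="RSYSLOG_TraditionalFileFormat"'; then
        return 0
    fi
    # Any non-comment pipe action without the per-action template suffix?
    if grep -Ev '^[[:space:]]*#' "$_conf" \
         | grep -F '|/' \
         | grep -Ev ';RSYSLOG_TraditionalFileFormat[[:space:]]*$' \
         | grep -q .; then
        return 1
    fi
    return 0
}

# Constructed sample lines: what the pipe carried on RHEL 6 vs. the RHEL 7 default.
old_line='Mar  5 10:15:30 rhel6host sshd[2231]: Accepted publickey for admin from 10.0.0.5 port 51022 ssh2'
new_line='2019-03-05T10:15:30.123456+01:00 rhel7host sshd[2231]: Accepted publickey for admin from 10.0.0.5 port 51022 ssh2'
echo "RHEL 6 style line: $(ts_format "$old_line")"
echo "RHEL 7 style line: $(ts_format "$new_line")"

# Constructed rsyslog.conf fragments: the failing case and the two fixes.
tmpdir=$(mktemp -d)
trap 'rm -rf "$tmpdir"' EXIT
cat >"$tmpdir/default-template-only.conf" <<'EOF'
# Use default timestamp format (affects omfile only, not pipes)
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
*.info;mail.none;authpriv.none;cron.none /var/log/messages
*.emerg;*.alert;*.crit;*.err;*.warning;*.notice;*.info |/tmp/.tivoli/KLO_oslogs_pro_syslog_LogfileProfileEvents.pipe
EOF
cat >"$tmpdir/pipe-suffix.conf" <<'EOF'
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
*.emerg;*.alert;*.crit;*.err;*.warning;*.notice;*.info |/tmp/.tivoli/KLO_oslogs_pro_syslog_LogfileProfileEvents.pipe;RSYSLOG_TraditionalFileFormat
EOF
cat >"$tmpdir/ompipe-template.conf" <<'EOF'
module(load="builtin:ompipe" template="RSYSLOG_TraditionalFileFormat")
*.emerg;*.alert;*.crit;*.err;*.warning;*.notice;*.info |/tmp/.tivoli/KLO_oslogs_pro_syslog_LogfileProfileEvents.pipe
EOF

for f in default-template-only pipe-suffix ompipe-template; do
    if pipe_actions_traditional "$tmpdir/$f.conf"; then
        echo "$f.conf: pipe actions use the traditional timestamp; existing fmt file will match"
    else
        echo "$f.conf: pipe actions use the high-precision timestamp; LFA will match nothing"
    fi
done
```

Run it as-is to see the verdict for each of the three fragments; after editing the real configuration, point pipe_actions_traditional at /etc/rsyslog.conf (and at each file under /etc/rsyslog.d, since the check does not follow includes) before restarting rsyslog, and feed a line read from the pipe to ts_format afterwards to confirm the change took effect.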

Hope it helps.

 

Best regards

 

Tutorials Point

 


UID

ibm11085151