User Guide:Monitoring SYSLOG and Event Logs

From Netmon


Using the Event Log Explorer

Netmon's built-in SYSLOG server allows you to manage SYSLOG and event log data from a variety of hosts in a single, integrated console.

Setting Up SYSLOG Clients

In order to manage event log data in Netmon, you must first configure your SYSLOG-capable clients to send log messages to Netmon's IP address.

Important: Netmon expects to receive log data over UDP port 514, which is the default for most SYSLOG implementations. If expected SYSLOG data does not appear in Netmon, first confirm that the client software is configured for this protocol/port combination and that no firewall between the client and Netmon blocks UDP 514. Bear in mind that SYSLOG over UDP is neither authenticated nor encrypted, and the source address of a UDP datagram can be forged, so restrict which hosts may reach port 514 on the Netmon server and do not treat a message's source address as proof of where it came from.

Once you have configured your client device(s), take the following steps in Netmon:

1. Click the Manage SYSLOG Clients option in the Event Log Explorer window.

2. Click the Add New SYSLOG Client button in the Manage SYSLOG Clients window.

3. Enter the necessary information in each field (as detailed below) and then click the Add Now button.

Netmon requires the following information:

IP The IP address of the SYSLOG client.

Facility The message facility to collect. This option defaults to any (or all) facilities.

Min. Severity The least severe message level that Netmon should collect. In SYSLOG numbering the severity codes run from 0 (EMERGENCY) to 7 (DEBUG), so a lower code means a more severe message; Netmon ignores any message less severe than this threshold. For example, a threshold of WARNING keeps EMERGENCY through WARNING and drops NOTICE, INFO and DEBUG.
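As an added example (not Netmon's or the SNARE agent's own code), the following Python script shows what a SYSLOG client puts on the wire to UDP 514 and how a collector applies the three Manage SYSLOG Clients fields above. The PRI encoding (facility * 8 + severity) and the message layout follow RFC 3164/RFC 5424; the ClientRule class, the record field names and the sample datagrams are assumptions constructed for this illustration, and Netmon's internal representation may differ.

```python
# Added example (not Netmon's or SNARE's code): what a client sends to UDP 514
# and how a collector applies the Manage SYSLOG Clients fields (IP, Facility,
# Min. Severity). Codes follow RFC 5424; rule/record names are assumptions.
import re
import socket
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Facility codes 0..23 and severity codes 0..7 (RFC 5424, Tables 1 and 2).
# 0 is the MOST severe level, so a threshold of "warning" (4) keeps 0..4.
FACILITY_NAMES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr",
                  "news", "uucp", "cron", "authpriv", "ftp", "ntp", "logaudit",
                  "logalert", "clock"] + [f"local{n}" for n in range(8)]
SEVERITY_NAMES = ["emerg", "alert", "crit", "err", "warning", "notice", "info",
                  "debug"]
FACILITY = {name: code for code, name in enumerate(FACILITY_NAMES)}
SEVERITY = {name: code for code, name in enumerate(SEVERITY_NAMES)}


def encode_pri(facility: int, severity: int) -> int:
    """PRI = facility * 8 + severity, written as <PRI> at the start of the line."""
    if not (0 <= facility <= 23 and 0 <= severity <= 7):
        raise ValueError("facility must be 0..23 and severity 0..7")
    return facility * 8 + severity


def build_message(facility, severity, host, tag, text, when=None) -> str:
    """Classic BSD-style line: <PRI>Mmm dd hh:mm:ss HOST TAG: TEXT (RFC 3164)."""
    when = when or datetime.now()
    stamp = f"{when:%b} {when.day:2d} {when:%H:%M:%S}"
    return f"<{encode_pri(facility, severity)}>{stamp} {host} {tag}: {text}"


def send_to_collector(message: str, collector_ip: str, port: int = 514) -> None:
    """Fire-and-forget UDP send; there is no acknowledgement, auth or encryption."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.sendto(message.encode("utf-8"), (collector_ip, port))


LINE = re.compile(r"^<(\d{1,3})>(\w{3} [ \d]\d \d\d:\d\d:\d\d) (\S+) (.*)$", re.S)


def parse_datagram(payload: bytes, source_ip: str) -> Optional[dict]:
    """Decode one datagram; returns None for anything not in the expected layout."""
    match = LINE.match(payload.decode("utf-8", errors="replace"))
    if not match:
        return None
    pri = int(match.group(1))
    if pri > 191:                      # 23 * 8 + 7 is the largest legal PRI
        return None
    facility, severity = divmod(pri, 8)
    return {"source_ip": source_ip, "facility": facility, "severity": severity,
            "timestamp": match.group(2), "host": match.group(3),
            "content": match.group(4)}


@dataclass
class ClientRule:
    """One row of the Manage SYSLOG Clients form (assumed representation)."""
    ip: str
    facility: Optional[int]            # None = any facility
    min_severity: int                  # keep codes <= this value


def collect(datagrams, rules):
    """Keep only datagrams from registered clients that pass that client's filter.
    The source IP is whatever the UDP header claims, so this is a filter on
    trusted senders, not proof of origin."""
    by_ip = {rule.ip: rule for rule in rules}
    kept = []
    for source_ip, payload in datagrams:
        rule = by_ip.get(source_ip)
        record = parse_datagram(payload, source_ip)
        if rule is None or record is None:
            continue
        if rule.facility is not None and record["facility"] != rule.facility:
            continue
        if record["severity"] > rule.min_severity:   # less severe than threshold
            continue
        kept.append(record)
    return kept


# Constructed sample traffic (not captured from a real network).
SAMPLE_RULES = [
    ClientRule("10.0.0.5", FACILITY["auth"], SEVERITY["warning"]),
    ClientRule("10.0.0.7", None, SEVERITY["debug"]),
]
SAMPLE_DATAGRAMS = [
    ("10.0.0.5", b"<34>Oct 11 22:14:15 fw1 sshd[1234]: Failed password for root from 203.0.113.7 port 4522 ssh2"),
    ("10.0.0.5", b"<38>Oct 11 22:14:16 fw1 sshd[1234]: Accepted publickey for ops from 10.0.0.20"),
    ("10.0.0.5", b"<11>Oct 11 22:14:17 fw1 kernel: Out of memory: Kill process 999"),
    ("10.0.0.9", b"<13>Oct 11 22:14:18 ws3 cron[77]: job started"),
    ("10.0.0.7", b"<30>Oct 11 22:14:19 db1 postgres[42]: checkpoint complete"),
    ("10.0.0.7", b"not a syslog line"),
]

if __name__ == "__main__":
    for record in collect(SAMPLE_DATAGRAMS, SAMPLE_RULES):
        print(FACILITY_NAMES[record["facility"]], SEVERITY_NAMES[record["severity"]],
              record["host"], record["content"])
```

Run as-is it only filters the constructed datagrams; to test connectivity to a real collector, call `send_to_collector(build_message(FACILITY["user"], SEVERITY["notice"], "testhost", "netmon-test", "hello"), "<Netmon IP>")` and check that the line appears under Browse by Client. Of the six sample datagrams only two survive: the auth.crit line from 10.0.0.5 and the daemon.info line from 10.0.0.7; the auth.info and kern lines fail the 10.0.0.5 rule, the 10.0.0.9 host is not registered, and the malformed payload does not parse.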

Browsing SYSLOG Data in Netmon

You can look for specific kinds of log messages easily with Netmon's Event Log Explorer. You can choose any of these three options:

Browse by Client Using this option, you can browse log messages sorted by each SYSLOG client device.

Browse by Severity With this option, you browse SYSLOG data from any one of the 8 severity levels, listed here from most to least severe with their SYSLOG codes: EMERGENCY (0), ALERT (1), CRITICAL (2), ERROR (3), WARNING (4), NOTICE (5), INFO (6), DEBUG (7).

Browse by Facility This option allows you to search by a wide variety of message facilities, including: KERN, USER, MAIL, DAEMON, AUTH, SYSLOG, LPR, NEWS, UUCP, CRON, AUTHPRIV, FTP, NTP, LOGAUDIT, LOGALERT, and LOCAL0 through LOCAL7.

Monitoring Windows Event Logs

Netmon can monitor Event Logs on Windows systems, and collect these logs in the same way that SYSLOG messages are handled. The same alerting and reporting facilities are also available. A software agent is required to facilitate this task.

Considerations for Event Log Monitoring

SYSLOG is a 'push'-oriented protocol: the client sends its messages to the collector, so most systems that support it can be pointed at a monitoring system with a few small configuration changes.

Windows Event Logs, on the other hand, are not natively sent to a SYSLOG collector; they are stored locally on each Windows system. An agent running on that system is therefore required to read these logs and forward them to a remote collector.

Using the SNARE Windows Agent

Netmon recommends (and distributes with all Netmon products on CD-ROM) the SNARE for Windows Agent, which gathers Event Log data and sends it in a SYSLOG-compatible format to your Netmon system.

The SNARE Windows Agent is a highly respected open-source package with no licensing costs (so you can deploy it on as many systems as you wish), and it is also supported by Netmon technical staff.

Netmon can provide you with a copy of SNARE Agent for Windows at no charge [1]. Contact technical support for more information.

  1. Per the License Agreement, we can also supply you with a copy of the source code.

Searching the Log Repository

Netmon provides several quick-search options in the Event Log Explorer, but there are times when you want to perform more finely-grained searches of your log repository.

Using the Event Log Search panel, located on the rightmost side of the Event Log console, you can search the log repository by any (or all) of the following parameters:

  • A specific time range (to a granularity of 1 minute);
  • A specific facility (or group of facilities);
  • A specific severity (or group of severities);
  • A specific host (or group of hosts);
  • A specific text pattern (or regular expression pattern);

Configuring Log Alerts

Netmon can alert you when a particular type of log message is collected by the system. You can be notified when specific types, severities or payloads appear in a log entry. Netmon can even perform sophisticated pattern matches on incoming log messages through built-in support for regular expressions [2].

To set up an Event Log Alert, take the following steps:

1. Click the Manage SYSLOG Clients link in the Event Log Explorer window.

2. Locate the client you wish to monitor for incoming alerts, and click the Alerts link next to it.

3. Choose the appropriate matches to associate with the incoming alert. In the Text / Regex field, you can enter a text string (for basic pattern matches) or a regular expression (for advanced matching). Use the text form when the string contains characters such as [, ., * or ( that you want matched literally (for example a tag like sshd[1234]); in a regular expression those characters have special meaning.

4. Click the Add New Alert button.
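As an added example serving both the Event Log Search panel parameters (time range to the minute, facility, severity, host, text or regular expression) and the per-client alert rules set up in the steps above, here is a Python predicate that implements those filters and an alert evaluator built on the same predicate. This is not Netmon's code: the record layout, the AlertRule fields and the sample repository are assumptions constructed for the illustration; Netmon's own matching semantics may differ in detail.

```python
# Added example (not Netmon's code): repository search with the Event Log Search
# panel's parameters, plus per-client alert rules using the same predicate.
# Record fields, AlertRule fields and the sample repository are assumptions.
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Optional


def compile_pattern(pattern: Optional[str], regex: bool):
    """Text mode escapes the string so '[', '.' or '*' in a log tag match
    literally; regex mode takes the pattern as written. Log text is attacker
    supplied, so keep regex-mode patterns simple to avoid pathological
    backtracking on crafted messages."""
    if not pattern:
        return None
    return re.compile(pattern if regex else re.escape(pattern))


def to_minute(t: datetime) -> datetime:
    """The search panel works to a granularity of one minute."""
    return t.replace(second=0, microsecond=0)


def matches(rec, start=None, end=None, facilities=None, severities=None,
            hosts=None, compiled=None) -> bool:
    """Any parameter left as None/empty means 'do not restrict on this'."""
    minute = to_minute(rec["time"])
    if start is not None and minute < to_minute(start):
        return False
    if end is not None and minute > to_minute(end):
        return False
    if facilities and rec["facility"] not in facilities:
        return False
    if severities and rec["severity"] not in severities:
        return False
    if hosts and rec["host"] not in hosts:
        return False
    if compiled is not None and not compiled.search(rec["text"]):
        return False
    return True


def search(records, start=None, end=None, facilities=None, severities=None,
           hosts=None, pattern=None, regex=False):
    compiled = compile_pattern(pattern, regex)
    return [r for r in records
            if matches(r, start, end, facilities, severities, hosts, compiled)]


@dataclass
class AlertRule:
    """An alert attached to one client via Manage SYSLOG Clients -> Alerts."""
    name: str
    client: str                         # host the rule belongs to
    severities: Optional[set] = None    # None = any severity
    pattern: Optional[str] = None       # Text / Regex field
    regex: bool = False


def fire_alerts(records, rules):
    """Return {rule name: number of records that triggered it}."""
    counts = {rule.name: 0 for rule in rules}
    compiled = {rule.name: compile_pattern(rule.pattern, rule.regex) for rule in rules}
    for rec in records:
        for rule in rules:
            if matches(rec, hosts={rule.client}, severities=rule.severities,
                       compiled=compiled[rule.name]):
                counts[rule.name] += 1
    return counts


def _rec(hh, mm, ss, host, facility, severity, text):
    return {"time": datetime(2024, 10, 11, hh, mm, ss), "host": host,
            "facility": facility, "severity": severity, "text": text}


# Constructed sample repository (not real Netmon data).
REPOSITORY = [
    _rec(22, 14, 15, "fw1", "auth", "crit", "sshd[1234]: Failed password for root from 203.0.113.7 port 4522 ssh2"),
    _rec(22, 14, 40, "fw1", "auth", "crit", "sshd[1234]: Failed password for admin from 203.0.113.7 port 4523 ssh2"),
    _rec(22, 15, 2, "fw1", "auth", "info", "sshd[1240]: Accepted publickey for ops from 10.0.0.20 port 51000 ssh2"),
    _rec(22, 16, 10, "db1", "daemon", "err", 'postgres[42]: FATAL: password authentication failed for user "app"'),
    _rec(22, 20, 0, "ws3", "cron", "info", "cron[77]: (root) CMD (/usr/bin/backup)"),
]

ALERTS = [
    AlertRule("root-login-failure", "fw1", pattern=r"Failed password for root\b", regex=True),
    AlertRule("fw1-critical", "fw1", severities={"emerg", "alert", "crit"}),
    AlertRule("db-auth-failure", "db1", pattern="authentication failed"),
]

if __name__ == "__main__":
    for r in search(REPOSITORY, hosts={"fw1"}, pattern="Failed password"):
        print(r["time"], r["host"], r["text"])
    print(fire_alerts(REPOSITORY, ALERTS))
```

The literal-versus-regex distinction is the one that bites in practice: searching for the text sshd[1234] finds both failed-login lines, whereas the same string interpreted as a regular expression means "sshd followed by one of the digits 1-4" and matches nothing. Against the sample repository the three alert rules fire once, twice and once respectively.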

  2. Regular expressions are written in a powerful expression language capable of very sophisticated text pattern matching. A discussion of regular expressions is unfortunately outside the scope of this text. For an introduction to regular expressions, visit www.regular-expressions.info.


Go To Next Section: Monitoring Disks & Partitions

Go Back: Monitoring Windows Systems
