7.13 Syslog

The Syslog channel allows the logging server to log events to a specific syslog facility on any syslog host or to a remote syslog daemon.

It is also capable of creating localized logs. If the logging applications have localized Log Schema files and if those files are added to their respective Application objects, the Syslog channel can write the log files in the language designated in the Syslog Channel object.

The Log Schema catalogs the events that can be logged for a given application. It can also provide event descriptions and labels for the event fields. For more information, see Section A.4, Log Schema Files.

The logging server can use the Syslog channel to write to the central data store or to create filtered log files.

IMPORTANT: On the SUSE® SLES platform, the syslog daemon (syslogd) must be restarted with the -r option before it can accept events from the Syslog channel, even when the syslog host is the logging server itself. The channel delivers events to the syslog host over the network (standard syslog uses UDP port 514) rather than through the local log socket, so a daemon that is not accepting remote messages never receives them.

7.13.1 Syslog Channel Driver

At startup, the Syslog driver, lgdsyslg, loads each application’s log schema. If a logging application has multiple language versions of its log schema, the Syslog channel loads the schema for the language designated in the Syslog Channel object.

Nsure Audit stores log schema files as attributes in their respective Application objects. For further information, see Section A.4, Log Schema Files.

NOTE: If the File and Syslog Channel objects reference the same language, each driver independently loads the log schema into its own memory. The log schema is shared only between multiple instances of the same driver. For example, if you have two Syslog channels configured to write log files in English, the English log schema for each application is loaded only once.

When it writes events to the syslog facility, the Syslog driver uses the Event ID to look up each event in the corresponding application's log schema and then writes the event description to the data store. If the log schema isn't available, or if there isn't a descriptive entry for the current event, the Syslog channel defaults to the following format:

$DC $TC,$SO,$NI,$NL,$NG,$N1,$N2,$SS,$ST\n

(Client Date and Client Time, Component, Event ID, Log Level, Group ID, Value1, Value2, Text1, Text2.) Value3 and Text3 are not written by the default format. See Section A.3, Managing Event Data for an explanation of each field and format variable.
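The following is an added example, not Nsure Audit code, written to make two points above concrete: the default line format, and why the syslog daemon must accept network messages even for local logging. It models the channel as a sender of BSD-style (RFC 3164) syslog datagrams over UDP whose message part is the default "$DC $TC,$SO,$NI,$NL,$NG,$N1,$N2,$SS,$ST" line, and a receiver that decodes PRI (facility and severity), the header and the payload. The host name, tag, facility and event values are constructed for illustration; the layout of the datagram header is assumed, as the page does not describe it. The parser also shows the edge case a practitioner hits first: the text fields are not quoted, so a comma inside Text1 (an LDAP DN, say) shifts every later field at the receiver, whereas a comma in Text2, the last field, survives.

```python
"""Loopback model of the Syslog channel transport and its default line format.

Added example, not Nsure Audit code. It assumes the channel emits BSD-style
(RFC 3164) syslog datagrams over UDP whose message part is the default
"$DC $TC,$SO,$NI,$NL,$NG,$N1,$N2,$SS,$ST" line. Host, tag and event values
below are constructed for illustration.
"""
import socket

# RFC 3164 facility codes; the Syslog Channel object's Facility attribute picks one.
FACILITIES = {"kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
              "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
              "local0": 16, "local1": 17, "local2": 18, "local3": 19, "local4": 20,
              "local5": 21, "local6": 22, "local7": 23}

# Field order of the default format: $DC $TC, then $SO,$NI,$NL,$NG,$N1,$N2,$SS,$ST.
DEFAULT_FIELDS = ("client_date", "client_time", "component", "event_id", "log_level",
                  "group_id", "value1", "value2", "text1", "text2")

SAMPLE_EVENT = {  # constructed sample event, not real Nsure Audit output
    "client_date": "2005-03-14", "client_time": "10:22:31", "component": "eDirectory",
    "event_id": "0x000B0001", "log_level": "1", "group_id": "7",
    "value1": "0", "value2": "0",
    "text1": "login succeeded", "text2": "cn=admin,o=acme",
}


def pri(facility, severity):
    """PRI = facility * 8 + severity, as in RFC 3164."""
    if not 0 <= severity <= 7:
        raise ValueError("severity must be 0..7")
    return FACILITIES[facility] * 8 + severity


def ambiguous_fields(event):
    """Text fields containing a comma: the default format does not quote them,
    so a comma in text1 shifts every later field at the receiver."""
    return [f for f in ("text1", "text2") if "," in str(event.get(f, ""))]


def encode_event(facility, severity, timestamp, host, tag, event):
    """Build one datagram: <PRI>Mmm dd hh:mm:ss HOST TAG: DATE TIME,SO,NI,NL,NG,N1,N2,SS,ST"""
    payload = "%s %s," % (event["client_date"], event["client_time"])
    payload += ",".join(str(event[f]) for f in DEFAULT_FIELDS[2:])
    line = "<%d>%s %s %s: %s" % (pri(facility, severity), timestamp, host, tag, payload)
    # Strict RFC 3164 is 7-bit ASCII; most daemons pass 8-bit bytes through unchanged.
    return line.encode("utf-8")


def decode_datagram(data):
    """Parse PRI, BSD header and default-format payload back into a dict."""
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        text = data.decode("latin-1")  # an 8-bit language arrived as raw bytes
    if not text.startswith("<") or ">" not in text:
        raise ValueError("missing PRI")
    close = text.index(">")
    prival = int(text[1:close])
    if not 0 <= prival <= 191:
        raise ValueError("PRI out of range")
    facility, severity = divmod(prival, 8)
    body = text[close + 1:]
    timestamp = body[:15]                   # "Mmm dd hh:mm:ss"
    host, rest = body[16:].split(" ", 1)
    tag, msg = rest.split(": ", 1)
    date_time, _, remainder = msg.partition(",")
    client_date, client_time = date_time.split(" ", 1)
    fields = remainder.split(",", 7)        # exactly 8 fields; a surplus comma stays in text2
    if len(fields) != 8:
        raise ValueError("expected 8 fields after the timestamp, got %d" % len(fields))
    event = dict(zip(DEFAULT_FIELDS, (client_date, client_time) + tuple(fields)))
    return {"facility": facility, "severity": severity, "timestamp": timestamp,
            "host": host, "tag": tag, "event": event}


def loopback_roundtrip(data, host="127.0.0.1"):
    """Deliver one datagram to a UDP listener on the loopback interface and return it.

    Even when the syslog host is the logging server itself, the channel sends over
    the network; a daemon that is not listening on its UDP socket (syslogd without
    -r) never sees the datagram. The ephemeral port here stands in for udp/514.
    """
    rx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    tx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        rx.bind((host, 0))
        rx.settimeout(2)
        tx.sendto(data, rx.getsockname())
        received, _ = rx.recvfrom(65535)
    finally:
        tx.close()
        rx.close()
    return received


if __name__ == "__main__":
    gram = encode_event("local4", 6, "Mar 14 10:22:31", "slsvr1", "lgdsyslg", SAMPLE_EVENT)
    print(gram.decode())
    print(decode_datagram(loopback_roundtrip(gram))["event"])
```

Running the script sends one datagram to a listener bound on 127.0.0.1 and prints the parsed event. If you point `loopback_roundtrip` at port 514 of a host whose syslogd was started without -r, `recvfrom` simply times out: there is no error on the sending side, which is why the -r requirement is easy to miss. Call `ambiguous_fields` on events before relying on the default format for anything that will be parsed downstream, or give the application a log schema so the driver writes descriptions instead.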

Because it uses the log schema to log events, the Syslog driver is also capable of creating localized logs. If a logging application has localized log schema files and if those files are added to the Application object, the Syslog driver uses the log schema for the language designated in the Syslog Channel object to write the event descriptions.

For more information on the Syslog channel’s language attribute, see Syslog Channel Object. For information on localized log schema files, see Localized Log Schema Files.

7.13.2 Syslog Channel Object

The Syslog Channel object stores the information the Syslog driver needs to write events to syslog.

The following table provides a description of each Channel object attribute.

IMPORTANT: You must restart the logging server to effect any changes in Channel object configuration. For more information, see Section G.3, Secure Logging Server Startup Commands.

Table 7-15 Syslog Channel Object Attributes

Attribute and Description

Configuration

Syslog host

The host name or IP address of the syslog server.

If a host name is specified, only the first address resolved for that name is used.

The syslog host must run a syslog daemon that accepts messages from the network (remote log drop-off). Traditional UNIX syslog daemons accept remote messages by default; the Linux sysklogd syslogd does not, so its startup script must be altered to start it with the -r switch (on SUSE, typically by adding -r to SYSLOGD_PARAMS in /etc/sysconfig/syslog). Note that -r makes syslogd accept UDP datagrams on port 514 from any host, with no authentication, so restrict that port to the logging server's address with a host firewall. If the host runs rsyslog or syslog-ng rather than sysklogd, enable UDP reception in that daemon's own configuration (for rsyslog, the imudp module) instead of with -r.

Facility

The syslog facility (for example, local0 through local7, or daemon) to which the logging server writes events. The receiving daemon's configuration routes events by this facility, so choose one that is not already used by other services on the syslog host.

Translated language

The language in which events are written to syslog.

If a logging application has localized Log Schema files and if those files are added to the Application object, the Syslog channel can write log files in the selected language. If there isn’t a log schema for the selected language, the channel defaults to English.

Log Schema files (*.lsc) catalog the events that can be logged for a given application. They can also provide event descriptions and labels for the event fields. For more information, see Section A.4, Log Schema Files.

If the log schema isn't available, or if there isn't a descriptive entry for the current event, the Syslog channel defaults to the following format:

$DC $TC,$SO,$NI,$NL,$NG,$N1,$N2,$SS,$ST\n

(Client Date and Client Time, Component, Event ID, Log Level, Group ID, Value1, Value2, Text1, Text2.) Value3 and Text3 are not written by the default format.

Strictly, only English is allowed, because syslog (RFC 3164) is a 7-bit ASCII protocol. However, most syslog implementations pass 8-bit bytes through unchanged, so any 8-bit (single-byte) language can be selected. Some 8-bit languages, such as Russian, are not very usable in syslog because the receiving daemon and its tools may not interpret the bytes in the intended code page. Languages that require 16-bit encodings cannot be selected.

You can create parallel logs in multiple languages by defining multiple Syslog Channel objects with different languages and having a single notification filter pass all events to those channels.

Status

Allows you to enable or disable the Channel object. By default, all Channel objects are enabled. This means that the logging server loads the Channel object’s configuration in memory at startup.

The Channel object must be located in a supported Channel container for the logging server to use it. For more information on the logging server's Channel Container property, see Logging Server Objects.

If you select the Disabled option, you must restart the Secure Logging Server for the setting to become effective. Thereafter, the logging server cannot load the object’s configuration until you select Enabled.

For information on unloading the logging server, see Section G.3, Secure Logging Server Startup Commands.