lsyslog

Description:

lsyslog is a syslog daemon that accepts incoming syslog messages (rfc 3164) and applies a rule set to them. If incomming syslog messages "pass" the rules engine, they can be redirected to a file, a web page, (HP OpenView) ITO console, the local syslog daemon, a remote syslog daemon or SOC (Systems Operations Console).

The rules engine reads in a set of rules from a text file and applies them to incoming syslog messages. Messages can be filtered (in or out) based upon facility, priority, hostname, message content, or combination thereof.

Several reasons for using lsyslog over a local syslog sniffer or other means of gathering syslog data:

• Your rulesets are centralized in a rule file rather than distributed in the actual code of the parsing scripts on the hosts. Rules are maintained in a clear text format readable by individuals who may not have programming skills.
• Rulesets can be changed for the entire organization by changing the rules file and HUP-ing the running daemon. It is not necessary to touch code to change what messages you get. It is not necessary to place these changes on the hosts.
• Local syslog files are pre-filtered for priority and facility. (This is set in your syslog.conf file). Remote messages include priority and facility values and can therefore be included in the ruleset. Local syslog sniffers do not have access to these values (unless significant changes are made to the syslog daemon and/or the standard syslog configuration.)
• lsyslog is not platform dependent. lsyslog can process events from different OS's as long as they conform to the syslog RFC. Local syslog sniffers will need to account for platform specific idiosycranicities.
• Because lsyslog is centralized, it can filter for hostnames (as well as message content, facility, and priority).
• lsyslog code is mature and *intensively* tested in a production environement.
• A *simple* modification is required on the watched hosts. You only need to add a remote syslog server as a target for all messages (*.*) in your syslog.conf file on the hosts. No (additional) daemon or cron job is required on the monitored hosts.

The Distribution:

The distribution is in source tar archive. I have successfully compiled and used it on BSD, OS X, Solaris, and Linux systems.

Production: lsyslog-0_12_0.tar.gz - This version has been extensively tested in a production environment with no known issues.

Development: lsyslog-0_22_3.tar.gz - This version is largely similar to 0.12.0 but now has SOC support, (local and remote) syslog support, additonal rule zero options, alternate location (more than one) support, as well as a number of other enhancements. This code is currently used in a production environment but does not have the extensive testing that 0.12.0 does. lsyslog-0_22_3.tar.gz is a cantidate for the 1.0 version.

The man page for lsyslog has details for it's use.

This code is released under the GPL.

Application Notes:

The code here is tested code that processes the syslogs of over 100 servers in a production environment that generates a significant amount of syslog traffic.

Significant syslog traffic: Approx 12 Meg of syslog traffic in about 24 hours is average. lsyslog has handled significantly more during peak periods. (During a system disk failure on a server every failed write was logged to syslog. lsyslog captured every message and successfully passed them on to ITO.)

The relevance of such and application was first questioned by (even) myself as I wrote it. But once it was placed into our production ITO environment, it provided invaluable information that was missed by the default OpC agents.

If you experience problems installing this application, feel free to contact me for assistance you may need.