Script to dump at syslog server (1563 Views)
Regular Advisor
coollllllllllll
Posts: 140
Registered: ‎12-28-2012
Message 1 of 24 (1,563 Views)
Accepted Solution

Script to dump at syslog server

Hi ,

 

Say we have a Windows server where we would like to dump syslog line by line as it gets logged on our HP-UX server. Is there any script for the same?

 

 

 

Acclaimed Contributor
Dennis Handly
Posts: 25,063
Registered: ‎03-06-2006
Message 2 of 24 (1,524 Views)

Re: Script to dump at syslog server

Dump it where?

I suppose you could use "tail -f" on the file.

Regular Advisor
coollllllllllll
Posts: 140
Registered: ‎12-28-2012
Message 3 of 24 (1,516 Views)

Re: Script to dump at syslog server

Hi ,

 

We have a Windows server with 200 GB of space on the G: drive.

We would like to dump syslog.log from one HP-UX server to this Windows server's G: drive, but it must be spontaneous.

As soon as an entry in syslog.log comes, it must FTP the same to this Windows server.

Acclaimed Contributor
Dennis Handly
Posts: 25,063
Registered: ‎03-06-2006
Message 4 of 24 (1,507 Views)

Re: Script to dump at syslog server

>As soon as entry in syslog.log comes it must ftp the same on this windows server.

 

It appears you are trying to reinvent a syslog server?

Try Google to look for: syslog server windows

Regular Advisor
coollllllllllll
Posts: 140
Registered: ‎12-28-2012
Message 5 of 24 (1,496 Views)

Re: Script to dump at syslog server

Hi ,

I just want to dump entries coming in on my HP-UX box to, say, a Windows server, maybe every day at the end of the day.

Acclaimed Contributor
Torsten.
Posts: 23,285
Registered: ‎10-02-2001
Message 6 of 24 (1,493 Views)

Re: Script to dump at syslog server

I don't see a real purpose here, but consider this: map a Windows share to the server, logrotate the file and move/copy it to the share per cron in the evening.

Hope this helps!
Regards
Torsten.

Regular Advisor
coollllllllllll
Posts: 140
Registered: ‎12-28-2012
Message 7 of 24 (1,490 Views)

Re: Script to dump at syslog server

Hi ,

 

It's an audit requirement.

 

Honored Contributor
Matti_Kurkela
Posts: 6,271
Registered: ‎12-02-2001
Message 8 of 24 (1,479 Views)

Re: Script to dump at syslog server

If the audit requirement is that the log messages are sent to the windows server as soon as they are generated, then copying the log files at the end of a day won't satisfy the spirit of the requirement.

 

The HP-UX syslog daemon can already send the log messages to other host(s): you just need to configure it, to tell it what messages it should send and where to. You don't need a separate script for that.

 

On the Windows side, you need to set up a syslog server (a very small and simple program) to catch the incoming syslog messages.

Here's one free alternative (the first hit from Google on "windows syslog server"):

http://sourceforge.net/projects/syslog-server/

 

Once the Windows syslog server is running, you can edit HP-UX /etc/syslog.conf to choose the log messages to send.

For example, to send all the log messages to the host at IP address 1.2.3.4, you would add this line to /etc/syslog.conf:

*.*             @1.2.3.4

Note: there should be TAB characters between the message selector "*.*" and the destination specification "@1.2.3.4", not spaces. If you use spaces, the syslog daemon will ignore the line and the messages won't be sent.

 

Once you've modified /etc/syslog.conf, send a HUP signal to the syslog daemon to make the change effective:

kill -HUP `cat /var/run/syslog.pid`

 

You can use the HP-UX command "logger" to send your own syslog messages. That might be useful when testing the syslog message forwarding, for example.

 

Please see "man syslogd" and "man logger" for details.

MK
Regular Advisor
coollllllllllll
Posts: 140
Registered: ‎12-28-2012
Message 9 of 24 (1,464 Views)

Re: Script to dump at syslog server

Hi Matti ,

 

How do we add a host entry in the syslog configuration on Windows?

I downloaded the setup and double-clicked it; I can see the service is running in Windows.

I have also made the entries on my HP box and restarted the syslog daemon. How do I incorporate the HP-UX host with this server?

Honored Contributor
Matti_Kurkela
Posts: 6,271
Registered: ‎12-02-2001
Message 10 of 24 (1,459 Views)

Re: Script to dump at syslog server

You don't have to "add a host entry in Windows": as soon as the syslog server receives a message from a given host, a host entry should appear automatically.

 

The syslog messages are transmitted using UDP port 514: if the Windows system is protected by a firewall, you should make sure incoming traffic to port 514/UDP is accepted.

 

In the Settings menu of the Syslog server, there is a "Logging threshold" setting: it can be used to ignore low-priority syslog messages. When testing the Windows syslog server, make sure it is set to "debug" so that no messages are ignored.

 

In the HP-UX /etc/syslog.conf file, make sure you used TAB characters instead of spaces when writing the new entry. A common mistake is to use spaces (or to use an editor which silently changes the TABs to spaces for you).

MK
Regular Advisor
coollllllllllll
Posts: 140
Registered: ‎12-28-2012
Message 11 of 24 (1,452 Views)

Re: Script to dump at syslog server

Hi Matti ,

Windows firewall is off.

I am not able to telnet from my HP-UX box:

 

 

root #/ >telnet 10.34.32.142 514
Trying...
telnet: Unable to connect to remote host: Connection refused

 

Just downloaded the syslog server from the link, double-clicked, accepted the agreement and it's running in the task bar below; still I'm getting no input in Windows.

 

What am I missing out?

Honored Contributor
Matti_Kurkela
Posts: 6,271
Registered: ‎12-02-2001
Message 12 of 24 (1,434 Views)

Re: Script to dump at syslog server

The syslog protocol uses a UDP port, not a TCP port, so it is not possible to test it with the telnet command.

 

The telnet command can be used to test TCP ports only.

MK
Regular Advisor
coollllllllllll
Posts: 140
Registered: ‎12-28-2012
Message 13 of 24 (1,422 Views)

Re: Script to dump at syslog server

Hi ,

 

Still I am not able to get my syslog contents viewed in the Windows syslog server.

Have made all the configs on Windows Server 2003, found in the help contents of the syslog software.

 

 

Regular Advisor
coollllllllllll
Posts: 140
Registered: ‎12-28-2012
Message 14 of 24 (1,414 Views)

Re: Script to dump at syslog server


Hi ,

 

How do I check for the UDP protocol then?

Whether it is listening on port 514 or not?

Honored Contributor
Matti_Kurkela
Posts: 6,271
Registered: ‎12-02-2001
Message 15 of 24 (1,408 Views)

Re: Script to dump at syslog server

You can run "netstat -a" in the Windows command prompt and see if the UDP port 514 is active or not. If the port appears in the listing, then the application has activated the port. But neither UDP nor the syslog protocol include any standard responses at all: there is no way to confirm that a syslog server has received a particular message, other than seeing it logged at the syslog server.

 

You could use something like Wireshark on the Windows system to see if there is any incoming traffic to UDP/514, while using the "logger" command on the HP-UX to generate syslog messages. Likewise, you could use tcpdump or the HP-UX built-in network trace functionality (see http://www.compute-aid.com/nettl.html for that) to see that syslog messages are in fact being sent out from your HP-UX host.

 

The lack of any universal standard responses in UDP-based protocols is also a problem for port scanning tools like nmap. When scanning UDP ports, it actually must operate in a tricky way: if it sends a probe to a UDP port and receives an ICMP message saying "this port is not available, go away", it knows the port is closed for sure. If the port responds with a UDP packet (most likely containing some protocol-specific message) then the port is clearly active. But not all UDP-based protocols do that. So if there is no response at all, the UDP port may be opened by a syslog-like service... or the port might be firewalled and the firewall is dropping the incoming packet without sending any answer at all.

MK
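An added example (not code from the thread or from the syslog server linked above) that makes the two points of messages 12 and 15 concrete: it builds a BSD-syslog datagram as the HP-UX "logger" command would, runs a minimal UDP receiver on a constructed loopback port instead of 514/udp, and shows that sendto() returns without any acknowledgement, so only the receiver's log proves delivery. The facility and severity tables, the tag "logger[4242]" and the loopback port are assumptions for the demo.

```python
import socket

# Facility and severity codes from the BSD syslog protocol (RFC 3164), the
# format the HP-UX syslogd puts on the wire.
FACILITY = {"kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5}
SEVERITY = {"emerg": 0, "alert": 1, "crit": 2, "err": 3, "warning": 4,
            "notice": 5, "info": 6, "debug": 7}


def build_message(facility, severity, tag, text):
    """Build one datagram: <PRI>TAG: text, where PRI = facility * 8 + severity."""
    pri = FACILITY[facility] * 8 + SEVERITY[severity]
    return f"<{pri}>{tag}: {text}".encode()


def parse_message(datagram):
    """Split a datagram into (facility, severity, body); None if there is no PRI."""
    end = datagram.find(b">", 1, 6)
    if not datagram.startswith(b"<") or end < 0 or not datagram[1:end].isdigit():
        return None
    pri = int(datagram[1:end])
    return pri // 8, pri % 8, datagram[end + 1:].decode(errors="replace")


def send_udp(datagram, host, port):
    """Send one datagram. UDP carries no acknowledgement: sendto() returns the
    byte count even if nothing listens on the far side, which is why a TCP tool
    such as telnet cannot probe port 514/udp."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        return s.sendto(datagram, (host, port))


def loopback_demo():
    """Bind a minimal 'syslog server' on an ephemeral loopback port (constructed
    test setup; a real collector binds 0.0.0.0:514 as seen in netstat), send one
    message to it and return what the receiver decoded."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as srv:
        srv.bind(("127.0.0.1", 0))   # bound before sending, so the datagram queues
        srv.settimeout(2.0)
        msg = build_message("user", "debug", "logger[4242]", "test syslog message")
        send_udp(msg, "127.0.0.1", srv.getsockname()[1])
        try:
            data, _ = srv.recvfrom(4096)
        except socket.timeout:
            return None                 # the only failure signal UDP gives you
        return parse_message(data)


if __name__ == "__main__":
    print(loopback_demo())
```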
Regular Advisor
coollllllllllll
Posts: 140
Registered: ‎12-28-2012
Message 16 of 24 (1,405 Views)

Re: Script to dump at syslog server

Hi ,

 

 

netstat -ano on the Windows server:

 

UDP    0.0.0.0:514            *:*                                    3860

 

It's not in listening mode.

Started the services many times, but still the same.

 

 

Honored Contributor
Matti_Kurkela
Posts: 6,271
Registered: ‎12-02-2001
Message 17 of 24 (1,393 Views)

Re: Script to dump at syslog server

UDP ports do not really have a specific "listening mode", so the display is different than on TCP ports.


If the UDP port is listed in the netstat output, the port has been activated and the application using the port can pass traffic both ways if it wants to. But a syslog server has no need to send anything at all: it just waits for incoming packets to arrive. If the UDP port is not listed in netstat output, then the UDP port is closed.

 

Yes, this looks like the service is active.

MK
Regular Advisor
coollllllllllll
Posts: 140
Registered: ‎12-28-2012
Message 18 of 24 (1,390 Views)

Re: Script to dump at syslog server


Hi Matti ,

 

Then what could be the reason why I am not able to see syslog messages here?

Debug level messages already selected.

PFA screenshot.

Honored Contributor
Matti_Kurkela
Posts: 6,271
Registered: ‎12-02-2001
Message 19 of 24 (1,384 Views)

Re: Script to dump at syslog server

From your screenshot, I see you have restarted syslogd on 10.1.1.31.

 

Have you edited the /etc/syslog.conf file on 10.1.1.31 correctly?

 

Please run "cat -t /etc/syslog.conf". It should output something like this:

 

$ cat -t /etc/syslog.conf
# @(#)B11.23_LR 
#
# syslogd configuration file.
#
# See syslogd(1M) for information about the format of this file.
#
mail.debug^I^I/var/adm/syslog/mail.log
*.info;mail.none^I/var/adm/syslog/syslog.log
*.alert^I^I^I/dev/console
*.alert^I^I^Iroot
*.emerg^I^I^I*

*.debug^I@10.11.22.33

 

The "cat -t" command replaces the normally space-like TAB characters with "^I"s. There should be at least one ^I on each non-blank non-comment line between the message selector part and the log destination part. You should have the IP address of your Windows server instead of 10.11.22.33.

 

The *.* syntax works with most syslog daemons, but you might try using *.debug instead... maybe I'm confusing HP-UX with Linux or some other Unix, and HP-UX requires using *.debug to mean "absolutely everything". The above file is copied from a HP-UX 11.23 system that is successfully sending syslog messages to a remote destination.

 

After you've verified this (and restarted the syslog daemon again if you had to make any changes), you should use the "logger" command to generate a new syslog message or two. For example:

logger -i "test syslog message"

 

MK
Regular Advisor
coollllllllllll
Posts: 140
Registered: ‎12-28-2012
Message 20 of 24 (1,379 Views)

Re: Script to dump at syslog server

Hi Matti ,

 

As pointed out by you, and my mistake for not checking earlier, I found the ^I separator was not set correctly in syslog.conf:

 

 

root #/ >cat -t /etc/syslog.conf
# @(#)B11.23_LR
#
# syslogd configuration file.
#
# See syslogd(1M) for information about the format of this file.
#
mail.debug^I^I/var/adm/syslog/mail.log
*.info;mail.none^I/var/adm/syslog/syslog.log
*.alert^I^I^I/dev/console
*.alert^I^I^Iroot
*.emerg^I^I^I*
*.*                     @10.1.x.x

 

I changed this line to:

 

 

root #/ >cat -t /etc/syslog.conf
# @(#)B11.23_LR
#
# syslogd configuration file.
#
# See syslogd(1M) for information about the format of this file.
#
mail.debug^I^I/var/adm/syslog/mail.log
*.info;mail.none^I/var/adm/syslog/syslog.log
*.alert^I^I^I/dev/console
*.alert^I^I^Iroot
*.emerg^I^I^I*
*.*^I@10.1.xx.xx

 

Restarted syslog, but still I am not able to see syslog messages in the Windows server...

PFA screenshot of the Windows syslog server:

 

 

Regular Advisor
coollllllllllll
Posts: 140
Registered: ‎12-28-2012
Message 21 of 24 (1,378 Views)

Re: Script to dump at syslog server

PFA shot

Regular Advisor
coollllllllllll
Posts: 140
Registered: ‎12-28-2012
Message 22 of 24 (1,371 Views)

Re: Script to dump at syslog server

Thanks Matti .

Very much grateful to you.

Honored Contributor
Matti_Kurkela
Posts: 6,271
Registered: ‎12-02-2001
Message 23 of 24 (1,355 Views)

Re: Script to dump at syslog server

If it still does not work, try replacing "*.*" with "*.debug" in /etc/syslog.conf, as I suggested on Thursday.

 

In an editor (vi or similar) or when viewed with "cat /etc/syslog.conf", the line should now look like this:

*.debug     @10.1.xx.xx

And when viewed with "cat -t /etc/syslog.conf":

*.debug^I@10.1.xx.xx

 

The requirement to use TAB characters (those whitespace-like ^I:s) in /etc/syslog.conf is a very old Unix legacy. Newer syslog daemon replacements (like rsyslog or syslog-ng) are usually more forgiving in their configuration syntax.

 

Newer syslog daemons understand "*.*" to mean "all log facilities and all priority levels". But older daemons might require "*.debug", which means "all log facilities, priority 'debug' or above". Since 'debug' is the lowest priority level, it means exactly the same thing as "*.*". Apparently HP-UX syslog belongs to the "older" category...

MK
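An added check (not code from the thread) that automates what messages 8, 19 and 23 walk through by hand: for each rule line in an /etc/syslog.conf it verifies that selector and action are separated by a TAB rather than spaces, renders the file the way "cat -t" does, lists the remote "@host" destinations syslogd will actually honour, and flags "*.*" where HP-UX may need "*.debug". The embedded configuration is constructed from the thread's own listings; the addresses in it are placeholders.

```python
import re

# Constructed sample: the space-separated "*.*" line is the mistake from the
# thread, the TAB-separated "*.debug" line is the working form.
SAMPLE_CONF = """\
# @(#)B11.23_LR
# syslogd configuration file.
mail.debug\t\t/var/adm/syslog/mail.log
*.info;mail.none\t/var/adm/syslog/syslog.log
*.alert\t\t\t/dev/console
*.emerg\t\t\t*
*.*                     @10.1.x.x
*.debug\t@10.11.22.33
"""


def check_syslog_conf(text):
    """Return (line_no, status, selector, action) for every rule line.
    status is 'ok', 'space-separated' (syslogd silently ignores the line)
    or 'malformed' (no whitespace between selector and action at all)."""
    results = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip()
        if not line or line.lstrip().startswith("#"):
            continue                        # blank or comment line
        m = re.match(r"^(\S+)(\s+)(\S.*)$", line)
        if not m:
            results.append((n, "malformed", line, ""))
            continue
        selector, sep, action = m.groups()
        status = "ok" if "\t" in sep else "space-separated"
        results.append((n, status, selector, action))
    return results


def remote_destinations(text):
    """Hosts that will really receive forwarded messages: '@' actions on lines
    that pass the TAB check."""
    return [r[3][1:] for r in check_syslog_conf(text)
            if r[1] == "ok" and r[3].startswith("@")]


def to_cat_t(text):
    """Render like 'cat -t': make each TAB visible as ^I."""
    return text.replace("\t", "^I")


def hpux_selector_hint(selector):
    """Older daemons such as HP-UX syslogd may need '*.debug' for 'everything'."""
    return "*.debug" if selector == "*.*" else selector
```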
Acclaimed Contributor
Dennis Handly
Posts: 25,063
Registered: ‎03-06-2006
Message 24 of 24 (1,348 Views)

Re: Script to dump at syslog server

>when viewed with "cat -t /etc/syslog.conf"

 

You can also see that in vi with:

:set list
