Sample Syslog Device Configurations

Step-By-Step Guides

Article created 2003-05-09 by Rainer Gerhards.

MonitorWare Agent can receive vital network status information from a variety of devices. As these devices are from many different vendors and have many different applications, it is impossible to provide detailed configuration information for all of them.

We provide configuration information for some well-known devices. Hopefully, the samples will provide some idea of how other devices might be configured.

NetGear RT314 Syslog Configuration

The RT314 supports syslog. Unfortunately, syslog messages cannot be enabled using the web interface. It must be done using telnet, a command line interface.

To the best of our knowledge, the NetGear RT314 is compatible with the ZyXEL Prestige 314. As far as we know, both of them run a version of the ZyNOS operating system that provides a menu system via telnet. As such, the description here also applies to the ZyXEL product. There might be other routers available that are based on the same operating system. If in doubt, start a telnet session to your router and check whether this step-by-step guide applies to your device.

In our example, we assume the router has address 172.16.0.100. The syslog server has the address 172.16.0.4.

First, open a command prompt (“DOS box”). Then, type “telnet 172.16.0.100” as shown in this sample:

The router will prompt you for the password. Enter it and the main menu will appear:

The syslog server’s address can be configured under “System Maintenance”. As such, enter 24 and press enter. The system maintenance menu appears:

There, enter 3 (as shown below) and press enter:

Now enter 2 and press enter. The syslog properties appear:

The screen shot displays the correct configuration for maximum logging. To change the properties, press enter. Each time you press enter, you will move from field to field. Once you are at the beginning of a field, you can simply type the value you would like to change. Follow the instructions on the lower left to change the configuration.

Make sure that you set “Active” to “Yes”, otherwise the RT314 will not generate syslog messages. Under “Syslog IP Address”, type the IP address of the MonitorWare Agent. Please note that you must use an IP address – the computer name will not work. Under “Log Facility”, select the syslog facility the messages will be sent with. The RT314 supports only LOCAL_1 to LOCAL_7 – other facilities are not supported. If in doubt, leave this setting at “Local 1”.

Under types, select which events will be sent via syslog. All those with “Yes” configured will be sent.

Please see the RT314 manual for details.

Finally, press enter to confirm your configuration choice. This will store and activate the new configuration and return you to the “Log and Trace” menu. There, press ESC to return to the “System Maintenance” menu and ESC once again to return to the main menu. There, type “99” and press enter to exit the RT314 configuration utility.

Please note that telnet will display a “Connection to host lost” message – this is no error but the expected behavior.

This procedure concludes the configuration of the RT314. It will now generate syslog messages that can be received by the MonitorWare Agent.

HP JetDirect Interfaces

JetDirect interfaces are network print servers. They are used internally in printers like the successful HP LaserJet series. JetDirect is also available as an external box to connect any brand of printer to the network.

The HP JetDirect interfaces support the syslog protocol. To the best of our knowledge, they send status as well as print job information via syslog. Status notifications include things like toner low or out of paper. Print job information includes data on completed and aborted print jobs.

The JetDirect Interface can be configured via the so-called HP JetAdmin program. In our sample, we use the web-based JetAdmin tool (HP is actively promoting the web version today).

In our sample, we have a very basic configuration. HP Web JetAdmin is installed on a server with the surprising name “SERVER”. The printer we are configuring also has the surprising name “HP LaserJet 4000”. The syslog server service is running on a machine with IP 10.0.0.1. In the sample, we configure the JetDirect interface to send syslog messages to this central server. We assume that you are already familiar with the HP Web JetAdmin program. Please note that the menus shown below can differ slightly depending on the HP Web JetAdmin version and the actual printer or JetDirect Interface model.

First, start the HP Web JetAdmin by pointing your browser to http://server:8000. This is the default address for Web JetAdmin. This will bring up the HP web interface.

Click on the JetAdmin logo and click the continue button that pops up. Please note that, depending on your browser settings, a number of Java security warnings may pop up. You need to allow execution of the applets, otherwise JetAdmin does not work. Continue until you reach the main menu:

Double-click the printer. A screen like the following appears:

Click on the “configuration” tab. Then, select “network” in the left-hand menu.

Find the “System Log Server” entry. Here, you must enter the IP address of the system the syslog server service is running on.

After doing so, press “Apply”. You will be directed to a “success” page:

The syslog server address is now set and syslog message logging activated. You can now either return to the configuration menu or select any option in the menu available.

This procedure concludes the configuration of the HP JetDirect Interface. It will now generate syslog messages that can be received by the syslog server service.

Cisco PIX

Cisco’s PIX is a well known firewall appliance. It is highly scalable, from a small office or home environment to an enterprise environment. PIX is very widely used.

Cisco’s PIX supports syslog over both TCP and UDP. While WinSyslog supports both of these protocols, we will focus on UDP in our step-by-step guide as this is the standard protocol. Therefore, if you would like to consolidate logs from multiple devices and one of them is PIX, you will probably take the syslog over UDP route.

PIX can be configured using either a command line interface or the so-called PIX Device Manager (PDM), an HTML configuration application that comes with the PIX. Typically, PDM is used and as such we focus on it in our step-by-step guide.

First, start PDM by pointing your Java-enabled web browser to the PIX. Important: use an HTTPS URL. This is badly documented by Cisco. Using http instead of https will cause your connection to fail! If, for example, your PIX has the internal IP address 172.16.0.1, use the following URL:

https://172.16.0.1

Once this is done, the PDM opens. Most probably, a number of Java security and certificate related questions open. Please allow the product to proceed. Also, a number of browser windows open. Finally, you should see a window similar to the following:


PDM Start Screen

Now, switch to the system properties tab:

Next, expand “Logging” in the treeview and then select “Logging Setup”. A screen similar to this one appears:

Make sure the “Enable Logging” box is checked as in the screenshot. Then, select “Syslog” in the treeview. This brings you to the page where syslog servers can be configured:

In the above example, no server is configured so far. This is the default setting for a freshly installed PIX. We will now configure a syslog server at IP 172.19.0.2. Press “Add” and the following dialog appears:

Typically, your syslog server will reside on the internal network. As such, leave the interface at “inside”. Then enter the IP Address of your syslog server into the field “IP Address”. In the screenshot, this has already been done. Next, make sure UDP is selected as protocol. The port value of 514 is the default and also the standard. There should be little need to modify it. If you do, make sure you fully understand the implications as a wrong port can disrupt traffic.

Of course, if you would like to use TCP logging, you can do so. However, in this case MonitorWare Agent must be configured to have at least one syslog listener running on the specified TCP port. Also, please note that other products typically do not support syslog over TCP and, as such, messages from these devices cannot be received by a syslog over TCP receiver.

After configuring the syslog settings, be sure to press OK to return to the PDM main screen:

Here, you can modify the syslog facility and level as well as include a PIX timestamp – see settings on the right.

Important: the configuration you have created has not been saved so far! To save it, you must press the “Apply to PIX” button. Depending on your configuration and PIX model, the “Apply” can take some time.

Once the “Apply” is finished, you see the following screen:

Please note the new “Save to Flash Needed” button. This one can easily be overlooked. When it is present, a new PIX configuration has been created but not permanently saved on the PIX. So you need to press “Save to Flash Needed” in order to complete your configuration! If you forget this step, the PIX will either not forward syslog messages at all or stop doing so after the next PIX reboot.

Make sure that you see the following dialog before continuing:

This concludes the basic configuration of your PIX. You should now receive syslog messages on the configured syslog server. You can now close Cisco’s PDM. Of course, you can return at any time to change configuration settings or enable syslog messages to additional syslog servers you have created.

Other Cisco Products

All Cisco products we know support logging via syslog. This article covers all devices that use IOS (e.g. routers and switches). Unfortunately, this is not a full step-by-step guide as the others are. We are working to create a more detailed version of the Cisco guide – but we still decided to leave it in here, as it is possibly useful for many users.

Syslog logging needs both to be configured and to be turned on. To configure it, you must be in enable mode (see your Cisco documentation on how to enter enable mode). Then switch to configuration mode (the command is “configure terminal”, or “conf t” as an abbreviation). First of all, you need to specify the syslog host that the messages should be sent to. This is the name or IP address of the system MonitorWare Agent is running on. Though a DNS-resolvable name can be used, we strongly recommend using the IP address directly. If your machine has the address “195.123.45.6”, then the command is “logging 195.123.45.6”. Next, logging needs to be turned on. This command is “logging on”. Then exit from configuration mode and save the new configuration.

This setting enables syslog logging for common messages (e.g. router configuration and startup). If you would like to have traffic-related logging activated, you need to create traffic filter rules that specify the “log” option and apply them to the interface you are interested in.

More detailed information can be found at Cisco’s web site under the “logging” command. Please note: this link is to one of Cisco’s product documentation areas. You might want to search the Cisco site to find information specific to the product (router, switch, firewall, etc.) you are using.

MonitorWare Agent 4.x – Database Structure Advantages

Created 2003-05-05 by Wajih-ur-Rehman.
Last Updated 2006-06-21 by Timm Herget.

What are the advantages of this new Database Structure for MonitorWare Agent 4.x?

Since most of the important information about any event is present in the message content, and since the new MonitorWare Agent parses out this information and stores it in the form of name/value pairs in the SystemEventsProperties table, the biggest advantage of this new schema is the ability to define more meaningful and powerful filters. In addition, it will also give Adiscon an opportunity to generate more intelligent reports (for MonitorWare Console) for analysis purposes.

Creating a simple Syslog Server

Step-By-Step Guides

Article created 2003-04-30 by Rainer Gerhards.

In this scenario, a simple syslog server will be created. No other services are configured. The syslog server will operate as a standard syslog server on the default port of 514/UDP. All incoming data will be written to a single text file.

Step 1 – Defining a Rule Set for File Logging

The rule set specifies what action to carry out. You might be tempted to define the service first, but starting with the rule set makes things easier as it already is present when the service will be defined later and needs to be bound to a rule set.

To define a new rule set, right click “Rules”. A pop up menu will appear. Select “Add Rule Set” from this menu. On screen, it looks as follows:

Then, a wizard starts. Change the name of the rule set to whatever name you like. We will use “Write Syslog Log File” in this example. The screen looks as follows:

Click “Next”. A new wizard page appears:

There, select file logging. Do not select any other options for this example. Also, leave the “Create a Rule for each of the following actions” setting selected. Click “Next”.

This is just a confirmation page. Click “Finish” to create the rule set.

The wizard closes and the client shows a newly created rule set.

As you can see, the “Write Syslog Log File” rule set is now present. Please expand it in the tree view until you have the following screen contents:

As you can see, we have a “File Logging” action configured. We will review the settings just for your information. Click on “Filter Conditions”:

As you can see, none of the filter conditions are enabled. This means that all information units (incoming messages) will be matched by these filter conditions. As such, the rules for the “File Logging” action will always be carried out.

Please note that this also means that all syslog priorities and facilities will be written to the same file.

Now let us check the “File Logging” action itself. Please select it in the tree view:

As you can see, it has been created with the default parameters. Each day, a file will be created in the C:\temp directory and its base name will be MonitorWare. It will include all information items in the file.

If you would like to store it into a separate directory or change the file name, here is the place to do it. Important: please make sure the directory you specify exists! If it does not yet exist, please create it before you start the service. If the directory does not exist, the service is not able to store any files.

In our example, we would like to save it to “c:\logfiles” with a base name of “syslog”. Therefore, we change these properties:

After doing so, you will notice the yellow text on top of the window. It tells you that the configuration changes have not yet been applied. To do so, press “save”.

Now you have a workable rule set for logging incoming messages to a text file.

Step 2 – Create a Syslog Server Service

Now we need to define a syslog server service. A syslog server is also sometimes called a “syslog daemon”, “syslogd” or “syslog listener”. It is the process that receives incoming messages.

To define it, right click on “Services”, then select “Add Service” and the “Syslog Server”:

Once you have done so, a new wizard starts:

Again, you can use either the default name or any one you like. We will use “My Syslog Server” in this example. Leave the “Use default settings” selected and press “Next”:

As we have used the default, the wizard will immediately proceed with step 3, the confirmation page. Press “Finish” to create the service. The wizard completes and returns to the configuration client. There, you will see the newly created service beneath the “Services” part of the tree view:

To check its parameters, select it:

As you can see, the service has been created with the default parameters. As such, it operates as a RFC compliant standard syslog server.

Please note that the “Write Syslog Log File” has been automatically assigned as the rule set to use. This is the case because we already created it and it is the only rule set. By default, the wizard will always assign the first rule set visible in the tree view to new services. If another one is to be used, you need to change it to the correct one here in the service definition.

Also, note that the wizard uses the default properties from the “Service Defaults”. Obviously, if these are changed, the default properties for new services will differ.

This procedure completes the configuration of the syslog server.
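The rule set and service above produce a 514/UDP listener that writes every incoming message to a daily text file. The following is an added example, not MonitorWare Agent code, of what such a minimal receiver does underneath: it binds the UDP port, decodes the RFC 3164 PRI value of each datagram into the facility and severity names (the same numbering the RT314 “Local 1” and PIX facility settings above select), and appends one record per datagram to a file named after the base name and date. The directory, base name and record layout are assumptions chosen to mirror the guide’s “c:\logfiles” / “syslog” example.

```python
import datetime
import os
import re
import socket

# Facility and severity names from RFC 3164; the PRI value is facility * 8 + severity.
FACILITIES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

PRI_RE = re.compile(r"^<(\d{1,3})>")
DEFAULT_PRI = 13  # user.notice, which RFC 3164 assigns to messages without a valid PRI


def parse_pri(raw):
    """Split a raw datagram into (facility, severity, text).

    A device sending with facility "Local 1" (16 + 1 = 17) and severity info (6)
    produces PRI 17 * 8 + 6 = 142. Datagrams with no parseable or out-of-range PRI
    fall back to user.notice instead of being dropped.
    """
    text = raw.decode("utf-8", errors="replace")
    match = PRI_RE.match(text)
    pri = int(match.group(1)) if match else DEFAULT_PRI
    if pri > 191:  # 23 * 8 + 7 is the largest legal value
        pri, match = DEFAULT_PRI, None
    body = text[match.end():] if match else text
    facility, severity = divmod(pri, 8)
    return FACILITIES[facility], SEVERITIES[severity], body


def format_line(peer_ip, raw, stamp=None):
    """Build one log-file record. Embedded line breaks are escaped so that a
    single datagram can never masquerade as several records in the file."""
    stamp = stamp or datetime.datetime.now().strftime("%Y-%m-%d %H:%M:%S")
    facility, severity, body = parse_pri(raw)
    body = body.rstrip("\r\n").replace("\r", "\\r").replace("\n", "\\n")
    return "%s %s %s.%s %s" % (stamp, peer_ip, facility, severity, body)


def log_file_path(directory, base_name, day=None):
    """One file per day, e.g. c:\\logfiles\\syslog-2003-04-30.log (assumed layout)."""
    day = day or datetime.date.today().strftime("%Y-%m-%d")
    return os.path.join(directory, "%s-%s.log" % (base_name, day))


def serve(directory=r"c:\logfiles", base_name="syslog", bind="0.0.0.0", port=514):
    """Receive UDP syslog and append every datagram to the current day's file."""
    os.makedirs(directory, exist_ok=True)  # the guide warns that the directory must exist
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind, port))
    while True:
        data, (peer_ip, _port) = sock.recvfrom(65535)
        with open(log_file_path(directory, base_name), "a", encoding="utf-8") as handle:
            handle.write(format_line(peer_ip, data) + "\n")


if __name__ == "__main__":
    serve()
```

Binding port 514 requires administrative privileges on most systems, and, as with the real service, nothing is written until a device actually sends a datagram.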

Step 3 – (Re-) Start the MonitorWare Agent Service

MonitorWare Agent cannot dynamically read changed configurations. As such, it needs to be restarted after such changes. In our example, the service was not yet started, so we simply need to start it. If it’s already running, you need to restart it.

Service control can be done either with the respective operating system capabilities (like the service manager MMC) or with the configuration client. The latter are shown in the red-framed area in the following screen shot:

The buttons resemble those of the Windows service manager – start, stop and restart. In this example, stop and restart are grayed out because the service is not running.

After service restart, the new definitions are active and MonitorWare Agent is ready to accept and store incoming messages.

Step 4 – Configure your Syslog-Enabled Devices

Even though MonitorWare Agent is now ready, it can only receive messages if some devices send them. Remember, syslog is a protocol where the server passively waits for incoming messages. As long as no device sends messages, the syslog server will not log anything.

Since there is a large variety of devices, we unfortunately cannot provide device-specific instructions. However, almost all devices need to be configured with their specific configuration tool. Typically, only two settings need to be made: one to activate syslog messages at all and one with the syslog server IP address or name.

For some devices, we have step-by-step guides. Please read “Sample Syslog Device Configurations” for further details.

Remember: the computer running MonitorWare Agent now acts as a syslog server. As such, you need to find out its IP address or name and supply it to the device as the syslog server. Please note that not all devices can operate with computer names. Use the IP address, if in doubt.

2003-04-24 Adiscon Products run under Windows Server 2003

As our customers expect, all Adiscon Windows based products run under Windows 2003. Among others, this includes EventReporter, WinSyslog and MonitorWare Agent.

Product testing has been performed during Microsoft’s beta release cycle. In fact, no code modifications were necessary to make the Adiscon products perform well under the new operating system version.

Numeric values for event severity levels

Created 2003-04-14 by Lutz Koch.

What are the numeric values for event severity levels?

The severity of an event describes the importance of an event. These severity levels are represented by numeric values. Those values are:

Severity         Numeric value
SUCCESS          1
ERROR            2
WARNING          4
INFORMATION      8
AUDIT_SUCCESS    16
AUDIT_FAILURE    32
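The values in the table are powers of two, so several severities can be combined into one mask by OR-ing them and a single event can be tested against that mask with a bitwise AND. The following added example (not Adiscon code; that MonitorWare uses the values as a combinable bitmask is an assumption drawn from the numbering, not stated above) shows how such a mask is built, decoded and applied as a filter over a few constructed event records.

```python
# Numeric severity values from the table above.
SEVERITY_VALUES = {
    "SUCCESS": 1,
    "ERROR": 2,
    "WARNING": 4,
    "INFORMATION": 8,
    "AUDIT_SUCCESS": 16,
    "AUDIT_FAILURE": 32,
}
ALL_SEVERITIES = sum(SEVERITY_VALUES.values())  # 63: every defined bit set


def severity_mask(*names):
    """Combine severity names into one mask, e.g. ERROR | AUDIT_FAILURE == 34.
    An unknown name raises instead of silently widening or narrowing the filter."""
    mask = 0
    for name in names:
        if name not in SEVERITY_VALUES:
            raise ValueError("unknown severity: %r" % (name,))
        mask |= SEVERITY_VALUES[name]
    return mask


def decode_mask(mask):
    """Return the severity names contained in a mask, lowest value first."""
    if mask & ~ALL_SEVERITIES:
        raise ValueError("mask %d contains undefined severity bits" % mask)
    ordered = sorted(SEVERITY_VALUES.items(), key=lambda item: item[1])
    return [name for name, value in ordered if mask & value]


def matches(severity, mask):
    """True when a single event severity value is selected by the mask."""
    if severity not in SEVERITY_VALUES.values():
        raise ValueError("not a single severity value: %r" % (severity,))
    return bool(severity & mask)


def select_events(events, mask):
    """Keep only the events whose numeric severity is selected by the mask."""
    return [event for event in events if matches(event["severity"], mask)]


# Constructed sample records (not real log data) using the table's numeric values.
SAMPLE_EVENTS = [
    {"id": 6005, "severity": 8, "message": "The Event log service was started."},
    {"id": 529, "severity": 32, "message": "Logon failure: unknown user name or bad password."},
    {"id": 7000, "severity": 2, "message": "A service failed to start."},
    {"id": 528, "severity": 16, "message": "Successful logon."},
]

if __name__ == "__main__":
    alerting = severity_mask("ERROR", "AUDIT_FAILURE")  # 34
    for event in select_events(SAMPLE_EVENTS, alerting):
        print(event["id"], decode_mask(event["severity"])[0], event["message"])
```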

How to set the Windows 2000 event log size?

Created 2003-04-14 by Rainer Gerhards.

I know that the Windows event log size settings are not optimal. So how can I change them and what are better values?

Indeed, the default settings are just 512 KB and overwrite after 7 days. While the 512 KB setting does not actually pose a problem, the 7 day overwrite does. Effectively, this means that no new records will be added to the event log as long as records younger than 7 days fill up the log. They cannot be overwritten with this setting. As such, the new ones are simply lost.

With MonitorWare Agent and EventReporter, event log records are quickly picked up from the Windows event logs and forwarded to a central server. As such, there is no concern about older records being overwritten. For that reason, we recommend setting the log to “overwrite as needed”. Just as a general idea, we also recommend setting the log size to 4096 KB, as this allows for some local storage on the system in question (but this is not critical).

If you would like to see how these settings can be made, you can watch a short video sequence demoing this.

MonitorWare Agent as Syslog and SETP Server

Created 2003-04-04 by Wajih-ur-Rehman.

If I am forwarding the data from different MonitorWare Agents via SETP to a central MonitorWare Agent acting as a SETP Server, will I be able to send Syslog messages to this central server too?

Yes, you will be able to send the syslog messages to the same MonitorWare Agent as well. The reason is that MonitorWare Agent has the capability of acting as a syslog server and as an SETP server simultaneously. So not only can your Windows machines forward events via the SETP protocol, but any other machine that generates syslog messages can forward its data using syslog. Both kinds of messages (SETP and syslog) will be picked up by the central MonitorWare Agent (but obviously you need to configure it in such a way that it can do this).

Configurations for SETP and Syslog Server

Created 2003-04-04 by Wajih-ur-Rehman.

I want to have a MonitorWare Agent acting as a central server such that it can accept both SETP as well as syslog messages and log them to a database. What configurations should I make?

You will create the following configuration settings for MonitorWare Agent that will be acting as the central server for collecting all the messages:

  1. Right click on “Services” node and add “Syslog Server”. A new node will be added under the Services node. Click on this newly added node and change the settings according to your requirements.
  2. Right click on “Services” node and add “SETP Server”. A new node will be added under the Services node. Click on this newly added node and change the settings according to your requirements.
  3. When you install MonitorWare Agent, it creates one RuleSet automatically. Right click on it, go to Rules and add a new Rule. You will see a new Rule under the Rule Set.
  4. When you expand this newly created Rule, you will see two nodes under it. One is “Filter Condition” (by default, “No Filter” is selected.) and the other is “Actions”.
  5. Right click on Actions, add the “Write to Database” action and configure its settings.
  6. Go back to the Service that you created in Step 1 and Step 2 and make sure that the RuleSet under which you have defined your own Rule in step 3 is bound to both of these services.

Configurations for Forwarding the Events

Created 2003-04-04 by Wajih-ur-Rehman.

I have MonitorWare Agents running on various Windows machines/servers. I want to forward all the Windows event log messages to the central MonitorWare Agent. What configurations should I make?

For all the Windows machines that forward data to the central server, the MonitorWare Agents running on them should be configured as follows:

  1. Right click on “Services” node and add “Event Log Monitor Service”. A new node will be added under the Services node. Click on this newly added node and change the settings according to your requirements.
  2. When you install MonitorWare Agent, it creates one RuleSet automatically. Right click on it, go to Rules and add a new Rule. You will see a new Rule under the Rule Set.
  3. When you expand this newly created Rule, you will see two nodes under it. One is “Filter Condition” (by default, “No Filter” is selected.) and the other is “Actions”.
  4. Right click on Actions, and add “Send SETP” action. (You can also send via Syslog but SETP is recommended)
  5. You will see a new node under the newly created node. Click on it and set the settings. Note that if you are interested in only specific events to be sent to the central server, you can define a Filter condition as well. With the current settings (no filter) all the events will be sent to the central server.
  6. Go back to the service that you created in step 1 and make sure that the rule set under which you have defined your own rule in step 2 is attached to this service. In other words, if you go to the properties of the Event Log Monitor Service that you created in step 1, you will see a combo box at the bottom, “Rule Set to use”. Make sure that the rule set under which you have defined your own rule in step 2 is selected there.

My license key seems not to work – what to do?

Created 2003-03-28 by Wajih-ur-Rehman.

I entered my license information through the client interface but it still says that it is a “trial version”. How to solve this problem?

Here are some possible reasons for the problem:

  1. If your license name does not have a space at the end, make sure that you don't enter a space at the end.
  2. The license name is case sensitive.
  3. Your license name must be entered without the double quotes at the start and end.
  4. We recommend that you copy the characters present within the double quotes of the license name that was sent to you (but without the double quotes) and paste them into the required field.

If the problem is not solved even after going through the four points above, kindly send us the license information that you received.