Cannot open Solaris 11 syslog file

kbelunek
Posts: 4
Joined: Tue Jan 07, 2014 5:08 pm

Cannot open Solaris 11 syslog file

Post by kbelunek » Tue Jan 07, 2014 5:13 pm

Hello,

I am a new LogMX user (version 4.1.1) and I am using the full version of LogMX.
I have a problem opening a Solaris 11 syslog file: LogMX complains about an unrecognized format.
Syslog messages are stated to be supported by LogMX out of the box.

Here is a log file example
-------
2014-01-07T08:52:06+02:00 localhost puppet-master[10173]: [ID 702911 daemon.notice] Caught TERM; calling stop
2014-01-07T08:55:00+02:00 localhost puppet-master[10310]: [ID 702911 daemon.notice] Reopening log files
2014-01-07T08:55:00+02:00 localhost puppet-master[10310]: [ID 702911 daemon.notice] Starting Puppet master version 3.3.1
2014-01-07T08:55:24+02:00 localhost puppet-agent[10311]: [ID 702911 daemon.error] Could not request certificate: getaddrinfo: node name or service name not known
2014-01-07T08:55:43+02:00 localhost puppet-master[10341]: [ID 702911 daemon.error] Could not run: Could not create PID file: /opt/msma/puppet-current/working/pid/master.pid
2014-01-07T08:55:51+02:00 localhost puppet-master[10310]: [ID 702911 daemon.notice] Caught TERM; calling stop
2014-01-07T08:56:27+02:00 localhost puppet-master[10379]: [ID 702911 daemon.notice] Reopening log files
---------

Any ideas please?

admin
Site Admin
Posts: 418
Joined: Sun Dec 17, 2006 10:30 pm

Re: Cannot open Solaris 11 syslog file

Post by admin » Tue Jan 07, 2014 6:04 pm

Hello,

Indeed, the Syslog parser embedded by default in LogMX is only compatible with RFC 3164 syslogs (CentOS, RedHat, Fedora, Ubuntu, ...), but Solaris 11 is currently using RFC 5424.
We will see if we can upgrade this LogMX parser or create a new one to be compatible with RFC 5424, since those log formats are very different...
In the meantime, you can use a "Log4j Pattern Parser" to make LogMX understand such logs: simply give your log line pattern (using Log4j pattern syntax) so that LogMX can parse it:
In menu "Tools", item "Options", tab "Parsers", then add a Parser using the green "+" button. Select tab "Log4j Pattern Parser", then type a pattern like:

%d{yyyy-MM-dd'T'HH:mm:ss}%x %u{Host} %c[%u{PID}]: %m
or maybe, if you're sure that all log messages will begin with "[ID ... daemon...]":
%d{yyyy-MM-dd'T'HH:mm:ss}%x %u{Host} %c[%u{PID}]: [ID %x daemon.%p]%m

You can test your parser in real-time by typing two or three lines of your log file at the bottom of the Parser creation window.

I will post a message here if future releases also handle RFC 5424 syslogs.
Please let me know if you have other questions/issues.

Regards,
Xavier
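The reply above splits the posted lines into the same fields the Log4j patterns name (timestamp, host, application, PID, message), and the point that trips the default parser is visible in the sample itself: the Solaris lines carry an ISO 8601 timestamp such as 2014-01-07T08:52:06+02:00 instead of the RFC 3164 "Jan  7 08:52:06" form, and the message starts with a Solaris "[ID 702911 daemon.notice]" tag. The following Python parser is an added example written for this thread; it is not LogMX code and not the parser the forum members built. It accepts both timestamp styles, pulls the facility, level and message ID out of the Solaris tag when present, and keeps a list of lines it could not parse so that a format change is noticed rather than silently dropped. The sample lines embedded in it are constructed to mirror the ones posted above plus one RFC 3164-style line and one junk line.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: two lines in the shape of the Solaris 11 lines posted in
# the thread, one RFC 3164-style line as a RHEL box would write it, and one
# line that is not syslog at all (to exercise the rejection path).
SAMPLE_LOG = """\
2014-01-07T08:52:06+02:00 localhost puppet-master[10173]: [ID 702911 daemon.notice] Caught TERM; calling stop
2014-01-07T08:55:24+02:00 localhost puppet-agent[10311]: [ID 702911 daemon.error] Could not request certificate: getaddrinfo: node name or service name not known
Jan  7 08:55:43 rhel-host sshd[2041]: Accepted publickey for deploy from 192.0.2.10 port 50122 ssh2
this line is not syslog at all
"""

# Severity keywords as they appear in the Solaris "[ID nnn facility.level]" tag,
# mapped to the numeric syslog severity (0 = emerg ... 7 = debug). Solaris writes
# "error" where the RFC keyword is "err", so both spellings are accepted.
SEVERITY = {
    "emerg": 0, "panic": 0, "alert": 1, "crit": 2, "err": 3, "error": 3,
    "warning": 4, "warn": 4, "notice": 5, "info": 6, "debug": 7,
}

ISO_TS = r"\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d+)?(?:Z|[+-]\d{2}:\d{2})"
BSD_TS = r"[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}"

# timestamp, host, app[pid]: message -- timestamp may be ISO 8601 or RFC 3164 style.
LINE_RE = re.compile(
    r"^(?P<ts>" + ISO_TS + r"|" + BSD_TS + r") "
    r"(?P<host>\S+) "
    r"(?P<app>[^\s\[:]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<msg>.*)$"
)
# Solaris message-ID tag at the start of the message body.
SOLARIS_TAG_RE = re.compile(
    r"^\[ID (?P<msgid>\d+) (?P<facility>[a-z0-9]+)\.(?P<level>[a-z]+)\] ?(?P<body>.*)$"
)


@dataclass
class SyslogRecord:
    timestamp: str
    host: str
    app: str
    pid: Optional[int]
    facility: Optional[str]
    level: Optional[str]
    msgid: Optional[str]
    message: str
    iso_timestamp: bool

    @property
    def severity(self) -> Optional[int]:
        """Numeric syslog severity, or None when the line carried no level."""
        return SEVERITY.get(self.level) if self.level else None


def parse_line(line: str) -> Optional[SyslogRecord]:
    """Parse one syslog line; return None when it does not match either layout."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    facility = level = msgid = None
    msg = m.group("msg")
    tag = SOLARIS_TAG_RE.match(msg)
    if tag:
        msgid, facility, level = tag.group("msgid"), tag.group("facility"), tag.group("level")
        msg = tag.group("body")
    ts = m.group("ts")
    return SyslogRecord(
        timestamp=ts, host=m.group("host"), app=m.group("app"),
        pid=int(m.group("pid")) if m.group("pid") else None,
        facility=facility, level=level, msgid=msgid, message=msg,
        iso_timestamp=re.fullmatch(ISO_TS, ts) is not None,
    )


def parse_log(text: str) -> Tuple[List[SyslogRecord], List[str]]:
    """Parse a whole file; unparsable lines are returned rather than discarded."""
    records: List[SyslogRecord] = []
    rejected: List[str] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            rejected.append(line)
        else:
            records.append(rec)
    return records, rejected


def at_least(records: List[SyslogRecord], max_severity: int) -> List[SyslogRecord]:
    """Records at least as serious as max_severity (lower number = more severe)."""
    return [r for r in records if r.severity is not None and r.severity <= max_severity]


if __name__ == "__main__":
    recs, bad = parse_log(SAMPLE_LOG)
    for r in recs:
        print(f"{r.timestamp} {r.host} {r.app}[{r.pid}] {r.facility}.{r.level}: {r.message}")
    print("rejected:", bad)
    print("error or worse:", [(r.app, r.pid) for r in at_least(recs, 3)])
```

The rejected list is the part worth keeping in any production version: a parser that drops what it cannot read will hide exactly the lines written during an incident on a host whose format drifted.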

kbelunek
Posts: 4
Joined: Tue Jan 07, 2014 5:08 pm

Re: Cannot open Solaris 11 syslog file

Post by kbelunek » Wed Jan 08, 2014 1:07 pm

Hello,

thanks for the quick reply.
I will check your pattern for sure.

I am currently evaluating LogMX for a large project and seamless Solaris 11 Syslog support is crucial. The project will use approximately tens of deployed autonomous systems; each system contains some co-operating Redhat 6.4 and Solaris 11.1 machines.
The "merge log" functionality and the remote SFTP log view are the main LogMX advantages important for me; the more sophisticated SIEM solutions cannot be used due to their resource demands, I need something lightweight.

Please keep me informed if support for the new Syslog RFC is seriously planned (I think it is only a matter of time before another LogMX customer requests the same) and when this support can be implemented.

Thanks and regards

Karel B.

admin
Site Admin
Posts: 418
Joined: Sun Dec 17, 2006 10:30 pm

Re: Cannot open Solaris 11 syslog file

Post by admin » Wed Jan 29, 2014 9:10 pm

Hello Karel,

LogMX v4.1.3 is now released and fully supports RFC 5424 for syslogs (I've just successfully parsed the logs you posted here).
Please let us know if we can be of any further help for your project (on this forum or support@logmx.com)

Regards,
Xavier

kbelunek
Posts: 4
Joined: Tue Jan 07, 2014 5:08 pm

Re: Cannot open Solaris 11 syslog file

Post by kbelunek » Wed Jan 29, 2014 9:44 pm

Thank you very much,

I really appreciate your effort.
In the meantime I have developed my own RFC 5424 compliant parser for educational purposes; the Java API for building custom parsers is straightforward and well documented.
I have already recommended the LogMX tool for the project and it will probably be accepted by the customer.

Thanks and regards.
