I have a Linux server that can send syslog.
1) There are different Data Source Vendor and Data Source Model choices in the GUI:
a) Syslog, Advanced Syslog Parser
b) UNIX, Linux (ASP)
c) UNIX, UNIX OS (Red Hat, Solaris, ...)
Which one should I use for a Linux system, and what are the differences between these 3?
2) There is standard syslog and there is ASP (Advanced Syslog Parser). What is the difference between these two?
3) Say that I send all the logs, and this syslog contains Linux logs, sshd logs, web server logs, Asterisk logs, etc. What should I do to add this data source? Is adding only one data source enough to handle system logs, sshd logs, Apache logs and Asterisk logs? If not, should I add a new DS for all logs to be processed, but with a different Data Source Vendor/Model?
Before I answer your specific questions, I wanted to give you a little information that will hopefully add context to my answers. We have 2 types of parsers on our receiver: code-based parsers and rules-based parsers. The code-based parsers require a code update for us to make any changes to them. The rules-based parser can be updated at any time by downloading rules from our rule server. The rules-based parser is called the Advanced Syslog Parser (ASP). When you are adding a data source, if the data source model ends in (ASP) it uses the rules-based parser. If it does not have the (ASP), it is a code-based parser.
Now, to answer your specific questions.
The data source vendor and model that you choose will depend on which Linux OS you are running. If you are running Solaris, Red Hat Linux, HP-UX, or IBM AIX, then you will need to choose the data source vendor of "Unix" and the model of "UNIX OS (Solaris, Red Hat Linux, HP-UX, IBM AIX)". If you are running any other version of Linux, you will need to choose the data source vendor of "Unix" and the model of "Linux (ASP)".
The vendor of "Syslog" and model of "Advanced Syslog Parser" is designed to be used when a customer wants to write their own custom rules for a syslog data source that we do not currently support. That vendor and model are not used very often.
Both of the Unix rule sets are built to handle all of the standard Unix logs. This includes most of the standard services that can run on Linux, like sshd, smartd, etc. Many applications that run on Linux will also write their logs to the standard Linux syslog feed. A good example of that would be an Apache web server. We have a separate data source that covers these logs. However, you can set them up under one data source. You would simply set up the data source to collect the Linux logs, and then, in the policy, you can manually enable the Apache rules as well for that data source. Below are instructions on how to do that.
1. Select your data source in the device tree and then click on the policy button to open the policy editor.
2. Once the policy editor opens, delete the value that is in the Device Type filter on the right, and then select the filter button so that we can find the Apache device type.
3. Browse through the list and select Apache Web Server. Once you have selected it, click OK at the bottom.
4. Enable the rules by clicking the word Action in the header. Then select Enabled.
5. Once you have enabled the rules, you will need to roll policy to the device. At this point this data source will parse both Linux logs and Apache logs.
One addition to that: if we are to enable both the standard Linux rules and the HTTP rules on one data source, we have to do the following in the policy editor of the related data source:
113: means UNIX, UNIX (Red Hat, ...)
280: Apache ASP
In my case, I prefer to add another "match on type" client data source:
- Linux (ASP) [parent]
- Apache Web Server (ASP) [client]
Doing it this way allows you to filter events more easily later on. If my memory serves me right, in the "device type" display type, doing this allows you to see the parent and client data sources as different data sources. Nevertheless, one might find a problem with "match on type" client data sources in 9.1.3. Things should be better in 9.2.0, I hope.
I am in a similar position. Right now I have a NetScaler which sends both uniform syslog and CEF syslog. I have tried to add both, but when I add a child so I can match on CEF instead of uniform syslog, which is the parent, I get an error that this IP address has already been added.
My question is actually this: how can I add 2 data sources which have the same IP but different syslog formats? The NetScaler Web Application component sends CEF-format syslog, and standard syslog is also used for other NetScaler activities, which can be found at:
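The "same IP, different log types" problem raised in the two replies above (a Linux parent data source with a "match on type" client for Apache, and a NetScaler sending both plain syslog and CEF from one address) can be illustrated with a small classifier that does what a match-on-type client does: it looks at the message itself, not the source IP, to decide which rule set handles it. This is an added example in Python, not McAfee ESM code and not anything posted in this thread; the rule-set names, the tag-to-type mapping, the NetScaler client name and the sample log lines are constructed for illustration.

```python
"""Route a mixed syslog feed from one source IP to per-type rule sets.

Added example: models a parent data source with "match on type" clients.
Nothing here is ESM code; names and sample lines are constructed.
"""
import re
from collections import Counter

# RFC 3164-style header: optional <PRI>, timestamp, host, program tag[pid]: msg
SYSLOG_RE = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<tag>[A-Za-z0-9_./-]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<msg>.*)$"
)
# CEF header: CEF:Version|Vendor|Product|Version|SignatureID|Name|Severity|Extension
CEF_RE = re.compile(
    r"^CEF:(?P<ver>\d+)\|(?P<vendor>[^|]*)\|(?P<product>[^|]*)\|(?P<dver>[^|]*)"
    r"\|(?P<sig>[^|]*)\|(?P<name>[^|]*)\|(?P<sev>[^|]*)\|(?P<ext>.*)$"
)
# Extension key=value pairs; values run until the next " key=" or end of line
CEF_EXT_RE = re.compile(r"(\w+)=(.*?)(?= \w+=|$)")

# Hypothetical rule-set names standing in for the data source models in the
# thread. The parent catches everything a client does not claim.
PARENT_DEVICE_TYPE = "Linux (ASP)"
CLIENT_BY_TAG = {            # syslog program tag -> client data source (assumed)
    "httpd": "Apache Web Server (ASP)",
    "apache2": "Apache Web Server (ASP)",
}
CLIENT_BY_CEF_PRODUCT = {    # CEF product -> client data source (assumed name)
    "NetScaler": "NetScaler CEF (ASP)",
}

# Constructed sample feed (not real captures): one host, several formats.
SAMPLE_FEED = [
    ("10.0.0.5", "<38>Feb  2 04:13:16 web01 sshd[2211]: Accepted publickey for deploy from 10.0.0.9 port 51022 ssh2"),
    ("10.0.0.5", "<30>Feb  2 04:13:17 web01 httpd[1890]: 10.0.0.9 - - [02/Feb/2013:04:13:17 +0000] \"GET /index.html HTTP/1.1\" 200 512"),
    ("10.0.0.5", "<30>Feb  2 04:13:18 web01 asterisk[1402]: NOTICE[1402]: chan_sip.c: Call from '' to extension '100' rejected"),
    ("10.0.0.5", "CEF:0|Citrix|NetScaler|10.1|APPFW_STARTURL|Start URL check failed|6|src=10.0.0.9 spt=51023 request=http://web01/admin"),
    ("10.0.0.5", "<38>Feb  2 04:13:19 web01 sshd[2212]: Failed password for root from 10.0.0.7 port 51024 ssh2"),
]


def parse_cef(text):
    """Return CEF header fields plus a dict of extension pairs, or None."""
    m = CEF_RE.match(text)
    if not m:
        return None
    fields = m.groupdict()
    fields["ext"] = dict(CEF_EXT_RE.findall(fields["ext"]))
    return fields


def parse_syslog(text):
    """Return header fields of an RFC 3164-style line, or None."""
    m = SYSLOG_RE.match(text)
    if not m:
        return None
    fields = m.groupdict()
    if fields["pri"] is not None:            # PRI = facility * 8 + severity
        pri = int(fields["pri"])
        fields["facility"], fields["severity"] = pri >> 3, pri & 7
    return fields


def classify(src_ip, line):
    """Pick the rule set for one line: CEF first, then syslog tag, else parent."""
    cef_at = line.find("CEF:")               # CEF may follow a syslog header
    if cef_at != -1:
        fields = parse_cef(line[cef_at:])
        if fields:
            device_type = CLIENT_BY_CEF_PRODUCT.get(fields["product"], PARENT_DEVICE_TYPE)
            return {"src_ip": src_ip, "format": "cef", "device_type": device_type, "fields": fields}
    fields = parse_syslog(line)
    if fields:
        device_type = CLIENT_BY_TAG.get(fields["tag"], PARENT_DEVICE_TYPE)
        return {"src_ip": src_ip, "format": "syslog", "device_type": device_type, "fields": fields}
    # Unparseable lines still belong to the parent so nothing is silently dropped
    return {"src_ip": src_ip, "format": "unparsed", "device_type": PARENT_DEVICE_TYPE, "fields": {"raw": line}}


def route_feed(feed):
    """Count how many lines each rule set would receive."""
    return Counter(classify(ip, line)["device_type"] for ip, line in feed)


if __name__ == "__main__":
    for ip, line in SAMPLE_FEED:
        event = classify(ip, line)
        print(f"{ip} {event['format']:8} -> {event['device_type']}")
    print(dict(route_feed(SAMPLE_FEED)))
```

The point of the example is that the source IP is identical on every line, so the receiver cannot use it to tell the feeds apart; the tag (sshd, httpd, asterisk) or the CEF header has to drive the choice, which is what the "match on type" client does. A tag with no client mapping (asterisk here) falls through to the parent rule set rather than being lost.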
The information was very helpful. I have the same issue but with a different vendor. I have Oracle installed on a Solaris system. I need the logs from both.
For Oracle: when I select Oracle Audit (ASP), I can see the logs, but I can't add another DS (Solaris), as both have the same IP.
When I select Oracle Audit, I am not seeing the logs. When I query further, I am told that I have to enable the rules for the "other" DS.
Now, where can I achieve this? Because
when I click on the Oracle DS in the tree, then click on the policy editor icon in the top-left bar, and in the advanced section click on the Device Type ID icon and select Oracle Audit (ASP), at this point I am supposed to see the rules, but I am not seeing any rules.
You should see some rules for Oracle ASP, as per the screenshot below. If you don't see those, then I recommend you do a manual rules update to make sure you have the latest ruleset installed.