How can I set up my 42.1 machine to receive syslogs from remote devices?

Running 42.1 with KDE desktop, I am trying to set up the receipt of syslog messages from wireless APs on my LAN.
I thought it would be a simple rsyslog exercise but no, I find this has all changed.

Please can somebody help me or give me a link to How To wiki.

Budgie2

Unless you are trying to import those syslogs into your local machine syslog (why anyone would want to do this I wouldn’t know), it probably shouldn’t be any different than before except that if your older system wasn’t a systemd system, then now you need to export your journal to syslog files. The file transfers should be done with something like rsync.

Or, you can install a log aggregation system and that would depend on how large your network is and what kind of data you’re aggregating.

A leading solution nowadays for very large systems is to install a Big Data analytical system based on Hadoop or Elasticsearch.

A more conventional system would be Nagios and all its spin-offs.

TSU

Hi Tsu,
Thanks for the reply. I am trying to set up my network so that logs from wireless access points and client/bridges which can be sent by the wireless devices in our SOHO setup are received and saved on my main workstation.
Each device seems to use a different approach, but each falls into either syslog or email. I think I can sort out the email but seek help with syslog. Never done it before, only read up about it, but the system has now changed so I am out of my depth.
Thanks again.

Instead of rolling your own solution,
I’d recommend you look for a guide that fits what you want to do.

As I said earlier, although it’s probably possible to integrate the aggregation of syslogs in your network into your machine’s own main syslog, I don’t think most people would think it’d be a good idea. Depending on the level of logging and other machines, that’s a lot of log data.

Also, you’d be strongly advised to inspect the log format of each machine.
Although they could use the same format, there’s no guarantee of doing so.

So, if you’re talking about raw syslog files, it’s certainly possible to rsync those files to a common location and then use whatever tool can read those logs to query and analyze, and then now you’re really getting into what separates worthless (and antiquated) tools vs what is now possible with today’s technologies.

So, for example, one of the first uses of a technology I now use is Elasticsearch, which is a Hadoop-style Big Data analytical technology (yes, it’s all free and open source). All Hadoop-type solutions are NoSQL, and are infinitely expandable across clusters of machines so you never have to worry about storage limits. Because it’s not a relational database, you can aggregate any variety of formats and types of data including log files, multimedia like video and audio, text, images and more, then query all the data however you wish.

And, like all solutions that support log data analysis, there are numerous tools to aggregate the data, including plugins specific to various OS syslogs, and inserting metadata for more efficient querying using apps like LogRhythm.

Additionally, the full solution includes a web interface for ordinary Users to access the data, but frankly you’ll likely need a fairly high level of technical expertise to be able to build your queries.

If you have a little coin to spend on data analytics software, Tableau is a popular, easy to use and learn (relatively speaking) option for what I imagine to be your needs; Splunk is also very popular for the next step larger.

TSU

A FYI -
Skimming “What’s New” on 42.2,

It looks like a major new security monitoring app and framework has been added to the default repo, called “Prelude SIEM.”

https://www.prelude-siem.org/

I’ve been skimming the documentation for the past hour and it looks <very> interesting, promising capabilities found only in commercial apps that cost tens of thousands, maybe over $100,000. It is able to aggregate sensor data from a number of different sources (I would expect syslogs as well), manage and store that data and then generate reports with visualizations (well, that would <really> be interesting but I’ll have to see exactly what those options are. Bar charts are run of the mill and nice; I would be very surprised if, for instance, I find stacked charts like in Excel and bubble visualizations like what D3 can generate).

If this app delivers on just half of what it promises, that’d already be something very significant.
This will definitely be on my list of things to look at over the holidays…

Only bugaboo I see is that it’s using a relational database, so your data storage is severely limited compared to other Big Data NoSQL solutions. For this kind of app, which has the potential to suck data like crazy from everywhere, that means that you’re likely going to hit storage limits very quickly, even in a relatively small network… Which is why I guess I see a FAQ about purging useless data like heartbeats.

And, the price is right.
Open source and publicly licensed.

TSU

I used to do that, using “rsyslog”. There is/was a configuration for remote logging. And I had to set the firewall to allow remote logging.

I don’t know if that is possible when systemd-journal is handling the logs. I went with the defaults for 42.1, but I didn’t much like them. So, with 42.2, I have installed “rsyslog” (it is in the standard repo). I assume that I could do the remote logging as before, but I haven’t attempted that.
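The remote-logging configuration this post refers to, written out as an added example (not from the thread or the rsyslog project): an rsyslog drop-in that listens on UDP and TCP 514, only accepts messages from the local LAN, and writes each device's messages to its own file rather than mixing them into /var/log/messages. The subnet 192.168.1.0/24, the directory /var/log/remote and the SuSEfirewall2 variable names are assumptions.

```conf
# /etc/rsyslog.d/remote-devices.conf   (added example, assumed path)
# Receive syslog from APs and bridges on the LAN (RainerScript syntax, rsyslog >= 7).

module(load="imudp")                        # most embedded devices only speak UDP syslog
input(type="imudp" port="514" ruleset="remote")

module(load="imtcp")                        # for devices that can use TCP (no message loss on bursts)
input(type="imtcp" port="514" ruleset="remote")

# One file per sending host and program, kept apart from the workstation's own logs.
template(name="RemoteHostFile" type="string"
         string="/var/log/remote/%HOSTNAME%/%PROGRAMNAME%.log")

ruleset(name="remote") {
    # Drop anything that did not come from the LAN (assumed subnet 192.168.1.0/24);
    # an open syslog listener is otherwise a convenient target for log flooding.
    if not ($fromhost-ip startswith "192.168.1.") then stop

    action(type="omfile" dynaFile="RemoteHostFile"
           dirCreateMode="0750" fileCreateMode="0640")
}

# Firewall (assumed for 42.1, which uses SuSEfirewall2): port 514 must also be opened,
# e.g. FW_SERVICES_EXT_UDP="514" and FW_SERVICES_EXT_TCP="514" in /etc/sysconfig/SuSEfirewall2,
# then "SuSEfirewall2" to reload.
```

After `systemctl restart rsyslog`, `ss -ulnp | grep ':514'` should show rsyslogd bound to the port, and a device's first message creates its directory under /var/log/remote.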

AFAIK the journal does not support aggregating remote logs.
You can view another machine’s logs remotely, though.

If you want to aggregate logs, you’ll likely need to install and configure the package to export the journal to legacy syslog files; then you can do whatever worked in older openSUSE.

TSU

A FYI.
I took a brief look at prelude-siem and it’s currently thoroughly broken when installed through 42.2 packages.

Only possibility for an immediate look is to try to install from source…

TSU