Friday, December 30, 2011

Remote SYSLOGD from AS400 to UNIX or Linux Servers.

3:35 PM  Andrés Colodrero  14 comments

I started this blog at the same time im wondering how to integrate AS400 system logs with a centralized log system. In my study im going to use SPLUNK, but the purposals of this post could apply to every log system.

For my proyect, i´d like to send all kind of logs to Splunk: system logs, audit logs and application logs.

What do i need?
To send system logs via tcp or udp to the centralized log system in real-time, where i can query or analyze or simple keep the data.

For system logs i heard about "syslog" as a standard for computer data logging. Syslog can be used for computed system management, debugging, analysis or audit security. In most of the cases, the implementation of Syslog came because some internal audit wants to keep all log form all systems in the same format and centralized.

Syslog is integrated in most of the system inside the O.S. Unfortunately is does not log any system operator messages, ftp, tcp, login or QAUDJRN. AS400 "per se" has a wonderful loggin system like QSYSOPR message queue, QHST logs and QAUDJRN, so i guess, that´s the point of IBM to dont implement Syslog.

Somehow, im tired of the "you cant do this with AS400" and the AS400 is not "out of the box" system.

But in the wonderful PASE for System i, we have the choice to install  the Syslog / Syslogd API to log messages from CL or RPG programms, and it could be posible to build several "Exit Points" programs to log into Syslog.

Installing Syslog.
Syslog is included into the Licensed Program 5761SS1, Option 33 Portable App Solutions Enviroments.

To check the correct installation:

STRQSH -> cd /QOpenSys/usr/sbin
 syslogd -h                                                                             
 /QOpenSys/usr/sbin/syslogd: illegal option -- h                                        
 usage: syslogd [-d] [-s] [-n] [-N] [-r] [-mmarkinterval] [-ppath] [-fconffile] [-Mall] 

Syslogd is the daemon that needs to be run to start loggin into the system. But first, we have to configure syslog editing the syslog.conf file. In most of the unix dedicated pages to Syslog , you could check how to configure syslog (rotating logs files,device or file to put the logs, etc).

Syslog has different facilities to configure for logging (mail server, kernel, authorization) but this will not work with AS400. The only now that i already now is using the parse command "logger" that i will explain later.

Configuring syslog.conf.
In Unix system, syslog.conf is allocated in: /etc/syslog.conf, but in AS400 we need to create it  in /QOpenSys/etc:

syslog.conf
 *.emerg;*.alert;*.crit;*.warning;*.err;*.notice;*.info  /var/adm/messages

With this entry, i will send logs to the file /var/adm/messages (note: create the file messages with the command: touch messages).

After that, you could start SYSLOGD daemons in batch:
SBMJOB CMD(STRQSH CMD('/QOpenSys/usr/sbin/syslogd'))

and check the file to see what happends. You should see and entry like:
Dec 29 14:27:40 SYSTEM-NAME syslog:info syslogd: restart

Adding entries to syslog.

The only way i found is using the command "logger". If you need something better, please feedback :). Logger will send an event to the syslog daemon that we have running on batch.

strqsh
logger "some text"

check /var/adm/messages
Dec 29 14:27:40 SYSTEM-NAME syslog:info syslogd: restart
Dec 29 14:28:40 SYSTEM-NAME user:notice qsecofr: some test.


So, my idea now is how to use this API to log what i need from AS400 to Syslog: login, system errors, ftp access, odbc access, etc.

The cool thing: sending the logs to a remote server.
I have installed Splunk in a unix server. I told Splunk to get data from syslog coming from the file in Unix allocated in:
/var/adm/messages

The cool thing is that Syslog can send logs via tcp or udp. For testing purposal, i configured syslog for UDP (by default), but the problem os UDP is to lose some logs if network error happends.

Once i started syslog in UNIX or Linux (i thing for Windows you could use Winsyslog), i can change the configuration of syslog.conf in AS400 like:
 *.emerg;*.alert;*.crit;*.warning;*.err;*.notice;*.info  @my-loggingserver   
*.emerg;*.alert;*.crit;*.warning;*.err;*.notice;*.info  /var/adm/messages

With this config, i can see the logs in local and send the logs to a remote server.

End the Syslogd job and start it again and test sending some data with logger :)



Posted in: , , , , , , ,

14 comments:

Hello,
've found another method to send logs to a remote server or are you still with this method?

Hello, any word on another method by Mauro?

This comment has been removed by the author.

Mauro, can you share your method, please?

brillant piece of information, I had come to know about your web-page from my friend hardkik, chennai,i have read atleast 9 posts of yours by now, and let me tell you, your webpage gives the best and the most interesting information. This is just the kind of information that i had been looking for, i'm already your rss reader now and i would regularly watch out for the new posts, once again hats off to you! Thanx a million once again, Regards,splunk training in hyderabad

I'm getting an error when starting syslogd. The job log says:
syslogd: unknown priority name "": errno = 2
I think it is because it can't read the syslog.conf file.
How must it be created? What CCSID are you using?

Hi,
please check my new post http://ibmiopensource.blogspot.is/2016/10/configure-ssh-logging-on-ibmi.html

syslog.conf should be in /QOpenSys/etc/syslog.conf

Post a Comment