Lately, I have needed to generate syslog configurations to monitor log files multiple times. A great example would be generating the syslog configurations for vCAC log files. To save time, I created a quick script to do the work for me. I thought others might find this valuable and wanted to share.
I call the script syslogify. It takes a list of files and generates a syslog configuration for either Linux (rsyslog or syslog-ng) or Windows (datagram). The output can be printed to the screen or, in the case of Linux, appended to an existing syslog configuration file.
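#!/usr/bin/env bash
#
# Syslogify
# Steve Flanders (steve<at>sflanders<dot>net)
#
# Description - Converts log file locations into a valid syslog configuration
# Limitation - Only supports a single tag per configuration file
#
# ***PLEASE DO NOT REMOVE THIS HEADER AND PLEASE CREDIT THE AUTHOR***
#
# NOTE: bash is required. The script uses [[ ]] pattern matching and $'...'
# quoting, neither of which a strict POSIX sh (for example dash) provides.
#
#PROTOCOL='udp' # default tcp
#PORT='1514' # default 514
######################################
# DO NOT CHANGE ANYTHING BELOW HERE!!!
######################################
# Usage
# Only the file name of the script is shown in the help text.
SCRIPT=${0##*/}
USAGE="\nUsage: $SCRIPT <input> <format> <destination> <tag> [apply]
Where:
* <input> = a new line separated list of absolute path files to monitor
* <format> = rsyslog, syslog-ng, or datagram
* <destination> = FQDN of remote syslog server
* <tag> = tag to apply to messages in files to monitor
* apply = attempt to apply configuration to syslog agent (does not work for datagram)
Examples:
* $SCRIPT files.txt syslog-ng loginsight.example.com esxi
* $SCRIPT files.txt syslog-ng loginsight.example.com esxi apply
Notes:
* Configuration defaults to tcp/514 but can be changed via variables within the script.
* In addition to forwarding files in <input>, system logs messages are also forwarded.
* Configuration generated should not conflict with any existing configuration.\n\n"
# <tag> is mandatory, the optional fifth argument must be the literal word
# "apply", and a sixth argument is never accepted. The three conditions are
# spelled out separately because -a/-o inside a single [ ] are ambiguous.
if [ -z "$4" ] || { [ -n "$5" ] && [ "$5" != "apply" ]; } || [ -n "$6" ]; then
  # %b expands the \n escapes stored in USAGE without treating the text as a
  # format string. A bad invocation reports on stderr and fails, so a calling
  # script or pipeline can tell it apart from a successful run.
  printf '%b' "$USAGE" >&2
  exit 1
fi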
# Set parameters
# Positional arguments, in the order documented in the usage text.
FILES="$1"
FORMAT="$2"
DESTINATION="$3"
TAG="$4"
APPLY="$5"
# Transport settings: keep a value that is already set (by the commented-out
# lines near the top of the script or by the environment), else use tcp/514.
: "${PROTOCOL:=tcp}"
: "${PORT:=514}"
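# Validate parameters
# FORMAT, PROTOCOL, PORT, DESTINATION and TAG are all copied verbatim into the
# generated configuration, which may then be applied to the system syslog
# daemon. Values outside the expected character set are rejected here so that
# a stray quote, space, newline or % cannot add or alter directives.
# Every failure is reported on stderr with a non-zero exit status.
if [ "${FORMAT}" != "rsyslog" ] && [ "${FORMAT}" != "syslog-ng" ] && [ "${FORMAT}" != "datagram" ]; then
  printf 'ERROR: Unsupported syslog format specified\n\n%b' "$USAGE" >&2; exit 1
fi
if [ "${PROTOCOL}" != "udp" ] && [ "${PROTOCOL}" != "tcp" ]; then
  printf 'ERROR: Invalid protocol specified\n\n%b' "$USAGE" >&2; exit 1
fi
# PORT must be one to five digits and fall inside the valid port range.
case "${PORT}" in
  '' | *[!0-9]* | ??????*)
    printf 'ERROR: Invalid port specified\n\n%b' "$USAGE" >&2; exit 1
    ;;
esac
if [ "${PORT}" -lt 1 ] || [ "${PORT}" -gt 65535 ]; then
  printf 'ERROR: Invalid port specified\n\n%b' "$USAGE" >&2; exit 1
fi
# DESTINATION is documented as an FQDN; host name and IPv4 characters only.
case "${DESTINATION}" in
  '' | *[!A-Za-z0-9._-]*)
    printf 'ERROR: Invalid destination specified\n\n%b' "$USAGE" >&2; exit 1
    ;;
esac
# TAG becomes a syslog-ng source name, an rsyslog tag and part of a state
# file name, so it is limited to letters, digits, dot, underscore and hyphen.
case "${TAG}" in
  '' | *[!A-Za-z0-9._-]*)
    printf 'ERROR: Invalid tag specified\n\n%b' "$USAGE" >&2; exit 1
    ;;
esac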
# Construct configuration
# Start the output text: the .reg preamble for the Datagram agent, or a
# comment banner naming the tag for every other format.
case "${FORMAT}" in
  datagram)
    CONFIGURATION="Windows Registry Editor Version 5.00^M
^M
;
; Install Datagram Syslog Agent
; Configure the agent to forward logs to Log Insight
; Save this as vcac-datagram.reg
; Open Registry Editor, on the File menu click Import, find the reg file and select Import
; Be sure to start/restart agent after importing registry file
;
^M
[HKEY_LOCAL_MACHINE\SOFTWARE\Datagram\SyslogAgent\ApplicationLogs]^M
^M"
    ;;
  *)
    CONFIGURATION="#
# ${TAG} log files
#
"
    ;;
esac
# The two Linux daemons each get an opening line right after the banner:
# rsyslog loads its file-input module, syslog-ng opens a source block that is
# named after the tag and closed once all files have been added.
case "${FORMAT}" in
  rsyslog)
    CONFIGURATION="${CONFIGURATION}\$ModLoad imfile"
    ;;
  syslog-ng)
    CONFIGURATION="${CONFIGURATION}source ${TAG} {"
    ;;
esac
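# file paths may have spaces
# The list is read one line at a time. The earlier "for FILE in $(cat ...)"
# form exposed every line to pathname expansion (a line such as /var/log/*
# was replaced by whatever matched on the local machine) and changed IFS for
# the remainder of the script.
if [ ! -r "${FILES}" ]; then
  echo "ERROR: Unable to read input file \"${FILES}\"" >&2
  exit 1
fi
# One timestamp per run plus a per-file counter gives every rsyslog state file
# its own name; a bare timestamp repeats for files handled in the same second.
STAMP=$(date +%s)
INDEX=0
while IFS= read -r RAW || [ -n "${RAW}" ]; do
  # Lists written on Windows end each line with CR; drop it so it does not
  # become part of the path.
  RAW=${RAW%$'\r'}
  # A double quote would close the quoted path early in the syslog-ng and .reg
  # output and let the rest of the line be read as configuration.
  case "${RAW}" in
    *\"*)
      echo "WARNING: Skipping \"${RAW}\" (path contains a double quote)" >&2
      continue
      ;;
  esac
  # CONFIGURATION is later handed to printf as its format string. Each
  # backslash is therefore quadrupled (two survive, which is the escaping a
  # .reg value needs) and each % is doubled so it is printed literally.
  FILE=$(printf '%s\n' "${RAW}" | sed -e 's/\\/\\\\\\\\/g' -e 's/%/%%/g')
  if [ "${FORMAT}" != "datagram" ]; then
    # only accept absolute file paths (comment and blank lines are skipped too)
    if [[ ${FILE} == /* ]]; then
      # In apply mode, point out paths that do not exist on this machine.
      # The unescaped path is tested; the warning goes to stderr so it cannot
      # end up mixed into the configuration text.
      if [ -n "${APPLY}" ] && [ ! -f "${RAW}" ]; then
        echo "WARNING: File \"${RAW}\" not found" >&2
      fi
      if [ "${FORMAT}" == "rsyslog" ]; then
        INDEX=$((INDEX + 1))
        CONFIGURATION="$CONFIGURATION
\$ModLoad imfile
\$InputFileName ${FILE}
\$InputFileTag ${TAG}:
\$InputFileStateFile stat-${TAG}-${STAMP}-${INDEX}
\$InputFileSeverity information
\$InputFileFacility local7
\$InputRunFileMonitor"
      elif [ "${FORMAT}" == "syslog-ng" ]; then
        CONFIGURATION="$CONFIGURATION
file(\"${FILE}\" follow_freq(1) flags(no-parse) log_prefix(\"${TAG}: \"));"
      fi
    fi
  else
    # only accept absolute file paths (drive-letter or backslash-rooted);
    # the patterns are matched against the already escaped value
    # NOTE(review): the "}" before "]" in the key name below also appears in
    # the author's sample output; it looks unintended - confirm against what
    # the Datagram agent expects before changing it.
    if [[ ${FILE} == ?:\\\\* ]] || [[ ${FILE} == \\\\\\\\* ]]; then
      CONFIGURATION="$CONFIGURATION
[HKEY_LOCAL_MACHINE\\SOFTWARE\\Datagram\\SyslogAgent\\ApplicationLogs\\${FILE}}]^M
\"FileExtension\"=\"log\"^M
\"Path\"=\"${FILE}\"^M
\"FileName\"=\"\"^M
\"RotateFileName\"=\"\"^M
\"RotatedFileName\"=\"\"^M
\"ParseDate\"=hex:00^M
\"ParseHost\"=hex:00^M
\"ParseSeverity\"=hex:01^M
\"Unicode\"=hex:00^M
\"Severity\"=dword:00000006^M
\"ParseProcess\"=hex:00^M
\"ProcessName\"=\"${TAG}\"^M
\"Facility\"=dword:00000017^M
\"IgnorePrefixLines\"=hex:00^M
\"Prefix\"=\"\"^M
\"IgnoreFirstLines\"=hex:00^M
\"NbrIgnoreLines\"=dword:00000000^M
^M"
    fi
  fi
done < "${FILES}"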
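# Append the format-specific footer: the forwarding rule and, for syslog-ng,
# the closing brace of the source block opened earlier. Datagram needs none.
if [ "${FORMAT}" == "rsyslog" ]; then
  # rsyslog picks the transport from the prefix: @@ forwards over TCP and a
  # single @ over UDP. The rule used to be a fixed "@@host", so PROTOCOL and
  # PORT were ignored for this format even though the usage text says they
  # can be changed. With the defaults the result is still TCP to port 514.
  if [ "${PROTOCOL}" == "udp" ]; then
    FORWARD='@'
  else
    FORWARD='@@'
  fi
  CONFIGURATION="$CONFIGURATION
# check for new lines every 10 seconds
\$InputFilePollInterval 10
*.* ${FORWARD}${DESTINATION}:${PORT:-514}"
elif [ "${FORMAT}" == "syslog-ng" ]; then
  # The last log statement forwards the system's own messages as well.
  # NOTE(review): it refers to a source named "src", which this script never
  # defines - presumably the existing syslog-ng.conf provides it; confirm on
  # the target system.
  CONFIGURATION="$CONFIGURATION
};
destination logserver2 { ${PROTOCOL}(\"${DESTINATION}\" port (${PORT})); };
log { source(${TAG}); destination(logserver2); };
log { source(src); destination(logserver2); };"
fi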
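# Print/Apply configuration
# CONFIGURATION is passed to printf as the format string on purpose: the
# escapes stored while the text was built (doubled backslashes) are resolved
# at this point.
if [ -n "${APPLY}" ] && [ "${FORMAT}" != "datagram" ]; then
  if [ "${FORMAT}" == "rsyslog" ]; then
    TARGET="/etc/rsyslog.conf"
  else
    TARGET="/etc/syslog-ng/syslog-ng.conf"
  fi
  if [ ! -f "${TARGET}" ]; then
    echo "ERROR: Unable to find configuration file, wrong format specified? Exiting..." >&2
    exit 1
  fi
  # Apply mode used to print the text and restart the service without ever
  # writing to the configuration file. tee shows the configuration and appends
  # it to the file; the leading newline keeps the first generated line from
  # being glued onto an existing last line that lacks a trailing newline.
  # Writing here normally requires root, and running apply twice appends a
  # second copy.
  if ! printf "\n${CONFIGURATION}\n" | tee -a "${TARGET}"; then
    echo "ERROR: Unable to write to ${TARGET}" >&2
    exit 1
  fi
  # Restart only after the write succeeded. The daemon's own syntax check
  # (rsyslogd -N1, syslog-ng --syntax-only) can confirm that the file still
  # parses.
  /etc/init.d/syslog restart
else
  printf "${CONFIGURATION}\n"
fi
exit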
As an example, let’s say I have a file with the following contents:
# VCO logs
/var/log/vmware/vco/app-server/catalina.out
# vCAC logs
C:\Program Files\vCAC\Test\Logs
C:\Program Files\vCAC\Foo\Bar\Logs
I could generate a syslog configuration for the VCO logs by running:
./syslogify.sh files syslog-ng loginsight.local vco
The output would be:
#
# vco log files
#
source vco {
file("/var/log/vmware/vco/app-server/catalina.out" follow_freq(1) flags(no-parse) log_prefix("vco: "));
};
destination logserver2 { tcp("loginsight.local" port (514)); };
log { source(vco); destination(logserver2); };
log { source(src); destination(logserver2); };
I could generate a syslog configuration for the vCAC logs by running:
./syslogify.sh files datagram loginsight.local vcac
The output would be:
Windows Registry Editor Version 5.00^M
^M
;
; Install Datagram Syslog Agent
; Configure the agent to forward logs to Log Insight
; Save this as vcac-datagram.reg
; Open Registry Editor, on the File menu click Import, find the reg file and select Import
; Be sure to start/restart agent after importing registry file
;
^M
[HKEY_LOCAL_MACHINE\SOFTWARE\Datagram\SyslogAgent\ApplicationLogs]^M
^M
[HKEY_LOCAL_MACHINE\SOFTWARE\Datagram\SyslogAgent\ApplicationLogs\C:\\Program Files\\vCAC\\Test\\Logs}]^M
"FileExtension"="log"^M
"Path"="C:\\Program Files\\vCAC\\Test\\Logs"^M
"FileName"=""^M
"RotateFileName"=""^M
"RotatedFileName"=""^M
"ParseDate"=hex:00^M
"ParseHost"=hex:00^M
"ParseSeverity"=hex:01^M
"Unicode"=hex:00^M
"Severity"=dword:00000006^M
"ParseProcess"=hex:00^M
"ProcessName"="vcac"^M
"Facility"=dword:00000017^M
"IgnorePrefixLines"=hex:00^M
"Prefix"=""^M
"IgnoreFirstLines"=hex:00^M
"NbrIgnoreLines"=dword:00000000^M
^M
[HKEY_LOCAL_MACHINE\SOFTWARE\Datagram\SyslogAgent\ApplicationLogs\C:\\Program Files\\vCAC\\Foo\\Bar\\Logs}]^M
"FileExtension"="log"^M
"Path"="C:\\Program Files\\vCAC\\Foo\\Bar\\Logs"^M
"FileName"=""^M
"RotateFileName"=""^M
"RotatedFileName"=""^M
"ParseDate"=hex:00^M
"ParseHost"=hex:00^M
"ParseSeverity"=hex:01^M
"Unicode"=hex:00^M
"Severity"=dword:00000006^M
"ParseProcess"=hex:00^M
"ProcessName"="vcac"^M
"Facility"=dword:00000017^M
"IgnorePrefixLines"=hex:00^M
"Prefix"=""^M
"IgnoreFirstLines"=hex:00^M
"NbrIgnoreLines"=dword:00000000^M
^M
© 2014, Steve Flanders. All rights reserved.
