Skip to content

Generating Syslog Configurations with syslogify

As of late, I have needed to generate syslog configurations to monitors log files multiple times. A great example would be generating the syslog configurations for vCAC log files. To save time, I created a quick script to do the work for me. I thought others may find this valuable and wanted to share.

I call the script syslogify and it takes a list of files and generates a syslog configuration for either Linux (rsyslog or syslog-ng) or Windows (datagram). The output can be printed to the screen or in the case of Linux, appended to an existing syslog configuration file.

#!/usr/bin/env sh
#
# Syslogify
# Steve Flanders (steve<at>sflanders<dot>net)
#
# Description - Converts log file locations into validate syslog configuration
# Limitation - Only supports a single tag per configuration file
#
# ***PLEASE DO NOT REMOVE THIS HEADER AND PLEASE CREDIT THE AUTHOR***
#
#PROTOCOL='udp' # default tcp
#PORT='1514' # default 514
######################################
# DO NOT CHANGE ANYTHING BELOW HERE!!!
######################################
# Usage
SCRIPT=`basename $0`
USAGE="\nUsage: $SCRIPT <input> <format> <destination> <tag> [apply]
Where:
 * <input> = a new line separated list of absolute path files to monitor
 * <format> = rsyslog, syslog-ng, or datagram
 * <destination> = FQDN of remote syslog server
 * <tag> = tag to apply to messages in files to monitor
 * apply = attempt to apply configuration to syslog agent (does not work for datagram)
Examples:
 * basename $0 files.txt syslog-ng loginsight.example.com esxi
 * basename $0 files.txt syslog-ng loginsight.example.com esxi apply
Notes:
 * Configuration defaults to tcp/514 but can be changed via variables within the script.
 * In addition to forwarding files in <input>, system logs messages are also forwarded.
 * Configuration generated should not conflict with any existing configuration.\n\n"
if [ "$4" == "" -o "$5" != "" -a "$5" != "apply" -o "$6" != "" ]; then printf "$USAGE"; exit; fi
# Set parameters
FILES=$1
FORMAT=$2
DESTINATION=$3
TAG=$4
APPLY=$5
if [ -z "${PROTOCOL}" ]; then PROTOCOL='tcp'; fi
if [ -z "${PORT}" ]; then PORT='514'; fi
# Validate parameters
if [ "${FORMAT}" != "rsyslog" -a "${FORMAT}" != "syslog-ng" -a "${FORMAT}" != "datagram" ]; then
    printf "ERROR: Unsupported syslog format specified\n\n$USAGE"; exit
fi
if [ "${PROTOCOL}" != "udp" -a "${PROTOCOL}" != "tcp" ]; then
    printf "ERROR: Invalid protocol specified\n\n$USAGE"; exit
fi
# Construct configuration
if [ "${FORMAT}" == "datagram" ]; then
    CONFIGURATION="Windows Registry Editor Version 5.00^M
^M
;
; Install Datagram Syslog Agent
; Configure the agent to forward logs to Log Insight
; Save this as vcac-datagram.reg
; Open Registry Editor, on the File menu click Import, find the reg file and select Import
; Be sure to start/restart agent after importing registry file
;
^M
[HKEY_LOCAL_MACHINE\SOFTWARE\Datagram\SyslogAgent\ApplicationLogs]^M
^M"
else
    CONFIGURATION="#
# ${TAG} log files
#
"
fi
if [ "${FORMAT}" == "rsyslog" ]; then
    CONFIGURATION="${CONFIGURATION}\$ModLoad imfile"
elif [ "${FORMAT}" == "syslog-ng" ]; then
    CONFIGURATION="${CONFIGURATION}source ${TAG} {"
fi
# file paths may have spaces
IFS=$'\n'
for FILE in $(cat "${FILES}" | sed 's/\\/\\\\\\\\/g'); do
    if [ "${FORMAT}" != "datagram" ]; then
        # only accept absolute file paths
        if [[ ${FILE} == /* ]]; then
            if [ ! -z "${APPLY}" ]; then
                if [ ! -f "${FILE}" ]; then
                    echo "WARNING: File \"${FILE}\" not found"
                fi
            fi
            if [ "${FORMAT}" == "rsyslog" ]; then
                CONFIGURATION="$CONFIGURATION
\$ModLoad imfile
\$InputFileName ${FILE}
\$InputFileTag ${TAG}:
\$InputFileStateFile stat-${TAG}-`date +%s`
\$InputFileSeverity information
\$InputFileFacility local7
\$InputRunFileMonitor"
            elif [ "${FORMAT}" == "syslog-ng" ]; then
                CONFIGURATION="$CONFIGURATION
file(\"${FILE}\" follow_freq(1) flags(no-parse) log_prefix(\"${TAG}: \"));"
            fi
        fi
    else
        # only accept absolute file paths
        if [[ ${FILE} == ?:\\\\* ]] || [[ ${FILE} == \\\\\\\\* ]]; then
            CONFIGURATION="$CONFIGURATION
[HKEY_LOCAL_MACHINE\\SOFTWARE\\Datagram\\SyslogAgent\\ApplicationLogs\\${FILE}}]^M
\"FileExtension\"=\"log\"^M
\"Path\"=\"${FILE}\"^M
\"FileName\"=\"\"^M
\"RotateFileName\"=\"\"^M
\"RotatedFileName\"=\"\"^M
\"ParseDate\"=hex:00^M
\"ParseHost\"=hex:00^M
\"ParseSeverity\"=hex:01^M
\"Unicode\"=hex:00^M
\"Severity\"=dword:00000006^M
\"ParseProcess\"=hex:00^M
\"ProcessName\"=\"${TAG}\"^M
\"Facility\"=dword:00000017^M
\"IgnorePrefixLines\"=hex:00^M
\"Prefix\"=\"\"^M
\"IgnoreFirstLines\"=hex:00^M
\"NbrIgnoreLines\"=dword:00000000^M
^M"
        fi
    fi
done
if [ "${FORMAT}" == "rsyslog" ]; then
    CONFIGURATION="$CONFIGURATION
# check for new lines every 10 seconds
\$InputFilePollInterval 10
*.* @@${DESTINATION}"
elif [ "${FORMAT}" == "syslog-ng" ]; then
    CONFIGURATION="$CONFIGURATION
};
destination logserver2 { ${PROTOCOL}(\"${DESTINATION}\" port (${PORT})); };
log { source(${TAG}); destination(logserver2); };
log { source(src); destination(logserver2); };"
fi
# Print/Apply configuration
if [ ! -z "${APPLY}" -a "${FORMAT}" != "datagram" ]; then
    if [ "${FORMAT}" == "rsyslog" ]; then
        if [ -f "/etc/rsyslog.conf" ]; then
            printf "${CONFIGURATION}"
            /etc/init.d/syslog restart
        else
            echo "ERROR: Unable to find configuration file, wrong format specified? Exiting..."; exit
        fi
    else
        if [ -f "/etc/syslog-ng/syslog-ng.conf" ]; then
            printf "${CONFIGURATION}"
            /etc/init.d/syslog restart
        else
            echo "ERROR: Unable to find configuration file, wrong format specified? Exiting..."; exit
        fi
    fi
else
    printf "${CONFIGURATION}\n"
fi
exit

As an example, let’s say I have a file with the following contents:

# VCO logs
/var/log/vmware/vco/app-server/catalina.out
# vCAC logs
C:\Program Files\vCAC\Test\Logs
C:\Program Files\vCAC\Foo\Bar\Logs

I could generate a syslog configuration for the VCO logs by running:

./syslogify.sh files syslog-ng loginsight.local vco

The output would be:

#
# vco log files
#
source vco {
file("/var/log/vmware/vco/app-server/catalina.out" follow_freq(1) flags(no-parse) log_prefix("vco: "));
};
destination logserver2 { tcp("loginsight.local" port (514)); };
log { source(vco); destination(logserver2); };
log { source(src); destination(logserver2); };

I could generate a syslog configuration for the vCAC logs by running:

./syslogify.sh files datagram loginsight.local vcac

The output would be:

Windows Registry Editor Version 5.00^M
^M
;
; Install Datagram Syslog Agent
; Configure the agent to forward logs to Log Insight
; Save this as vcac-datagram.reg
; Open Registry Editor, on the File menu click Import, find the reg file and select Import
; Be sure to start/restart agent after importing registry file
;
^M
[HKEY_LOCAL_MACHINE\SOFTWARE\Datagram\SyslogAgent\ApplicationLogs]^M
^M
[HKEY_LOCAL_MACHINE\SOFTWARE\Datagram\SyslogAgent\ApplicationLogs\C:\\Program Files\\vCAC\\Test\\Logs}]^M
"FileExtension"="log"^M
"Path"="C:\\Program Files\\vCAC\\Test\\Logs"^M
"FileName"=""^M
"RotateFileName"=""^M
"RotatedFileName"=""^M
"ParseDate"=hex:00^M
"ParseHost"=hex:00^M
"ParseSeverity"=hex:01^M
"Unicode"=hex:00^M
"Severity"=dword:00000006^M
"ParseProcess"=hex:00^M
"ProcessName"="vcac"^M
"Facility"=dword:00000017^M
"IgnorePrefixLines"=hex:00^M
"Prefix"=""^M
"IgnoreFirstLines"=hex:00^M
"NbrIgnoreLines"=dword:00000000^M
^M
[HKEY_LOCAL_MACHINE\SOFTWARE\Datagram\SyslogAgent\ApplicationLogs\C:\\Program Files\\vCAC\\Foo\\Bar\\Logs}]^M
"FileExtension"="log"^M
"Path"="C:\\Program Files\\vCAC\\Foo\\Bar\\Logs"^M
"FileName"=""^M
"RotateFileName"=""^M
"RotatedFileName"=""^M
"ParseDate"=hex:00^M
"ParseHost"=hex:00^M
"ParseSeverity"=hex:01^M
"Unicode"=hex:00^M
"Severity"=dword:00000006^M
"ParseProcess"=hex:00^M
"ProcessName"="vcac"^M
"Facility"=dword:00000017^M
"IgnorePrefixLines"=hex:00^M
"Prefix"=""^M
"IgnoreFirstLines"=hex:00^M
"NbrIgnoreLines"=dword:00000000^M
^M

© 2014, Steve Flanders. All rights reserved.

Published inSystem Administration

Be First to Comment

Leave a Reply

Your email address will not be published. Required fields are marked *