A Blog About Syslog

Blog Post created by ketro01 Employee on Oct 16, 2018

Syslog messages are an important source of network messages, in addition to SNMP polling and traps. For some technologies, such as Cisco PFRv3 (IWAN), critical alerts aren't available as SNMP traps. It's not surprising that support for ingesting Syslog messages into Spectrum is very popular, as shown by some of these ideas from the Spectrum community: "Spectrum - Syslog Server", "CA Spectrum - SYSLOG Message filtering", and "Adding a syslog daemon to Spectrum & the ability to display this syslog messages in the Spectrum OneClick GUI". For many years, Spectrum has supported ingestion of Syslog-sourced events via log match traps from iAgent (SNMP Research CIAgent), CA SystemEDGE, and CA NSM. While this approach is successfully used by many customers, there are limitations when it comes to scale and matching/filtering capability.


Adding Syslog listening capability directly to SpectroSERVER would be quite a task and would introduce significant risk. Instead, there are existing Syslog servers that can forward messages via other protocols, such as writing to a database, a TCP stream, or an SNMP trap. Rsyslog is a popular Syslog server that is also used with CA Digital Operational Intelligence and Log Analytics for CA UIM. One of the interesting features of Rsyslog is the ability to forward messages as SNMP traps via the omsnmp module. This allows you to configure something like the following:

[Diagram omitted: devices send Syslog to an rsyslog process, which forwards all messages to DOI/Log Analytics and a filtered subset to Spectrum as SNMP traps.]

In the diagram above, devices send Syslog messages to an rsyslog process, which then forwards all messages up to DOI/Log Analytics and only a filtered subset (Syslog is very chatty) to Spectrum as SNMP traps.
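The two-path design in the diagram, written out as an rsyslog 8 (RainerScript) configuration; this is an added example, not configuration from the post or from CA, and the hostnames, the 10.1.0.0/16 device range, the severity threshold and the community string are placeholders to replace with your own values:

```conf
# Added example (not from the original post). All hostnames, addresses
# and the community string below are placeholders.

# Receive Syslog from network devices on the standard port (UDP and TCP).
module(load="imudp")
input(type="imudp" port="514")
module(load="imtcp")
input(type="imtcp" port="514")

# Output module that re-emits a Syslog message as an SNMP trap.
module(load="omsnmp")

# Path 1: the full, unfiltered stream goes to DOI / Log Analytics over TCP.
# A dedicated disk-assisted queue keeps a slow collector from
# stalling the trap path below; retry forever rather than drop.
action(type="omfwd"
       target="loganalytics.example.internal"
       port="514"
       protocol="tcp"
       queue.type="LinkedList"
       queue.filename="la_fwd"
       queue.saveOnShutdown="on"
       action.resumeRetryCount="-1")

# Path 2: only a filtered subset goes to Spectrum as SNMP traps.
# Filter (placeholder policy): warning or worse (numeric severity <= 4),
# and only from the network-device management range.
if ($syslogseverity <= 4 and $fromhost-ip startswith "10.1.") then {
    # omsnmp speaks SNMPv1/v2c only (community in clear text), so this
    # path belongs on the management network, not a general segment.
    # version="1" selects SNMPv2c; "0" would select SNMPv1.
    # trapoid/messageoid are left at the module defaults; the Spectrum
    # trap-to-event mapping must match whichever OIDs you settle on.
    action(type="omsnmp"
           server="spectroserver.example.internal"
           port="162"
           transport="udp"
           version="1"
           community="REPLACE-WITH-TRAP-COMMUNITY"
           queue.type="LinkedList"
           queue.filename="spectrum_trap"
           action.resumeRetryCount="-1")
}
```

Because both paths are ordinary rsyslog actions, the filter in path 2 can be tightened with further property tests (`$programname`, `$msg contains "..."`) without touching the full-stream forward in path 1.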