  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1019

swatch with syslog-ng

I have a syslog-ng server (Linux) and swatch (AIX) on another server. How can I view both of them together? I have Cacti installed on the syslog-ng server, by which I can view syslog-ng messages. So any ideas...

If I can implement this, how can it be done?
Asked by: jdenver247

1 Solution
 
Hugh Fraser (Consultant) commented:
I'm confused about what you're looking for. "syslog-ng" is a syslog server, swatch is a tool for realtime monitoring of event logs, and cacti is an SNMP poller. These are 3 different tools for different purposes. They can certainly be connected, but what exactly do you want the end result to be?
 
woolmilkporc commented:
Hi,
forget about swatch, let the AIX syslog send its stuff to syslog-ng (you know how to do that?) and keep on using Cacti.

wmp
 
jdenver247 (Author) commented:
hello,
I used the Cacti syslog plugin to actually poll all the syslog messages, and this is working fine. Now I see that syslog messages can also be sent to swatch and viewed. I have tried this:
http://www.campin.net/newlogcheck.html#swatch
But it was not quite useful... Any ideas?
Thanks
 
woolmilkporc commented:
Hi,
since I'm not familiar with swatch, I can't help you use it.
 
But, as we know, one can concentrate all syslog messages at one host (namely your syslog-ng server).
Why not let all the syslogs of your machines go to one file per host on syslog-ng and use swatch there to view those logfiles? (As I said, swatch is not my thing).
 
Greetings
 
wmp
 
Hugh Fraser (Consultant) commented:
If all you want to do is concentrate your syslog events in one place, syslog on the AIX can be configured to forward messages to the Linux box (make sure you configure the syslog-ng server to accept messages from a network connection, and open up the port in the Linux firewall).

If you like the Cacti plugin for displaying alerts, keep using it. If you're interested in some more sophisticated logfile analysis, have a look at Splunk.

If you want to incorporate the output from swatch into your logfile views, feed the output to a file and feed that into Cacti with the "logger" command, which sends alerts to syslog. Use one of the other syslog facilities to keep the events separate.

I've used swatch many times, but sometimes I need more sophisticated event analysis involving correlation, such as alarming only if a particular alert happens more than 10 times in 60 seconds. For that I've used SEC (Simple Event Correlation), labelling the event source as "synthetic" and feeding the results back into syslog via the logger command.
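The last answer above describes two pieces: a threshold rule ("more than 10 times in 60 seconds") and feeding the resulting synthetic event back into syslog with `logger` on a separate facility. The script below is an added example written for this thread; it is not SEC, swatch or syslog-ng code, and not something any poster provided. It parses constructed BSD-style syslog lines, keeps a per-host sliding window of matching events, raises a synthetic alert once the 11th match lands inside 60 seconds, and builds (but does not run) the `logger` command that would inject that alert. The facility `local6`, the tag `sec`, the host names and the sample lines are all assumptions chosen for the example.

```python
"""Sliding-window threshold correlation over syslog lines (added example)."""
import re
import shlex
from collections import defaultdict, deque
from datetime import datetime, timedelta

# BSD syslog line: "Mon DD HH:MM:SS host message..."
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<msg>.*)$"
)


def parse_line(line):
    """Return (timestamp, host, message) or None for a line that is not syslog-shaped."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    # BSD timestamps carry no year; strptime yields 1900, which is fine for deltas.
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
    return ts, m.group("host"), m.group("msg")


class ThresholdCorrelator:
    """Alert when a pattern matches more than `threshold` times on one host within `window_seconds`."""

    def __init__(self, pattern, threshold=10, window_seconds=60,
                 facility="local6", severity="warning", tag="sec"):
        self.pattern = re.compile(pattern)
        self.threshold = threshold
        self.window = window_seconds
        self.facility, self.severity, self.tag = facility, severity, tag  # assumed values
        self._windows = defaultdict(deque)  # host -> timestamps of recent matches
        self.alerts = []

    def feed(self, line):
        """Feed one raw syslog line; return the synthetic alert text if the rule fires."""
        parsed = parse_line(line)
        if parsed is None:
            return None
        ts, host, msg = parsed
        if not self.pattern.search(msg):
            return None
        q = self._windows[host]
        q.append(ts)
        # Drop matches older than the window so only the last `window` seconds count.
        while q and (ts - q[0]).total_seconds() > self.window:
            q.popleft()
        if len(q) > self.threshold:
            alert = (f"synthetic: {len(q)} matches of '{self.pattern.pattern}' "
                     f"on {host} within {self.window}s")
            q.clear()  # re-arm so one burst produces one alert, not one per extra line
            self.alerts.append(alert)
            return alert
        return None

    def logger_command(self, alert):
        """Build the logger(1) argv that would re-inject the alert on a separate facility."""
        return ["logger", "-t", self.tag, "-p", f"{self.facility}.{self.severity}", alert]


def build_sample_lines():
    """Constructed sample: a 12-line burst on one host, a slow trickle on another, and noise."""
    base = datetime(1900, 3, 10, 10, 0, 0)
    lines = []
    for i in range(12):  # 12 failures 5 s apart: all inside one 60 s window
        t = base + timedelta(seconds=5 * i)
        lines.append(f"{t:%b %d %H:%M:%S} aixbox sshd[4211]: Failed password for "
                     f"invalid user admin from 192.0.2.10 port {51000 + i} ssh2")
    for i in range(12):  # 12 failures 30 s apart: never more than 3 in any window
        t = base + timedelta(seconds=30 * i)
        lines.append(f"{t:%b %d %H:%M:%S} linuxbox sshd[77]: Failed password for "
                     f"root from 198.51.100.7 port {42000 + i} ssh2")
    lines.append(f"{base + timedelta(seconds=7):%b %d %H:%M:%S} aixbox sshd[4213]: "
                 "Accepted publickey for ops from 192.0.2.20 port 50001 ssh2")
    return sorted(lines, key=lambda l: parse_line(l)[0])


def run_sample():
    """Run the rule over the sample; return (alerts, logger argv lists)."""
    corr = ThresholdCorrelator(r"Failed password", threshold=10, window_seconds=60)
    commands = []
    for line in build_sample_lines():
        alert = corr.feed(line)
        if alert:
            commands.append(corr.logger_command(alert))
    return corr.alerts, commands


if __name__ == "__main__":
    for cmd in run_sample()[1]:
        print(shlex.join(cmd))
```

Running it prints a single `logger -t sec -p local6.warning 'synthetic: 11 matches ...'` line for the bursting host and nothing for the host whose failures are spread 30 seconds apart; the slow-host case is the reason the window eviction sits before the threshold test. Because the alert goes out on its own facility, the syslog-ng server can route it to a separate file or to whatever Cacti is polling without mixing it into the raw sshd stream.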
