Syslog Server is central concentrator for syslog messages. Additionally, it provides web user interface for real time monitoring and filtering of log messages.
Server supportes multiple syslog listening TCP and/or UDP sockets. Communication is based on RFC 5425, RFC 5426, RFC 6587. Once message is received, server stores message in predefined database.
Syslog Server is implemented as python hat.syslog.server package which
can be run with
hat-syslog-server script with additional command line
usage: hat-syslog-server [-h] [--log-level LEVEL] [--ui-addr ADDR] [--db-path PATH] [--db-low-size N] [--db-high-size N] [--db-enable-archive] [--db-disable-journal] [--syslog-pem-path PATH] [ADDR ...] Syslog Server listening for TCP and/or UDP messages. If listening addresses are not provided, Syslog Server listens on 'tcp://0.0.0.0:6514' and 'udp://0.0.0.0:6514'. positional arguments: ADDR syslog listening address formated as <prot>://<host>:<port> (<prot> is 'tcp', 'udp' or 'tls'; <host> is host name or IP address; <port> is UDP/TCP port) options: -h, --help show this help message and exit --log-level LEVEL console log level (default INFO) --ui-addr ADDR UI listening address (default http://0.0.0.0:23020) --db-path PATH sqlite database file path (default $XDG_DATA_HOME/hat/syslog.db) --db-low-size N number of messages kept in database after database cleanup (default 1000000) --db-high-size N number of messages that will trigger database cleanup (default 10000000) --db-enable-archive should messages, deleted during database cleanup, be kept in archive files --db-disable-journal disable sqlite journaling --syslog-pem-path PATH certificate PEM path used in case of tls syslog
This application is part of hat-syslog python package.
All incoming syslog messages are stored in single sqlite database. Maximum
number of syslog messages stored in this database can be configured by
0 represents unlimited
number of messages). Once number of messages exceed configured limit,
database cleanup procedure is triggered. During cleanup procedure, oldest
messages are removed from database until number of messages reaches
db_low_size when cleanup procedure stops. Prior
to message deletion, if configuration parameter
is set, new database with unique file name is created and all messages
scheduled for removal are inserted into newly created database. Archive
database has got same structure as original database and can be used in place
of original database for accessing archived syslog messages.