Syslog Server#

Syslog Server is central concentrator for syslog messages. Additionally, it provides web user interface for real time monitoring and filtering of log messages.

Server supportes multiple syslog listening TCP and/or UDP sockets. Communication is based on RFC 5425, RFC 5426, RFC 6587. Once message is received, server stores message in predefined database.

_images/syslog_server.png

Running#

Syslog Server is implemented as python hat.syslog.server package which can be run with hat-syslog-server script with additional command line arguments:

usage: hat-syslog-server [-h] [--log-level LEVEL] [--ui-addr ADDR]
                         [--db-path PATH] [--db-low-size N] [--db-high-size N]
                         [--db-enable-archive] [--db-disable-journal]
                         [--syslog-pem-path PATH]
                         [ADDR ...]

Syslog Server listening for TCP and/or UDP messages. If listening addresses
are not provided, Syslog Server listens on 'tcp://0.0.0.0:6514' and
'udp://0.0.0.0:6514'.

positional arguments:
  ADDR                  syslog listening address formated as
                        <prot>://<host>:<port> (<prot> is 'tcp', 'udp' or
                        'tls'; <host> is host name or IP address; <port> is
                        UDP/TCP port)

options:
  -h, --help            show this help message and exit
  --log-level LEVEL     console log level (default INFO)
  --ui-addr ADDR        UI listening address (default http://0.0.0.0:23020)
  --db-path PATH        sqlite database file path (default
                        $XDG_DATA_HOME/hat/syslog.db)
  --db-low-size N       number of messages kept in database after database
                        cleanup (default 1000000)
  --db-high-size N      number of messages that will trigger database cleanup
                        (default 10000000)
  --db-enable-archive   should messages, deleted during database cleanup, be
                        kept in archive files
  --db-disable-journal  disable sqlite journaling
  --syslog-pem-path PATH
                        certificate PEM path used in case of tls syslog

This application is part of hat-syslog python package.

Data backend#

All incoming syslog messages are stored in single sqlite database. Maximum number of syslog messages stored in this database can be configured by configuration parameter db_high_size (value 0 represents unlimited number of messages). Once number of messages exceed configured limit, database cleanup procedure is triggered. During cleanup procedure, oldest messages are removed from database until number of messages reaches configuration parameter db_low_size when cleanup procedure stops. Prior to message deletion, if configuration parameter db_enable_archive is set, new database with unique file name is created and all messages scheduled for removal are inserted into newly created database. Archive database has got same structure as original database and can be used in place of original database for accessing archived syslog messages.