The BSD syslog Protocol
The rules language used by the products can route messages to BSD syslog daemons. The syslog protocol was originally developed on the University of California Berkeley Software Distribution (BSD) TCP/IP system implementations. Over time, the syslog protocol has been ported to many other operating systems as well as being embedded into many network devices. Syslog servers are now the event log collectors used for many hardware and software products.
With very little setup, copies of messages originating from the products and/or customer rules can be forwarded to a PC running a syslog server. For example, a copy of all SRS recovery messages can be logged to a syslog service running on a storage administrator’s PC. When used sensibly, a syslog server can be run on a standard Windows PC.
For more information about syslog servers, use the following link to read the syslog RFC:
http://community.roxen.com/developers/idocs/rfc/rfc3164.html
Install a syslog server
The Syncsort Storage Management team developed the syslog interface using the freeware version of the Kiwi Syslog Daemon for use on Windows NT4/2000/XP/2003. Both standard and service versions are available from Kiwi. The service version is currently in use to monitor nine routers and an email spam gateway, and to support development work for the DIF syslog interface. No noticeable overhead has been observed on a typical PC running Windows XP Pro. The following link can be used to obtain Kiwi:
http://www.kiwisyslog.com/software_downloads.htm
Configuration procedure for Kiwi - recommendations for setting up a Kiwi syslog server:
- Download and install the service version. The Kiwi syslog server will run in the background as a Windows Service on the PC — as long as the PC is booted, the syslog server will capture records.
- Modify the archiving parameters to spin off logs on a Daily interval. Open the Kiwi application GUI, then use to display the Kiwi Syslog Daemon Setup dialog. Right-click on Archiving, and then select the Add new archive schedule option. In the “Dated files/folders options:” area, select “use dated file names”. The current log is kept in C:\Program Files\Syslogd\Logs. The daily archived logs are found in C:\Program Files\Syslogd\Dated logs.
How to route messages to a syslog server
The DIF interface to a syslog server is very easy to establish and can
be completely transparent to the SCC product rules already developed by
your installation. To route messages and/or records to the system log,
establish a connection with the DEFCONN command or
DEFCONN statement. While the statement can be
placed in a product’s rules language, it would normally be executed
external to the rules with the EXEC CONNECT statement
used in DIFINIT.
For example, use the DTS.R71.PARMLIB(DIFINIT) member
to execute an EXEC(CONNECT(<member>)) command.
The DEFCONN commands processed by EXEC
CONNECT establish the connection to reroute messages and
records to an MVS system logger stream name. For example,
DIFINIT might contain:
INITOPT EXEC(CONNECT(SYSLOGD))
The SYSLOGD member should contain the
DEFCONN statements used to reroute log data being
written to a DIF DD statement (for example, SYSLOGD) —
instead of being written to the DD statement, the records are routed to
the syslog server.
The LOG option can be added to the
DEFCONN statement to copy syslog records to both
the DIF SYSLOG DD statement and the syslog
server. A sample DTS.R71.PARMLIB(SYSLOGD) member follows:
DEFCONN SYSLOGD TCPIP(192.168.0.13 514) SYSLOGD(PRIORITY(141)) CONVERT
DEFCONN SYSLOGD TCPIP(stgad.company.com 514) SYSLOGD(PRIORITY(141)) CONVERT
Messages can be routed to multiple syslog servers by adding multiple
DEFCONN statements in the SYSLOGD
member — one for each syslog server. For more information, examine
“DEFCONN” on page 5-11.
Firewall access to the syslog server - The
standard internet port used for syslog servers is UDP
514. You may want to talk with your network
administrators if syslog records are not flowing between the mainframe
and the server. An administrator may need to open UDP port
514 on a firewall.
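To check what the sample member's PRIORITY(141) means to a receiver and to confirm that a datagram arrives in the expected form, the following added example (not part of the product or its documentation) decodes an RFC 3164 PRI value and parses a received datagram. It assumes that PRIORITY(141) is sent as the RFC 3164 `<PRI>` prefix; the function names and the test record are constructed for illustration.

```python
import re
import socket

# Conventional RFC 3164 facility short names, indexed by facility code 0-23.
FACILITIES = ("kern user mail daemon auth syslog lpr news uucp cron authpriv "
              "ftp ntp audit alert clock").split() + [f"local{i}" for i in range(8)]
SEVERITIES = "emerg alert crit err warning notice info debug".split()
PRI_RE = re.compile(rb"^<(0|[1-9]\d{0,2})>")   # no leading zeros, 1-3 digits
MAX_PACKET = 1024  # RFC 3164: total packet length must be 1024 bytes or less


def decode_pri(pri):
    """Split a PRI value into (facility, severity); PRI = facility * 8 + severity."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI {pri} outside 0-191")
    facility, severity = divmod(pri, 8)
    return FACILITIES[facility], SEVERITIES[severity]


def parse_datagram(data):
    """Decode one received syslog datagram; None if it lacks a valid <PRI> prefix."""
    m = PRI_RE.match(data)
    if not m or int(m.group(1)) > 191:
        return None
    facility, severity = decode_pri(int(m.group(1)))
    return {"pri": int(m.group(1)), "facility": facility, "severity": severity,
            "body": data[m.end():].decode("ascii", "replace"),
            "oversize": len(data) > MAX_PACKET}


def loopback_check(pri=141, text="constructed test record", port=0):
    """Send one datagram to a local UDP listener and return what was parsed."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as rx, \
         socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as tx:
        rx.bind(("127.0.0.1", port))   # port 0 = ephemeral; binding 514 needs privileges
        rx.settimeout(2)
        tx.sendto(f"<{pri}>{text}".encode("ascii"), rx.getsockname())
        data, _ = rx.recvfrom(2048)
    return parse_datagram(data)


if __name__ == "__main__":
    print(decode_pri(141))      # assumption: PRIORITY(141) is the RFC 3164 PRI value
    print(loopback_check())
```

Because syslog over UDP is unacknowledged, a sender sees no error when a firewall drops the datagram; the receiving side is where delivery has to be confirmed.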
How to copy SRS recovery messages to a syslog server
Product messages can be copied to a syslog server by
using DEFENV statements to forward product messages to
the SYSLOGD DD statement. The DEFCONN
statements in the previous section can be used to intercept the
SYSLOGD requests and route them to the syslog
server. For example, the following statements can be added to the SRS
rules (typically ACCRULES) to route SRS recovery
messages having a level of action (A) or higher.
DEFENV REDUCEP LOG(SYSLOGD LEVEL(A))
DEFENV SETSEC LOG(SYSLOGD LEVEL(A))
DEFENV REDUCES LOG(SYSLOGD LEVEL(A))
DEFENV INCSEC LOG(SYSLOGD LEVEL(A))
DEFENV ADDVOL LOG(SYSLOGD LEVEL(A))
Restart DIF and refresh the rules language - Terminate the DIF started task with the DIF Z operator command. This will leave all products active but terminate the DIF started task. After restarting DIF, the refresh command must be issued to activate message logging.
F DIF,Z
S DIF
F DIF,REF SRS
How to copy user messages to a syslog server
The LOG parameter on the DEFMSG
statement can be used by the rules language to route a copy of the
message to a syslog server — simply specify
LOG(SYSLOGD) on the DEFMSG
statement. The DDNAME(SYSLOGD) parameter on a
DEFREC statement can be used to format a record for
a syslog server. For more information about the statement definitions,
examine the DEFMSG “LOG( ddname )” on page 5-54 and the DEFREC “DDNAME( ddname )” on page 5-84.
LOG parameter. By default, the records are limited
to 500 bytes. For more information, examine “LOG” on page 6-10 in the
Product Installation Guide.