Hello from an avid "Guest" who has just now decided to create an account.
I have received so much help from these forums as an unregistered guest that I would like to give back a little, and I was wondering about the amount of interest there would be in my first full-production tool, which I developed from the ground up.
What is it? I've called it (temporarily at least, until I can become more creative) SyslogI, and it is a Java program which formats the entries as they are written to the QHST log into proper Syslog messages and then forwards the messages to your centralized logging server. The need for this program came from my institution's need to satisfy central logging requirements set forth by the auditors. We were already logging messages from all other servers to a central server, as well as our network devices, and needed to do the same with the iSeries for things like login failures, system errors and the like.
So I came up with an idea that I would use the syslogd utility included in the iSeries PASE environment. However, this did not fully pan out, as it really didn't log any messages at all due to the iSeries not having native 'hooks' into syslogd.
So I built a Java Syslog daemon as well as a QHST monitor/processor to format what is in the QHST logs properly, assign a severity code based on what IBM assigns (00 - 99) and then forward a proper RFC-compliant message to our collector.
I am about to enter into production testing, and as I do this it occurred to me that others might be in need of a similar product, and in a similar situation where their institution is not able to fork over the thousands of dollars which current offerings require.
To be sure, what I have at current is not nearly as robust as some of the more "commercial" offerings; however, it does offer a step in the right direction (adding proper rules in, say, Kiwi can monitor specifically for login failures to satisfy HIPAA and other compliance requirements), and I was wondering if I were to release it to the community at large, would there be enough interest?
Thanks for your comments and ideas. I look forward to everyone's response.
Welcome out of the shadows... Sounds like a great tool.
Could you post some screenshots?
Thanks for the great welcome.
As soon as I get some messages logged to the central server, I will post a screenshot; however, it will just be the resultant log file collected via the central logging host.
Screenshot of forwarded messages (obviously sanitized for privacy/security) to the central syslog server. The parts which are "erased" are usernames, the final portion of the IP address, and the name of our iSeries (which comes after the message's date/time stamp).
As you can see, I'm including the MessageID, text of the message, and assigning a syslog severity based off a translation of the IBM severity and also based off some thought of my own. In particular, the challenge is that the iSeries assigns severities based on an idea that every session is an attached device (like the old dumb terminals), so when one simply closes a session without signing off properly and exiting Client Access properly, the iSeries sees the event as a critical error for an 'attached device', which of course it isn't.
Anyhow, any ideas on this would be welcomed as I develop the connector further.
Now the question is how do you monitor QSYSOPR without locking the message queue? Or is it just polling and dumping QHST?
I would think you would need QSYSOPR and/or QSYSMSG as well?
Has anyone been able to successfully "point" iSeries logs (QHST) to an external syslog server?
I requested info from IBM support and was told they don't support this.
I wrote a commercial product some years back to do that and wound up having to create TCP/IP sockets programs with RPG. If you download and look at the RFC for syslog you will see it's really straightforward, since you just send the messages without any sort of response.
Reading this thread, it sounds like you have a piece of code I would be interested in. I'm looking for a program that I can call and pass it the Facility & Severity code along with a message and have it sent to a GFI SYSLOG server.
I've tried an RPG program sending messages via UDP, but most got lost; then I tried sending messages via TCP and had it working as long as I controlled the quantity of messages sent. Then some updates were put on the GFI server and they turned the logging from the firewall & SQL server on, and now none of my messages make it.
So I'm hoping that your method to send SYSLOG messages will work better.
Check out the RFC for SYSLOG. I think it is RFC 5424, which can be read at the following URL:
Because it uses UDP instead of TCP there are no guarantees, but I never had any problems with missing messages. If your SYSLOG server follows the RFC (and it had better), just make sure your sockets program formats the messages properly.
The program I worked on years ago was a commercial product available from these guys: www.trigeo.com
Oh, one more thing. To test that your messages are being sent correctly from the 400, I would suggest creating a program that opens up a port and just listens. I did this pretty quickly using Perl on a Windows box when testing it out originally, before formatting the messages.
Would you be interested in creating a little program that I could pass some parms to (syslog IP address, Facility Code, Severity Code & Message text) and have your program format it and send it to a GFI Syslog server?
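To make the pieces discussed in this thread concrete (the IBM 00-99 severity translation and per-message override the original poster describes, the RFC 5424 framing and UDP forwarding the RPG author points to, and the "open a port and just listen" check), here is an added Python example. It is not SyslogI's code nor the commercial product's; the severity thresholds, the LOCAL0 facility, the message IDs and the sample entries are all this example's own constructed assumptions.

```python
import socket
from datetime import datetime, timezone

# RFC 5424 severity levels; using LOCAL0 as the facility is this example's assumption.
EMERG, ALERT, CRIT, ERR, WARNING, NOTICE, INFO, DEBUG = range(8)
FACILITY_LOCAL0 = 16

def ibm_to_syslog_severity(ibm_sev: int) -> int:
    """Map an IBM i severity (00-99) to a syslog level; thresholds are this example's choice."""
    if not 0 <= ibm_sev <= 99:
        raise ValueError(f"IBM severity out of range: {ibm_sev}")
    for threshold, level in ((99, EMERG), (80, ALERT), (60, CRIT),
                             (40, ERR), (20, WARNING), (10, NOTICE)):
        if ibm_sev >= threshold:
            return level
    return INFO

def build_rfc5424(host, app, msgid, text, ibm_sev, ts,
                  facility=FACILITY_LOCAL0, overrides=None):
    """One RFC 5424 line: <PRI>1 TIMESTAMP HOST APP PROCID MSGID SD MSG, with PROCID
    and SD as NILVALUE. overrides pins a level per message ID, for cases like the
    dropped-session messages in the thread, where the IBM severity overstates it."""
    severity = (overrides or {}).get(msgid, ibm_to_syslog_severity(ibm_sev))
    pri = facility * 8 + severity
    stamp = ts.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return f"<{pri}>1 {stamp} {host} {app} - {msgid} - {text}"

def send_udp(line, collector, port=514):
    """Forward one line by UDP; no delivery guarantee, as the thread notes."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(line.encode("utf-8"), (collector, port))

def loopback_roundtrip(line):
    """The 'open a port and just listen' check from the thread, on localhost."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as rx:
        rx.bind(("127.0.0.1", 0))
        rx.settimeout(2)
        send_udp(line, "127.0.0.1", rx.getsockname()[1])
        data, _ = rx.recvfrom(2048)
    return data.decode("utf-8")

# Constructed sample entries, not real QHST records: (msgid, text, ibm_sev).
SAMPLE_TS = datetime(2024, 5, 1, 13, 45, 0, tzinfo=timezone.utc)
SAMPLE_ENTRIES = [("MSG0001", "Password not correct for user profile", 20),
                  ("MSG0002", "Device session ended abnormally", 70)]
SESSION_OVERRIDES = {"MSG0002": NOTICE}  # a closed window, not a failed device

def format_samples():
    return [build_rfc5424("ISERIES01", "SyslogI", m, t, s, SAMPLE_TS,
                          overrides=SESSION_OVERRIDES) for m, t, s in SAMPLE_ENTRIES]
```

Without the override, the sample severity-70 entry would go out as CRIT (PRI 130); with it, the same message is a NOTICE (PRI 133), which is the kind of tuning the original poster describes for dropped sessions.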
If there is interest, I'll toss together some quick doc/install instructions and put it up somewhere downloadable. Let me dust it all off, and I'll get it uploaded somewhere over the next couple...
I've been running this for around 2 years now without issue, and much to the delight of my peers.
I would find this very helpful if you would post what you have. I've not had any luck getting this to work correctly.
I would also like to see it...