Domino logging to Syslog
So you have Domino.
And you have a syslog server where everything except Domino is logged to.
You want Domino to play along with everything else. What can you do?
For starters there is this event handler type in events4.nsf:
But in typical IBM fashion, documentation on how this works is practically non-existent. Nor does there seem to be a way to specify a remote syslog server. So I would presume (and dear reader, feel free to leave a comment with links, etc. if you know them) that this only works with a Domino server running on Linux and AIX. Now with Linux I could syslog locally and then punt my logs to another syslog server. So theoretically this could do what we want on Linux platforms.
But what about Windows, I hear you ask? Well, here we need to use a combination of things. Specifically this event handler:
That puts my Domino server logs into the Windows Event viewer like so:
First stage ignition completed! Now to punt this over to a syslog server. For this I use NXLog Community Edition installed on the Windows servers and configure it to throw Windows Events out to my syslog server (in my case Nagios Log Server, which is free for <500MB/day, although I have also used GrayLog, which has a free version and an Enterprise version that is free for <5GB/day, and IBM's QRadar, which also has a community edition).
With NXLog configured to send Windows Event Logs to my syslog server, I now have my Domino logs (from Windows Domino servers at least) in an infinitely more usable format (and my security folks may be happier too). Final stage ignition complete!
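The NXLog side of the setup described above could look like the following. This is an added example, not the author's actual configuration: it assumes the Domino event handler writes to the Windows Application channel, and the host address and port are placeholders.

```conf
# Added example: sections for nxlog.conf on the Windows Domino server.
# The global directives written by the installer (paths, LogFile, ...)
# are left as they are.

# Provides the syslog formatting functions (to_syslog_bsd, to_syslog_ietf).
<Extension _syslog>
    Module  xm_syslog
</Extension>

# Read the Windows Event Log.
# Assumption: Domino events land in the Application channel, so only
# that channel is queried instead of every log on the machine.
<Input eventlog>
    Module  im_msvistalog
    Query   <QueryList>\
                <Query Id="0">\
                    <Select Path="Application">*</Select>\
                </Query>\
            </QueryList>
</Input>

# Forward to the central syslog server.
# 192.0.2.10 is a placeholder (documentation address range); 514/udp is
# the conventional syslog port. Use the input your log server listens on.
<Output syslog_out>
    Module  om_udp
    Host    192.0.2.10
    Port    514
    Exec    to_syslog_bsd();
</Output>

# Wire the input to the output.
<Route eventlog_to_syslog>
    Path    eventlog => syslog_out
</Route>
```

om_udp sends in clear text with no delivery guarantee; om_tcp or om_ssl can be swapped in as the output module if the log server has a matching input.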
So from this (Domino console and log.nsf):
To this (Nagios Log Server):
And with the use of a quick elastic search, all my Domino server logs in one place:
So there you have it. Domino logging to a syslog server.
Comments (4)
Hi Darren,
as usual also this post is extremely valuable so I sincerely thank you for sharing your experience.
Besides, I'm curious about GrayLog, because you mentioned it and these days I'm approaching the "free" version. Could you be so kind as to share your feelings about Graylog as well?
@2, I've actually used GrayLog a bit. What seems to happen for me (at least for "free" syslog servers) is that I use them until they stop working. Graylog has always eventually stopped working for some reason or another, so I just switch to another vendor. I do need to go back to Graylog and check out their new Enterprise offering. I'll add that to the ever-growing to-do list ;)
Sweet!