AIX

  • 1.  AIX Syslog Forwarding

    Posted 14 days ago
    Edited by Pasindu Malintha 14 days ago

    Hi Team,

    We have a requirement to forward the log file at the path "/app/t24adm/T24/logs/tsa1/SystemOut.log" to a syslog server. Can we perform this task by adding the below entry to the /etc/syslog.conf file?

    "*"    /app/t24adm/T24/logs/tsa1/SystemOut.log    @<IP address of syslog server>

    AIX version - 7.2 TL5 U3

    Please advise.



    ------------------------------
    Pasindu Malintha
    ------------------------------



  • 2.  RE: AIX Syslog Forwarding

    Posted 14 days ago
    No... the syslogd service waits for messages sent to IT on port 514; it does not go out and read files.

    You can take the contents of that file and send it to syslog via the logger program.

    So, when you say "to the syslog server", where is the syslog server?  Local on the system? Or on a remote system?
    The format you have specified (@IPADDRESS) is used to send to a remote system's port 514.

    The format to log locally can be found in the /etc/syslog.conf config file.
    The facility and priority are defined in column 1.

    So in syslog.conf, you could set

    # add whatever other options you want, etc.
    local0.*   /var/log/somefilenametosaveto        rotate size 1m files 4


    Then restart syslogd (#### is the pid of syslogd):
       ps -fu root | grep syslogd
       sudo kill -1 ####


    Then, in the example below I use local0.info, but use whatever facility/priority is appropriate.
     logger -p local0.info -f /app/t24adm/T24/filenameblahblah


    Now, if this is a running log, you'll get what's in the file as is, not what gets appended to it later.

    If you need the app to log to syslog, check the docs for a syslog option, looking for facility and priority.
    If it doesn't support that, then you'll have to rotate your logs and use logger against the last file created,
    OR kludge it with a while loop using the message parm of the logger program.

    But, if you're logging it locally, why go through syslog?  Just make a copy of the logs.
    If you're going to something like QRadar, or some app that monitors your logs, then you'll need the @IP address option pointing to the QRadar server.



  • 3.  RE: AIX Syslog Forwarding

    Posted 14 days ago

    Hi Tom,

    Thanks for the response. As for your question about what "to the syslog server" means: yes, we are trying to send the logs to a remote syslog server.

    To explain our requirement in more detail, we are trying to send the WebSphere log files stored at the above-mentioned path (/app/t24adm/T24/logs/tsa1/SystemOut.log) to a remote syslog server. We want to know whether we can do the log forwarding using syslog.

    And can you please explain a bit more about your last point, "Just make a copy of the logs If you're going to something like qradar, or some app that monitors your logs, then you'll need the @IP address option pointing to the qradar server..", because we want to do exactly the same thing. That is, we need to forward the WebSphere logs to a SIEM tool.



    ------------------------------
    Pasindu Malintha
    ------------------------------



  • 4.  RE: AIX Syslog Forwarding

    IBM Champion
    Posted 13 days ago

    The syslog daemon does not read files.  If you want an application log to be sent to a remote syslog server, you'll have to configure the local syslog to forward the appropriate facility/level to the remote server, then use logger to forward it; however, logger doesn't tail the file, so you'll get the current messages and no more.



    ------------------------------
    José Pina Coelho
    IT Specialist at Kyndryl
    ------------------------------



  • 5.  RE: AIX Syslog Forwarding

    Posted 13 days ago

    Yes, you can forward the syslog to a remote syslog server.

    Use the information in these pages for how to configure this:

    https://www.ibm.com/docs/bg/dsm?topic=asdo-configuring-your-aix-server-device-send-syslog-events-qradar

    https://community.graylog.org/t/how-to-put-the-syslog-from-aix-host-into-the-graylog-server/14293
    https://static.fortra.com/core-security/web-manuals-help/cts/current/gtthelp/content/resources/configuring_aix_syslog.htm



    ------------------------------
    Phill Rowbottom
    ------------------------------



  • 6.  RE: AIX Syslog Forwarding

    IBM Champion
    Posted 13 days ago

    If you want to send a log file to a remote syslog server there are several options:

    1. "Old school" way.

    Configure syslog to send logs to remote server something like:

    *.debug @my-syslog-server 

    Please note that in this case it will send ALL logs to the remote server. If you want to send only part of your logs, decide first which facility you want to use for it.

    Send content of the file using logger utility:

    logger -f /path/to/my/file

    If your file is not rotating, you should rotate it manually using some script. There are many ways to read only new data from a file, but explaining them would be too much for a forum post.

    2. Most correct way

    Reconfigure your application to send logs directly to the remote syslog server. Most applications can do it today. Search in Google for something like "your application name" + syslog and you will find an answer. Or open a case with your application's vendor and they will show you the way.

    3. "Modern" way

    Install rsyslog on AIX. It can send files to a remote log server.

    https://www.ibm.com/support/pages/ibm-aix-how-download-install-and-use-rsyslog-place-native-syslog-logging-service

    http://emmanuel.iffly.free.fr/doku.php?id=aix:aix_rsyslog



    ------------------------------
    Andrey Klyachkin

    https://www.power-devops.com
    ------------------------------
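
    Both Tom's reply (the "while loop" kludge) and option 1 above stop where logger has been run once against the file and later appended lines are not picked up. As an added example, not code from the thread or from IBM, here is a POSIX sh script for cron that remembers the byte offset between runs, ships only complete new lines through logger on a dedicated facility (so syslog.conf can route just local0 with the @server entry), and starts over when the file is rotated or truncated; the state file path, the tag and the LOGGER_CMD override are assumptions.

```shell
#!/bin/sh
# Forward lines appended to a log file to syslog via logger, one message per
# line, remembering the byte offset between runs so each line is sent once.
# Written for POSIX sh (ksh on AIX). Hypothetical: state file path and tag.
LC_ALL=C; export LC_ALL          # make ${#line} count bytes, not characters

LOG_FILE=${LOG_FILE:-/app/t24adm/T24/logs/tsa1/SystemOut.log}
STATE_FILE=${STATE_FILE:-/var/tmp/systemout.offset}      # assumed path
# Receives one line per message on stdin; local0 lets syslog.conf route
# only these lines (e.g. "local0.*  @my-syslog-server") to the remote host.
LOGGER_CMD=${LOGGER_CMD:-"logger -p local0.info -t SystemOut"}

# new_lines FILE STATE: print only complete lines of FILE added since the
# byte offset stored in STATE, then store the new offset. A trailing partial
# line (no newline yet) is left for the next run instead of being shipped.
new_lines() {
    file=$1 state=$2 off=0
    [ -r "$state" ] && read -r off < "$state"
    size=$(wc -c < "$file" | tr -d ' ')
    # File shrank: it was rotated or truncated, so start from the beginning.
    # Limitation: if a rotated file grows past the old offset before we run,
    # those lines are missed, so schedule this more often than the log grows.
    [ "$size" -lt "$off" ] && off=0
    # tail -c +N prints from byte N (1-based), i.e. skips the first off bytes.
    # The brace group runs in a subshell, so the offset is written from inside.
    tail -c +$((off + 1)) "$file" | {
        consumed=$off
        while IFS= read -r line; do      # read fails on a final partial line
            printf '%s\n' "$line"
            consumed=$((consumed + ${#line} + 1))   # +1 for the newline
        done
        echo "$consumed" > "$state"
    }
}

# forward_once: ship the new lines to syslog. Schedule from cron, e.g.
#   * * * * * /usr/local/bin/forward_systemout.sh run
forward_once() {
    new_lines "$LOG_FILE" "$STATE_FILE" | $LOGGER_CMD
}

if [ "${1:-}" = "run" ]; then
    forward_once
fi
```

Point LOGGER_CMD at cat to dry-run and see exactly which lines would be sent.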