Add Hosts

Add a host in the user interface, using any one of the following menu options:

• Home tab > Hosts > +Hosts
• Tabs: +Add > Hosts
• Settings tab > Manage Hosts: Add

Note: The default Host Types are Windows, UNIX, IBM AS/400, Cisco Device and Syslog Device. For adding custom/new host types click on the '+' icon and enter the new host type name.

Adding Host Groups

You can also group your hosts into a particular Host Group. The default host groups available are Windows Group, Unix Group and Default Group (which contains all the hosts). To add a new host group, click on + button beside the Host Group field in Add New Host page.

Note: You cannot add a single host in two or more host groups, since it creates conflict.

Adding different host types

• Adding Windows Host
• Adding UNIX Host
• Adding Cisco Devices (Switches and Routers), Hypervisor, and VMware, or any other Syslog devices
• Adding IBM iSeries (AS/400) Host
• Adding VMware Host
• Adding Oracle Host
• Adding Print Server
• Enabling Terminal Services log
• Enabling Microsoft Windows Firewall logging
• Enabling Hyper V logs
• Enabling Stackato logging
• Configuring the Syslog Service on a UNIX Host
• Configuring the Syslog Service on a HP-UX/Solaris/AIX Host
• Configuring the Syslog Service on VMware
• Configuring the Syslog on Cisco Switches

Add Windows host

In all Windows hosts, ensure that WMI, DCOM are enabled; logging is enabled for respective module/ object. To forward the Windows event logs in the syslog format use the third party utility like SNARE.

1. Select the host type as Windows. Optionally, use the '+' icon to create new host type for your host

2. Enter the host name(s). Enter multiple host names separated by comma.

   Tip: you can also copy the comma separated host names from a text file and paste in this field

3. If you have logged in as an Administrator, you will see the Pick Hosts option. Use the Pick Hosts link to select one or multiple host(s) from a Domain/ Workgroup

Pick Hosts

                                                   

• Select the domain or workgroup from which you want to choose the host(s).

• Use Select All option to select all the hosts of the workgroup or domain listed in the box below. Alternatively, use the search box to search for the required host(s).

• The box lists all the hosts of the selected domain/workgroup or host(s) of the search result

• Use the Login as Domain User option to access the all selected host(s) with domain user credentials

• Click Update button to add the hosts using Pick Host option

• If you cannot find host(s) of your interest listed in the selected domain or workgroup, use the Re-Scan the <domain or workgroup> link to scan the selected domain or workgroup

• If you cannot find host(s), domain(s), OU(s), work group(s) of your interest, listed in the whole network, use the Re-Scan the complete network link to scan the complete network

4. Select the host group. For Windows host type, Windows Group will be the default selection. Optionally, use the '+' icon to create new host group to assign the configured host(s).

5. The Domain Name field is optional only if the host machine is in the local workgroup. Ensure to manually type-in the domain name of the host(s). If Pick Hosts menu is used, Domain Name field will be filled automatically

6. Enter the Login Name (refers to user name) and Password to access the configured host(s). The user account should have admin privileges to fetch the logs. Use the Verify Login link to validate the credentials. If multiple hosts are selected, ensure that the credentials are valid for all the hosts

7. Enter the Monitor Interval to configure the frequency at which EventLog Analyzer should fetch the log from the hosts. By default, 10 minutes is the minimum monitor interval.

8. Click Save button to add the host(s). Use Save & Add More button to add more hosts

Caution: If EventLog Analyzer has been installed on a UNIX machine, it cannot collect event logs from Windows hosts. However, third party applications can be used to convert the Windows event logs to Syslog and forward it to EventLog Analyzer.

Note: Collect Logs: If you want to collect historic logs present in the Windows event viewer, click the Collect Logs 'folder' icon on the top right side of the Add New Host screen. The Collect Logs window pops down. In that, select the check box 'Collect Historic Logs present in EventViewer' to collect the historic logs. If the check box is selected, EventLog Analyzer will collect all the historical logs present in the Windows Event Viewer. If the check box is unselected, EventLog Analyzer will collect only the logs of the past one hour. Caution: Historic Log collection activity is CPU and Memory resource intensive. We suggest you to use it judiciously.

Add UNIX host / Cisco devices / Syslog devices

UNIX/ Linux hosts configured to send Syslog data to the EventLog Analyzer on either of the default Syslog ports (513 & 514) need not be added as UNIX hosts in EventLog Analyzer and they will be automatically added to the list of hosts. Troubleshoot if UNIX/ Linux hosts/ devices not automatically added to the list of hosts. If the hosts, devices are not added in the Hosts list, follow the troubleshooting procedure given below.

• Check the connectivity between the EventLog Analyzer server and the UNIX/ Linux host or device. Use the 'ping' command and check if UNIX/ Linux machine is reachable from Eventlog Analyzer server and vice-versa
• Logon to EventLog Analyzer user interface, click on Show Listener Port(s) Details and check if the ports 513, 514 are up and getting listened
• In case, the default port is down, meaning the port is occupied by some other application, then you can forward the syslog to any other port which is free and ensure that you add that port in EventLog Analyzer product or free the port by stopping the application which uses it
• Check whether the packets are forwarded in the default UDP ports 513, 514 or the custom configured port from the UNIX/ Linux machines
• If the machine is not getting added still, check if any firewall (like Windows Firewall or any other services) is blocking the port. If so, unblock the port
• If the issue persists, use any packet capturing tool like Wireshark or Ethereal and ensure that syslogs are forwarded from the UNIX/ Linux machine

Cisco Devices (Switches and Routers), Hypervisor, and VMware, or any other Syslog devices

In the case of these devices, you have add them as UNIX hosts in EventLog Analyzer. Before adding them as hosts, ensure that Syslog Daemon is configured in those hosts or devices.

1. Select the host type as UNIX. Optionally, use the + icon to create new host type for your host

2. Enter the host name(s). Enter multiple host names separated by comma. Tip: you can also copy the comma separated host names from a text file and paste in this field

3. Select the host group. For UNIX host type, UNIX Group will be the default selection. Optionally, use the + icon to create new host group to assign the configured host(s)

4. Enter the Syslog Listener Port through which the UNIX host(s) will be sending the syslog

5. Click Save button to add the host(s).

6. Use Save & Add More button to add more hosts

Note: In Linux hosts, ensure that the syslog daemon is running and verify the port number to configure in EventLog Analyzer.

Adding IBM iSeries (AS/400) Host

Keep the ports 446-449,8470-8476,9470-9476 open in EventLog Analyzer to receive IBM AS/400 machine logs.

1. From the Add New Host page, choose IBM AS/400 as the Host Type

2. Use the Host Name box to type a single host name, or a list of host names separated by commas

3. Select the Host Group to which the hosts need to be added. Click the '+' icon to create a new host group

4. Enter the admin previlage 'Login Name' and 'Password'. Verify the login using the 'Verify Login' link beside the password text

5. Specify the Monitor Interval field, to configure the frequency at which EventLog Analyzer should fetch the log from the IBM AS/400 machines. By default, 10 minutes is the minimum monitor interval.

6. Select the Date Format and the Delimiter Date Format in the log. This is the date format used in the logs that will be collected from the IBM AS/400 hosts

If you are done, click Save to add this host and return to the list of hosts monitored. If you want to add more hosts, click Save and Add More to add this host, and then add more hosts

The user account with which the EventLog Analyzer is logging in to AS400 must have the authority level of 50. Otherwise, the application will not be able to login to fetch History logs.

Adding VMware Host

1. From the Add New Host page, choose UNIX as the Host Type and add the VMware host as UNIX host as per the steps given above.

2. Configure the syslog in the VMware as per the steps given below.

3. After the EventLog Analyzer starts receiving the syslogs from the VMware host, edit the VMware host details and make host type as Hypervisor. Follow the steps given below:

   • Click the Edit Host Details icon of VMware host, Edit Host Details page opens up.
   • In that, choose Hypervisor as the Host Type.
   • Click Save Host Details to make this host as VMware host and return to the list of hosts monitored.

Adding Oracle Application

To configure hosts for which you want to monitor Oracle logs carry out the procedure given below.

• In the Add New Host page

Add the Oracle Application server as a new Windows Host (if the Oracle application is running on a Windows machine) as per the procedure given or as a new Linux Host (if the Oracle application is running on a UNIX machine) as per the procedure given.

• In the Settings page

After adding as Windows or Linux Host, select Settings > Configurations: Manage Applications: Add: Oracle menu or or Home tab > Applications > Actions: +Oracle menu. The Configure Oracle Hosts page opens up. In the Add Host text field, enter the host name of the Oracle application server. Click the Save icon besides the text field. Existing Oracle Application hosts are listed below the text field as Existing Hosts.

After Configuring Oracle Hosts in EventLog Analyzer, carry out the configuration given below in Oracle server.

Oracle Server Configuration

• Oracle server - Windows platform
• Oracle server - Linux platform

Reference: http://download.oracle.com/docs/cd/B28359_01/network.111/b28531/auditing.htm#CEGBIIJD

For Oracle server installed in Windows platform

connect to sqlplus

• Change audit parameter using below query

ALTER SYSTEM SET AUDIT_TRAIL=OS SCOPE=SPFILE;

• Restart the Oracle server to get the changes effected.

For Oracle Server installed in Unix platform

To enable Oracle syslog auditing, follow the procedure given below:

1. Assign a value of OS to the AUDIT_TRAIL initialization parameter, as described in 'Enabling or Disabling the Standard Audit Trail'

For example: ALTER SYSTEM SET AUDIT_TRAIL=OS SCOPE=SPFILE;

2. Manually add and set the AUDIT_SYSLOG_LEVEL parameter to the initialization parameter file, initsid.ora.

Set the AUDIT_SYSLOG_LEVEL parameter to specify a facility and priority in the format AUDIT_SYSLOG_LEVEL=facility.priority.

facility: Describes the part of the operating system that is logging the message. Accepted values are user, local0–local7, syslog, daemon, kern, mail, auth, lpr, news, uucp, and cron.

The local0–local7 values are predefined tags that enable you to sort the syslog message into categories. These categories can be log files or other destinations that the syslog utility can access. To find more information about these types of tags, refer to the syslog utility MAN page.

priority: Defines the severity of the message. Accepted values are notice, info, debug, warning, err, crit, alert, and emerg.

The syslog daemon compares the value assigned to the facility argument of the AUDIT_SYSLOG_LEVEL parameter with the syslog.conf file to determine where to log information.

For example, the following statement identifies the facility as local1 with a priority level of warning:

AUDIT_SYSLOG_LEVEL=local1.warning

See Oracle Database Reference for more information about AUDIT_SYSLOG_LEVEL.

3. Log in to the machine that contains the syslog configuration file, /etc/syslog.conf, with the superuser (root) privilege.

4. Add the audit file destination to the syslog configuration file /etc/syslog.conf.

For example, assuming you had set the AUDIT_SYSLOG_LEVEL to local1.warning, enter the following:

local1.warning /var/log/audit.log

This setting logs all warning messages to the /var/log/audit.log file.

5. Restart the syslog logger:

$/etc/rc.d/init.d/syslog restart

Now, all audit records will be captured in the file /var/log/audit.log through the syslog daemon.

6. Restart the Oracle server so that changes are effected.

Adding Print Server

To configure Print Servers for which you want to monitor the logs carry out the procedure given below.

• In the Add New Host page

Add the Print Server as a new Windows Host as per the procedure given.

• In the Settings page

After adding as Windows, select Settings > Configurations: Manage Applications: Add: Print Server menu or Home tab > Applications > Actions: +Print Server menu. The Configure Print Server page opens up. In the Add Host text field, enter the host name of the Print Server. Click the Save icon besides the text field. Existing Print Servers are listed below the text field as Existing Hosts.

After Configuring Print Server in EventLog Analyzer, carry out the configuration given below in Print Server.

Print Server Configuration

Enable Print Server Log

Open Event Viewer > Application and Service Logs > Print Service, right click and select 'Enable Log'. This will enable logging for the corresponding 'Admin', 'Debug' or 'Operational' processes. The logs will be available under Event Viewer.

Enabling Terminal Services Logs

To monitor logs from the Terminal Server, you need to configure it as below,

• In the Add New Host page

Add the Terminal Service as a new Windows Host as per the procedure given.

• In the Settings page

After adding the host as the Windows host, go to Settings > Configuration > Manage Applications > Add: Terminal menu. alternatively you can also use the following navigation Home Tab > Applications > Add Live host option.

 

Now Configure App Server page opens up. In the Add Host text field, enter the host name of the Terminal Server which is already added. Click the Save icon beside the text field. Select theApplication type as Terminal. Existing Print Servers are listed below the text field as Existing Hosts

 

After Configuring Terminal Services in EventLog Analyzer, carry out the configuration given below in your Terminal Server

Configuring Terminal Server

Open Event Viewer > Application and Service Logs > Terminal Logs, right click and select 'Enable Log'. This will enable logging for the corresponding 'Gateway'' or 'Operational' processes. The logs will be available under Event Viewer

Enabling Windows Firewall Logs

To monitor the Windows Firewall logs, you need to initially add the Windows host from which the Firewall logs are to be collected.

For EventLog Analyzer to collect Windows Firewall logs, follow the below procedure to enable Windows Firewall logging

1. Open your Event Viewer.

2. Go to Application and Service Logs > Microsoft > Windows > Windows Firewall With Advance Security > Firewall

3. Right Click in Firewall and select 'Enable Log'

This will enable the logging for Windows Firewall and the logs will be available under Event Viewer.

To perform search and generate report out of these logs,carry out the following registry configuration

1. Open your registry editor, 'regedit' of your Windows host in Command Line window

2. Navigate to ComputerHKEY_LOCAL_MACHINESYSTEMCurrentControlSetserviceseventlog

3. Right click on 'eventlog' and create a new key as Microsoft Windows - Windows Firewall With Advanced Security/Firewall

Enabling Hyper V logs

To monitor Hyper V Logs, add the Windows Server from which the Hyper V logs are to be collected.

For EventLog Analyzer to collect Hyper V logs, follow the below procedure

1. Open your Event Viewer

2. Go to Application and Service Logs>Microsoft>Windows

3. Right click on the following options and select 'Enable Log'
   • Hyper-V-Config
   • Hyper-V-High-Availability
   • Hyper-V-Hypervisor
   • Hyper-V-Integration
   • Hyper-V-SynthFC
   • Hyper-V-SynthNic
   • Hyper-V-SynthStor
   • Hyper-V-VID
   • Hyper-V-VMMS

This will enable the logging for Hyper V Logs and the logs will be available under Event Viewer.

To perform search and generate report out of these logs,carry out the following registry configuration

1. Open your registry editor, 'regedit' of your Windows host in Command Line window

2. Navigate to ComputerHKEY_LOCAL_MACHINESYSTEMCurrentControlSetserviceseventlog

3. Right click on 'eventlog' and create new keys with the following name
   • Microsoft-Windows- Hyper-V-Config
   • Microsoft-Windows-Hyper-V-High-Availability
   • Microsoft-Windows-Hyper-V-Hypervisor
   • Microsoft-Windows-Hyper-V-Integration
   • Microsoft-Windows- Hyper-V-SynthFC
   • Microsoft-Windows-Hyper-V-SynthNic
   • Microsoft-Windows- Hyper-V-SynthStor
   • Microsoft-Windows- Hyper-V-VID
   • Microsoft-Windows- Hyper-V-VMMS

Enabling Stackato Logging

EventLog Analyzer automatically adds and collects your stackato logs upon executing the following command in your tty console,

$kato config set logyard drainformats/<Format Name>[<PRI>{{.Text}}]
$kato drain add <Drain Name>udp://EventLog Analyzer Server>:<udp_port> -f <Format Name>

Note:<Format Name>,<Drain Name> and PRI are user defined values. Example: $kato config set logyard drainformats/systail-ela-local[{<13>{{.Text}}] $kato drain add ela udp://ELA:514 -f systail-ela-local By default, EventLog Analyzer uses 513 and 514 as default UDP ports. In case if you have changed the UDP port number, specify the same here.

Logyard will now drain all the logs in the format name as specified to EventLog Analyzer's UPD port number as give. EventLog Analyzer can now collect all the stackato logs as syslogs and analyze them with special reports.

Configuring the Syslog Service on a UNIX Host

1. Login as root user and edit the syslog.conf file in the /etc directory.

2. Append *.*<space/tab>@<server_name> at the end, where <server_name> is the name of the machine on which EventLog Analyzer is running.

3. Save the configuration and exit the editor.

4. Edit the services file in the /etc directory.

5. Change the syslog service port number to 514, which is one of the default listener ports of EventLog Analyzer. But if you choose a different port other than 514 then remember to enter that same port when adding the host in EventLog Analyzer.

6. Save the file and exit the editor.

7. Restart the syslog service on the host using the command:
   /etc/rc.d/init.d/syslog restart

For configuring syslog-ng daemon in a Linux host, append the following entries

destination eventloganalyzer { udp("<server_name>" port(514)); };
log { source(src); destination(eventloganalyzer); };

at the end of /etc/syslog-ng/syslog-ng.conf, where <server_name> is the ip address of the machine on which EventLog Analyzer is running.

Configuring the Syslog Service on a HP-UX/Solaris/AIX Host

1. Login as root user.

2. Edit the syslog.conf file in the /etc directory as shown below.

*.emerg;*.alert;*.crit;*.err;*.warning;*.notice;*.info;*.debug <tab-separation>@<server_name>

Note: For Solaris host, it is just enough to include *.debug<tab-separation>@<server_name> in the syslog.conf file.

where, <server_name> is the name of the machine where EventLog Analyzer server or Service is running. Just ensure that only a tab separation alone is there in between *.debug and @<server_name>.

3. Save the configuration and exit the editor.

4. Edit the services file in the /etc directory.

5. Change the syslog service port number to 514, which is one of the default listener ports of EventLog Analyzer. But if you choose a different port other than 514 then remember to enter that same port when adding the host in EventLog Analyzer.

6. Start the syslog daemon running on the OS. You need to just execute the below command.
   Usage : /sbin/init.d/syslogd {start|stop}

Command to be executed :
(for HP-UX) /sbin/init.d/syslogd start
(for Solaris) /etc/init.d/syslog start
(for Solaris 10) svcadm -v restart svc:/system/system-log:default
(for IBM AIX) startsrc -s syslogd

Configuring the Syslog Service on VMware

All ESX and ESXi hosts run a syslog service (syslogd), which logs messages from the VMkernel and other system components to a file.

To configure syslog for an ESX host:

Neither vSphere Client nor vicfg-syslog can be used to configure syslog behavior for an ESX host. To configure syslog for an ESX host, you must edit the /etc/syslog.conf file.

To configure syslog for an ESXi host:

On ESXi hosts, you can use the vSphere Client or the vSphere CLI command vicfg-syslog to configure the following options:

• Log file path: Specifies a datastore path to the file syslogd logs all messages.
• Remote host: Specifies a remote host to which syslog messages are forwarded. In order to receive the forwarded syslog messages, your remote host must have a syslog service installed.
• Remote port: Specifies the port used by the remote host to receive syslog messages.

To configure syslog using vSphere CLI command :

For more information on vicfg-syslog, refer the vSphere Command-Line Interface Installation and Reference Guide.

To configure syslog using vSphere Client:

1. In the vSphere Client inventory, click on the host.

2. Click the Configuration tab.

3. Click Advanced Settings under Software.

4. Select Syslog in the tree control.

5. In the Syslog.Local.DatastorePath text box, enter the datastore path to the file where syslog will log messages. If no path is specified, the default path is /var/log/messages.

The datastore path format is [<datastorename>] </path/to/file> where the path is relative to the root of the volume backing the datastore.

Example: The datastore path [storage1] var/log/messages maps to the path / vmfs/volumes/storage1/var/log/messages.

6. In the Syslog.Remote.Hostname text box, enter the name of the remote host where syslog data will be forwarded. If no value is specified, no data is forwarded.

7. In the Syslog.Remote.Port text box, enter the port on the remote host where syslog data will be forwarded. By default Syslog.Remote.Port is set to 514, the default UDP port used by syslog. Changes to Syslog.Remote.Port only take effect if Syslog.Remote.Hostname is configured.

8. Click OK.

Configuring the Syslog on Cisco Switches

1. Login to the switch.

2. Go to the config mode.

3. Do the below configuration to configure the switch (here, we have used Catalyst 2900) to send the logs to the EventLog Analyzer server:
   
   <Catalyst2900># config terminal
   <Catalyst2900>(config)# logging <EventLog Analyzer IP>
   
   For the latest catalyst switches
   
   Catalyst6500(config)# set logging <EventLog Analyzer IP>
   
   We can also configure other options like logging facility , trap notifications, etc. .. as
   
   Catalyst6500(config)# logging facility local7
   Catalyst6500(config)# logging trap notifications

Note: The same commands are also applicable for Cisco Routers. Please refer Cisco® documentation for detailed steps on configuring syslog in the respective routers or switches. Contact eventlog-support@manageengine.com if the syslog format of your cisco devices are different from the standard syslog format supported by EventLog Analyzer.