Creative topics of AS400 / iSeries System Administration

I started this blog at the same time I was wondering how to integrate AS400 system logs with a centralized log system. In my study I'm going to use Splunk, but the proposals in this post could apply to any log system.

For my project, I'd like to send all kinds of logs to Splunk: system logs, audit logs and application logs.

What do I need?
To send system logs via TCP or UDP to the centralized log system in real time, where I can query or analyze the data, or simply keep it.

For system logs I heard about "syslog" as a standard for computer data logging. Syslog can be used for system management, debugging, analysis or security auditing. In most cases, syslog gets implemented because an internal audit wants to keep all logs from all systems in the same format and centralized.

Syslog is integrated into most operating systems. Unfortunately, on AS400 it does not log any system operator messages, FTP, TCP, login or QAUDJRN events. AS400 "per se" has a wonderful logging system with the QSYSOPR message queue, QHST logs and QAUDJRN, so I guess that's IBM's reason for not implementing syslog.

Somehow, I'm tired of the "you can't do this with AS400" and of the AS400 not being an "out of the box" system.

But in the wonderful PASE for System i, we have the option to install the syslog / syslogd API to log messages from CL or RPG programs, and it should be possible to build several "Exit Point" programs to log into syslog.

Installing Syslog.
Syslog is included in the Licensed Program 5761SS1, Option 33, Portable App Solutions Environment.

To check the correct installation:

STRQSH -> cd /QOpenSys/usr/sbin
syslogd -h
/QOpenSys/usr/sbin/syslogd: illegal option -- h
usage: syslogd [-d] [-s] [-n] [-N] [-r] [-mmarkinterval] [-ppath] [-fconffile] [-Mall]

Syslogd is the daemon that needs to be running to start logging on the system. But first, we have to configure syslog by editing the syslog.conf file. On most Unix pages dedicated to syslog you can check how to configure it (rotating log files, the device or file to put the logs in, etc.).

Syslog has different facilities to configure for logging (mail server, kernel, authorization), but these will not work with AS400. The only one I know of right now is using the PASE "logger" command, which I will explain later.

Configuring syslog.conf.
On Unix systems, syslog.conf lives in /etc/syslog.conf, but on AS400 we need to create it in /QOpenSys/etc:

*.emerg;*.alert;*.crit;*.warning;*.err;*.notice;*.info /var/adm/messages

With this entry, I will send logs to the file /var/adm/messages (note: create the messages file with the command: touch messages).

After that, you can start the syslogd daemon in batch:
SBMJOB CMD(STRQSH CMD('/QOpenSys/usr/sbin/syslogd'))

and check the file to see what happens. You should see an entry like:
Dec 29 14:27:40 SYSTEM-NAME syslog:info syslogd: restart

Adding entries to syslog.

The only way I found is using the "logger" command. If you know something better, please give feedback :). Logger will send an event to the syslog daemon that we have running in batch.

logger "some text"

Check /var/adm/messages:
Dec 29 14:27:40 SYSTEM-NAME syslog:info syslogd: restart
Dec 29 14:28:40 SYSTEM-NAME user:notice qsecofr: some test.
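As an added example (not code from the original post), a small Python parser for the line layout the PASE syslogd writes above, mapping the facility:severity column to the numeric PRI value (facility * 8 + severity) that a remote syslog receiver or Splunk sees on the wire; it is a quick check that logger entries arrived with the expected priority and shows which user profile produced them. The sample lines are constructed from the output shown in the post.

```python
import re

# Syslog facility and severity codes (RFC 3164); wire PRI = facility * 8 + severity.
FACILITIES = {"kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4,
              "syslog": 5, "lpr": 6, "news": 7, "uucp": 8, "cron": 9,
              "authpriv": 10, "ftp": 11, "local0": 16, "local1": 17,
              "local2": 18, "local3": 19, "local4": 20, "local5": 21,
              "local6": 22, "local7": 23}
SEVERITIES = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
              "warning": 4, "notice": 5, "info": 6, "debug": 7}

# One line of /var/adm/messages as the PASE syslogd writes it:
#   Dec 29 14:28:40 SYSTEM-NAME user:notice qsecofr: some test.
# i.e. BSD timestamp, host, facility:severity, tag (the profile that ran logger), message.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<facility>[a-z0-9]+):(?P<severity>[a-z]+) "
    r"(?P<tag>[^:\s]+): ?(?P<msg>.*)$"
)

def parse_line(line):
    """Parse one messages-file line; None if it is not in the expected layout."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    fac = FACILITIES.get(rec["facility"])
    sev = SEVERITIES.get(rec["severity"])
    if fac is None or sev is None:  # unknown names: treat as malformed
        return None
    rec["pri"] = fac * 8 + sev
    return rec

def at_least(records, severity):
    """Keep records at the given severity or more urgent (lower code)."""
    limit = SEVERITIES[severity]
    return [r for r in records if SEVERITIES[r["severity"]] <= limit]

# Constructed sample: the two lines shown in the post plus one bad line.
SAMPLE = """\
Dec 29 14:27:40 SYSTEM-NAME syslog:info syslogd: restart
Dec 29 14:28:40 SYSTEM-NAME user:notice qsecofr: some test.
not a syslog line
"""

if __name__ == "__main__":
    recs = [r for r in map(parse_line, SAMPLE.splitlines()) if r]
    for r in at_least(recs, "notice"):
        print(r["pri"], r["host"], r["tag"], r["msg"])
```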

So, my idea now is how to use this API to log what I need from AS400 to syslog: logins, system errors, FTP access, ODBC access, etc.

The cool thing: sending the logs to a remote server.
I have installed Splunk on a Unix server. I told Splunk to get the syslog data from the file on Unix located in:

The cool thing is that syslog can send logs via TCP or UDP. For testing purposes, I configured syslog for UDP (the default), but the problem with UDP is that some logs get lost if a network error happens.

Once I started syslog on Unix or Linux (I think for Windows you could use WinSyslog), I can change the syslog.conf configuration on AS400 like this:
*.emerg;*.alert;*.crit;*.warning;*.err;*.notice;*.info @my-loggingserver
*.emerg;*.alert;*.crit;*.warning;*.err;*.notice;*.info /var/adm/messages

With this config, I can see the logs locally and also send them to the remote server.

End the syslogd job and start it again, then test sending some data with logger :)

Mauro says: July 30, 2013 at 9:13 PM Reply
've found another method to send logs to a remote server or are you still with this method?

Steve Short says: October 7, 2013 at 4:34 PM Reply
Hello, any word on another method by Mauro?

gajovy says: December 12, 2013 at 8:03 AM Reply
Mauro, can you share your method, please?

Anonymous says: December 29, 2015 at 6:12 AM Reply
Brilliant piece of information, I had come to know about your web-page from my friend hardkik, chennai, I have read at least 9 posts of yours by now, and let me tell you, your webpage gives the best and the most interesting information. This is just the kind of information that I had been looking for, I'm already your RSS reader now and I would regularly watch out for the new posts, once again hats off to you! Thanx a million once again, Regards, splunk training in hyderabad

Anonymous says: October 12, 2016 at 1:09 PM Reply
I'm getting an error when starting syslogd. The job log says:
syslogd: unknown priority name "": errno = 2
I think it is because it can't read the syslog.conf file.
How must it be created? What CCSID are you using?

Andrés Colodrero says: October 12, 2016 at 1:25 PM Reply
Please check my new post.

syslog.conf should be in /QOpenSys/etc/syslog.conf

Copyright © 2011 Creative topics of AS400 / iSeries System Administration | Powered by Blogger