TIBCO LogLogic ® Universal Collector User's Guide Software Release 2.8.0 August 2017 Two-Second Advantage ®



Important Information

SOME TIBCO SOFTWARE EMBEDS OR BUNDLES OTHER TIBCO SOFTWARE. USE OF SUCH EMBEDDED OR BUNDLED TIBCO SOFTWARE IS SOLELY TO ENABLE THE FUNCTIONALITY (OR PROVIDE LIMITED ADD-ON FUNCTIONALITY) OF THE LICENSED TIBCO SOFTWARE. THE EMBEDDED OR BUNDLED SOFTWARE IS NOT LICENSED TO BE USED OR ACCESSED BY ANY OTHER TIBCO SOFTWARE OR FOR ANY OTHER PURPOSE.

USE OF TIBCO SOFTWARE AND THIS DOCUMENT IS SUBJECT TO THE TERMS AND CONDITIONS OF A LICENSE AGREEMENT FOUND IN EITHER A SEPARATELY EXECUTED SOFTWARE LICENSE AGREEMENT, OR, IF THERE IS NO SUCH SEPARATE AGREEMENT, THE CLICKWRAP END USER LICENSE AGREEMENT WHICH IS DISPLAYED DURING DOWNLOAD OR INSTALLATION OF THE SOFTWARE (AND WHICH IS DUPLICATED IN THE LICENSE FILE) OR IF THERE IS NO SUCH SOFTWARE LICENSE AGREEMENT OR CLICKWRAP END USER LICENSE AGREEMENT, THE LICENSE(S) LOCATED IN THE “LICENSE” FILE(S) OF THE SOFTWARE. USE OF THIS DOCUMENT IS SUBJECT TO THOSE TERMS AND CONDITIONS, AND YOUR USE HEREOF SHALL CONSTITUTE ACCEPTANCE OF AND AN AGREEMENT TO BE BOUND BY THE SAME.

This document contains confidential information that is subject to U.S. and international copyright laws and treaties. No part of this document may be reproduced in any form without the written authorization of TIBCO Software Inc.

TIBCO, Two-Second Advantage, The Power of Now, TIB, Information Bus, Rendezvous, TIBCO Rendezvous, and Messaging Appliance are either registered trademarks or trademarks of TIBCO Software Inc. in the United States and/or other countries.

Enterprise Java Beans (EJB), Java Platform Enterprise Edition (Java EE), Java 2 Platform Enterprise Edition (J2EE), and all Java-based trademarks and logos are trademarks or registered trademarks of Oracle Corporation in the U.S. and other countries.

All other product and company names and marks mentioned in this document are the property of their respective owners and are mentioned for identification purposes only.

THIS SOFTWARE MAY BE AVAILABLE ON MULTIPLE OPERATING SYSTEMS. HOWEVER, NOT ALL OPERATING SYSTEM PLATFORMS FOR A SPECIFIC SOFTWARE VERSION ARE RELEASED AT THE SAME TIME. SEE THE README FILE FOR THE AVAILABILITY OF THIS SOFTWARE VERSION ON A SPECIFIC OPERATING SYSTEM PLATFORM.

THIS DOCUMENT IS PROVIDED “AS IS” WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT.

THIS DOCUMENT COULD INCLUDE TECHNICAL INACCURACIES OR TYPOGRAPHICAL ERRORS. CHANGES ARE PERIODICALLY ADDED TO THE INFORMATION HEREIN; THESE CHANGES WILL BE INCORPORATED IN NEW EDITIONS OF THIS DOCUMENT. TIBCO SOFTWARE INC. MAY MAKE IMPROVEMENTS AND/OR CHANGES IN THE PRODUCT(S) AND/OR THE PROGRAM(S) DESCRIBED IN THIS DOCUMENT AT ANY TIME.

THE CONTENTS OF THIS DOCUMENT MAY BE MODIFIED AND/OR QUALIFIED, DIRECTLY OR INDIRECTLY, BY OTHER DOCUMENTATION WHICH ACCOMPANIES THIS SOFTWARE, INCLUDING BUT NOT LIMITED TO ANY RELEASE NOTES AND "READ ME" FILES.

Copyright © 2010 - 2017 TIBCO Software Inc. All rights reserved.

TIBCO Software Inc. Confidential Information

2

TIBCO LogLogic® Universal Collector User's Guide


Contents

TIBCO Documentation and Support Services . . . 6
Introduction . . . 7
  Overview . . . 7
Collecting Logs . . . 9
  Real-Time File Logs . . . 9
    Collecting Single-line Messages . . . 9
      Log File Rotation . . . 10
    Collecting Multi-line Messages . . . 11
      Custom Multi-line Log Sources . . . 12
  Windows Event Logs . . . 13
    IP for Forwarded Events . . . 13
    Local Collection . . . 13
    Remote Collection . . . 13
    Filtering Windows Event Logs . . . 14
  Syslog Logs . . . 14
    Filtering Syslog Logs . . . 15
  Remote Files . . . 15
    Configuring Remote File Default Parameters . . . 17
  LogLogic® Universal Collector Internal Logs . . . 17
  Creating and Configuring Log Sources . . . 17
    Add a New Log Source . . . 17
    Copy a Log Source . . . 18
    Delete a Log Source . . . 18
    Creating Multiple Log Sources . . . 18
      Create a CSV File . . . 19
      Import Log Sources . . . 20
  Creating a Complete Configuration . . . 20
    Edit Configuration General Settings . . . 20
    Add a New Configuration . . . 21
    Open a Stored Configuration . . . 22
    Activate the Configuration . . . 22
    Save a Configuration . . . 22
  Editing Log Sources . . . 22
    Edit a Real-Time File Log Source . . . 23
      Editing the Forwarding Collection List . . . 26
    Edit Multiple Real-Time Log Sources . . . 26
    Edit a Windows Event Log Source . . . 26
    Edit Multiple Windows Event Log Sources . . . 29
    Edit a Syslog Log Source . . . 30
    Edit Multiple Syslog Log Sources . . . 33
    Edit a Remote File Log Source . . . 33
    Edit Multiple Remote File Log Sources . . . 36
    Edit Different Types of Log Sources . . . 36
    Edit a Log Source using the Command Line . . . 37
  Sorting Log Sources . . . 39
    Create a New Tag . . . 39
    Apply a Tag . . . 39
    Remove a Tag . . . 39
    Sort Log Sources . . . 40
Forwarding Logs . . . 42
  Forwarding Logs To Multiple Destinations . . . 42
  Creating a Syslog TCP or UDP Connection . . . 42
  Creating an LMI Connection . . . 44
  Creating a Connection in Authentication and or Encryption Mode . . . 45
    Step 1 Get a Root Certificate Authority from your PKI . . . 46
    Step 2 Create a Certificate Signing Request . . . 47
      Using the Internal Tool . . . 47
      Using the OpenSSL . . . 48
    Step 3 Create a Valid LogLogic® Universal Collector Certificate using a CA and OpenSSL . . . 48
    Step 4 Import the Certificate into *.ks or *.p12 . . . 49
    Step 5 Configure the Forwarding Process . . . 49
      For *.ks . . . 50
      For *.p12 . . . 50
      For *.pem . . . 51
        Configure the Forwarding Process . . . 51
    Step 6 Enable Secure Connection . . . 52
  Managing the list of Forwardings . . . 54
    Copying a Forwarding . . . 54
    Deleting a Forwarding . . . 55
Monitoring LogLogic® Universal Collector Activities . . . 56
  Starting UCMon Tool . . . 56
    To start UCMon from LogLogic® Universal Collector Console . . . 56
    To start UCMon manually . . . 56
  Summary Screen . . . 56
  Status Screen . . . 58
    Log Source Status . . . 58
    Forwarding Connection Status . . . 59
  Metrics Screen . . . 60
    Log Source Metrics . . . 60
    Forwarding Connection Metrics . . . 62
  Trends Screen . . . 63
    Log Source Trends . . . 63
    Forwarding Connection Trends . . . 64
  RealTime Screen . . . 65
    Log Sources RealTime . . . 65
    Forwarding Connection RealTime . . . 66
  Exporting the Collection Status . . . 67
Command Line Interface . . . 68
  cert_mgt Manage the Security Certificates . . . 68
  uc_checkConf Check the Current Configuration . . . 69
  uc_createLogSources Import and Create Several Log Sources at a time . . . 69
  uc_decodePwd Decode Passwords for Windows Files . . . 70
  uc_encryptPwd Encrypt Passwords for Windows Files . . . 70
  uc_monitor UCMon Tool . . . 70
  uc_reload Reload Configuration . . . 70
  uc_saveActiveConfAs Save an Active Configuration . . . 71
  uc_switchTo Make Configuration Active . . . 71
Sample Configuration Files . . . 74
  UC Configuration uc.xml . . . 74
  LMI Connection uldp-sampleCommented.uldp.xml . . . 75
  LMI Connection uldp-sampleCommentedAuthJks.uldp.xml . . . 76
  LMI Connection uldp-sampleCommentedAuthPem.uldp.xml . . . 78
  LMI Connection uldp-sampleCommentedAuthPks12.uldp.xml . . . 80
  Log Sources file-sampleCommented.ls.xml . . . 82
  Log Sources syslog-sampleCommented.ls.xml . . . 85
  Log Sources wmi-sampleCommented.ls.xml . . . 87
Regular Expressions . . . 90
Event Output Format . . . 95
IPv6 Support Matrix . . . 98


TIBCO Documentation and Support Services

Documentation for this and other TIBCO products is available on the TIBCO Documentation site. This site is updated more frequently than any documentation that might be included with the product. To ensure that you are accessing the latest available help topics, visit:

https://docs.tibco.com

Product-Specific Documentation

The following documents for this product can be found on the TIBCO Documentation site:

● Web Help

● Installation Guide

● User's Guide

● Release Notes

● Readme

How to Contact TIBCO Support

For comments or problems with this manual or the software it addresses, contact TIBCO Support:

● For an overview of TIBCO Support, and information about getting started with TIBCO Support, visit this site:

http://www.tibco.com/services/support

● If you already have a valid maintenance or support contract, visit this site:

https://support.tibco.com

Entry to this site requires a user name and password. If you do not have a user name, you can request one.

How to Join TIBCO Community

TIBCO Community is an online destination for TIBCO customers, partners, and resident experts. It is a place to share and access the collective experience of the TIBCO community. TIBCO Community offers forums, blogs, and access to a variety of resources including product wikis that provide in-depth information, white papers, and video tutorials. In addition, users can submit and vote on feature requests via the Ideas portal. For a free registration, go to https://community.tibco.com.

Introduction

LogLogic® Universal Collector collects information from four types of log sources: Syslog, Windows Event Logs, Real-Time File pull, or Remote File pull. Several LogLogic® Universal Collector agents can be deployed on a dedicated/shared appliance or on physical/virtual hardware to remotely collect hundreds of log sources located at the same site.

Overview

LogLogic® Universal Collector can seamlessly collect logs from multiple log sources and forward them to multiple destinations.

Collecting Logs — LogLogic® Universal Collector allows you to gather data from several types of log sources while ensuring the integrity of the logs. You can easily collect event logs from local or remote instances of log sources, including time-stamped or rotated files. The LogLogic® Universal Collector agent also works as a Syslog listener.

Forwarding Logs — LogLogic® Universal Collector can forward secured and authenticated data to a TIBCO LogLogic® Log Management Intelligence server via the ULDP protocol without the need for a dedicated appliance. LogLogic® Universal Collector also forwards to Syslog servers using either the UDP or the TCP protocol.

Monitoring Activity — A UCMon tool is also available to monitor the internal processes of LogLogic® Universal Collector, so you can verify that your collection and forwarding processes are responding correctly.

Easy Configuration — A LogLogic® Universal Collector configuration is composed of Log Sources, Forwarding connections, and LogLogic® Universal Collector general parameters. A LogLogic® Universal Collector configuration must be created and updated via the GUI or the Command Line Interface. You can create, save, and store a configuration.

A stored configuration is useful:

● to create a configuration and then activate it whenever you want, even if an active configuration is open, i.e. another configuration is running on the system.

● to create several configurations and deploy them rapidly on other LogLogic® Universal Collectors.

Easy Management — Multiple LogLogic® Universal Collectors can be remotely managed using TIBCO LogLogic Management Center (MC) and an MC Agent configured and running on each LogLogic® Universal Collector asset. MC is a software solution that allows you to manage Assets, schedule batch upgrades for Assets, monitor system health checks, and back up and restore Asset data.

Adaptability — LogLogic® Universal Collector is a software program with a small footprint and low memory usage on your Domain Controllers or application servers. It is highly adaptable and can be customized easily. Its lightweight and reliable configuration helps you manage changes according to your particular needs.


For best performance, a LogLogic® Universal Collector must have no more than 150 collection hosts.


Collecting Logs

LogLogic® Universal Collector handles file collection from four different types of files.

Real-Time File Logs

LogLogic® Universal Collector reads logs from local files, i.e. logs from files generated on the machine where LogLogic® Universal Collector is installed, and forwards them to either an LMI or a Syslog server.

LogLogic® Universal Collector can collect single and multi-line messages.

Collecting Single-line Messages

When a file is collected, only the logs newly appended to the end of the file are collected. Logs already present in the file before the LogLogic® Universal Collector log source was created are not collected.

LogLogic® Universal Collector operates by monitoring specified text files that receive log output from log sources. The log sources append new records to the end of the text file as events occur.

As new records appear at the tail of the monitored file, LogLogic® Universal Collector picks them up immediately.

LogLogic® Universal Collector forwards single-line log messages to an LMI or Syslog server. By default, it sends a maximum of 64000 characters per line.

LogLogic® Universal Collector uses cursors to track the monitored files and to resume collection after it has been stopped.

A cursor holds the file position at which to restart (its metadata) together with file identification information, so the collector can determine whether the file it is resuming is the one to which the saved position applies.

In other words, even if LogLogic® Universal Collector is stopped for a while, the messages written to the file in the meantime are collected from the saved cursor position; no messages are lost unless the file was rotated while the collector was stopped (see Log File Rotation).


Log File Rotation

In the case of log file rotation, a log file is retired and renamed to a “rotated” name, and the monitored file is replaced by a new log file. Periodically, therefore, the monitored file is replaced by a fresh one while it is being collected.

During rotation, the log file names follow one of two conventions:

● The log file name contains a date that changes during the rotation process

The date in the log file name changes at each rotation. Make sure the File Log Source configuration is set up accordingly.

If you enter the parameter [date] in the file path you must:

1. Activate the file rotation.

2. Enable the date pattern and enter a date format, such as yyyyMMdd.

For example,

Filenames: logFile.20170521.log, logFile.20170522.log

Absolute path: c:\logDir\logFile.[date].log

LogLogic® Universal Collector is not compatible with Microsoft IIS or any other application that uses a date in the active log filename.

● The log file name contains an id that changes during the rotation

The id in the log file name changes at each rotation. Make sure the File Log Source configuration is set up accordingly. The current file from which LogLogic® Universal Collector collects logs does not contain an id.

For example,

Active file name: sys.log

Rotated file names: sys.log.1, sys.log.2 and so on.

If you enter the parameter [id] in the file path you must:

1. Activate the file rotation.

2. Enable the nbDigit parameter and enter the number of digits expected (1-9).

For example,

Filenames: logFile.1.log, logFile.2.log

Absolute path: c:\logDir\logFile.[id].log

You can combine the two examples to use both the [id] and [date] parameters in the file path.

While collecting logs from a file that rotates, do not remove the base (active) file: doing so causes collection to fail.

Recommendations

● If the log file was rotated while the collector was stopped, some log data is missed when collection resumes. Therefore, ensure that the collector is not stopped, even temporarily, across an interval in which a rotation occurs. If a stop is unavoidable, schedule it away from the rotation time and check afterwards for a gap in the events received by LMI.

● To be collected, a file must have been modified after the latest collected file.


● The current log file name should not change during rotation. LogLogic® Universal Collector records the “identity” of a log file in the cursor as a hash of the first several bytes of the file. When the log source rotates the file and replaces it with a fresh one, the hash differs. File identity checking is performed throughout the monitoring process to detect log rotation.

● If a log file needs to be replaced and enriched while LogLogic® Universal Collector is running, do not copy content into the file; instead, move (rename) the file on the same partition.
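The cursor mechanism and the rotation checks above can be exercised with the following Python script. It is an added illustration, not code from LogLogic® Universal Collector: it stores an offset plus a hash of the file's leading bytes as the file identity, resumes from the offset while the identity still matches, and restarts from the beginning when it does not. The number of bytes hashed (64) and the temporary-file scenario are assumptions made for the demonstration; the guide only says “the first several bytes”.

```python
import hashlib
import os
import tempfile

# Assumption: the guide says the identity is a hash of "the first several bytes"
# but does not give the count; 64 bytes is chosen here for illustration.
IDENTITY_BYTES = 64


def file_identity(path, nbytes=IDENTITY_BYTES):
    """Hash of the file's leading bytes, or None while the file is too short to identify."""
    with open(path, "rb") as f:
        head = f.read(nbytes)
    if len(head) < nbytes:
        return None
    return hashlib.sha256(head).hexdigest()


class Cursor:
    """Persisted between runs: the offset to resume at and the identity it belongs to."""

    def __init__(self):
        self.offset = 0
        self.identity = None


def collect_new_lines(path, cursor):
    """Return (lines appended since the cursor was last advanced, rotated flag).

    If the stored identity no longer matches the file, the file was rotated and
    replaced by a fresh one, so reading restarts at offset 0. Anything written to
    the retired file after cursor.offset is never read: that is the gap the guide
    warns about when the collector is stopped across a rotation.
    """
    ident = file_identity(path)
    rotated = (cursor.identity is not None and ident is not None
               and ident != cursor.identity)
    if rotated or cursor.offset > os.path.getsize(path):
        cursor.offset = 0          # replaced or truncated: start over
    with open(path, "rb") as f:
        f.seek(cursor.offset)
        data = f.read()
    # Only complete lines are consumed; a trailing partial line waits for the next poll.
    complete, sep, _partial = data.rpartition(b"\n")
    lines = complete.split(b"\n") if sep else []
    cursor.offset += len(complete) + len(sep)
    if ident is not None:
        cursor.identity = ident
    return [line.decode("utf-8", "replace") for line in lines], rotated


def demo():
    """Constructed scenario: initial read, resume, rotation, then a partial line."""
    results = []
    first = b"2017-03-19 16:09:41,344 INFO  [main] collector started, pid 4242, host build-01\n"
    fresh = b"2017-03-20 00:00:00,001 INFO  [main] collector started after rotation, pid 4242\n"
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "app.log")
        cursor = Cursor()
        with open(path, "wb") as f:
            f.write(first + b"second line\n")
        results.append(collect_new_lines(path, cursor))   # initial read: 2 lines
        with open(path, "ab") as f:
            f.write(b"third line\n")
        results.append(collect_new_lines(path, cursor))   # resume from cursor: 1 line
        with open(path, "wb") as f:                       # the log source rotated the file
            f.write(fresh)
        results.append(collect_new_lines(path, cursor))   # identity changed -> rotated
        with open(path, "ab") as f:
            f.write(b"no newline yet")
        results.append(collect_new_lines(path, cursor))   # partial line is not consumed
        with open(path, "ab") as f:
            f.write(b"\n")
        results.append(collect_new_lines(path, cursor))   # now it is
    return results


if __name__ == "__main__":
    for lines, rotated in demo():
        print("rotated" if rotated else "same file", lines)
```

The third step is the interesting one: the new first line hashes differently, so the cursor is reset and the fresh file is read from the start, but the old offset into the retired file is simply discarded. A cursor whose identity was never established (file shorter than the hashed prefix) cannot detect a rotation, which is why the guide insists that the active file name, not only its content, stays stable.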

Collecting Multi-line Messages

LogLogic® Universal Collector can combine multiple consecutive related lines (multi-line messages) in a source log file into a single line, which is then sent to the LMI. Multi-line message groups may require analysis to determine the correct expression to use if the format is complex. LogLogic® Universal Collector supports Java regular expressions.

Before sending, the group of lines that represents one logical message is converted to a single-line format. All of the original message data is kept intact; nothing is altered.

LogLogic® Universal Collector can collect multi-line messages from default application sources orcustom ones:

Tomcat / Servlet Container: Default log location is CATALINA_BASE/logs for Tomcat and application logs, unless configured otherwise. The default format is multi-line, with the first line beginning with a timestamp; it may change due to localization. Logs are rotated daily by default.

WebLogic Application Server: Default log location is under the server root, DOMAIN_NAME/servers/ADMIN_SERVER_NAME/logs/. Each server or cluster maintains a server log, and selected events are forwarded to a domain log. Most entries are single line but can contain Java exceptions. Each message begins with '####'. There may also be a web access log.

WebSphere Application Server: Default log location is under the WebSphere directory APPSERVER/profiles/PROFILENAME/logs/SERVERNAME/. There is no default log rotation. There are server start and stop logs (SystemErr.log, SystemOut.log), JVM log files (native_stderr.log, native_stdout.log), and process log files (startServer.log, stopServer.log). All of these logs contain entries describing the system environment that do not have a timestamp. The error logs do not contain any timestamps. Continuation lines are indented.

JBoss Application Server: Default log location is JBOSS_HOME/server/NAME/log. The boot log records startup events prior to the initialization of the logging service. The server.log file records activity while the server is running. The boot.log file entries begin with a time with no date. The server.log file entries start with a timestamp in the form 'YYYY-MM-DD HH:MI:SS,FFF'. Log messages can be multi-line, and the continuation lines are sometimes indented, but frequently not. Messages start with a timestamp.

Note: The regexes for these default applications are defined in the <InstallationFolder>\runtime\conf\static\line_combiner.xml file.


Custom multi-line: A custom regex can be defined for custom multi-line logs. You need to define:

- the header regex pattern;

- whether to keep orphaned lines, i.e. whether LogLogic® Universal Collector sends lines that do not match the header regex;

- the timeout after which the pending message is sent even if no further header match is found.

Custom Multi-line Log Sources

An example of a custom application log is as follows (long lines are shown unwrapped; each entry is one physical line in the file):

2017-03-19 16:09:41,344 WARN [main] file.FileImportSqlDao (?(think)) - File not found (/home/exaprotect/conf/TBSMP6/report/etc/export.properties)

2017-03-19 16:09:41,344 WARN [main] config.ConfigurationFactory (ConfigurationFactory.java:127) - No configuration found. Configuring ehcache from ehcache-failsafe.xml found in the classpath: jar:file:/home/exaprotect/report_TBSMP6/webapps/ExaReport/WEB-INF/lib/ehcache-1.2.2.jar!/ehcache-failsafe.xml

java version "1.8.0_18"

Java(TM) SE Runtime Environment (build 1.8.0_18-b07)

2017-03-19 16:09:50,723 INFO [main] config.FacesConfigurator (FacesConfigurator.java:151) - Reading standard config org/apache/myfaces/resource/standard-faces-config.xml

Java HotSpot(TM) 64-Bit Server VM (build 16.0-b13, mixed mode)

In the LogLogic® Universal Collector Console, you can create a regex like:

^\d+-\d+-\d+\s\d+:\d+:\d+,\d+\s[^\s]+\s+\[[^\]]+\]\s

with a timeout of 3 seconds and indicating that orphaned lines are kept.

It matches the header of each multi-line log entry (date, level and thread), for example:

2017-03-19 16:09:41,344 WARN [main]

All the lines up to the next header match are aggregated and forwarded as a single log to LMI. Carriage returns and line feeds (\r and \n) are replaced by their escaped forms (\\r and \\n).

You obtain something like (three messages, each on one line):

2017-03-19 16:09:41,344 WARN [main] file.FileImportSqlDao (?(think)) - File not found (/home/exaprotect/conf/TBSMP6/report/etc/export.properties)

2017-03-19 16:09:41,344 WARN [main] config.ConfigurationFactory (ConfigurationFactory.java:127) - No configuration found. Configuring ehcache from ehcache-failsafe.xml found in the classpath: jar:file:/home/exaprotect/report_TBSMP6/webapps/ExaReport/WEB-INF/lib/ehcache-1.2.2.jar!/ehcache-failsafe.xml\r\njava version "1.8.0_18"\r\nJava(TM) SE Runtime Environment (build 1.8.0_18-b07)

2017-03-19 16:09:50,723 INFO [main] config.FacesConfigurator (FacesConfigurator.java:151) - Reading standard config org/apache/myfaces/resource/standard-faces-config.xml\r\nJava HotSpot(TM) 64-Bit Server VM (build 16.0-b13, mixed mode)

Refer to Appendix to get the full content of the Real-Time File Log Source commented file.
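To see how the header regex, the orphaned-line option and the timeout interact, here is an added Python reimplementation of the line-combining logic. It is not the collector's own code (which is Java); the regex is the one from the guide and uses only constructs that mean the same in Java and Python, the sample log is the guide's six-line excerpt embedded as constructed input, and the 3-second timeout is driven with explicit timestamps so that the example runs deterministically.

```python
import re
import time

# The header regex from the guide; every construct in it means the same in Java and Python.
HEADER_RE = re.compile(r"^\d+-\d+-\d+\s\d+:\d+:\d+,\d+\s[^\s]+\s+\[[^\]]+\]\s")


def _escape(line):
    """Keep the data intact but make the message single-line: literal \\r and \\n."""
    return line.replace("\r", "\\r").replace("\n", "\\n")


class LineCombiner:
    """Groups continuation lines under the last header line, like the collector's line combiner."""

    def __init__(self, header_re=HEADER_RE, keep_orphans=True, timeout=3.0):
        self.header_re = header_re
        self.keep_orphans = keep_orphans
        self.timeout = timeout        # seconds of silence after which a pending message is sent
        self._pending = None          # lines of the message being assembled
        self._last_seen = None        # time the pending message last grew

    def feed(self, raw_line, now=None):
        """Offer one physical line; returns the messages that became complete."""
        now = time.monotonic() if now is None else now
        line = raw_line.rstrip("\r\n")
        out = []
        if self.header_re.search(line):
            out.extend(self.flush(force=True))   # a new header closes the previous message
            self._pending = [line]
            self._last_seen = now
        elif self._pending is not None:
            self._pending.append(line)           # continuation of the current message
            self._last_seen = now
        elif self.keep_orphans:
            out.append(_escape(line))            # no header seen yet: orphan line
        return out

    def flush(self, now=None, force=False):
        """Emit the pending message if forced, or if it has been idle longer than the timeout."""
        if self._pending is None:
            return []
        now = time.monotonic() if now is None else now
        if force or now - self._last_seen >= self.timeout:
            message = "\\r\\n".join(_escape(part) for part in self._pending)
            self._pending = None
            return [message]
        return []


def combine_multiline(lines, **options):
    """Convenience wrapper for a whole file: feed every line, then force the last message out."""
    combiner = LineCombiner(**options)
    out = []
    for line in lines:
        out.extend(combiner.feed(line, now=0.0))
    out.extend(combiner.flush(force=True))
    return out


# Constructed sample reproducing the guide's six-line excerpt (each entry is one physical line).
SAMPLE_LOG = [
    "2017-03-19 16:09:41,344 WARN [main] file.FileImportSqlDao (?(think)) - File not found (/home/exaprotect/conf/TBSMP6/report/etc/export.properties)",
    "2017-03-19 16:09:41,344 WARN [main] config.ConfigurationFactory (ConfigurationFactory.java:127) - No configuration found. Configuring ehcache from ehcache-failsafe.xml found in the classpath: jar:file:/home/exaprotect/report_TBSMP6/webapps/ExaReport/WEB-INF/lib/ehcache-1.2.2.jar!/ehcache-failsafe.xml",
    'java version "1.8.0_18"',
    "Java(TM) SE Runtime Environment (build 1.8.0_18-b07)",
    "2017-03-19 16:09:50,723 INFO [main] config.FacesConfigurator (FacesConfigurator.java:151) - Reading standard config org/apache/myfaces/resource/standard-faces-config.xml",
    "Java HotSpot(TM) 64-Bit Server VM (build 16.0-b13, mixed mode)",
]

if __name__ == "__main__":
    for message in combine_multiline(SAMPLE_LOG):
        print(message)
```

Two behaviours worth noting when tuning a real source: a message is only released by the next header or by the timeout, so the last entry of a quiet application sits in the collector for up to the timeout; and with orphaned lines dropped, anything before the first header match (for example the JVM banner at start-up) is never forwarded, which is a blind spot to account for when the header regex is too strict.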

Windows Event Logs

LogLogic® Universal Collector can collect Windows Event Logs on Windows systems. Collecting Windows Event Logs from a collector installed on a Linux system is not supported.

The supported Windows versions for remote collection are Windows 2003 R2 (32/64-bit), Windows 2008 R2, Windows 2012 R2, Windows 2016 (64-bit) and Windows 7 (32/64-bit).

LogLogic® Universal Collector forwards Windows logs to the LMI appliance by using ULDP. Windows logs collected by LogLogic® Universal Collector are forwarded in a format based on the Snare over Syslog format. Because the Snare over Syslog and Snare formats are not identical, subtle differences may exist for certain messages. For details, see Event Output Format on page 95.

Non-administrator user accounts can collect Windows Event Logs from a remote event host. For administrator user accounts, LogLogic® Universal Collector auto-discovers the platform family and language type of the remote event host. For non-administrator user accounts, you must manually set the platform and language type on each Windows event host using the advanced option, and you must apply the following settings:

● Enable the Remote Registry service on the remote event host.

● On Windows 2008, Windows 7 and Windows 2012 systems, when collecting Windows Event Logs from domain member systems, add the non-administrator domain user to the Event Log Readers group of the domain member systems. A dedicated account in this group is the least-privilege option: it can read the event logs but cannot administer the host.

WMI ports must be open from LogLogic® Universal Collector to the Windows host for auto-discovery of the remote log source's Windows version to succeed.

IP for Forwarded Events

When LogLogic® Universal Collector collects forwarded events and the originating IP needs to be shown on LMI, make sure the function is switched On and that DNS resolution works properly, or configure the HOSTS file on the LogLogic® Universal Collector server.

Local Collection

This section explains how to prepare a Windows host for local collection.

Enable the following Windows service:

● Windows Management Instrumentation

Remote Collection

This section explains how to prepare a Windows host for remote collection.

Enable the following Windows services:

● Windows Management Instrumentation

● (For Windows 2003 only) Remote Registry

If Windows Firewall is enabled, run the following command to allow access to the above services:

netsh firewall set service RemoteAdmin enable

The netsh firewall context is the legacy (pre-Vista/2008) interface; on Windows Vista/2008 and later the equivalent in the advfirewall context is netsh advfirewall firewall set rule group="remote administration" new enable=yes. Where the firewall allows it, scope the rule to the collector's IP address so that RPC/WMI is not exposed to the whole network.


Filtering Windows Event Logs

It may be necessary to minimize the Windows audit events generated by LogLogic® Universal Collector's own activity, via one of the following methods:

Procedure

1. Remove “Object Access/Success” from the audit policy on the Windows log sources. (For further details, see Audit Policy Management on Windows below.)

2. Review the current System Access Control List (SACL) settings for the WMI namespace \\root\CIMV2 through which the Windows Event Logs are read, and verify that Enable Account/Successful is not checked for the accounts or groups with which LogLogic® Universal Collector connects. If necessary, create a new policy for LogLogic® Universal Collector for which Enable Account/Successful is not checked.

If necessary, inheritance of the SACL may have to be disabled for that namespace.

Audit Policy Management on Windows

Windows 2003 R2 / Windows 2008 R2: The audit policy in Windows is configured via local policies and/or a GPO linked to the domain, OU or site. A good way to understand the resulting policy is to use the ‘Resultant Set of Policy’ snap-in of MMC. Check that the current resulting policy is set to generate results for the local host only. The current resulting policy can be found under Computer Configuration > Windows Settings > Local Policies > Audit Policy.

Windows 2008 R2 only: On Windows 2008, more granular settings, named “sub-categories”, are possible. Depending on the solution used, you can check the precise auditing policy with: auditpol /get /category:*

For more information on sub-category audit capabilities, refer to the Microsoft documentation:

http://support.microsoft.com/kb/921468

http://support.microsoft.com/kb/921469

Also review the article on WMI namespaces, which specifically mentions Windows Event Logs auditing:

http://msdn.microsoft.com/en-us/library/aa822575(v=vs.85).aspx

Syslog Logs

LogLogic® Universal Collector reads logs sent via the Syslog protocol. Syslog logs are collected over TCP or UDP.

LogLogic® Universal Collector does not start a syslog listener on the configured port until at least one Syslog log source exists.

If you want to use both protocols, you must define two Log Sources.


UDP: Default configuration. Syslog logs are collected over UDP. When the LogLogic® Universal Collector's status changes (for example when it is updated or stopped), or when it is not running while messages are sent, messages may be lost. Unlike TCP, UDP does not check whether every packet actually arrived, so data can be lost silently.

TCP: Syslog logs are collected over TCP. If another syslog daemon is already running on the server where LogLogic® Universal Collector is installed, the two cannot listen on the same IP, port and protocol. In that case, you must either stop the other syslog daemon or make LogLogic® Universal Collector listen on another port.

Filtering Syslog Logs

Syslog logs can be filtered, before being forwarded, according to their severity and facility:

● facility: the types of message that must be collected.

● severity: the severity levels that are reported.

If a message carries neither severity nor facility (no PRI field), LogLogic® Universal Collector automatically assigns it the local use 7 (local7) facility and the debug severity, and the filter is then applied to those values. A filter that excludes local7 or debug therefore silently drops such malformed messages.
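The filter rules above, including the local7/debug default for messages without a PRI field, can be checked with this added Python example; it is not part of the collector. The sample messages are constructed; the facility and severity numbering follows RFC 3164/5424, and a PRI above 191 is treated as invalid and given the same defaults, which is an assumption about how an invalid header is handled.

```python
import re

PRI_RE = re.compile(r"^<(\d{1,3})>")

# RFC 3164/5424 numbering: facility = PRI // 8, severity = PRI % 8.
FACILITY_NAMES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
                  "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
                  "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITY_NAMES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Defaults the guide describes for a message with no facility/severity.
DEFAULT_FACILITY = FACILITY_NAMES.index("local7")   # 23
DEFAULT_SEVERITY = SEVERITY_NAMES.index("debug")    # 7


def parse_pri(message):
    """Return (facility, severity, remainder). A missing or invalid PRI gets the defaults."""
    m = PRI_RE.match(message)
    if m:
        pri = int(m.group(1))
        if pri <= 191:                      # 24 facilities * 8 severities - 1
            return pri // 8, pri % 8, message[m.end():]
    return DEFAULT_FACILITY, DEFAULT_SEVERITY, message


class SyslogFilter:
    """Keep a message only if its facility AND severity are both in the allowed sets."""

    def __init__(self, facilities, severities):
        self.facilities = {FACILITY_NAMES.index(f) if isinstance(f, str) else f for f in facilities}
        self.severities = {SEVERITY_NAMES.index(s) if isinstance(s, str) else s for s in severities}

    def accepts(self, message):
        facility, severity, _ = parse_pri(message)
        return facility in self.facilities and severity in self.severities

    def apply(self, messages):
        return [m for m in messages if self.accepts(m)]


# Constructed sample: an auth failure (<34> = auth.crit), a user notice (<13>),
# a local7.debug heartbeat (<191>), and a line with no PRI header at all.
SAMPLE = [
    "<34>Oct 11 22:14:15 mymachine su: 'su root' failed for lonvick on /dev/pts/8",
    "<13>Oct 11 22:14:16 mymachine app: user login ok",
    "<191>Oct 11 22:14:17 mymachine dbg: heartbeat",
    "Oct 11 22:14:18 mymachine broken: forwarder sent no PRI header",
]

if __name__ == "__main__":
    security_only = SyslogFilter(facilities={"auth", "authpriv"}, severities=range(0, 6))
    for msg in SAMPLE:
        fac, sev, _ = parse_pri(msg)
        print(FACILITY_NAMES[fac], SEVERITY_NAMES[sev], "KEEP" if security_only.accepts(msg) else "drop")
```

The last sample line is the case the guide describes: a forwarder that omits the PRI field produces a message that parses as local7.debug, so a filter tuned for auth or security facilities drops it without any error. If such devices exist on the network, either fix the sender or include local7/debug in the filter and separate the traffic on LMI instead.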

Remote Files

LogLogic® Universal Collector can collect files remotely and forward them to LMI.

By default, LogLogic® Universal Collector pulls every hour, but it can also pull every X minutes, every X hours, daily at a given time, or weekly on a given day and time. LogLogic® Universal Collector supports the ftp, sftp, cifs and file protocols for remote file collection. Note that ftp sends credentials and log content in clear text; prefer sftp where the remote host supports it.

It is highly recommended to use a physical machine for remote file collection. Do not use LogLogic® Universal Collector's remote file collection for large remote files (above 1 GB) on virtual machines, as it slows the system down significantly.

Remote File with Rotation

In the case of log file rotation, a log file is retired and renamed to a “rotated” name, and the monitored file is replaced by a new log file. Periodically, therefore, the monitored file is replaced by a new one while it is being collected.

When the date field is checked for rotation, LogLogic® Universal Collector only collects files that were modified after the remote file log source was created.

LogLogic® Universal Collector deals with file rotation in two different ways. For more information, refer to Log File Rotation on page 10.

LogLogic® Universal Collector supports only the .GZ compression format for rotated files.

Remote File with No Rotation

● Common Files Collection

Make sure that you specify the correct file path on the remote file system so that the file is pulled correctly.


Use only the supported Windows characters in the file path or file name.

● Compressed Files Collection

LogLogic® Universal Collector collects compressed files in four formats: .zip, .tgz, .tar.gz and .gz. The compressed file cannot include compressed directories.

The type of compression is determined by the compressed file's extension.

● Directory

Directory pull lets you choose a directory and pull files from it based on the ‘include’ and ‘exclude’ options. Directory pull does not support file rotation. The directory may contain files in compressed format.

Example: the /loglogic/ directory has three files: a.txt, b.txt, c.txt

Scenario 1: if the user enters * for include, a.txt, b.txt and c.txt are pulled.

Scenario 2: if the user enters *.txt for include and a.txt for exclude, b.txt and c.txt are pulled.

Scenario 3: if the user enters a.txt for include and nothing for exclude, only a.txt is pulled.

● Directory containing compressed files: LogLogic® Universal Collector supports collection of four compressed file formats: .zip, .tgz, .tar.gz and .gz.

● Using wildcards for directory pull

Example: the following files exist:

//sharepoint/mainFolder/subFolder1/*.log

//sharepoint/mainFolder/subFolder2/*.log

//sharepoint/mainFolder/subFolder3/*.log

...

//sharepoint/mainFolder/subFolder9/*.log

Scenario: if the user enters //sharepoint/mainFolder/subFolder*/, //sharepoint/mainFolder/subFolder?/ or //sharepoint/mainFolder/*/ for the directory path and *.log for include, all the log files are pulled.

Do not use multiple wildcards in a directory path for directory pull. For example:

● Incorrect: //sharepoint/*/subfolder1/*.log

● Correct: //sharepoint/mainFolder/subFolder1/*.log
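The include/exclude and wildcard rules above, as an added Python example that is not the collector's code. The directory listing is a constructed dictionary standing in for a CIFS or SFTP listing. One interpretation is mine and is an assumption: the wildcard is accepted only in the last directory segment, which is the stricter reading of the correct/incorrect examples, and any other placement is rejected before a pull is planned.

```python
import fnmatch


def _segments(path):
    """Split a UNC or POSIX style path into its non-empty segments ('//srv/a/' -> ['srv', 'a'])."""
    return [s for s in path.replace("\\", "/").split("/") if s]


def _has_wildcard(segment):
    return "*" in segment or "?" in segment


def is_valid_directory_pattern(dir_pattern):
    """Allow at most one wildcard segment, and only as the last directory segment.

    Assumption: this is the stricter reading of the guide's "do not use multiple
    wildcards" rule and of its correct/incorrect examples.
    """
    segs = _segments(dir_pattern)
    wild = [i for i, s in enumerate(segs) if _has_wildcard(s)]
    return len(wild) == 0 or (len(wild) == 1 and wild[0] == len(segs) - 1)


def match_directories(dir_pattern, candidate_dirs):
    """Directories from a listing whose segments match the pattern segment by segment."""
    if not is_valid_directory_pattern(dir_pattern):
        raise ValueError("unsupported wildcard placement: %s" % dir_pattern)
    pat = _segments(dir_pattern)
    matched = []
    for d in candidate_dirs:
        segs = _segments(d)
        if len(segs) == len(pat) and all(fnmatch.fnmatchcase(s, p) for s, p in zip(segs, pat)):
            matched.append(d)
    return sorted(matched)


def select_files(names, include="*", exclude=""):
    """Apply include first, then drop anything the (optional) exclude pattern matches."""
    chosen = [n for n in names if fnmatch.fnmatchcase(n, include)]
    if exclude:
        chosen = [n for n in chosen if not fnmatch.fnmatchcase(n, exclude)]
    return sorted(chosen)


def plan_directory_pull(dir_pattern, tree, include="*", exclude=""):
    """tree maps directory path -> file names in it; returns directory -> files to pull."""
    plan = {}
    for d in match_directories(dir_pattern, tree):
        files = select_files(tree[d], include, exclude)
        if files:
            plan[d] = files
    return plan


# Constructed listing mirroring the guide's sharepoint example.
TREE = {
    "//sharepoint/mainFolder/subFolder1": ["a.log", "b.log", "notes.txt"],
    "//sharepoint/mainFolder/subFolder2": ["c.log"],
    "//sharepoint/mainFolder/archive": ["old.log"],
    "//sharepoint/otherFolder/subFolder1": ["d.log"],
}

if __name__ == "__main__":
    for pattern in ("//sharepoint/mainFolder/subFolder*/", "//sharepoint/mainFolder/*/"):
        print(pattern, plan_directory_pull(pattern, TREE, include="*.log"))
```

Note that //sharepoint/mainFolder/*/ also matches the archive directory, so a broad wildcard can pull old or unrelated files alongside the current ones; pair it with a precise include pattern, or use the narrower subFolder* form.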

● Remote File Collection with the SFTP protocol

LogLogic® Universal Collector Remote File Collection supports SFTP servers using password and SSH public key authentication.

1. Open the LogLogic® Universal Collector Console.

2. On the Collection tab, click New > Remote File.

3. Enter the relevant information on the Log Source Edition screen and select the SFTP protocol in the Collection pane.

4. Select the Public Key option, then enter the user Id and click Browse to upload the private key file.

LogLogic® Universal Collector supports only DSA as the signature algorithm for key pairs. Note that OpenSSH 7.0 and later disable ssh-dss keys by default, so the SFTP server may need to be configured explicitly to accept them (PubkeyAcceptedKeyTypes).

Select No passphrase when generating the key pair. Because the private key is stored unencrypted, restrict read access to the key file to the account that runs the collector service, and give the corresponding SFTP account read-only access to the log directory.


Configuring Remote File Default Parameters

You can change the remoteFileCheckSumByteCount of the remote file in UC_HOME\runtime\conf\properties\manage_client.properties. By default the value is set to 4096.

The UC_HOME\runtime\conf\properties\manage_client.properties file is created automatically once the first remote file log source is created.

Procedure

1. Stop the LogLogic® Universal Collector service.

2. Open manage_client.properties in a text editor.

3. Update the remoteFileCheckSumByteCount value and save the file.

4. Restart the LogLogic® Universal Collector service.

LogLogic® Universal Collector Internal Logs

LogLogic® Universal Collector generates its own logs when it is subjected to changes or errors (for example, start-up of the LogLogic® Universal Collector, creation of a Log Source, disconnection of the LogLogic® Universal Collector, etc.). These internal logs are also sent to the LMI and can be used to troubleshoot or repair the LogLogic® Universal Collector.

Collecting LogLogic® Universal Collector Internal Logs

The LogLogic® Universal Collector internal logs are automatically written to the uc.log file, located in the LogLogic® Universal Collector installation folder under \LogLogic\UniversalCollector\logs (on Windows).

The uc.log file is forwarded to the LMI provided you have correctly configured the forwarding process (LMI connection).

The LMI connection used to forward the LogLogic® Universal Collector internal logs can be the same as any log source LMI connection.

Creating and Configuring Log Sources

You can add, copy, and delete Log Sources.

Add a New Log Source

You can add a new Log Source.

Procedure

1. Open the LogLogic® Universal Collector Console by clicking the shortcut, then click the Collection tab.

2. Click New and select the type of Log Source you want to add: Real Time File, Syslog, Windows Event Log, Remote Files, or Cmd.

3. In the Log Source Edition screen, enter the relevant information as explained in Editing Log Sources on page 22.

4. Click Save to save the Log Source. The new log source is added to the list of Log Sources.


Copy a Log Source

You can copy one or multiple Log Source configurations.

Procedure

1. Open the LogLogic® Universal Collector Console by clicking the shortcut, then click the Collection tab.

2. Select one or several Log Sources (Ctrl + click to select more than one) from the list of log sources.

3. Click Copy and confirm. The new log source(s) are displayed below the list of log sources. You can edit and modify them like any other log source.

By default, a copied log source configuration is not enabled.

Delete a Log Source

You can delete one or multiple log sources.

Procedure

1. Open the LogLogic® Universal Collector Console by clicking the shortcut, then click the Collection tab.

2. Select one or several Log Sources (Ctrl + click to select more than one) from the list of log sources.

3. Click Delete. The Log Source list is refreshed automatically.

Creating Multiple Log Sources

You can import and create multiple Log Sources of the same type at the same time.

A CSV file containing the Log Source information must be available.


Create a CSV File

Procedure

1. Open a program such as Notepad.

2. In the header, on the first line, enter the following field names according to the type of Log Source you want to create:

RT File: name, description, lmi_connection*, enabled, timeInUtc, message_filter, match_filter, file_path*, useDateRolling, date_pattern, useIdRolling, nbDigit, useFileChangeNotification, multiline_active, multiline_header_type, multiline_custom_regex, multiline_orphaned_lines, multiline_lineTimeout, appName*, hostname*, maxLineLength, charset

Syslog: name, description, lmi_connection*, enabled, timeInUtc, protocol, ip, port, severity, facilities, source_ip

Windows: name, description, lmi_connection, enabled, timeInUtc, event_id_filter, filter_operator, source_filter, address, domain, login, password, include_eventlogs, eventlogs_list, polling_period, win_type, lang_type, detect_originating_ip

Remote File: name, description, lmi_connection, enabled, ip, protocol, time_zone, file_system_type, user_id, password, domain, share_name, path_type, path, include, exclude, device_type, original_name, useDateRolling, date_pattern, useIdRolling, nbDigit, useFileChangeNotification, useUcIP, uc_ip, deleteInactiveFile, inactiveDays, privateKeyFilePath, certType, every_minutes, every_hours, daily_at_time, weekly_at_time, weekly_at_day

Cmd: name, description, lmi_connection, enabled, timeInUtc, command, multiline_active, multiline_lineTimeout, appName, hostname, maxLineLength, run_once, schedule_active, every_minutes, every_hours, daily_at_time, weekly_at_time, weekly_at_day

* mandatory fields

Notes: 1. LMI connection is mandatory only if more than one connection exists; the sole connection is used by default. 2. Name is not mandatory, as a name is created automatically, such as Real Time File #n, Windows Event Log #n or Syslog #n.

3. On the lines below, fill in the fields with the correct values and save in CSV format. Example CSV file:

name,description,lmi_connection,timeInUtc

Log Source A, Windows Log Sources, LMI_Connection, true

Use the separator | to specify more than one LMI_Connection.


For example:

name,description,lmi_connection,enabled

Log Source A, Windows Log Sources, LMI_Connection1|LMI_Connection2, true

A detailed example of the fields and values to enter in the CSV file is available from the LogLogic® Universal Collector Console when importing the CSV file.
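The following added Python helper (not part of the product) builds and validates a batch import CSV from the field table above. The field lists are copied from the table; the mandatory fields are those marked with *, with lmi_connection enforced only when more than one connection exists, as the notes describe. Which values the console accepts for each field (for example true/false for enabled) is not validated here and is assumed to follow the console's own rules.

```python
import csv
import io

# Field lists copied from the guide's table for each Log Source type.
FIELDS = {
    "RT File": ["name", "description", "lmi_connection", "enabled", "timeInUtc", "message_filter",
                "match_filter", "file_path", "useDateRolling", "date_pattern", "useIdRolling", "nbDigit",
                "useFileChangeNotification", "multiline_active", "multiline_header_type",
                "multiline_custom_regex", "multiline_orphaned_lines", "multiline_lineTimeout", "appName",
                "hostname", "maxLineLength", "charset"],
    "Syslog": ["name", "description", "lmi_connection", "enabled", "timeInUtc", "protocol", "ip", "port",
               "severity", "facilities", "source_ip"],
    "Windows": ["name", "description", "lmi_connection", "enabled", "timeInUtc", "event_id_filter",
                "filter_operator", "source_filter", "address", "domain", "login", "password",
                "include_eventlogs", "eventlogs_list", "polling_period", "win_type", "lang_type",
                "detect_originating_ip"],
    "Remote File": ["name", "description", "lmi_connection", "enabled", "ip", "protocol", "time_zone",
                    "file_system_type", "user_id", "password", "domain", "share_name", "path_type", "path",
                    "include", "exclude", "device_type", "original_name", "useDateRolling", "date_pattern",
                    "useIdRolling", "nbDigit", "useFileChangeNotification", "useUcIP", "uc_ip",
                    "deleteInactiveFile", "inactiveDays", "privateKeyFilePath", "certType", "every_minutes",
                    "every_hours", "daily_at_time", "weekly_at_time", "weekly_at_day"],
    "Cmd": ["name", "description", "lmi_connection", "enabled", "timeInUtc", "command", "multiline_active",
            "multiline_lineTimeout", "appName", "hostname", "maxLineLength", "run_once", "schedule_active",
            "every_minutes", "every_hours", "daily_at_time", "weekly_at_time", "weekly_at_day"],
}
# Fields the guide marks with * (lmi_connection only counts when several connections exist).
MANDATORY = {"RT File": {"lmi_connection", "file_path", "appName", "hostname"},
             "Syslog": {"lmi_connection"}}
CONNECTION_SEPARATOR = "|"


def validate_row(kind, row, connection_count=1):
    """Return the problems with one row; an empty list means it can be imported."""
    problems = []
    unknown = sorted(set(row) - set(FIELDS[kind]))
    if unknown:
        problems.append("unknown field(s): " + ", ".join(unknown))
    for field in sorted(MANDATORY.get(kind, ())):
        if field == "lmi_connection" and connection_count <= 1:
            continue    # the sole connection is taken by default
        if not row.get(field):
            problems.append("missing mandatory field: " + field)
    return problems


def build_csv(kind, rows, connection_count=1):
    """Serialize rows (dicts) into the CSV the Batch Import expects; rejects invalid rows."""
    columns = [c for c in FIELDS[kind] if any(c in r for r in rows)]
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=columns, lineterminator="\n")
    writer.writeheader()
    for row in rows:
        problems = validate_row(kind, row, connection_count)
        if problems:
            raise ValueError("%s: %s" % (row.get("name", "<unnamed>"), "; ".join(problems)))
        out = dict(row)
        if isinstance(out.get("lmi_connection"), (list, tuple)):
            out["lmi_connection"] = CONNECTION_SEPARATOR.join(out["lmi_connection"])
        writer.writerow(out)
    return buf.getvalue()


def parse_csv(text):
    """Read the CSV back, splitting a multi-valued lmi_connection on the separator."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        if row.get("lmi_connection"):
            row["lmi_connection"] = row["lmi_connection"].split(CONNECTION_SEPARATOR)
    return rows


if __name__ == "__main__":
    # Constructed rows: two syslog sources sharing two LMI connections.
    rows = [{"name": "Web tier syslog", "lmi_connection": ["LMI_Connection1", "LMI_Connection2"],
             "enabled": "true", "protocol": "udp", "port": "514"},
            {"name": "Firewall syslog", "lmi_connection": ["LMI_Connection1"],
             "enabled": "true", "protocol": "tcp", "port": "1514"}]
    print(build_csv("Syslog", rows, connection_count=2))
```

Rows for Windows and Remote File sources carry login and password columns in clear text, so generate the CSV on the collector host with restrictive file permissions and delete it once the import has succeeded; the same applies to the privateKeyFilePath target.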

Import Log Sources

Procedure

1. Open the LogLogic® Universal Collector Console by clicking on the shortcut.

2. In the Collection tab, click New > Batch import. The Batch Import tab is displayed.

3. In the drop-down list, select the type of Log Sources you are going to import.

4. Browse to the CSV file and click OK.

5. Click Import. The Log Sources are created under the Collection tab, for example, Import #1 - LS #1.

Creating a Complete Configuration

A configuration contains general settings, a list of Log Sources, and one or several Forwarding connections.

All of these items are configured via the Graphical User Interface and are stored in a LogLogic® Universal Collector Configuration file (*.ucc), a zip archive that you can unzip to explore its content. Treat this file as sensitive: it holds the complete log source configuration, including the accounts used for Windows and remote file collection, so restrict access to it.

Edit Configuration General Settings

You can modify the default configuration at any time.

Procedure

1. Open the LogLogic® Universal Collector Console by clicking on the shortcut.

2. Click the general settings icon in the toolbar.

3. Modify the following information:

Name: Name of the configuration.

Communication Port: Port used by LogLogic® Universal Collector to expose information (for example status, metrics and memory used) via the CLI. Make sure this port is not already in use; otherwise LogLogic® Universal Collector will not work.


Collector Domain: An identification name used to identify each message sent from a specific LogLogic® Universal Collector. This field can be empty. If defined, it must be a unique name of at most 256 characters. This field is case sensitive. Do not include special characters such as \|/"?'*:%

TCP/UDP socket buffer size: TCP/UDP socket buffer size (in kilobytes). This parameter applies to all the Syslog Log Sources associated with the LogLogic® Universal Collector.

UDP max packet size: Maximum UDP packet size (in kilobytes). This parameter applies to all the Syslog Log Sources associated with the LogLogic® Universal Collector. The maximum size is 64 KB.

Notes for Red Hat and SUSE Linux Enterprise

If you see a log message saying “Syslog Unable to set the required socket buffer size”, increase the maximum socket buffer size on your RHEL or SUSE system.

On RHEL and SUSE, the default maximum TCP/UDP socket buffer size is 128 KB.

In the LogLogic® Universal Collector configuration file, the default socket buffer size is 1 MB. This parameter applies to all the Syslog Log Sources of the LogLogic® Universal Collector. Therefore, you must raise the kernel's maximum with the following command.

To change the maximum value of the buffer:

1. Log in as root on the system.

2. Enter the following command (example with 1 megabyte; the value is expressed in bytes):

sysctl -w net.core.rmem_max=1048576

This setting applies to every socket on the system and is not persistent across reboots. To keep it, also add the same net.core.rmem_max line to /etc/sysctl.conf or to a file under /etc/sysctl.d/.

4. Click Apply. The configuration is updated.

Add a New Configuration

You can easily add a new configuration. After adding a new configuration, you must activate it.

Procedure

1. Open the LogLogic® Universal Collector Console by clicking the shortcut.

2. Go to Manage Configuration > New.

3. In the Browsing window, select a folder where you will store your configuration.

4. Enter a configuration name with a *.ucc extension in the Filename field and click Save. The new configuration is displayed automatically in the LogLogic® Universal Collector console, but it is not active.


Open a Stored ConfigurationYou can edit an existing or stored configuration other than the one running on the local LogLogic®Universal Collector at any time.

Procedure

1. Open the LogLogic® Universal Collector Console by clicking on the shortcut.

2. Under Manage Configuration, click Open and browse the LogLogic® Universal Collectorconfiguration file (*.ucc).

3. Click Open.The configuration is displayed in the GUI. However, this configuration is neither applied norrunning.

You can display back your active configuration at any time by selecting ManageConfiguration > Open Active Configuration in the drop-down menu.

Activate the Configuration

You can make a stored configuration active at any time. From then on, every modification made to the newly active configuration is saved and applied automatically each time you validate the changes.

Procedure

1. Open the LogLogic® Universal Collector Console by clicking the shortcut.

2. Display the configuration that you want to activate in the LogLogic® Universal Collector Console.

3. Click the activation icon. A warning message is displayed, indicating that the current active configuration will be overwritten if you continue.

4. Click Continue to accept. If you do not want the active configuration to be erased, click Cancel and make a copy of it (Manage Configuration > Save as) before activating another configuration. The configuration is now active and can be modified.

Save a Configuration

You can save an active or stored configuration on the local system.

Procedure

1. Open the LogLogic® Universal Collector Console by clicking the shortcut.

2. To copy a configuration, select Manage Configuration > Save as.

3. In the Browsing window, select the folder where you want to save the configuration. You can create a new folder.

4. Name the configuration and click Save. A LogLogic® Universal Collector configuration file with the *.ucc extension is created.

Editing Log Sources

You can edit a single Log Source configuration. Similarly, you can update parameters for multiple Log Sources of the same type at a time.


Edit a Real-Time File Log Source

Procedure

1. Under the Collection tab, double-click the Log Source, or select it and click the Edit button. The RT File Edition tab is displayed.

2. In the General part of the screen, you can modify the following information:

Log Source Enabled: Click ON or OFF to enable or disable the current Log Source.

Name: Name of the Log Source.

Description: Description of the Log Source.

3. In the Forwarding Connection part of the screen, you can modify the following information:

Name: Select the Forwarding connection to which the collected RT File logs are forwarded. See Editing the Forwarding Collection List to edit the list.

LogLogic® Universal Collector Collection date: Define whether the log message sent to the LMI server keeps the local system time zone or is converted to the UTC time zone.

4. In the Message Filtering part of the screen, you can modify the following information:

LogLogic® Universal Collector supports Java regular expressions.

[Filtering]: Click ON or OFF to activate or deactivate the option.

Collect messages: Define whether you collect messages that:

- match the regex (all other logs are filtered out)

- do not match the regex (that is, the logs that match the regex are filtered out)

Filter: Enter a case-insensitive regular expression specifying the messages to match. The expression is searched anywhere in the line unless you anchor it with ^ or $, so anchor it when you mean the beginning or the end of a line.

For example, if Not matching regex is selected:

"packet accepted" means that all the lines containing packet accepted are filtered out.

"^64\.242" means that all the lines beginning exactly with 64.242 are filtered out.

"846$" means that all the lines ending exactly with 846 are filtered out.

For example, if Matching regex is selected:

"packet accepted" means that only the lines containing packet accepted are kept.

"^64\.242" means that only the lines beginning exactly with 64.242 are kept.

"846$" means that only the lines ending exactly with 846 are kept.

5. In the Collection part of the screen, you can modify the following information:

On Windows, Real-Time file collection is unavailable on network shared and Network File System (NFS) mounted drives.

File Path: Browse to the log file to be collected.

If the log file is rotated, you can enter [id], [date] or both in the file name, and configure the File rotation parameters.

For example, c:\temp\logFile[date].log matches file names such as logFile20170521.log.

For example, c:\temp\logFile[id].log matches file names such as logFile1.log.

File rotation: Click ON or OFF to activate or deactivate the option.

[If File rotation is ON] Date pattern: Enter the date format to use for the [date] parameter. For example, yyyyMMdd for 20170421.

[If File rotation is ON] Max number of digits: Check the box and indicate the maximum number of digits for the [id] parameter.

LogLogic® Universal Collector can collect any file with an [id] whose number of digits is between 1 and 9 inclusive.

For example, if you set 5, the following [id] values are taken into account: 1, 054, 586, 00599, 78945, etc.


File change notification: Click ON or OFF to activate or deactivate the option. This option lets you monitor changes to the file. If set to ON, a notification is sent to LMI through the uc.log file when the modification date of the specified file changes. The notification includes the changed content and the time. A new log is recorded for the notification when LogLogic® Universal Collector internal logs are forwarded to LMI. Rotated files are not monitored for changes; in that case the File change notification option is disabled.

The specified file should be smaller than the default size (10 MB). If the file is larger than 10 MB, the notification does not include the changed content.

Before activating this monitoring option, make sure that the LMI Connection > Forwarding > Forward UC Internal Logs option is set to ON.

[Multiline messages]: Click ON or OFF to define whether a single message spans several lines.

[If Multiline messages is ON] Multiline header type: Select the type of multi-line logs, for example 'jboss', 'tomcat', 'weblogic', 'websphere' or 'custom'.

[If Multiline messages is ON] Custom header regex: Set a regular expression matching the header, that is, the first line of a log.

[If Multiline messages is ON] Send orphaned lines: Indicate whether you want LogLogic® Universal Collector to send lines that do not match the header regex.

[If Multiline messages is ON] Multiline timeout after detected header: Indicate the number of seconds after which a multi-line log is considered complete and ready to be sent.

[Advanced]: Click the drop-down menu to display the advanced parameters.

Host name: Enter the name of the host used to pair logs on the LMI server, for example customHostname.com. If you enter an IPv4 / IPv6 address, the device displayed in LMI is referenced by this IP address.

Application name: Enter the name of the application used to identify logs on the LMI server, for example customApplicationName.

Maximum messages length: Indicate the maximum possible length of a message (in bytes). Default value: 64000.

[Collected file] Charset: Select the character set of the collected file. Default value: Use local system charset.
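The following Python example is added here to show how the File Path placeholders, the Date pattern and the Max number of digits options from the Collection table above combine to select rotated file names; it is not the collector's own code. The translation of a Java date pattern into digit classes and the case-insensitive comparison of Windows paths are this example's assumptions, and the file names are constructed.

```python
"""Match rotated file names against a File Path that uses [date] and [id].

Added example, not TIBCO code. The guide documents the [date] and [id]
placeholders, the Java date pattern (e.g. yyyyMMdd) and the 1..9 digit
range for [id]; the regex translation below is this example's reading of
those rules, and all file names are constructed.
"""
import re

# Java SimpleDateFormat letters that always expand to digits (assumption:
# patterns using month or day names such as MMM or EEE are not covered).
DATE_LETTERS = "yMdHhmsS"


def date_pattern_regex(date_pattern: str) -> str:
    """Turn a numeric Java date pattern into a regex: every pattern letter
    becomes one digit, every other character is matched literally."""
    return "".join(r"\d" if ch in DATE_LETTERS else re.escape(ch) for ch in date_pattern)


def rotated_file_regex(file_path: str, date_pattern: str = "yyyyMMdd",
                       max_digits: int = 1) -> re.Pattern:
    """Build the regex the placeholders stand for; [id] accepts 1..max_digits
    digits, leading zeros included (00599 counts as five digits)."""
    if not 1 <= max_digits <= 9:
        raise ValueError("the guide allows 1 to 9 digits for [id]")
    pieces = []
    for part in re.split(r"(\[date\]|\[id\])", file_path):
        if part == "[date]":
            pieces.append(date_pattern_regex(date_pattern))
        elif part == "[id]":
            pieces.append(r"\d{1,%d}" % max_digits)
        else:
            pieces.append(re.escape(part))   # literal path text, backslashes included
    # Windows paths are case-insensitive, so IGNORECASE is used (assumption).
    return re.compile("".join(pieces), re.IGNORECASE)


def matches_rotation(file_path: str, candidate: str, date_pattern: str = "yyyyMMdd",
                     max_digits: int = 1) -> bool:
    """True if `candidate` is a rotated instance of the configured File Path."""
    return rotated_file_regex(file_path, date_pattern, max_digits).fullmatch(candidate) is not None


if __name__ == "__main__":
    for name in (r"c:\temp\logFile20170521.log", r"c:\temp\logFile2017-05-21.log"):
        print(name, matches_rotation(r"c:\temp\logFile[date].log", name))
```

Because the whole path is compared, a rotated file in another directory or with a different extension is not picked up, and an [id] longer than Max number of digits is rejected rather than truncated.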

6. Click Apply to validate the changes.
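The multi-line options in the table above (Custom header regex, Send orphaned lines and Multiline timeout after detected header) are easier to reason about with a small model of the assembly logic. The following Python class is an added example, not the collector's implementation; the header expression, the timeout value and the log lines with their arrival times are constructed for the demonstration.

```python
"""Assemble multi-line log records with a custom header regex.

Added example, not the collector's implementation. It models the
Multiline options of a Real-Time File Log Source (custom header regex,
send orphaned lines, timeout after detected header). Arrival times are
passed in explicitly so the timeout can be shown offline.
"""
import re

# Assumed header layout: "2017-08-21 10:00:01 LEVEL ..." (a common Java application log).
HEADER_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} (INFO|WARN|ERROR)\b")


class MultilineAssembler:
    def __init__(self, header_re, send_orphans=False, timeout=2.0):
        self.header_re = header_re
        self.send_orphans = send_orphans
        self.timeout = timeout
        self._buf = []          # lines of the record currently being built
        self._started = None    # arrival time of the current header

    def feed(self, line, now):
        """Feed one raw line; return the records that became complete."""
        done = self.flush_expired(now)
        if self.header_re.search(line):
            if self._buf:                      # a new header closes the previous record
                done.append("\n".join(self._buf))
            self._buf, self._started = [line], now
        elif self._buf:
            self._buf.append(line)             # continuation line (stack trace, wrapped text)
        elif self.send_orphans:
            done.append(line)                  # no open record: orphaned line
        return done

    def flush_expired(self, now):
        """Emit the pending record once `timeout` seconds have passed since its header."""
        if self._buf and now - self._started >= self.timeout:
            return self.flush()
        return []

    def flush(self):
        """Emit whatever is pending (for example at shutdown)."""
        if not self._buf:
            return []
        record, self._buf, self._started = "\n".join(self._buf), [], None
        return [record]


def assemble(lines_with_times, send_orphans=False, timeout=2.0):
    """Run a list of (line, arrival_time) through the assembler."""
    asm = MultilineAssembler(HEADER_RE, send_orphans, timeout)
    out = []
    for line, t in lines_with_times:
        out.extend(asm.feed(line, t))
    out.extend(asm.flush())
    return out


SAMPLE = [  # constructed (line, arrival time in seconds)
    ("  at com.example.Boot.main(Boot.java:12)", 0.0),        # orphan: no header seen yet
    ("2017-08-21 10:00:01 INFO  Server started", 0.1),
    ("2017-08-21 10:00:02 ERROR Request failed", 0.2),
    ("java.lang.NullPointerException: null", 0.2),
    ("  at com.example.Handler.run(Handler.java:42)", 0.3),
    ("2017-08-21 10:00:09 WARN  Slow query", 5.0),            # arrives after the timeout
]

if __name__ == "__main__":
    for record in assemble(SAMPLE, send_orphans=True):
        print(repr(record))
```

Two behaviours worth noting: a continuation line that arrives after the timeout has already closed its record is treated as an orphan, so set the timeout longer than the slowest stack-trace write you expect; and with Send orphaned lines OFF such lines are dropped silently.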

Editing the Forwarding Collection List

Procedure

1. Under the Collection tab, select the Log Source and click the Edit button.

2. In the Forwarding Connection part of the screen, click Edit List. A screen with the list of existing forwarding connections is displayed.

3. In the Available Forwarding Collections pane, select a collection and click Add to add it to the list.

4. To remove a collection from the list, select it in the Selected Forwarding Collections pane and click Remove.

5. Click OK.

Edit Multiple Real-Time Log Sources

Procedure

1. Under the Collection tab, select the Log Sources and click the Edit button. The RT File Edition tab is displayed.

2. Select the set of RT File parameters you want to change.

3. Modify the parameters as explained in Edit a Real-Time File Log Source on page 23.

Edit a Windows Event Log Source

Procedure

1. Under the Collection tab, double-click the Log Source, or select it and click the Edit button. The Windows Events Log Source Edition tab is displayed.

2. In the General part of the screen, you can modify the following information:

Log Source Enabled: Click ON or OFF to enable or disable the current Log Source.

Name: Name of the Log Source, for example ls-win-template.

Description: Description of the Log Source.

3. In the Forwarding Connection part of the screen, you can modify the following information:

Name: Select the Forwarding connection to which the collected Windows Event logs are forwarded. See Editing the Forwarding Collection List to edit the list.

LogLogic® Universal Collector Collection date: Define whether the log message sent to the LMI server keeps the local system time zone or is converted to the UTC time zone.

4. In the Message Filtering part of the screen, you can modify the following information:

[Filtering]: Click ON or OFF to activate or deactivate the option.

Event ID Filter: Regular expression applied to the Windows Event ID. The expression is searched within the ID, so anchor it with ^ and $ when you want an exact match (for example ^(567|58[1-9])$); otherwise 4567 is also selected by 567.

For example, "567|^58[1-9]" selects the events whose Event ID contains 567 and those whose ID starts with 581 to 589 (including longer IDs such as 5810, because the expression is not anchored at the end).

"^(8.*)|^(5[2-9].*)" selects the events whose ID starts with 8 and those whose ID starts with 52 to 59.

If the field is empty or set to .*, no filter is applied.

Refer to Regular Expressions on page 90 for the list of characters used in regular expressions.

and/or: Select whether both filters must match (and) or either one of them (or).

Source Filter: Enter a regular expression applied to the Source field of the Windows events.

For example, "Security" selects all the events whose Source field matches Security.

"DNS Client Events" selects all the events whose Source field matches DNS Client Events.

"Time-Service" selects all the events whose Source field matches Time-Service.

If the field is empty or set to .*, no filter is applied.

Refer to Regular Expressions on page 90 for the list of characters used in regular expressions.
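The following Python example, added here and not taken from the guide or the product, models the regular-expression semantics shared by the Filter option of a Real-Time File Log Source (Collect messages: matching or not matching) and the Event ID Filter / Source Filter with the and/or option above. It assumes what the option tables describe: the expression is searched within the field unless anchored with ^ or $, the RT File filter is case-insensitive, and an empty expression or .* means no filter. The log lines and events are constructed; the unanchored patterns show why 4567 and 5810 are also selected by "567|^58[1-9]".

```python
"""Regex filter semantics shared by the RT File Filter and the Windows
Event ID / Source filters.

Added example, not TIBCO code. Python's re module is used; it agrees with
the Java regular expressions the collector supports for the simple
patterns shown (literals, ^, $, escaped dots, alternation, classes).
Assumed semantics, taken from the option tables: the expression is
searched within the field (unanchored unless ^/$ are written), the RT File
filter is case-insensitive, and an empty expression or ".*" means no
filter. All log lines and events are constructed.
"""
import re

MATCHING, NOT_MATCHING = "match", "not_match"   # the two Collect messages modes


def no_filter(pattern: str) -> bool:
    """Empty or '.*' means 'no filter', as both Windows filter rows state."""
    return pattern.strip() in ("", ".*")


def found(pattern: str, value: str, flags: int = 0) -> bool:
    """Unanchored search, as the guide's own examples imply ('lines containing ...')."""
    return re.search(pattern, value, flags) is not None


def rt_file_collect(lines, pattern, mode):
    """Lines an RT File Log Source keeps for a Filter expression and a Collect messages mode."""
    keep = []
    for line in lines:
        hit = found(pattern, line, re.IGNORECASE)   # the guide says this filter is case-insensitive
        if (mode == MATCHING and hit) or (mode == NOT_MATCHING and not hit):
            keep.append(line)
    return keep


def windows_event_selected(event, id_pattern="", source_pattern="", combine="and"):
    """Apply Event ID Filter and Source Filter joined by the and/or option."""
    id_ok = no_filter(id_pattern) or found(id_pattern, str(event["id"]))
    src_ok = no_filter(source_pattern) or found(source_pattern, event["source"])
    if combine == "and":
        return id_ok and src_ok
    if combine == "or":
        return id_ok or src_ok
    raise ValueError("combine must be 'and' or 'or'")


def windows_select(events, **options):
    """IDs of the events that pass the filters (in input order)."""
    return [e["id"] for e in events if windows_event_selected(e, **options)]


RT_LINES = [  # constructed firewall-style lines
    "64.242.88.10 - [21/Aug/2017:10:00:01] packet accepted src=10.1.1.5 len=846",
    "64.242.88.11 - [21/Aug/2017:10:00:02] Packet ACCEPTED src=10.1.1.6 len=120",
    "10.0.0.7 - [21/Aug/2017:10:00:03] packet dropped src=172.16.4.9 len=846",
    "164.242.0.1 - [21/Aug/2017:10:00:04] packet dropped src=172.16.4.9 len=8460",
]

EVENTS = [  # constructed Windows events
    {"id": 567, "source": "Security"},
    {"id": 4567, "source": "Security"},                        # contains 567
    {"id": 585, "source": "Security"},
    {"id": 5810, "source": "Microsoft-Windows-Time-Service"},  # starts with 581
    {"id": 8003, "source": "DNS Client Events"},
    {"id": 53, "source": "Security"},
]

if __name__ == "__main__":
    print(rt_file_collect(RT_LINES, r"^64\.242", MATCHING))
    print(windows_select(EVENTS, id_pattern="567|^58[1-9]"))
    print(windows_select(EVENTS, id_pattern="^(567|58[1-9])$"))
```

If the intent is an exact list of Event IDs, write the anchored form; the unanchored one silently widens the collection as new IDs appear.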


5. In the Collection part of the screen, you can modify the following information:

[Location]

Local/Remote host: Indicate whether the Windows host from which to poll logs is the local machine or a remote host.

Host name: Enter the IPv4 / IPv6 address or host name of the remote Windows server.

[Credentials]

Use LogLogic® Universal Collector service credentials / Use custom credentials: Select the relevant option to use the correct Windows credentials.

If you have configured credentials in the LogLogic® Universal Collector Windows Services Control Panel, you can reuse those credentials for multiple Windows Event Log collections by selecting the Use LogLogic® Universal Collector service credentials option.

Domain (if Use custom credentials is set): Enter the domain name used to access the Windows server, for example domain.company.

Login (if Use custom credentials is set): Enter the login used to connect to the Windows server. If the user has non-administrator privileges, make sure to satisfy the prerequisites specified in the section Windows Event Logs on page 13.

If the login belongs to a local user with administrator privileges, User Account Control (UAC) needs to be turned off on the event host. Because disabling UAC weakens the host, prefer a domain account, or a non-administrator account that meets the prerequisites above, whenever you can.

Password (if Use custom credentials is set): Enter the password used to connect to the Windows server.

[Windows Event Logs]

Collect: Define which Windows Event Log journals to include. It can be either:

- all event logs: all current and future event logs are collected

- all event logs except the following ones: all current and future event logs are collected except those indicated in the List field

- only the following event logs: only the event logs indicated in the List field are collected

List: List of Event Logs to include or exclude.


Edit List: Displays the Edit List window to select the event logs to be collected:

1 - In the Available Event Logs pane, select an event log and click Add. This adds the log to the list.

2 - To remove event logs from the list, select them and click Remove.

3 - To add an Event Log manually, enter its name and click Add. Make sure you enter the name correctly, as it is case-sensitive.

4 - Click OK.

To display all the available Event Logs, click the Discover Event Logs button.

[Advanced]

Polling Period: Enter the time period (in seconds) after which LogLogic® Universal Collector checks for new Windows events. Default value: 10.

Windows type: Specify the platform from the drop-down list.

If you do not specify the platform type, LogLogic® Universal Collector tries to auto-discover it. However, if the user has non-administrator privileges, LogLogic® Universal Collector fails to auto-discover the platform type, so set it explicitly for such accounts.

Language type: Specify the language type from the drop-down list. If you do not specify it, English is used by default.

Detect the Originating IP for Forwarded Events: Detects the originating IP of forwarded events.

Make sure the function is switched on and that DNS resolution works properly, or configure the HOSTS file on the LogLogic® Universal Collector server.

6. Click Apply to validate the changes.

Edit Multiple Windows Event Log Sources

Procedure

1. Under the Collection tab, select the Log Sources and click the Edit button. The Windows Event Log Edition tab is displayed.

2. Select the set of Windows Event Logs parameters you want to change.

3. Modify the parameters as explained in Edit a Windows Event Log Source.


Edit a Syslog Log Source

Procedure

1. Under the Collection tab, double-click the Log Source, or select it and click the Edit button. The Syslog Log Source Edition tab is displayed.

2. In the General part of the screen, you can modify the following information:

Log Source Enabled: Click ON or OFF to enable or disable the current Log Source.

Name: Name of the Log Source.

Description: Description of the Log Source.

3. In the Forwarding Connection part of the screen, you can modify the following information:

Name: Select the Forwarding connection to which the collected Syslog logs are forwarded. See Editing the Forwarding Collection List to edit the list.

LogLogic® Universal Collector Collection date: Define whether the log message sent to the LMI server keeps the local system time zone or is converted to the UTC time zone.

4. In the Collection part of the screen, you can modify the following information:

Protocol: Define whether the Log Source uses the UDP or TCP syslog protocol.

To listen on both UDP and TCP, you must create two Syslog Log Sources. UDP provides no delivery acknowledgement, so messages dropped by a full socket receive buffer are lost silently; prefer TCP when the sending device supports it.

Port: Enter the port on which to listen for the syslog flow. Default value: 514.

Binding interface: If there are multiple network interfaces, enter the IP address on which to listen for the syslog flow. Only one IP address is possible.

To listen on all network interfaces for IPv4, use 0.0.0.0.

To listen on a specific interface for IPv4, use an address such as 192.168.11.10.

To listen on all network interfaces for IPv6, use ::0.

To listen on a specific interface for IPv6, use an address such as fe80::84c8:f82e:74a1:a187.

Default value: 0.0.0.0

When there are several syslog collectors and one of them is bound to a specific interface, the remaining collectors cannot be bound to 0.0.0.0; bind each of them to another specific interface.

5. In the Message Filtering part of the screen, you can modify the following information:

[Filtering]: Click ON or OFF to activate or deactivate the option.

If Message Filtering is set to OFF, messages with the 'debug' severity are not collected (the maximum severity is set to 6).

If a message has neither severity nor facility (no PRI field), LogLogic® Universal Collector automatically assigns it the local use 7 facility and the debug severity, so it is then filtered out automatically. To collect such messages, enable Message Filtering and set Maximum Severity to 7.

Maximum Severity: Select the maximum accepted severity (numerical code, see RFC 3164):

0 - Emergency: system is unusable
1 - Alert: action must be taken immediately
2 - Critical: critical conditions
3 - Error: error conditions
4 - Warning: warning conditions
5 - Notice: normal but significant condition
6 - Informational: informational messages
7 - Debug: debug-level messages

Default value: 6 - Informational: informational messages


Authorized facilities: Select one or several accepted facilities (see RFC 3164). The logs with these facilities are kept.

0 - kernel messages
1 - user-level messages
2 - mail system
3 - system daemons
4 - security/authorization messages (note 1)
5 - messages generated internally by syslogd
6 - line printer subsystem
7 - network news subsystem
8 - UUCP subsystem
9 - clock daemon (note 2)
10 - security/authorization messages (note 1)
11 - FTP daemon
12 - NTP subsystem
13 - log audit (note 1)
14 - log alert (note 1)
15 - clock daemon (note 2)
16 - local use 0 (local0)
17 - local use 1 (local1)
18 - local use 2 (local2)
19 - local use 3 (local3)
20 - local use 4 (local4)
21 - local use 5 (local5)
22 - local use 6 (local6)
23 - local use 7 (local7)

Default value: 0-23

Authorized IP addresses: Enter a regular expression that filters the accepted sender IP addresses and hosts. Escape the dots and anchor the expression (for example ^10\.1\.2\.3$): an unescaped dot matches any character, and without anchors 10.1.2.3 can also accept 10.1.2.30.

All the logs from all IP addresses are collected if the field is blank (default).
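The following Python example is added to show how the Maximum Severity, Authorized facilities and Authorized IP addresses options act on raw syslog datagrams, including a message that carries no PRI field; it is not the collector's code. It assumes RFC 3164 PRI decoding (facility = PRI / 8, severity = PRI % 8, values above 191 treated as invalid) and the local7/debug fallback described above; the datagrams and sender addresses are constructed.

```python
"""Apply the Syslog Message Filtering options to raw syslog datagrams.

Added example, not TIBCO code. It parses the RFC 3164 PRI field
(facility = PRI // 8, severity = PRI % 8), applies the Maximum Severity,
Authorized facilities and Authorized IP addresses options, and assigns
local7/debug to messages without a PRI, as the guide describes. The
datagrams and sender addresses are constructed; treating a PRI above
191 as missing is this example's choice.
"""
import re

PRI_RE = re.compile(r"^<(\d{1,3})>")
LOCAL7, DEBUG = 23, 7          # fallback for messages with no facility/severity


def parse_pri(message: str):
    """Return (facility, severity); a missing or invalid PRI becomes local7/debug."""
    m = PRI_RE.match(message)
    if m and int(m.group(1)) <= 191:        # 23 facilities * 8 severities - 1
        pri = int(m.group(1))
        return pri // 8, pri % 8
    return LOCAL7, DEBUG


def accepted(message: str, sender_ip: str, max_severity: int = 6,
             facilities=frozenset(range(24)), ip_pattern: str = "") -> bool:
    """True if the collector would keep this message under the given options.

    Defaults mirror the option table: max_severity 6 drops debug (7),
    facilities 0-23 are all authorized, an empty ip_pattern accepts every sender.
    """
    facility, severity = parse_pri(message)
    if severity > max_severity or facility not in facilities:
        return False
    return ip_pattern == "" or re.search(ip_pattern, sender_ip) is not None


SAMPLES = [  # constructed (sender, datagram)
    ("10.1.2.3",  "<34>Aug 21 10:00:01 fw1 kernel: auth failure for root"),   # auth(4) / crit(2)
    ("10.1.2.3",  "<191>Aug 21 10:00:02 fw1 app: verbose trace"),             # local7 / debug
    ("10.1.2.30", "<13>Aug 21 10:00:03 host2 cron: job started"),             # user(1) / notice(5)
    ("10.1.2.3",  "Aug 21 10:00:04 legacy: message without PRI"),             # -> local7 / debug
    ("10.1.2.3",  "<999>Aug 21 10:00:05 bad: out-of-range PRI"),              # -> local7 / debug
]


def kept(samples, **options):
    """Datagrams that survive the filter, in arrival order."""
    return [msg for ip, msg in samples if accepted(msg, ip, **options)]


if __name__ == "__main__":
    for msg in kept(SAMPLES):
        print("kept:", msg)
    print("anchored IP filter keeps", len(kept(SAMPLES, ip_pattern=r"^10\.1\.2\.3$")), "message(s)")
```

With the defaults, the legacy message without a PRI is dropped along with the debug trace; the unanchored IP expression also lets 10.1.2.30 through, while the anchored form keeps only the intended sender.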

6. Click Apply to validate the changes.


Edit Multiple Syslog Log Sources

Procedure

1. Under the Collection tab, select the Log Sources and click the Edit button. The Syslog Log Source Edition tab is displayed.

2. Select the set of Syslog parameters you want to change.

3. Modify the parameters as explained in Edit a Syslog Log Source on page 30.

Edit a Remote File Log Source

Procedure

1. Under the Collection tab, double-click the Log Source, or select it and click the Edit button. The Remote File Log Source Edition tab is displayed.

2. In the General part of the screen, you can modify the following information:

Log Source Enabled: Click ON or OFF to enable or disable the current Log Source.

Name: Name of the Log Source.

Description: Description of the Log Source.

3. In the Forwarding Connection part of the screen, you can modify the following information:

Name: Select the Forwarding conn to which the collected Remote File logs are forwarded. See Editing the Forwarding Collection List to edit the list.

Remote File Collection is only supported by LMI v5.6 or later and can only be forwarded to LMI, not to generic syslog servers.

4. In the Collection part of the screen, you can modify the following information:

Host IP/Name: Enter the IP address or name of the remote log source.

Protocol: Define whether the Log Source uses the ftp, sftp, cifs or file protocol. ftp transmits the credentials and the log content in clear text, so prefer sftp when the remote host supports it.

On Windows, Remote file collection using the file protocol is unavailable on network shared and Network File System (NFS) mounted drives.


[If ftp is selected] Server TimeZone: Select the time zone of the remote log source.

[If a non-local time zone is selected] File System Type: Select the file system type.

User ID: Enter the user ID used to connect to the remote log source.

[If cifs is selected] Domain/User name: Enter the domain or user name.

[If sftp is selected] Password/Public key: Select the authentication method. The following authentication modes are supported:

● Password only

● Public key only

● Password or public key

User password: Enter the user password.

[If sftp protocol and public key is selected] User key: Upload the private key file.

[If cifs is selected] Share name: Enter the CIFS share name.

File / Directory: Select the source of the collection, either a file or the content of a directory.

[If File is selected] File path: Enter the absolute path of the file. This is an absolute path on the file system where LogLogic® Universal Collector is installed, for example d:/myFolder/myLog.log on Windows and /usr/myAccount/myLog.log on Linux/UNIX.

[If File is selected] File Rotation: Click ON or OFF to activate or deactivate the option. Only available if File is selected.


[If File is selected] File change notification: Click ON or OFF to activate or deactivate the option. This option lets you monitor changes to a file. If set to ON, a notification is sent to LMI through the uc.log file when the modification date of the specified file changes. The notification includes the changed content and the time. A new log is recorded for the notification when LogLogic® Universal Collector internal logs are forwarded to LMI. Rotated files are not monitored for changes; in that case the File change notification option is not available.

The specified file should be smaller than the default size (10 MB). If the file is larger than 10 MB, the notification does not include the changed content.

Before activating this monitoring option, make sure that the LMI Connection > Forwarding > Forward UC Internal Logs option is set to ON.

[If File Rotation is ON] Original name: The file that is currently being written; it is usually the file name without the date or id tag.

[If File Rotation is ON] Date pattern: Enter the date format to use for the [date] parameter. For example, yyyyMMdd for 20170421.

[If File Rotation is ON] Max number of digits: Check the box and indicate the maximum number of digits for the [id] parameter.

LogLogic® Universal Collector can collect any file with an [id] whose number of digits is between 1 and 9 inclusive.

For example, if you set 5, the following [id] values are taken into account: 1, 054, 586, 00599, 78945, etc.

[If Directory is selected] Directory path: Enter the directory path name.

[If Directory is selected] File(s) Include: Enter the files to include in the collection. The field supports the standard wildcard characters for matching file names (* and ?).

[If Directory is selected] File(s) Exclude: Enter the files to exclude from the collection. The field supports the standard wildcard characters for matching file names (* and ?).

Device type: Select the type of logs to be collected.

Test connection: Click this button to check whether the connection to the remote log source works.


[Advanced]

Log Source IP: Select an option:

- Remote file server: selected by default. The IP address is taken from the Host IP/Name that you entered previously. This option is not available when the file protocol is selected.

- UC: IP address of the workstation where LogLogic® Universal Collector is installed. You can change it as you want. This IP address is used as the host IP address when the file protocol is selected.

Delete inactive file: Click ON or OFF to activate or deactivate the option. It purges files that are older than a given time, based on their modification time.

[If Delete inactive file is selected] Delete file remains unchanged more than: Enter the number of days after which an inactive file is deleted. The default is 7 days.

[Schedule]: Select the collection period: every minute, every hour, daily or weekly at a specific hour.

5. Click Apply to validate the changes.

Edit Multiple Remote File Log Sources

Procedure

1. Under the Collection tab, select the Log Sources and click the Edit button. The Remote File Log Source Edition tab is displayed.

2. Select the set of Remote file parameters you want to change.

3. Modify the parameters as explained in Edit a Remote File Log Source.

Edit Different Types of Log Sources

You can edit several Log Sources of different types, except remote files, at a time. Only the common parameters are editable.

Procedure

1. Under the Collection tab, press Ctrl while clicking on the Log Sources to select them.

2. Click Select screen to select only the Log Sources visible on the screen, or click Select all to select all the Log Sources.

3. Click the Edit button and select All. The All tab is displayed.


4. In the General part of the screen, you can modify the following information:

Log Source Enabled: Click ON or OFF to enable or disable the current Log Source.

Name: Name of the Log Source.

Description: Description of the Log Source.

5. In the Forwarding Connection part of the screen, you can modify the following information:

Name: Select the Forwarding connection to which the collected logs are forwarded. See Editing the Forwarding Collection List to edit the list.

6. Click Apply to save the changes. If you open one of the selected Log Sources again, you can see that the changes have been applied.

Edit a Log Source using the Command Line

Procedure

1. Under the Collection tab, double-click the Log Source, or select it and click the Edit button. The Cmd Log Source Edition tab is displayed.

2. In the General part of the screen, you can modify the following information:

Log Source Enabled: Click ON or OFF to enable or disable the current Log Source.

Name: Name of the Log Source.

Description: Description of the Log Source.

3. In the Forwarding Connection part of the screen, you can modify the following information:

Name: Select the Forwarding connection to which the collected logs are forwarded. See Editing the Forwarding Collection List to edit the list.

LogLogic® Universal Collector collection date: Define whether the log message sent to the LMI server keeps the local system time zone or is converted to the UTC time zone.

4. In the Collection part of the screen, you can modify the following information:

Command: Enter the command line script path. The collector runs this command with the privileges of its own process each time the schedule fires, so store the script where only administrators can modify it.

If the script path or an argument contains spaces, it must be enclosed in double quotation marks.

On Windows, if the script path and an argument both contain spaces, enter the command in one of the following forms:

""D:\folder name\Hello World.py" "hello world"" (double quotation marks around the whole command)

or

D:\"folder name"\"Hello World.py" "hello world"

[Multiline messages]: Click ON or OFF to define whether a single message spans several lines.

[If Multiline messages is ON] Multiline timeout after detected header: Indicate the number of seconds after which a multi-line log is considered complete and ready to be sent.

[Advanced]: Click the drop-down menu to display the advanced parameters.

Host name: Enter the name of the host used to pair logs on the LMI server, for example customHostname.com. If you enter an IPv4 / IPv6 address, the device displayed in LMI is referenced by this IP address.


Application name: Enter the name of the application used to identify logs on the LMI server, for example customApplicationName.

Maximum messages length: Indicate the maximum possible length of a message (in bytes). Default value: 64000.

Run once: Click ON or OFF to define whether the script is run once or repeatedly.

[Schedule]: Select the collection period: every minute, every hour, daily or weekly at a specific hour.

5. Click Apply to validate the changes.

Sorting Log Sources

Tags are useful to store, sort and search for Log Sources in a list.

For example, to easily find the logs coming from Windows server A to which the administrator has logged in, you can create tags such as Server A, Connection and Administrator, and then search based on those tags.

You can create and apply up to 10 filters.

Create a New Tag

Procedure

1. Under the Collection tab, select one or several log sources.

2. In the Tag edition panel on the right, enter a tag in the combo box and click Add Tag. The tag is automatically saved.

Apply a Tag

Once you have created tags, you can apply them to one or several log sources.

Procedure

1. Under the Collection tab, select the log source(s) to which you want to apply a tag.

2. In the combo box in the right hand panel, select the tag you want to apply and click Add Tag. The tag is displayed under the Tags column.

Remove a Tag

Procedure

1. Under the Collection tab, select the log source for which you want to remove the tag.

2. In the Tag edition panel, click the cross of the tag you want to remove. The list is updated automatically.

Sort Log Sources

You can sort the list of log sources to display only the relevant items.

Procedure

1. In the left hand part of the configuration panel, click the + Add Filter button. Two drop-down list boxes are displayed.

2. In the first drop down list, select the type of information you want to filter. The options are: Enabled, Name, Forwarder, Type, Collection or Tags.

3. Based on the type, select the relevant values.

Filter Values

Enabled Sorts log sources per status, i.e. Off or On.

Name Sorts log sources per name. Enter the log source name.

For example, ls-logsource-windows

Forwarder Sorts log sources per Forwarding connection (names of the connection file), for example, uldp-sample

Type Sorts log sources per type, i.e. file, syslog or windows.

Collection Sorts log sources per collection type, i.e. file, syslog or windows.

Tags Sorts log sources per user-created tags, for example, server, web.

4. Click Apply to filter the list.

5. To add another filter, click +Add Filter and repeat the procedure explained above. For example, to search for a specific forwarder AND a specific type of file, you will obtain something like this:

6. To add another value to the same filter, click the + button and select the relevant value. For example, to find a File Log Source OR a Syslog log source, you will obtain something like this:

7. To remove a filter or only a value, click the - button.

8. Click the column header to display the filtered list by alphabetical order.

9. Click the Clear all button to disable the filters.

Forwarding Logs

LogLogic® Universal Collector collects the information from various types of log sources and forwards it to an LMI server.

The logs are forwarded to an LMI server via the proprietary ULDP protocol, or to a Syslog server using the UDP or TCP protocol for the communication between the LogLogic® Universal Collector and the LMI server or syslog server.

You must select UDP when forwarding syslog to an LMI server.

A file is identified by a file identifier, usually a string representing the path name of the file on the source device.

Forwarding Logs To Multiple Destinations

LogLogic® Universal Collector sends collected logs to multiple forwarders. To add or remove the 'forwarding connections', click Edit List in the Forwarding Connection pane.

Creating a Syslog TCP or UDP Connection

You can add up to 10 Forwarding Connections.

Procedure

1. Open the LogLogic® Universal Collector Console and click the Forwarding tab.

2. Select the New > TCP (Syslog) or UDP (Syslog) menu.

3. In the General section, modify the name of the connection.

4. In the Security section, make sure the button is set to OFF.

5. In the Forwarding section, modify the following values:

Forwarding

Address Enter the IPv4 / IPv6 address or host name of the TCP / UDP server.

Port Enter a port number. (Default: 514)

[TCP Only] Test Connection

Test the connection between LogLogic® Universal Collector and the server.

Message Format

Facility Select the facility to be applied to the log:

0 - kernel messages

1 - user-level messages

2 - mail system

3 - system daemons

4 - security/authorization messages (note 1)

5 - messages generated internally by syslog

6 - line printer subsystem

7 - network news subsystem

8 - UUCP subsystem

9 - clock daemon (note 2)

10 - security/authorization messages (note 1)

11 - FTP daemon

12 - NTP subsystem

13 - log audit (note 1)

14 - log alert (note 1)

15 - clock daemon (note 2)

16 - local use 0 (local0)

17 - local use 1 (local1)

18 - local use 2 (local2)

19 - local use 3 (local3)

20 - local use 4 (local4)

21 - local use 5 (local5)

22 - local use 6 (local6)

23 - local use 7 (local7)

Severity Select the severity to be applied to the log:

0 - Emergency: system is unusable

1 - Alert: action must be taken immediately.

2 - Critical: critical conditions.

3 - Error: error conditions.

4 - Warning: warning conditions.

5 - Notice: normal but significant condition.

6 - Informational: informational messages.

7 - Debug: debug-level messages.

Custom Header Indicate the header of the message.

Advanced

[TCP only] Session timeout

Enter the session timeout (in seconds)

UC Binding interface If there are multiple network interfaces, enter the IP address that the LogLogic® Universal Collector uses when establishing the connection.

Default: 0.0.0.0

6. In the Message Buffering section, modify the following values:

Message Buffering

Buffer size (MB) Enter the buffer size in megabytes. (Default: 100 MB)

7. Click OK to save and close the screen. The list of connections is updated.
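The Facility and Severity selected in the Message Format section are not sent as separate fields: they are combined into the numeric PRI value at the start of every syslog message (PRI = facility × 8 + severity, as defined in RFC 3164 and kept by RFC 5424). The POSIX sh script below is an added example, not part of the TIBCO guide or product. It builds a message for a chosen facility/severity, decodes the PRI of a received line back into the names listed above (rejecting a missing, non-numeric or out-of-range PRI, which is what a receiver should do before trusting the rest of the line), and truncates a message to the Maximum messages length from the Advanced options. The timestamp, host and application names are constructed sample values; the short facility names (kern, auth, local0 ...) are the conventional syslog names for the numbers in the table, not terms from the guide.

```shell
#!/bin/sh
# syslog_pri.sh: encode/decode the syslog PRI field from the facility and
# severity numbers listed in the guide. Added example; not product code.

# Conventional short name for a facility number (4 and 10 are both listed as
# security/authorization in the guide; 10 is the "private" variant).
facility_name() {
    case "$1" in
        0) echo kern ;;   1) echo user ;;     2) echo mail ;;   3) echo daemon ;;
        4) echo auth ;;   5) echo syslog ;;   6) echo lpr ;;    7) echo news ;;
        8) echo uucp ;;   9) echo cron ;;    10) echo authpriv ;; 11) echo ftp ;;
        12) echo ntp ;;  13) echo audit ;;   14) echo alert ;; 15) echo clock ;;
        16|17|18|19|20|21|22|23) echo "local$(( $1 - 16 ))" ;;
        *) return 1 ;;
    esac
}

# Severity names exactly as in the guide's table.
severity_name() {
    case "$1" in
        0) echo Emergency ;; 1) echo Alert ;;  2) echo Critical ;;      3) echo Error ;;
        4) echo Warning ;;   5) echo Notice ;; 6) echo Informational ;; 7) echo Debug ;;
        *) return 1 ;;
    esac
}

# syslog_pri FACILITY SEVERITY -> PRI number (facility * 8 + severity)
syslog_pri() { echo $(( $1 * 8 + $2 )); }

# syslog_build FACILITY SEVERITY TIMESTAMP HOST APP MESSAGE
# Emits a BSD-style line: <PRI>TIMESTAMP HOST APP: MESSAGE
syslog_build() {
    printf '<%s>%s %s %s: %s\n' "$(syslog_pri "$1" "$2")" "$3" "$4" "$5" "$6"
}

# syslog_decode LINE -> "facility severity facility_name severity_name"
# Fails (exit 1, no output) when the PRI is missing, non-numeric or > 191.
syslog_decode() {
    line=$1
    case "$line" in
        '<'[0-9]*'>'*) ;;
        *) echo "no PRI field: $line" >&2; return 1 ;;
    esac
    pri=${line#'<'}; pri=${pri%%'>'*}
    case "$pri" in ''|*[!0-9]*) echo "bad PRI: $pri" >&2; return 1 ;; esac
    [ "$pri" -le 191 ] || { echo "PRI out of range: $pri" >&2; return 1; }
    fac=$(( pri / 8 )); sev=$(( pri % 8 ))
    echo "$fac $sev $(facility_name "$fac") $(severity_name "$sev")"
}

# syslog_truncate MESSAGE [MAX] -> MESSAGE cut to MAX bytes (guide default 64000).
# printf precision counts bytes in the C locale; in a UTF-8 locale some
# implementations count characters instead.
syslog_truncate() {
    max=${2:-64000}
    printf '%.'"$max"'s\n' "$1"
}

# Demo with constructed values: facility 4 (auth), severity 2 (Critical)
syslog_build 4 2 "Oct 11 22:14:15" uc01 uc "forwarding connection lmi-1 restored"
syslog_decode '<34>Oct 11 22:14:15 uc01 uc: forwarding connection lmi-1 restored'
```

A receiver that skips the range check will happily split an injected `<9999>` into a nonsense facility and severity; failing closed on the PRI is the cheap first check before any parsing of the rest of the line.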

Creating an LMI Connection

Procedure

1. Open the LogLogic® Universal Collector Console and click the Forwarding tab.

2. Select New > ULDP to open the LMI Connection tab.

3. In the General section, modify the name of the connection.

4. In the Security section, make sure the button is set to OFF.

5. In the Forwarding section, modify the following values:

Forwarding

Address Enter the IPv4 / IPv6 address or host name of the LMI.

Port Select the LMI port or enter a port.

- 5515 for secured connection with LMI (configurable in LMI)

- 5516 for connection with LMI

Test connection Test the connection between LogLogic® Universal Collector and LMI.

Forward UC Internal Logs

Define whether the LogLogic® Universal Collector internal logs are sent to the remote LMI by selecting ON.

Compress Messages If the connection is slow, you can configure the logs to be compressed for a more rapid flow of data. Define whether the logs are compressed by selecting ON.

Advanced

Reconnection Enter the reconnection frequency to the LMI (in seconds)

Session timeout Enter the session timeout to LMI (in seconds)

UC Binding interface If there are multiple network interfaces, enter the IP address that LogLogic® Universal Collector uses when establishing the connection to LMI.

Default: 0.0.0.0

6. In the Message Buffering part of the screen, modify the following values:

Message Buffering

Buffer size (MB) Enter the buffer size in megabytes. (Default: 100 MB)

Scheduled Forwarding Define the period of time (time window) during which the logs are sent to the LMI by selecting ON.

Scheduled forwarding is not recommended for pulling large files via remote file collection.

Daily Start Define the beginning of the time window. If sendingWindow = true in the above parameter, define the time (hour and minute) when events start to be sent (default value = 23:00)

Daily Stop Define the end of the time window. If you set sendingWindow = true in the above parameter, define the time (hour and minute) when events stop being sent (default value = 05:00).

7. Click OK to save and close the screen. The list of LMI connections is updated.
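The default Daily Start 23:00 / Daily Stop 05:00 window crosses midnight, and everything collected outside the window sits in the message buffer until the window opens, so the buffer size and the window length decide how much collection rate the connection can sustain. The POSIX sh script below is an added example, not part of the TIBCO guide or product: it decides whether a clock time lies inside a Daily Start / Daily Stop window (handling the midnight wrap), computes the window length, and estimates the average collection rate a buffer of a given size can absorb during the hours the window is closed. Three points are assumptions rather than documented product behaviour: the window is treated as half-open (the Stop minute itself is outside it), a Start equal to the Stop is treated as no restriction, and a megabyte is taken as 1024 × 1024 bytes.

```shell
#!/bin/sh
# forwarding_window.sh: reason about a Scheduled Forwarding time window.
# Added example; not part of the TIBCO guide or product.

# to_minutes HH:MM -> minutes since midnight. Leading zeros are stripped so
# that "08" and "09" are not read as (invalid) octal numbers.
to_minutes() {
    case "$1" in
        [0-2][0-9]:[0-5][0-9]) ;;
        *) echo "bad time: $1" >&2; return 1 ;;
    esac
    h=${1%%:*}; m=${1#*:}
    h=${h#0}; m=${m#0}
    [ "$h" -le 23 ] || { echo "bad hour: $1" >&2; return 1; }
    echo $(( h * 60 + m ))
}

# in_window NOW START STOP: prints "forward" (exit 0) when NOW is inside the
# window [START, STOP), else "hold" (exit 1). A Stop earlier than its Start
# wraps past midnight, which is what the default 23:00-05:00 does.
in_window() {
    now=$(to_minutes "$1") || return 2
    start=$(to_minutes "$2") || return 2
    stop=$(to_minutes "$3") || return 2
    inside=0
    if [ "$start" -eq "$stop" ]; then
        inside=1                       # assumption: equal Start/Stop = no restriction
    elif [ "$start" -lt "$stop" ]; then
        if [ "$now" -ge "$start" ] && [ "$now" -lt "$stop" ]; then inside=1; fi
    else
        if [ "$now" -ge "$start" ] || [ "$now" -lt "$stop" ]; then inside=1; fi
    fi
    if [ "$inside" -eq 1 ]; then echo forward; return 0; fi
    echo hold; return 1
}

# window_minutes START STOP -> length of the window in minutes
window_minutes() {
    start=$(to_minutes "$1") || return 2
    stop=$(to_minutes "$2") || return 2
    if [ "$start" -lt "$stop" ]; then echo $(( stop - start ))
    elif [ "$start" -gt "$stop" ]; then echo $(( 1440 - start + stop ))
    else echo 1440; fi
}

# buffer_rate_bytes_per_s BUFFER_MB START STOP -> average bytes/s that the
# buffer can absorb while the window is closed (assumes 1 MB = 1048576 bytes
# and ignores compression). Above this rate the buffer fills before the
# window opens and the Forwarding connection shows Err with a full spool.
buffer_rate_bytes_per_s() {
    off=$(( 1440 - $(window_minutes "$2" "$3") ))
    [ "$off" -gt 0 ] || { echo unlimited; return 0; }
    echo $(( $1 * 1024 * 1024 / (off * 60) ))
}

# Demo with the guide's defaults (100 MB buffer, 23:00-05:00 window)
if in_window 23:30 23:00 05:00; then echo "23:30 is inside the default window"; fi
echo "window length: $(window_minutes 23:00 05:00) min"
echo "sustainable off-window rate: $(buffer_rate_bytes_per_s 100 23:00 05:00) bytes/s"
```

With the defaults the window is open 6 hours a day, so the 100 MB buffer must hold 18 hours of collection: roughly 1.6 KB/s averaged over the closed hours, which is why the guide advises against scheduled forwarding for large remote file pulls.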

Creating a Connection in Authentication and/or Encryption Mode

The information delivered over the connection between the LogLogic® Universal Collector and the LMI server or syslog server can be encrypted.

To secure communications between the LogLogic® Universal Collector and LMI or syslog servers, the following is checked: the identities of the LMI or syslog server and of the LogLogic® Universal Collector, and the encryption of the communication between the LogLogic® Universal Collector and the LMI or syslog server (public and private key mechanism).

If you need to use an AES192 or AES256 key, you must install the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files 7 package from Oracle. The 2 JAR files included in this package must be loaded into the lib/security directory of the Java instance that LogLogic® Universal Collector uses in order to use AES192 or AES256 key ciphers. If you do not have JCE installed, the LogLogic® Universal Collector Console will fail when you try to import an AES192 or AES256 key.

As a requirement, you need a PKI and OpenSSL or another compatible tool.

This section is intended for advanced users with the necessary encryption and secure communication skills.

Procedure

1. A public key and a private key are used to create a Root Certificate Authority (Root CA).

2. A public key and a private key are generated to create the LogLogic® Universal Collector’s Certificate Signing Request (CSR).

3. This request is sent along with the LogLogic® Universal Collector’s identity information and the public key, and the Root CA then delivers the certificate by signing the Certificate Signing Request. The LogLogic® Universal Collector’s certificate is then created and sent with the Authority’s certificate.

Step 1 Get a Root Certificate Authority from your PKI

When deploying an authentication process with LogLogic® Universal Collector, you need to use a Public Key Infrastructure (PKI) consisting of a certificate authority or CA (and a registration authority or RA) that issues and verifies digital certificates; a certificate includes the public key. The PKI also comprises one or more directories where the certificates (with their public keys) are held, and a certificate management system.

A number of products that enable a company or group of companies to implement a PKI exist.

Procedure

1. Access a tool such as OpenSSL.

2. Generate a public and a private key. The recommended and maximum size is 2048 bit, encrypted in AES 128 (3DES is also supported).

Example: openssl genrsa -out ca.key -aes128 2048

3. Generate the CA (valid for 7305 days).

Example: openssl req -new -x509 -days 7305 -key ca.key -out ca.pem

What to do next

Refer to the SSL Certificates HOWTO documentation to know how to create your Certificate Authority:

http://www.gtlib.gatech.edu/pub/linux/docs/HOWTO/other-formats/html_single/SSL-Certificates-HOWTO.html

Step 2 Create a Certificate Signing Request

Prerequisites

You must now generate a Certificate Signing Request in a LogLogic® Universal Collector to be able to create a Certificate on a Certificate Authority. You will obtain a file with the *.csr extension.

Using the Internal Tool

The tool is located in <INSTALL_DIR>/tools folder.

Procedure

1. Enter the following command to start the tool:

Windows: cert_mgt.bat

RHEL, SUSE: cert_mgt

2. Enter the following command: <script-name> request

3. Enter the command to indicate the file path of the file to be generated. You have three possibilities according to the type of your certificates.

[ -jks <file path of the generated *.ks containing the private key> ]

[ -p12 <file path of the generated *.p12 certificate containing the private key> ]

[ -pem <file path of the generated *.pem private key> ]

-csr <file path of the generated Certificate Signing Request>

[ -dn <CSR Distinguished Name> ]

-pwd <mandatory password for the file containing the private key>

This command generates 2 files: one containing the private key (i.e. a *.ks or *.p12 or *.pem) and a Certificate Signing Request (CSR).

If it is not specified in the command line, by default, the DN of the CSR is:

CN=<UC-IP>, O=loglogic

For example: cert_mgt request -jks uc.ks -pwd loglogic -csr uc.csr

Using OpenSSL

You need LogLogic® Universal Collector's public and private keys and OpenSSL.

Procedure

1. Generate the public and private keys. The recommended and maximum size is 2048 bit, encrypted in AES 128 (3DES is also supported):

openssl genrsa -out uc.key -aes128 2048

2. Create the CSR:

openssl req -new -key uc.key -out uc.csr

What to do next

Refer to the SSL Certificates HOWTO documentation to know how to create your Certificate Authority.

Step 3 Create a Valid LogLogic® Universal Collector Certificate using a CA and OpenSSL

You must create the valid Certificate issued by a Certificate Authority in the LogLogic® Universal Collector configuration.

Procedure

● Enter the following command:

openssl ca -config "conf_file.txt" -days 730 -in uc.csr -out uc.pem -notext

In this example, a configuration file has been specified (conf_file.txt). If no configuration file is specified, OpenSSL uses /usr/local/ssl/openssl.cnf by default. Make sure that the path /usr/local/ssl/openssl.cnf is created and configured in advance.

You will get a *.pem certificate that contains the LogLogic® Universal Collector’s certificate.

Refer to the SSL Certificates HOWTO documentation to know how to create your Certificate Authority.
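Steps 1 to 3 above, run as one non-interactive script, added here as an example; it is not taken from the TIBCO guide or product. It keeps the guide's key size, cipher and validity values but signs the CSR with openssl x509 -req instead of openssl ca, so that no CA database or openssl.cnf needs to be prepared; the -subj arguments replace the interactive prompts, and the CA name, the 192.0.2.10 placeholder UC address, the passphrases and the file names are constructed. It also packages the key and certificate as a *.p12 with openssl pkcs12, an alternative to the cert_mgt import of Step 4 that matches the *.p12 layout described in Step 5 (private key and UC certificate in the file, root CA as a separate PEM file). The openssl verify call is the check to make before importing anything: the issued certificate must chain to the same root CA that the LMI or syslog server is configured with, or the authenticated connection will never come up.

```shell
#!/bin/sh
# pki_demo.sh: end-to-end run of Steps 1-3 with OpenSSL, plus *.p12 packaging.
# Added example; not part of the TIBCO guide or product. All names, passphrases
# and the 192.0.2.10 address are constructed placeholders.
set -e

# pki_demo DIR: create a root CA, a UC key/CSR, sign the CSR, verify the chain
# and package key+certificate as PKCS#12. Prints the 'openssl verify' result
# ("uc.pem: OK" on success).
pki_demo() {
    dir=$1
    ca_pass="ca-passphrase-change-me"   # constructed; use real secrets in practice
    uc_pass="uc-passphrase-change-me"
    (
        cd "$dir"

        # Step 1: CA key, 2048-bit RSA encrypted with AES-128 as the guide recommends,
        # then a self-signed CA certificate valid 7305 days (the guide's value)
        openssl genrsa -aes128 -passout "pass:$ca_pass" -out ca.key 2048 2>/dev/null
        openssl req -new -x509 -days 7305 -key ca.key -passin "pass:$ca_pass" \
            -subj "/O=loglogic/CN=Example Root CA" -out ca.pem

        # Step 2: UC key and CSR; the DN follows the guide's default CN=<UC-IP>, O=loglogic
        openssl genrsa -aes128 -passout "pass:$uc_pass" -out uc.key 2048 2>/dev/null
        openssl req -new -key uc.key -passin "pass:$uc_pass" \
            -subj "/O=loglogic/CN=192.0.2.10" -out uc.csr

        # Step 3: sign the CSR for 730 days. The guide uses 'openssl ca' (needs a
        # configured CA directory); 'openssl x509 -req' signs directly instead.
        openssl x509 -req -days 730 -in uc.csr -CA ca.pem -CAkey ca.key \
            -passin "pass:$ca_pass" -CAcreateserial -out uc.pem 2>/dev/null

        # Check: the issued certificate must chain to the root CA
        openssl verify -CAfile ca.pem uc.pem

        # Step 4 alternative: UC private key + certificate as *.p12; the root CA
        # stays in its own PEM file, as the *.p12 layout in Step 5 describes
        openssl pkcs12 -export -inkey uc.key -passin "pass:$uc_pass" -in uc.pem \
            -passout "pass:$uc_pass" -out uc.p12
    )
}

# cert_subject PEM: subject DN in RFC 2253 form, to confirm the CN is the UC address
cert_subject() { openssl x509 -noout -subject -nameopt RFC2253 -in "$1"; }

# cert_not_after PEM: expiry date; the guide says an expired certificate means
# redoing the whole procedure, so this is the value to monitor and renew before
cert_not_after() { openssl x509 -noout -enddate -in "$1"; }

# Stand-alone use: sh pki_demo.sh /path/to/empty/workdir
if [ -n "${1:-}" ]; then
    pki_demo "$1"
    cert_subject "$1/uc.pem"
    cert_not_after "$1/uc.pem"
fi
```

The resulting uc.pem, uc.key and ca.pem are what the PEM option of Step 5 imports; uc.p12 plus ca.pem are what the P12 option imports.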

Step 4 Import the Certificate into *.ks or *.p12

This step is not required if you work with a *.pem certificate.

Prerequisites

This command allows you to import the LogLogic® Universal Collector certificate and/or the root CA certificate into a *.ks, or the LogLogic® Universal Collector certificate into a *.p12 certificate.

Procedure

● Using the CLI provided by LogLogic, enter the command to format the file:

<script-name> import

[ -jks <file path of the *.ks> ]

[ -p12 <file path of the *.p12 certificate> ]

-pwd <mandatory password>

[ -cert <file path of the UC certificate in *.pem format> ]

[ -rootcert <file path of the root CA certificate in *.pem format> ]

This command imports the LogLogic® Universal Collector certificate and/or the root CA.

You can obtain a *.ks certificate file that contains a Certificate Authority, private key and the LogLogic® Universal Collector’s certificate, or a *.p12 binary certificate file, which contains the LogLogic® Universal Collector’s certificate and a private key encrypted by a passphrase.

For example: cert_mgt import -jks uc.ks -pwd loglogic -cert uc-cert.pem -rootcert ca.pem

Step 5 Configure the Forwarding Process

If the connection is authenticated or encrypted, the necessary cryptographic elements must be imported.

The three supported formats are:

● *.ks--A keystore in the JKS format containing the root CA, the private key and the associated LogLogic® Universal Collector certificate.

Associated configuration elements are a keystore filename and a password for the keystore (mandatory).

● *.p12--A keystore in the PKCS#12 format, containing the private key and the associated LogLogic® Universal Collector certificate, and the root CA (in *.pem format) as a separate file.

Associated configuration elements are a PKCS#12 (.p12) file, a password for the PKCS#12 file (mandatory) and a root CA file.

● *.pem--A private key (encrypted or not), a certificate to be used by LogLogic® Universal Collector in PEM format, and a root CA certificate in PEM format. Associated configuration elements are a private key file, a password if the private key is encrypted (mandatory), a LogLogic® Universal Collector certificate file, and a root CA certificate file.

The Certificate Authority’s certificate allows the LogLogic® Universal Collector to check the validity of the LMI or syslog server’s certificate.

The valid LogLogic® Universal Collector certificate allows the LMI to identify the LogLogic® Universal Collector.

The Certificate Authority must be the one you previously used to validate the LMI or syslog server certificate.

Procedure

1. Open the LogLogic® Universal Collector Console and click the Forwarding tab.

2. Click the New Connection button to open the Edition tab.

3. In the Description part of the screen, modify the name of the LMI or syslog server connection.

4. In the Security part of the screen, activate the following options:

Value Description

Authentication Activates the authenticated communication when the button is ON

Encryption Activates the encrypted communication when the button is ON

Certificate Displays the certificate imported in LogLogic® Universal Collector

Initialize Secured Connection Displays the screens to import the certificates

For *.ks

Procedure

1. In the Secured Connection Initialization screen, select JKS and click Continue.

2. In the Java Keystore section, click Import and select the UC JKS Certificate in *.jks format.

3. Enter the certificate password and click OK.

4. Click OK to close the window. The screen is automatically updated.

For *.p12

Procedure

1. In the Secured Connection Initialization screen, select P12 and click Continue.

2. In the UC Certificate section, click Import and select the UC PKCS#12 Certificate in *.p12 format.

3. Enter the certificate password and click OK.

4. In the Root CA Certificate section, click Import and select the root CA certificate stored in *.p12 format.

5. Click OK to close the window. The screen is automatically updated.

For *.pem

Procedure

1. In the Secured Connection Initialization screen, select PEM and click Continue.

2. In the UC Certificate section, click Import and select the LogLogic® Universal Collector Certificate in *.pem format.

3. In the new small window, click Import Private Key and select the file in .pem format.

4. Enter the private key password and click OK.

5. In the Root CA Certificate section, click Import and select the root CA certificate stored in *.pem format.

6. Click OK to close the window. The screen is automatically updated.

Configure the Forwarding Process

Procedure

1. In the Forwarding part of the screen, modify the following values:

Forwarding

Address Enter the IPv4 / IPv6 address or host name of the LMI.

Port Select the LMI port or enter a port.

- 5515 for secured connection (configurable in LMI)

- 5516 (default port)

Test connection Test the connection between LogLogic® Universal Collector and LMI.

Forward UC Internal Logs

Define whether the LogLogic® Universal Collector internal logs are sent to the remote LMI by selecting ON.

Compress Messages If the connection is slow, you can configure the logs to be compressed for a more rapid flow of data. Define whether the logs are compressed by selecting ON.

Advanced

Reconnection Enter the reconnection frequency to the LMI (in seconds)

Session timeout Enter the session timeout to LMI (in seconds)

UC Binding interface If there are multiple network interfaces, enter the IP address that the LogLogic® Universal Collector uses when establishing the connection to LMI.

Default: 0.0.0.0

2. In the Message Buffering part of the screen, modify the following values:

Message Buffering

Buffer size (MB) Enter the buffer size in megabytes. (Default: 100 MB)

Scheduled Forwarding Define the period of time (time window) during which the logs are sent to the LMI by selecting ON.

Daily Start Define the beginning of the time window. If sendingWindow = true in the above parameter, define the time (hour and minute) when events start to be sent (Default: 23:00)

Daily Stop Define the end of the time window. If you set sendingWindow = true in the above parameter, define the time (hour and minute) when events stop being sent (Default: 05:00).

3. Click OK to save and close the screen. The list of LMI connections is updated.

The configuration of LogLogic® Universal Collector is finished. When the certificate has expired, you must follow the procedure from the beginning. You can reuse the same CSR if you stored it earlier.

Step 6 Enable Secure Connection

As for LMI, two certificates are needed:

● The root CA can be retrieved from your certificate authority server or from your organization's PKI administrators. It will check the LogLogic® Universal Collector’s identity.

● A certificate signing request or CSR. Unlike for the LogLogic® Universal Collector, manual steps are required to generate the signed certificate.

Procedure

1. Using the LogLogic CLI, create a Certificate Signing Request:

system secureuldp create csr

This will generate a private key as well as the CSR.

The CSR is the value between the Begin Certificate and End Certificate lines.

2. If you have already created your CSR and just want to display it again, enter: system secureuldp show csr

3. Copy the CSR and have it signed. Once the CA signs the CSR, it will generate a signed certificate. Alternatively, you can create a CSR as per your desired option, sign it, and then import the certificate using the Administration > SSL certificate > Certificate Import menu.

4. Install this signed certificate back on the LMI Appliance by entering: system secureuldp install certificate

5. Paste the certificate in. Make sure to include the Begin Certificate and End Certificate lines when pasting it in.

6. Install the root CA certificate, which will be the common certificate used for validation between the LMI and LogLogic® Universal Collector. To do so, enter: system secureuldp install rootCA

7. Paste in the root CA certificate.

8. You may need to restart the ULDP collector: mtask -s engine_uldpcollector stop ; mtask -s engine_uldpcollector start

9. Once you have created all the certificates, go to Administration > System Settings > General and check the Yes radio button associated with Enable Secure ULDP.

Result

The communication between LogLogic® Universal Collector and LMI is now secured.

Managing the list of Forwardings

You can easily copy or delete Forwardings.

Prerequisites

Label/Button Description

Name Label of the configuration

Address IPv4 / IPv6 address or host name of the server

Port Forwarding port

[ULDP only] UC Logs

Indicates whether the LogLogic® Universal Collector internal logs are sent to the remote LMI or not

[ULDP only] Comp.

Indicates whether the logs are compressed or not

Auth. Communication authenticated or not

Encrypt Communication encrypted or not

Buffer (MB) Buffer size in megabytes (100 MB - default value, 50 GB - maximum value)

[ULDP only] Sched.

Indicates whether the messages are sent to the server only during a specified time window

New Allows you to add new Forwardings to the list (Maximum 10)

Edit Allows you to edit Forwardings one by one

Copy Allows you to copy Forwardings to the list

Delete Allows you to delete Forwardings from the list

Copying a Forwarding

You can copy Forwardings one by one. The copied Forwardings keep the same configuration and the same name with the _Copy suffix.

Procedure

1. Select the Forwarding that you want to copy.

2. Click Copy. The new Forwarding is displayed in the Forwarding list. Double-click on the row to edit or modify the configuration.

By default, the Forwarding is linked with no Log Source.

Deleting a Forwarding

You can delete Forwardings one by one.

Procedure

1. Make sure that the Log sources linked to the Forwarding are removed or disabled.

2. Select a row from the list and click Delete. Click Yes to confirm. The list is automatically refreshed.

Monitoring LogLogic® Universal Collector Activities

A UCMon tool is also available to monitor the internal process of the LogLogic® Universal Collector.

This section provides instructions for quickly checking that LogLogic® Universal Collector is working properly, troubleshooting LogLogic® Universal Collector and the Forwarding connection configuration, and monitoring the activities of the different log sources.

Starting UCMon Tool

To start UCMon from LogLogic® Universal Collector Console

Procedure

● Open the LogLogic® Universal Collector Console and go to Manage Configuration > Monitor Active Configuration.

To start UCMon manually

Procedure

● Open the LogLogic® Universal Collector installation folder and launch the executable file located in the tools folder:

uc_monitor.exe (Windows) also available by clicking on the uc_monitor shortcut

uc_monitor (RHEL, SUSE)

The UCMon is displayed.

Summary Screen

Label Description

Uptime Time when the LogLogic® Universal Collector has been started

Current Time Current date and time are automatically refreshed

Totals for the UC

Collected Total number of collected messages for a given period of time

Between brackets, number of collected messages per second

Filtered Total number of filtered messages for a given period of time

Between brackets, number of filtered messages per second

To Buffer Total number of forwarded messages for a given period of time

Between brackets, number of forwarded messages per second

UC Mem Current memory used / Total memory (Java Heap Size)

Config Current configuration name

Forwarding Connections and Log Sources

All Forwarding Conn. Forwarding connection status

● Active: the Forwarding connection works correctly

● Idle: Forwarding connection is OK but the connection is NOT established

● Error: there is an error on the Forwarding connection

● Off: indicates when the Forwarding connection is not used

● Total: total number of enabled Forwarding connections

All Log Sources/Syslog/Windows Event Log/RTFile/Remote File

Log Sources status

● Active: the Log Sources are answering correctly

● Idle: Log Source not active at the moment

● Error: there is an error on the Log Source

● Off: indicates when a Log Source is inactive

● Total: total number of Log Sources

Interactive menu

< C > Changes the time value of the “Totals for UC” metrics.

Each time you enter C, the value switches as follows:

● current value

● 1 minute

● 5 minutes

● 15 minutes

● 24 hours

● time when the UCMon has been started

< M > Displays additional information

< 1 > Displays the Summary view

< 2 > Displays the Status view

< 3 > Displays the Metrics view

< 4 > Displays the Trend view

< 5 > Displays the Real Time view

< Q > Quit the UCMon tool

Status Screen

To switch between Log Sources and Forwarding connection views, press L.

Log Source Status

Label Description

Uptime Time when the LogLogic® Universal Collector has been started

Current Time Current date and time are automatically refreshed

Log Source: Name of the Log Source

Status Status of the current Log Source:

● Active: the connection is OK

● Err: the connection encountered an error

● Idle: the connection never received a message from the source, or nothing at all for 24 hours

● Off: a Log Source is inactive

Type Type of the Log Source: Win EL, RT File, Remote File or Syslog

Collection Connection parameters

● Win EL: Server IP or address

● Syslog: protocol/bound port

● RT File: Filename (no path)

● Remote: File path

Forwarding Connection Current Forwarding connections associated with the current Log Source

Interactive menu

1-n/n Scrolls the tables into view

< N >ext/< P >revious Displays the next or previous view of the list of Log Sources

< E >rr first Sort Log Source status by Error (ERR) or alphabetical order

< V >erbose mode Display additional information

< L >og Source/Forwarding Switch between Forwarding connections and Log Sources tables

< 1 > Displays the Summary view

< 2 > Displays the Status view

< 3 > Displays the Metrics view

< 4 > Displays the Trend view

< 5 > Displays the Real Time view

< Q > Quit the UCMon tool

Forwarding Connection Status

Label                    Description
Uptime                   Time at which the LogLogic® Universal Collector was started
Current Time             Current date and time, refreshed automatically
Forwarding Connection    Name of the Forwarding connection
Status                   Status of the current Forwarding connection:
                         ● Active: the connection is OK
                         ● Err: the connection encountered an error, or the spool may be full
                         ● Idle: no message transmitted from the source, or nothing for 24 hours
                         ● Off: the Forwarding connection is not used
Address                  IP address and port of the remote Forwarding connection
S C A E                  Current Forwarding connection settings:
                         ● S: Scheduled
                         ● C: Compression
                         ● A: Authentication
                         ● E: Encryption
Usage                    Spool load of the current Forwarding connection, in %

Interactive menu

Label                         Description
1-n/n                         Scrolls the tables into view
< N >ext/< P >revious         Displays the next or previous view of the list of Forwarding connections
< E >rr first                 Sorts the Log Sources by status (ERR first) or in alphabetical order
< V >erbose mode              Displays additional information
< L >og Source/Forwarding     Switches between the Forwarding connections and Log Sources tables
< 1 >                         Displays the Summary view
< 2 >                         Displays the Status view
< 3 >                         Displays the Metrics view
< 4 >                         Displays the Trend view
< 5 >                         Displays the Real Time view
< Q >                         Quits the UCMon tool

Metrics Screen

To switch between the Log Sources and Forwarding connection views, press L.

Log Source Metrics

Label                    Description
Uptime                   Time at which the LogLogic® Universal Collector was started
Current Time             Current date and time, refreshed automatically
Log Source               Name of the Log Source
Format                   Format of the displayed values (messages or mps)
Period                   Period over which the data are displayed (since uptime, 1 min, 5 min, 15 min, 24 h)
Sort                     Sorting order of the Log Sources: by name, or by values (descending)
Forwarding Connection    Forwarding connection currently associated with the Log Source
Collected                Total number of messages collected over the selected period
Filtered                 Total number of messages filtered over the selected period
To Buffer                Total number of messages forwarded over the selected period

Interactive menu

Label                         Description
1-n/n                         Scrolls the tables into view
< N >ext/< P >revious         Displays the next or previous view of the list of Log Sources
< F >ormat data               Switches between messages and messages per second
< L >og Source/Forwarding     Switches between the Forwarding connections and Log Sources tables
< C >ycle period              Cycles through the time periods (current, 1 min, 5 min, 15 min, 24 h, uptime)
< S >ort table                Sorts by collected values (descending) or by name
< 1 >                         Displays the Summary view
< 2 >                         Displays the Status view
< 3 >                         Displays the Metrics view
< 4 >                         Displays the Trend view
< 5 >                         Displays the Real Time view
< Q >                         Quits the UCMon tool

Forwarding Connection Metrics

Label                    Description
Uptime                   Time at which the LogLogic® Universal Collector was started
Current Time             Current date and time, refreshed automatically
Forwarding Connection    Name of the Forwarding connection
Format                   Format of the displayed values (messages or mps)
Period                   Period over which the data are displayed (since uptime, 1 min, 5 min, 15 min, 24 h)
Sort                     Sorting order of the Forwarding connections: by name, or by values (descending)
IN                       Input log rate
OUT                      Number of forwarded logs coming out of the spool
Usage                    Current spool load of the Forwarding connection

Interactive menu

Label                         Description
1-n/n                         Scrolls the tables into view
< N >ext/< P >revious         Displays the next or previous view of the list of Forwarding connections
< F >ormat data               Switches between messages and messages per second
< L >og Source/Forwarding     Switches between the Forwarding connections and Log Sources tables
< C >ycle period              Cycles through the time periods (current, 1 min, 5 min, 15 min, 24 h, uptime)
< S >ort table                Sorts by IN (descending) or by name
< 1 >                         Displays the Summary view
< 2 >                         Displays the Status view
< 3 >                         Displays the Metrics view
< 4 >                         Displays the Trend view
< 5 >                         Displays the Real Time view
< Q >                         Quits the UCMon tool

Trends Screen

To switch between the Log Sources and Forwarding connection views, press L.

Log Source Trends

Label                                        Description
Uptime                                       Time at which the LogLogic® Universal Collector was started
Current Time                                 Current date and time, refreshed automatically
Log Source                                   Name of the Log Source
Format                                       Format of the displayed values (messages or mps)
Display                                      Type of display. The possible values are:
                                             ● Collected
                                             ● Filtered
                                             ● Forwarded
Forwarding Conn.                             Name of the Forwarding connection
current, 1min, 5min, 1h, 24h, since uptime   Log rate over the different time periods:
                                             ● n/a: value not available

Interactive menu

Label                         Description
1-n/n                         Scrolls the tables into view
< N >ext/< P >revious         Displays the next or previous view of the list of Log Sources
< F >ormat data               Switches between messages and messages per second
< L >og Source/Forwarding     Switches between the Forwarding connections and Log Sources tables
< D >isplay                   Displays the values for the different probes:
                              Forwarding connection data type: IN or OUT
                              Log Source data type: Collected, Filtered or Forwarded
< 1 >                         Displays the Summary view
< 2 >                         Displays the Status view
< 3 >                         Displays the Metrics view
< 4 >                         Displays the Trend view
< 5 >                         Displays the Real Time view
< Q >                         Quits the UCMon tool

Forwarding Connection Trends

Label                                        Description
Uptime                                       Time at which the LogLogic® Universal Collector was started
Current Time                                 Current date and time, refreshed automatically
Forwarding Connection                        Name of the Forwarding connection
Format                                       Format of the displayed values (messages or mps)
Display                                      Type of display. The possible values are:
                                             ● IN
                                             ● OUT
current, 1min, 5min, 1h, 24h, since uptime   Log rate over the different time periods:
                                             ● n/a: value not available

Interactive menu

Label                         Description
1-n/n                         Scrolls the tables into view
< N >ext/< P >revious         Displays the next or previous Forwarding connection or Log Source
< F >ormat data               Switches between messages and messages per second
< L >og Source/Forwarding     Switches between the Forwarding connections and Log Sources tables
< D >isplay                   Displays the values for the different probes:
                              Forwarding connection data type: IN or OUT
                              Log Source data type: Collected, Filtered or Forwarded
< 1 >                         Displays the Summary view
< 2 >                         Displays the Status view
< 3 >                         Displays the Metrics view
< 4 >                         Displays the Trend view
< 5 >                         Displays the Real Time view
< Q >                         Quits the UCMon tool

RealTime Screen

To switch between the Log Sources and Forwarding connection views, press L.

Log Sources RealTime

Label                                        Description
Uptime                                       Time at which the LogLogic® Universal Collector was started
Current Time                                 Current date and time, refreshed automatically
Log Source                                   Name of the Log Source
Display                                      Type of display. The possible values are:
                                             ● Collected
                                             ● Filtered
                                             ● Forwarded
current, 1min, 5min, 1h, 24h, since uptime   Log rate over the different time periods:
                                             ● n/a: value not available

Interactive menu

Label                         Description
1-n/n                         Scrolls the tables into view
< N >ext/< P >revious         Displays the next or previous Forwarding connection or Log Source
< L >og Source/Forwarding     Switches between the Forwarding connections and Log Sources tables
< D >isplay                   Displays the values for the different probes:
                              Forwarding connection data type: IN or OUT
                              Log Source data type: Collected, Filtered or Forwarded
< 1 >                         Displays the Summary view
< 2 >                         Displays the Status view
< 3 >                         Displays the Metrics view
< 4 >                         Displays the Trend view
< 5 >                         Displays the Real Time view
< Q >                         Quits the UCMon tool

Forwarding Connection RealTime

Label                                        Description
Uptime                                       Time at which the LogLogic® Universal Collector was started
Current Time                                 Current date and time, refreshed automatically
Forwarding Connection                        Name of the Forwarding connection
Display                                      Type of display. The possible values are:
                                             ● IN
                                             ● OUT
current, 1min, 5min, 1h, 24h, since uptime   Log rate over the different time periods:
                                             ● n/a: value not available

Interactive menu

Label                         Description
1-n/n                         Scrolls the tables into view
< N >ext/< P >revious         Displays the next or previous Forwarding connection or Log Source
< L >og Source/Forwarding     Switches between the Forwarding connections and Log Sources tables
< D >isplay                   Displays the values for the different probes:
                              Forwarding connection data type: IN or OUT
                              Log Source data type: Collected, Filtered or Forwarded
< 1 >                         Displays the Summary view
< 2 >                         Displays the Status view
< 3 >                         Displays the Metrics view
< 4 >                         Displays the Trend view
< 5 >                         Displays the Real Time view
< Q >                         Quits the UCMon tool

Exporting the Collection Status

You can export the collection status to a .csv file.

Procedure

1. Open the LogLogic® Universal Collector Console.
2. On Manage Configuration, select Export Collection Status.
3. Browse to and select the folder in which to save your .csv file.
4. Enter a file name with a .csv extension.
5. Click Save.


Command Line Interface

The Command Line Interface (CLI) interacts with the local LogLogic® Universal Collector.

You can make a configuration active and reload the current configuration, check the current configuration, manage the security certificates, encrypt passwords, or import several Log Sources in a row.

To start a Command Line Interface, open a shell in the following path:

Operating System    CLI
Windows             C:\Program Files\LogLogic\Universal Collector\tools\
RHEL, SUSE          /opt/LogLogic/Universal_Collector/tools/

The extension of the file to execute in order to run the commands differs on each LogLogic® Universal Collector supported OS:

Windows: uc_*.bat
RHEL, SUSE: no extension

All the samples are given for RHEL and SUSE environments. For a Windows environment, use the same command with the *.bat extension.

cert_mgt Manage the Security Certificates

LogLogic® Universal Collector does not have to be started.

● Request for *.pem: cert_mgt request -pem <certfile> -csr <fileresult> -pwd <password>
● Request for *.ks: cert_mgt request -jks <file.ks> -pwd <password> -csr <fileresult.csr>
● Request for *.p12: cert_mgt request -p12 <file.p12> -pwd <password> -csr <fileresult.csr>
● Import for *.ks: cert_mgt import -jks <file.ks> -pwd <password> -cert <certToImport> -rootcert <rootcertificate>
● Import for *.p12: cert_mgt import -p12 <file.p12> -pwd <password> -cert <certToimport>
● Get help on the certificates: cert_mgt -h, cert_mgt request -h or cert_mgt import -h
● Get information on the tool version: cert_mgt -v <nameofconf>

uc_checkConf Check the Current Configuration

LogLogic® Universal Collector must be started.

● Indicate the validity of the configuration and display potential errors and warnings: uc_checkConf -ucc <nameofconf>
● Get help on the tool: uc_checkConf -h
● Indicate the port to connect to the UC: uc_checkConf -ucc <nameofconf> -p <portnumber>
● Get information on the tool version: uc_checkConf -v

uc_createLogSources Import and Create Several Log Sources at a Time

LogLogic® Universal Collector does not have to be started.

● Indicate the type of Log Sources to import (Windows Event Log, syslog, file, remote file): uc_createLogSources -t <windows, syslog, file, remotefile>
● Import a CSV file with Log Source information to create the Log Sources: uc_createLogSources -in <pathname>
● Indicate the *.ucc file to which the Log Source information is exported: uc_createLogSources -out <pathname>
● Force the command without any confirmation: uc_createLogSources -f

uc_decodePwd Decode Passwords for Windows Files

LogLogic® Universal Collector does not have to be started.

● Decode a password: /opt/LogLogic/UniversalCollector/tools/uc_decodePwd <passwordTodecode>

uc_encryptPwd Encrypt Passwords for Windows Files

LogLogic® Universal Collector does not have to be started.

● Encrypt a password: /opt/LogLogic/UniversalCollector/tools/uc_encryptPwd <passwordToencrypt>

uc_monitor UCMon Tool

LogLogic® Universal Collector does not have to be started.

● Indicate the LogLogic® Universal Collector port to which UCMon listens (if not the default port): /opt/LogLogic/UniversalCollector/tools/uc_monitor -p <portnumber>

uc_reload Reload Configuration

LogLogic® Universal Collector must be started.

This command updates the active configuration without stopping the whole process.

To update the current configuration, the command is:

For Windows: uc_reload.bat
For RHEL, SUSE: uc_reload

Example 1: You want to update the active configuration ‘conf1’.

Enter the command to apply a new configuration to the LogLogic® Universal Collector via the CLI located in <INSTALL_DIR>/tools.

\uc_reload.bat

The active configuration is updated.

Example 2: You want to check the impacted processes during an update of the configuration.

Enter the following command:

uc_reload.bat -dryrun -vb

● Reload the current configuration to apply changes: uc_reload

There is no need to enter the name of the configuration: the current configuration is the one that is automatically updated.

uc_saveActiveConfAs Save an Active Configuration

LogLogic® Universal Collector does not have to be started.

● Save the configuration currently in use: uc_saveActiveConfAs <pathname\confname.ucc>
● Force saving the configuration currently in use even if the file already exists: uc_saveActiveConfAs <pathname\confname.ucc> -f

uc_switchTo Make Configuration Active

LogLogic® Universal Collector must be started.

● Activate a LogLogic® Universal Collector configuration: uc_switchTo -ucc <nameofconf>
● Simulate the change of the active LogLogic® Universal Collector configuration; displays possible errors and warnings in the stored configuration and the changes between the active and stored configurations: uc_switchTo -ucc <nameofconf> -dryrun
● Get help on the Switch command: uc_switchTo -h
● Indicate the port to connect to the LogLogic® Universal Collector: uc_switchTo -ucc <nameofconf> -p <portnumber>
● Get information on the Switch version: uc_switchTo -v
● Activate a LogLogic® Universal Collector configuration and display verbose information: uc_switchTo -ucc <nameofconf> -vb

Switching from One Configuration to Another

It is possible to switch from one configuration to another one.

To apply a new configuration, the command is:

uc_switchTo.bat -ucc {myconf} (under Windows)
uc_switchTo -ucc {myconf} (under RHEL, SUSE)

In case of an error, the configuration switch is interrupted and the configuration error is logged in the uc.log file.

Example: You want to switch from the current configuration ‘conf1’ to ‘conf2’.

Enter the command to apply a new configuration to the LogLogic® Universal Collector via the CLI located in <INSTALL_DIR>/tools.

\uc_switchTo.bat -ucc c:\tmp\conf2

The current configuration is now ‘conf2’.

Checking the Impacted Processes

It is possible to check which Log Sources and Forwarding connections are impacted by the new configuration, without having to apply it.

To check the impact on the processes:

-dryrun gives information on the switch or the update of configurations
-dryrun -vb gives detailed information on the switch or the update of configurations

Example: You want to check the impacted processes during a switch of configurations.

Enter the following command:

uc_switchTo.bat -ucc {uc.conf.file}.ucc -dryrun -vb

You can obtain something like this:

3 configuration files checked
1 Log Source config updated
1 SYSLOG Log Source config updated
2 Forwarding connection updated (1 created, 1 removed)
1 LS Config Updated
============================================================
syslog.1 UPDATE
2 Forwarding Config Updated
============================================================
MyCuteLmi2 REMOVE
MyCuteLmi CREATE
WARNING data may not have been collected during the switch configuration operation,
the log sources [syslog.1] may have been impacted
WARNING data contained in Forwarding connection spool of [MyCuteLmi2] may have been
lost if remote Forwarding connection was not available
SUCCESS-[conf3] DryRun mode : No change has been applied to the running
configuration
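The dry-run report above is what an operator reads before applying a switch. As an added example (not part of the guide or the product), the following Python parses that report into the changed Log Sources and Forwarding connections, re-joins the wrapped WARNING lines, and lists every name the warnings mark as at risk of data loss, so the review can be scripted. The sample text is the guide's own output; the layout rules the parser relies on are assumptions drawn from that one sample.

```python
import re
from dataclasses import dataclass, field

# The dry-run report shown above, reproduced verbatim as the sample input.
SAMPLE_DRYRUN_OUTPUT = """\
3 configuration files checked
1 Log Source config updated
1 SYSLOG Log Source config updated
2 Forwarding connection updated (1 created, 1 removed)
1 LS Config Updated
============================================================
syslog.1 UPDATE
2 Forwarding Config Updated
============================================================
MyCuteLmi2 REMOVE
MyCuteLmi CREATE
WARNING data may not have been collected during the switch configuration operation,
the log sources [syslog.1] may have been impacted
WARNING data contained in Forwarding connection spool of [MyCuteLmi2] may have been
lost if remote Forwarding connection was not available
SUCCESS-[conf3] DryRun mode : No change has been applied to the running
configuration
"""

# Layout assumptions (taken from the sample): one "<name> <ACTION>" line per changed
# item, grouped under "LS Config Updated" / "Forwarding Config Updated" headings;
# WARNING lines may wrap and name the affected item in square brackets; the final
# SUCCESS/ERROR line carries the configuration name in square brackets.
ACTION_RE = re.compile(r"^(\S+)\s+(UPDATE|CREATE|REMOVE)$")
WARNING_RE = re.compile(r"WARNING\s+(.*?)(?=\nWARNING\b|\nSUCCESS\b|\nERROR\b|\Z)", re.S)
RESULT_RE = re.compile(r"^(SUCCESS|ERROR)-\[([^\]]+)\]", re.M)
BRACKETED_RE = re.compile(r"\[([^\]]+)\]")


@dataclass
class DryRunReport:
    configuration: str = ""
    success: bool = False
    log_source_changes: dict = field(default_factory=dict)  # name -> UPDATE/CREATE/REMOVE
    forwarding_changes: dict = field(default_factory=dict)  # name -> UPDATE/CREATE/REMOVE
    warnings: list = field(default_factory=list)            # each warning as one line
    impacted: set = field(default_factory=set)              # names cited by a WARNING


def parse_dryrun(output: str) -> DryRunReport:
    """Turn the text of 'uc_switchTo ... -dryrun -vb' into a DryRunReport."""
    report = DryRunReport()
    section = None  # which change table the "<name> <ACTION>" lines belong to
    for raw in output.splitlines():
        line = raw.strip()
        if line.endswith("LS Config Updated"):
            section = report.log_source_changes
            continue
        if line.endswith("Forwarding Config Updated"):
            section = report.forwarding_changes
            continue
        match = ACTION_RE.match(line)
        if match and section is not None:
            section[match.group(1)] = match.group(2)
    for match in WARNING_RE.finditer(output):
        text = " ".join(match.group(1).split())  # re-join the wrapped lines
        report.warnings.append(text)
        report.impacted.update(BRACKETED_RE.findall(text))
    result = RESULT_RE.search(output)
    if result:
        report.success = result.group(1) == "SUCCESS"
        report.configuration = result.group(2)
    return report


def data_loss_risks(report: DryRunReport) -> list:
    """Names to review before running the switch for real: everything a WARNING
    cites, plus any Forwarding connection being removed, whose spool is dropped if
    the remote side is unreachable (third case under Limitations)."""
    risks = set(report.impacted)
    risks.update(name for name, action in report.forwarding_changes.items()
                 if action == "REMOVE")
    return sorted(risks)


if __name__ == "__main__":
    rep = parse_dryrun(SAMPLE_DRYRUN_OUTPUT)
    print(f"[{rep.configuration}] dry run {'succeeded' if rep.success else 'FAILED'}")
    print("log sources:", rep.log_source_changes)
    print("forwarding: ", rep.forwarding_changes)
    for name in data_loss_risks(rep):
        print("review before switching:", name)
```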

Limitations

During a switch process, the following limitations may occur.

● First case: if you remove or update a Syslog Log Source, you may stop the flow and lose some data.
● Second case: if you switch a given Syslog Log Source from one Forwarding connection to another one, you may lose a few events. This behavior is rare, though.
● Third case: if you remove a Forwarding connection or modify the buffer size while the connection to the Forwarding connection is not available (for example, network failure), the Forwarding connection buffer will try to empty itself by sending the remaining data to the Forwarding connection. This will cause the loss of the buffer content during the time-out.


Sample Configuration Files

In the installation directory, the folder <config-samples> contains the templates you can copy to create a complete configuration manually without using the LogLogic® Universal Collector Console.

● sample-commented.ucc contains documented XML files.
● sample-lite.ucc contains XML files with the mandatory tags only, without documentation.
● sample.ucc contains XML files with all the tags, without documentation.

When you unzip one of them, you obtain:

● uc.xml file: allows the configuration of the LogLogic® Universal Collector's general information.
● log-sources sub-folder: contains documented templates to define a log source; this is what you can find under the Collection tab in the GUI.
● uldp sub-folder: contains documented templates to define the Forwarding connections; this is what you can find under the Forwarding tab or when editing a Forwarding Connection in the GUI.

UC Configuration uc.xml

You must unzip sample.ucc to display the uc.xml file, which contains the information you can find under the General Settings tab in the GUI.

<!-- This is the Universal Collector configuration file. The uc.xml file contains
     the Universal Collector general parameters. -->
<uc schemaVersion="2.0">
  <!-- Enter the UC configuration label. This value is mandatory -->
  <configurationName>sampleCommented</configurationName>
  <!-- Enter the UC domainName label. This value is not mandatory -->
  <domainName>sampleDomainName</domainName>
  <!-- Enter the port used by the UC to get information (for example, status, metrics,
       memory used...) via the CLI. Make sure this port is not already used. Otherwise the
       UC cannot work. -->
  <ucCommunicationPort>1099</ucCommunicationPort>
  <!-- If a Syslog Log Source is used, enter general information about the Syslog
       collection process -->
  <syslogCollection>
    <!-- Enter the TCP/UDP parameter and socket buffer size (in kilobytes) - this
         parameter applies to all the Syslog Log Sources associated to the UC -->
    <socketBufferSize>1024</socketBufferSize>
    <!-- UDP parameter and max packet size (in kilobytes) - this parameter applies to
         all the Syslog Log Sources associated to the UC -->
    <udpMaxPacketSize>8</udpMaxPacketSize>
  </syslogCollection>
</uc>


LMI Connection uldp-sampleCommented.uldp.xml

<!-- The LMI Connection Configuration file defines the properties for connecting the
     Universal Collector (UC) with an LMI server. Log source logs are sent from the UC to
     the LMI server.
     IMPORTANT: this file is linked with the LMI Connection Configuration files and
     its name must be composed of:
     - an ID, for example, uldp-sample
     - an extension, i.e. *.uldp.xml. -->
<uldpConnection schemaVersion="2.0">
  <!-- Enter the label of the LMI connection -->
  <name>Full_ULDP_File</name>
  <!-- Enter the information about the modification of the LMI connection -->
  <revision>
    <!-- Enter the version number of the current LMI Connection file -->
    <version>12</version>
    <!-- Enter the name of the LMI connection author -->
    <author>admin</author>
    <!-- Enter the date and time of the LMI connection creation -->
    <creationDate>2017-04-22T01:00:00-05:00</creationDate>
    <!-- Enter the name of the user who last modified the LMI connection -->
    <lastModifiedBy>admin</lastModifiedBy>
    <!-- Enter the date and time of the LMI connection last modification -->
    <lastModifiedDate>2017-04-22T01:00:00-05:00</lastModifiedDate>
  </revision>
  <!-- Enter the IPv4 / IPv6 address or host name of the LMI -->
  <address>192.198.12.16</address>
  <!-- Enter the LMI port (either encrypted or not).
       - 5515 for secured connection with LMI 5.6 or later
       - 5516 for connection with LMI 5.6 or later -->
  <port>5516</port>
  <!-- If the connection is slow, you can configure the logs to be compressed for a
       more rapid flow of data. Define whether the logs are compressed (true) or not (false
       - default value). -->
  <compression>true</compression>
  <!-- Define whether the logs are sent to the LMI during a certain period of time
       (true) - called a time window - or not (false - default value) -->
  <sendingWindow>true</sendingWindow>
  <!-- Define the beginning of the time window. If sendingWindow = true in the above
       parameter, define the time (hour and minute) when the event starts to be sent
       (default value = 22:00). -->
  <sendingWindowStart>22:00</sendingWindowStart>
  <!-- Define the end of the time window. If you set sendingWindow = true in the above
       parameter, define the time (hour and minute) when the event stops to be sent
       (default value = 05:00). -->
  <sendingWindowStop>05:00</sendingWindowStop>
  <!-- Define whether the communication is authenticated (true) or not (false -
       default value) -->
  <authentication>false</authentication>
  <!-- Define whether the communication is encrypted (true) or not (false - default
       value) -->
  <encryption>false</encryption>
  <!-- Enter the general LMI connection properties -->
  <uldpForwarder>
    <!-- If there are multiple network interfaces, enter the IP address that the UC uses
         when establishing the connection to LMI. -->
    <ucBindingIp>0.0.0.0</ucBindingIp>
    <!-- Enter the spooler size in megabytes (100 MB - default value, 50 GB - maximum
         value) -->
    <spoolerSize>100</spoolerSize>
    <!-- Enter the reconnection frequency to the LMI (in seconds) -->
    <reconnectionFrequency>60</reconnectionFrequency>
    <!-- Enter the session timeout to LMI (in seconds) -->
    <sessionTimeout>600</sessionTimeout>
    <!-- Define whether the UC internal logs are sent to the remote LMI (true) or not
         (false - default value) -->
    <internalUcLogs>false</internalUcLogs>
  </uldpForwarder>
</uldpConnection>

LMI Connection uldp-sampleCommentedAuthJks.uldp.xml

<!-- The LMI Connection file defines the properties for connecting the Universal
     Collector (UC) with an LMI server. Log source logs are sent from the UC to the LMI
     server.
     IMPORTANT: this file is linked with the LMI connection files and
     its name must be composed of:
     - an ID, for example, uldp-sample
     - an extension, i.e. *.uldp.xml.
-->
<uldpConnection schemaVersion="2.0">
  <!-- Enter the label of the LMI connection -->
  <name>Full_ULDP_File</name>
  <!-- Enter the information about the modification of the LMI connection -->
  <revision>
    <!-- Enter the version number of the current LMI connection -->
    <version>12</version>
    <!-- Enter the name of the LMI connection author -->
    <author>admin</author>
    <!-- Enter the date and time of the LMI connection creation -->
    <creationDate>2017-04-22T01:00:00-05:00</creationDate>
    <!-- Enter the name of the user who last modified the LMI connection -->
    <lastModifiedBy>admin</lastModifiedBy>
    <!-- Enter the date and time of the LMI connection last modification -->
    <lastModifiedDate>2017-04-22T01:00:00-05:00</lastModifiedDate>
  </revision>
  <!-- Enter the IPv4 / IPv6 address or host name of the LMI -->
  <address>192.198.12.16</address>
  <!-- Enter the LMI port (either encrypted or not).
       - 5515 for secured connection with LMI 5.6 or later
       - 5516 for connection with LMI 5.6 or later -->
  <port>5515</port>
  <!-- If the connection is slow, you can configure the logs to be compressed for a
       more rapid flow of data. Define whether the logs are compressed (true) or not (false
       - default value). -->
  <compression>true</compression>
  <!-- Define whether the logs are sent to the LMI during a certain period of time
       (true) - called a time window - or not (false - default value) -->
  <sendingWindow>true</sendingWindow>
  <!-- Define the beginning of the time window. If sendingWindow = true in the above
       parameter, define the time (hour and minute) when the event starts to be sent
       (default value = 22:00). -->
  <sendingWindowStart>22:00</sendingWindowStart>
  <!-- Define the end of the time window. If you set sendingWindow = true in the above
       parameter, define the time (hour and minute) when the event stops to be sent
       (default value = 05:00). -->
  <sendingWindowStop>05:00</sendingWindowStop>
  <!-- Define whether the communication is authenticated (true) or not (false -
       default value) -->
  <authentication>true</authentication>
  <!-- Define whether the communication is encrypted (true) or not (false - default
       value) -->
  <encryption>false</encryption>
  <!-- Define the options of the certificate used for LMI connection -->
  <certificate>
    <jks>
      <!-- Enter the filename where the UC Java keystore will be generated -->
      <jksFile>sample.jks</jksFile>
      <!-- Enter the UC Java keystore mandatory password you have encrypted with the UC
           password encryption tool, e.g. "LSKS9bw/t01FqNd4P3l3pgeOy/N/qqqlEzG+QC/kfDq0LVXTPVgziQ=="
           is the encrypted password for "jdoepassword". -->
      <password>LSKS9bw/t01FqNd4P3l3pgeOy/N/qqqlEzG+QC/kfDq0LVXTPVgziQ==</password>
      <!-- Define whether the UC internal logs are sent to the remote LMI (true) or not
           (false - default value) -->
      <internalUcLogs>false</internalUcLogs>
    </jks>
  </certificate>
</uldpConnection>
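The two samples above differ only in their port, authentication and encryption values, and those are the settings the UCMon Status screen summarises in its S C A E column. As an added example (not part of the guide or the product), the following Python reads a .uldp.xml file, derives that S C A E string, and reports combinations a reviewer would question, such as the port the samples' comments label as secured (5515) combined with encryption left false, which is what the AuthJks sample above contains. Assumptions: the sample XML is a constructed reduction of that file to the elements read here, "Scheduled" is taken to correspond to sendingWindow, and the finding codes are local to this example.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the uldp-sampleCommentedAuthJks.uldp.xml values shown above,
# reduced to the elements this check reads (spoolerSize borrowed from the first sample).
SAMPLE_ULDP_XML = """<uldpConnection schemaVersion="2.0">
  <name>Full_ULDP_File</name>
  <address>192.198.12.16</address>
  <port>5515</port>
  <compression>true</compression>
  <sendingWindow>true</sendingWindow>
  <sendingWindowStart>22:00</sendingWindowStart>
  <sendingWindowStop>05:00</sendingWindowStop>
  <authentication>true</authentication>
  <encryption>false</encryption>
  <uldpForwarder>
    <spoolerSize>100</spoolerSize>
  </uldpForwarder>
</uldpConnection>
"""

SECURED_PORT = 5515        # "secured connection" per the port comment in the samples
PLAIN_PORT = 5516          # plain connection per the same comment
MAX_SPOOL_MB = 50 * 1024   # 50 GB maximum stated in the spoolerSize comment
TIME_RE = re.compile(r"^(?:[01]\d|2[0-3]):[0-5]\d$")


def _text(root, tag, default=""):
    el = root.find(f".//{tag}")
    return el.text.strip() if el is not None and el.text else default


def _flag(root, tag):
    # Per the sample comments, every boolean defaults to false when absent.
    return _text(root, tag, "false").lower() == "true"


def scae_flags(xml_text: str) -> str:
    """The S C A E column of the UCMon Status screen: one letter per enabled setting,
    '-' for a disabled one. Scheduled is assumed to mean sendingWindow (assumption)."""
    root = ET.fromstring(xml_text)
    pairs = (("S", "sendingWindow"), ("C", "compression"),
             ("A", "authentication"), ("E", "encryption"))
    return "".join(letter if _flag(root, tag) else "-" for letter, tag in pairs)


def lint_uldp(xml_text: str) -> list:
    """Return '<CODE>: <message>' findings for settings a reviewer should question.
    The codes are local to this example, not product messages."""
    root = ET.fromstring(xml_text)
    findings = []
    encryption = _flag(root, "encryption")
    authentication = _flag(root, "authentication")
    port = int(_text(root, "port", "0") or 0)
    if not encryption:
        findings.append("ENCRYPTION_OFF: <encryption> is false, so the communication "
                        "with the LMI is not encrypted")
    if not authentication:
        findings.append("AUTH_OFF: <authentication> is false, so the communication "
                        "with the LMI is not authenticated")
    if port == SECURED_PORT and not encryption:
        findings.append(f"PORT_MISMATCH: port {SECURED_PORT} is the secured LMI port "
                        "but <encryption> is false")
    if port == PLAIN_PORT and encryption:
        findings.append(f"PORT_MISMATCH: port {PLAIN_PORT} is the plain LMI port "
                        "but <encryption> is true")
    spool = int(_text(root, "spoolerSize", "100") or 100)
    if not 1 <= spool <= MAX_SPOOL_MB:
        findings.append(f"SPOOL_SIZE: <spoolerSize> {spool} MB is outside "
                        f"1..{MAX_SPOOL_MB} MB")
    if _flag(root, "sendingWindow"):
        for tag in ("sendingWindowStart", "sendingWindowStop"):
            if not TIME_RE.match(_text(root, tag)):
                findings.append(f"WINDOW_INVALID: <{tag}> must be HH:MM when "
                                "<sendingWindow> is true")
    return findings


if __name__ == "__main__":
    print("S C A E:", " ".join(scae_flags(SAMPLE_ULDP_XML)))
    for finding in lint_uldp(SAMPLE_ULDP_XML):
        print(finding)
```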

LMI Connection uldp-sampleCommentedAuthPem.uldp.xml

<!-- The LMI Connection Configuration file defines the properties for connecting the

Universal Collector (UC) with an LMI server. Log source logs are sent from the UC to

the LMI server.

IMPORTANT: this file is linked with the LMI Connection Configuration files and

its name must be composed of:

- an ID, for example, uldp-sample

- an extension, i.e. *.uldp.xml.

-->

<uldpConnection schemaVersion="2.0">

<!-- Enter the label of the LMI connection -->

<name>Full_ULDP_File</name>

<!-- Enter the information about the modification of the LMI connection -->

<revision>

<!-- Enter the version number of the current LMI Connection Configuration file -->

<version>12</version>

<!-- Enter the name of the LMI connection author -->

<author>admin</author>

<!-- Enter the date and time of the LMI connection creation -->

<creationDate>2017-04-22T01:00:00-05:00</creationDate>

78

TIBCO LogLogic® Universal Collector User's Guide

Page 79: TIBCO LogLogic Universal Collector User's Guide · Enterprise Java Beans (EJB), Java Platform Enterprise Edition (Java EE), Java 2 Platform Enterprise Edition (J2EE), ... Edit a Real-Time

<!-- Enter the name of the user who last modified the LMI connection -->

<lastModifiedBy>admin</lastModifiedBy>

<!-- Enter the date and time of the LMI connection last modification -->

<lastModifiedDate>2017-04-22T01:00:00-05:00</lastModifiedDate>

</revision>

<!-- Enter the IPv4 / IPv6 address or host name of the LMI -->

<address>192.198.12.16</address>

<!-- Enter the LMI port (either encrypted or not).

- 5515 for secured connection LMI 5.6 or later

- 5516 for connection with LMI 5.6 or later -->

<port>5515</port>

<!-- If the connection is slow, you can configure the logs to be compressed for a

more rapid flow of data. Define whether the logs are compressed (true) or not (false

- default value). -->

<compression>true</compression>

<!-- Define whether the logs are sent to the LMI during a certain period of time

(true) - called a time window - or not (false - default value) -->

<sendingWindow>true</sendingWindow>

<!-- Define the beginning of the time window. If sendingWindow = true in the above

parameter, define the time (hour and minute) when the event starts to be sent

(default value = 22:00). -->

<sendingWindowStart>22:00</sendingWindowStart>

<!-- Define the end of the time window. If you set sendingWindow = true in the above

parameter, define the time (hour and minute) when the event stops to be sent

(default value = 05:00). -->

<sendingWindowStop>05:00</sendingWindowStop>

<!-- Define whether the communication is authenticated (true) or not (false -

default value) -->

<authentication>true</authentication>

<!-- Define whether the communication is encrypted (true) or not (false - default

value) -->

<encryption>false</encryption>

<!--Define the options of the certificate used for LMI connection-->

<certificate>

<!-- Define whether the UC internal logs are sent to the remote LMI (true) or not

(false - default value) -->

<internalUcLogs>false</internalUcLogs>

<pem>

<!-- Enter the filename of the UC private key stored in PEM format -->

<pemPrivKeyFile>pemPrivKeyFile</pemPrivKeyFile>


<!-- Enter the private key mandatory password you have encrypted with the UC

password encryption tool, e.g. "LSKS9bw/t01FqNd4P3l3pgeOy/N/qqqlEzG+QC/kfDq0LVXTPVgziQ==" is the encrypted password for "jdoepassword". -->

<password>LSKS9bw/t01FqNd4P3l3pgeOy/N/qqqlEzG+QC/kfDq0LVXTPVgziQ==</password>

<!-- Enter the filename of the UC certificate stored in PEM format -->

<pemCertFile>pemCertFile</pemCertFile>

<!-- Enter the filename of the root CA certificate stored in PEM format -->

<pemRootCertFile>pemRootCertFile</pemRootCertFile>

</pem>

</certificate>

</uldpConnection>

LMI Connection uldp-sampleCommentedAuthPks12.uldp.xml

<!-- The LMI Connection Configuration file defines the properties for connecting the

Universal Collector (UC) with an LMI server. Log source logs are sent from the UC to

the LMI server.

IMPORTANT: this file is linked with the LMI Connection Configuration files and

its name must be composed of:

- an ID, for example, uldp-sample

- an extension, i.e. *.uldp.xml.

-->

<uldpConnection schemaVersion="2.0">

<!-- Enter the label of the LMI connection -->

<name>Full_ULDP_File</name>

<!-- Enter the information about the modification of the LMI connection -->

<revision>

<!-- Enter the version number of the current LMI Connection Configuration file -->

<version>12</version>

<!-- Enter the name of the LMI connection author -->

<author>admin</author>

<!-- Enter the date and time of the LMI connection creation -->

<creationDate>2017-04-22T01:00:00-05:00</creationDate>

<!-- Enter the name of the user who last modified the LMI connection -->

<lastModifiedBy>admin</lastModifiedBy>

<!-- Enter the date and time of the LMI connection last modification -->

<lastModifiedDate>2017-04-22T01:00:00-05:00</lastModifiedDate>

</revision>

<!-- Enter the IPv4 / IPv6 address or host name of the LMI -->

<address>192.198.12.16</address>


<!-- Enter the LMI port (either encrypted or not).

- 5515 for secured connection LMI 5.6 or later

- 5516 for connection with LMI 5.6 or later -->

<port>5515</port>

<!-- If the connection is slow, you can configure the logs to be compressed for a

more rapid flow of data. Define whether the logs are compressed (true) or not (false

- default value). -->

<compression>true</compression>

<!-- Define whether the logs are sent to the LMI during a certain period of time

(true) - called a time window - or not (false - default value) -->

<sendingWindow>true</sendingWindow>

<!-- Define the beginning of the time window. If sendingWindow = true in the above

parameter, define the time (hour and minute) when the event starts to be sent

(default value = 22:00). -->

<sendingWindowStart>22:00</sendingWindowStart>

<!-- Define the end of the time window. If you set sendingWindow = true in the above

parameter, define the time (hour and minute) when the event stops to be sent

(default value = 05:00). -->

<sendingWindowStop>05:00</sendingWindowStop>

<!-- Define whether the communication is authenticated (true) or not (false -

default value) -->

<authentication>true</authentication>

<!-- Define whether the communication is encrypted (true) or not (false - default

value) -->

<encryption>false</encryption>

<!-- Define the options of the certificate used for LMI connection -->

<certificate>

<pkcs12>

<!-- Enter the UC PKCS#12 certificate's filename -->

<p12CertFile>p12CertFile</p12CertFile>

<!-- Enter the PKCS#12 certificate's mandatory password you have encrypted with the

UC password encryption tool, e.g. "LSKS9bw/t01FqNd4P3l3pgeOy/N/qqqlEzG+QC/kfDq0LVXTPVgziQ==" is the encrypted password for "jdoepassword". -->

<password>LSKS9bw/t01FqNd4P3l3pgeOy/N/qqqlEzG+QC/kfDq0LVXTPVgziQ==</password>

<!-- Enter the filename of the root CA certificate stored in PEM format -->

<pemRootCertFile>pemRootCertFile</pemRootCertFile>

<!-- Define whether the UC internal logs are sent to the remote LMI (true) or not

(false - default value) -->

<internalUcLogs>false</internalUcLogs>

</pkcs12>

</certificate>

</uldpConnection>
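The three commented LMI connection samples above (JKS, PEM and PKCS#12) share the same transport settings. The following added example, which is not part of the Universal Collector product, reads a *.uldp.xml document and reports settings that do not fit together: the port against the encryption flag (5515 secured, 5516 plain, per the sample comments), authentication without a single key-material block or without its encrypted password, and a sending window with malformed times. The embedded document, the placeholder password and the rule set are constructed for this example.

```python
"""Consistency checks for a UC LMI connection (*.uldp.xml) document."""
import re
import xml.etree.ElementTree as ET

SECURED_PORT = 5515   # "5515 for secured connection LMI 5.6 or later"
PLAIN_PORT = 5516     # "5516 for connection with LMI 5.6 or later"
HHMM_RE = re.compile(r"^([01]\d|2[0-3]):[0-5]\d$")

# Constructed sample document: PKCS#12 client authentication on the secured
# port, but with encryption left at false. The password is a placeholder,
# not output of the UC password encryption tool.
SAMPLE_ULDP_XML = """<uldpConnection schemaVersion="2.0">
  <name>Full_ULDP_File</name>
  <address>192.198.12.16</address>
  <port>5515</port>
  <compression>true</compression>
  <sendingWindow>true</sendingWindow>
  <sendingWindowStart>22:00</sendingWindowStart>
  <sendingWindowStop>05:00</sendingWindowStop>
  <authentication>true</authentication>
  <encryption>false</encryption>
  <certificate>
    <pkcs12>
      <p12CertFile>p12CertFile</p12CertFile>
      <password>PLACEHOLDER-ENCRYPTED-PASSWORD</password>
      <pemRootCertFile>pemRootCertFile</pemRootCertFile>
      <internalUcLogs>false</internalUcLogs>
    </pkcs12>
  </certificate>
</uldpConnection>"""


def _text(root, path, default=""):
    """Stripped text of the first element at path below root, or default."""
    node = root.find(path)
    return (node.text or "").strip() if node is not None else default


def _flag(root, tag):
    """Boolean elements in these files default to false when absent."""
    return _text(root, tag, "false").lower() == "true"


def lint_uldp_connection(xml_text):
    """Return a list of findings (empty when the settings fit together)."""
    root = ET.fromstring(xml_text)
    if root.tag != "uldpConnection":
        raise ValueError(f"not an LMI connection file: root is <{root.tag}>")
    findings = []
    port = int(_text(root, "port", "0"))
    auth, enc = _flag(root, "authentication"), _flag(root, "encryption")

    # The port must agree with the encryption flag.
    if enc and port != SECURED_PORT:
        findings.append(f"encryption=true but port {port} is not the secured port {SECURED_PORT}")
    if not enc and port == SECURED_PORT:
        findings.append(f"port {SECURED_PORT} is the secured port but encryption=false")
    if not enc and not auth:
        findings.append("logs leave the UC without authentication or encryption")
    elif auth and not enc:
        findings.append("authentication=true but encryption=false: log data is still sent in clear text")

    # Authentication needs exactly one key-material block, each with its password.
    cert = root.find("certificate")
    material = [c.tag for c in cert if c.tag in ("pem", "pkcs12", "jks")] if cert is not None else []
    if auth and len(material) != 1:
        findings.append(f"authentication=true needs exactly one of pem/pkcs12/jks, found {material}")
    for block in material:
        if not _text(root, f"certificate/{block}/password"):
            findings.append(f"{block}: mandatory encrypted password is empty")

    # A sending window needs two valid HH:MM values.
    if _flag(root, "sendingWindow"):
        for tag in ("sendingWindowStart", "sendingWindowStop"):
            if not HHMM_RE.match(_text(root, tag)):
                findings.append(f"{tag}={_text(root, tag)!r} is not a valid HH:MM time")
    return findings


if __name__ == "__main__":
    for finding in lint_uldp_connection(SAMPLE_ULDP_XML):
        print("WARNING:", finding)
```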


This file is located in <InstallFolder>\config-samples\.

You must unzip sample.ucc and open the log-sources folder.

Log Sources file-sampleCommented.ls.xml

<!-- This is the FILE Log Source configuration file.

The logs will be directly forwarded to the LMI appliance.

IMPORTANT: The file name must be composed of:

- an ID, for example, file-sample

- an extension, i.e. *.ls.xml.

-->

<!-- The Type refers to the type of Log Source. -->

<logsource type="file" schemaVersion="2.0">

<general>

<!-- Define whether the current Log Source is active (true - default value) or

inactive (false) -->

<active>true</active>

<!-- Enter the FILE configuration label -->

<name>ls-file-template</name>

<!-- Enter the FILE configuration description -->

<description>Comment of the ls-file-template</description>

<!-- Enter the modification of the FILE configuration -->

<revision>

<!-- Enter the current FILE configuration file version number -->

<version>12</version>

<!-- Enter the FILE file author's name -->

<author>admin</author>

<!-- Enter the name of the user who last modified the file -->

<lastModifiedBy>admin</lastModifiedBy>

<!-- Enter the date and time of the FILE creation -->

<creationDate>2017-01-20T01:00:00-01:00</creationDate>

<!-- Enter the FILE last modification date and time -->

<lastModifiedDate>2017-01-25T03:40:10-01:00</lastModifiedDate>

</revision>

</general>

<!-- Enter log forwarding information -->

<forwarding>

<!-- Enter the information about the LMI connection necessary to send logs from the

UC to the LMI server -->


<uldp>

<!-- Enter the LMI connection ID without the extension, e.g. uldp-sample -->

<connectionIds>

<connectionId>uldp-sampleCommented</connectionId>

</connectionIds>

<!-- Define whether the log message sent to the LMI server remains in a local time

zone (false - default value) or is converted into UTC (true) time zone -->

<timeInUtc>false</timeInUtc>

</uldp>

</forwarding>

<!-- Enter log collection information -->

<collection>

<!-- Enter the possible maximum length for the message (65000 - default value) -->

<maxLineLength>65000</maxLineLength>

<!-- Enter the data format, for example, UTF8 -->

<charsetName></charsetName>

<!-- Enter general information about the file where the logs are located-->

<fileName>

<!-- Enter the absolute path of the log file to collect. If the log file is rotated,

you may enter [id] or [date] in the filename.

For example, c:\temp\logFile[id].log to obtain file names such as logFile1.log or c:\temp\logFile[date].log to obtain file names such as logFile20110521.log -->

<absolutePath>c:\temp\logfile.log</absolutePath>

<!-- If you have entered [date] for the tag <absolutePath> above (e.g. c:\temp\logFile[date].log), you must set this parameter to true (false - default value) -->

<useDateRolling>false</useDateRolling>

<!-- If you have set the tag <useDateRolling> to true, you must enter a date format,

e.g. yyyyMMdd (see http://docs.oracle.com/javase/7/docs/api/java/text/SimpleDateFormat.html ) -->

<dateFormat>yyyyMMdd</dateFormat>

<!-- If you have entered [id] for the tag <absolutePath> above (e.g. c:\temp

\logFile[id].log), you must set this parameter to true (false - default value) -->

<useIdRolling>false</useIdRolling>

<!-- If you have set the tag <useIdRolling> to true, you must enter the number of

digits expected (1-9). UC can collect any file with an [id] whose number of digits

is between 1 and 9 inclusive.

E.g. If you set 5, the following [id] will be taken into account: 1, 054, 586,

00599, 78945, etc.-->

<nbDigit>2</nbDigit>

</fileName>

</collection>


<!-- Enter log processing information -->

<processing>

<!-- Define whether the single message has several lines -->

<multiLine>

<!-- Define whether the current multi-line function is active (true) or inactive

(false - default value) -->

<active>false</active>

<!-- Enter the type of multi-line logs: 'jboss' (default value), 'tomcat',

'weblogic', 'websphere' or 'custom' -->

<lineCombinerId>jboss</lineCombinerId>

<!-- If you set 'custom' in the <lineCombinerId> parameter above, you must set a

regular expression matching the header of the first line of a log -->

<userDefinedRegExp></userDefinedRegExp>

<!-- Enter whether you want the UC to send messages that do not match the Header

Regexp (true) or not (false - default value)-->

<keepHeadlessLog>false</keepHeadlessLog>

<!-- Enter the number of ms after which the multi-line logs are ready to be sent -->

<lineTimeout>3000</lineTimeout>

</multiLine>

<!-- Enter the name of the host used to pair logs on the LMI server -->

<hostname>customHostname.com</hostname>

<!-- Enter the name of the application used to pair logs on the LMI server -->

<appName>customApplicationName</appName>

</processing>

<!-- Enter log filtering information -->

<filter>

<!-- Enter a case insensitive regular expression to specify the messages to be

matched. E.g.

"packet accepted" means that all the lines containing packet accepted are filtered

"^64\.242" means that all the lines that are beginning exactly with 64.242 are

filtered

"846$" means that all the lines that are ending exactly with 846 are filtered -->

<messageFilter>packet accepted</messageFilter>

<!-- Define whether the matched messages are filtered (false - default value) or not

(true) -->

<matchAcceptedMessage>false</matchAcceptedMessage>

</filter>

<!-- Enter a tag to filter, sort and search for log sources. Tags are case

sensitive. -->

<tags>


<!-- You can enter as many tags as you need. The possible values are ._A-Za-z0-9 and

blank space. -->

<tag>sample</tag>

<tag>commented</tag>

</tags>

</logsource>
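The <fileName> block above decides which rotated files a FILE log source picks up. The following added example, not part of the Universal Collector, turns an <absolutePath> with its [id] and [date] placeholders, together with <useIdRolling>, <nbDigit>, <useDateRolling> and <dateFormat>, into a regular expression over file names and applies it to constructed candidates. The mapping of Java date-pattern letters to digit groups covers only yyyy, MM, dd, HH, mm and ss and is an assumption of this example.

```python
"""Resolve which file names a UC FILE log source's <fileName> block matches."""
import re

# Minimal SimpleDateFormat letter -> regex mapping (assumption of this example).
_DATE_TOKENS = {"yyyy": r"\d{4}", "MM": r"\d{2}", "dd": r"\d{2}",
                "HH": r"\d{2}", "mm": r"\d{2}", "ss": r"\d{2}"}


def date_format_regex(date_format):
    """Translate e.g. 'yyyyMMdd' into a regex; other characters are literal."""
    out, i = [], 0
    while i < len(date_format):
        for token in sorted(_DATE_TOKENS, key=len, reverse=True):
            if date_format.startswith(token, i):
                out.append(_DATE_TOKENS[token])
                i += len(token)
                break
        else:
            out.append(re.escape(date_format[i]))
            i += 1
    return "".join(out)


def filename_regex(absolute_path, use_id_rolling=False, nb_digit=2,
                   use_date_rolling=False, date_format="yyyyMMdd"):
    """Compile a regex over the base file name for one <fileName> block.

    [id] accepts 1 to nbDigit digits (the sample comment: nbDigit=5 takes
    1, 054, 586, 00599 and 78945); [date] accepts the dateFormat. A
    placeholder is only expanded when its use*Rolling flag is true, as the
    sample comments require; otherwise it is matched literally.
    """
    if not 1 <= nb_digit <= 9:
        raise ValueError("nbDigit must be between 1 and 9")
    base = re.split(r"[\\/]", absolute_path)[-1]   # Windows or POSIX separators
    parts = []
    for piece in re.split(r"(\[id\]|\[date\])", base):
        if piece == "[id]" and use_id_rolling:
            parts.append(r"\d{1,%d}" % nb_digit)
        elif piece == "[date]" and use_date_rolling:
            parts.append(date_format_regex(date_format))
        else:
            parts.append(re.escape(piece))
    return re.compile("^" + "".join(parts) + "$")


def matching_files(absolute_path, candidates, **rolling):
    """Return the candidate base names the log source would collect."""
    rx = filename_regex(absolute_path, **rolling)
    return [name for name in candidates if rx.match(name)]


if __name__ == "__main__":
    # Constructed directory listing for the sample's c:\temp\logFile[id].log.
    listing = ["logFile1.log", "logFile054.log", "logFile00599.log",
               "logFile123456.log", "logFile.log", "other.log"]
    print(matching_files(r"c:\temp\logFile[id].log", listing,
                         use_id_rolling=True, nb_digit=5))
```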

Log Sources syslog-sampleCommented.ls.xml

<!-- This is the SYSLOG Log Source configuration file.

The source of logs to be forwarded is a SYSLOG message.

IMPORTANT: The file name must be composed of:

- an ID, for example, syslog-sample

- an extension, i.e. *.ls.xml.

-->

<!-- The Type refers to the type of Log Source. -->

<logsource type="syslog" schemaVersion="2.0">

<general>

<!-- Define whether the current Log Source is active (true - default value) or

inactive (false) -->

<active>true</active>

<!-- Enter the SYSLOG configuration label -->

<name>ls-syslog-template</name>

<!-- Enter the SYSLOG file description information -->

<description>Comment of the ls-syslog-template</description>

<!-- Enter the information about the modification of the SYSLOG configuration -->

<revision>

<!-- Enter the SYSLOG file author's name -->

<author>admin</author>

<!-- Enter the name of the user who last modified the SYSLOG file -->

<lastModifiedBy>admin</lastModifiedBy>

<!-- Enter the date and time of the SYSLOG file creation -->

<creationDate>2017-01-20T01:00:00-01:00</creationDate>

<!-- Enter the SYSLOG file last modification date and time -->

<lastModifiedDate>2017-01-25T03:40:10-01:00</lastModifiedDate>

</revision>

</general>

<!-- Enter log forwarding information -->

<forwarding>


<!-- Enter the information about the LMI connection necessary to send logs from the

UC to the LMI server -->

<uldp>

<!-- Enter the LMI connection ID without the extension, e.g. uldp-sample -->

<connectionIds>

<connectionId>uldp-sample</connectionId>

</connectionIds>

<!-- Define whether the log message sent to the LMI server remains in a local time

zone (false - default value) or is converted into UTC (true) time zone -->

<timeInUtc>false</timeInUtc>

</uldp>

</forwarding>

<!-- Enter log collection information -->

<collection>

<!-- If there are multiple network interfaces, enter the IP address to listen to the

logs. Otherwise, all the IP addresses are listened to. -->

<ip>0.0.0.0</ip>

<!-- Enter the port to listen to logs -->

<port>514</port>

<!-- Define whether the Log Source uses the udp (default value) or tcp SYSLOG

protocol. Attention: 'udp' or 'tcp' must be in lower case -->

<protocol>udp</protocol>

</collection>

<!-- Enter log filtering information -->

<filter>

<!-- Enter the minimum accepted severity (see RFC 3164) -->

<severity>6</severity>

<!-- Enter the accepted facilities (see RFC 3164)

To indicate what are the facilities to be accepted:

- use a '-' to indicate a range, e.g. 0-22

- use a ';' to indicate the exact facilities, e.g. 1;8;23

- use '-' and ';' to indicate the exact facilities and a range, e.g. 1;8-23

Note: 0-23 is the default value-->

<facilities>0-23</facilities>

<!-- Enter the regular expression to filter the accepted source host. All the logs

from all the IP addresses are collected if .* (default value) is set. -->

<sourceIp>.*</sourceIp>

</filter>

<!-- Enter a tag to filter, sort and search for log sources. Tags are case

sensitive. -->


<tags>

<!-- You can enter as many tags as you need. The possible values are ._A-Za-z0-9 and

blank space. -->

<tag>sample</tag>

<tag>commented</tag>

</tags>

</logsource>
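The SYSLOG log source's <filter> block above combines a minimum severity, a facility specification written with '-' ranges and ';' lists, and a source-IP regular expression. The following added example, not Universal Collector code, parses the RFC 3164 PRI of incoming messages into facility and severity and applies those three filters to constructed sample traffic. Reading "minimum accepted severity" as "numeric severity at most the configured value" (so <severity>6</severity> drops debug messages) and matching the source IP against the whole address are assumptions of this example.

```python
"""Apply a UC SYSLOG log source <filter> block to incoming messages."""
import re

PRI_RE = re.compile(r"^<(\d{1,3})>")

# Constructed sample traffic: (source IP, raw syslog message).
SAMPLE_MESSAGES = [
    ("10.0.0.5", "<34>Jan 25 03:40:10 fw1 kernel: packet dropped"),     # auth (4), critical (2)
    ("10.0.0.5", "<15>Jan 25 03:40:11 fw1 app: verbose trace"),         # user (1), debug (7)
    ("10.0.0.7", "<190>Jan 25 03:40:12 app2 svc: started"),             # local7 (23), info (6)
    ("192.168.1.9", "<14>Jan 25 03:40:13 lab1 sshd: session opened"),   # user (1), info (6)
    ("10.0.0.7", "Jan 25 03:40:14 app2 svc: message without PRI"),      # defaults to 1 / 5
]


def parse_facilities(spec):
    """'0-22' -> 0..22, '1;8;23' -> {1, 8, 23}, '1;8-23' -> {1} plus 8..23."""
    accepted = set()
    for item in spec.split(";"):
        item = item.strip()
        if not item:
            continue
        if "-" in item:
            lo, hi = (int(x) for x in item.split("-", 1))
            if not 0 <= lo <= hi <= 23:
                raise ValueError(f"bad facility range {item!r}")
            accepted.update(range(lo, hi + 1))
        else:
            fac = int(item)
            if not 0 <= fac <= 23:
                raise ValueError(f"bad facility {item!r}")
            accepted.add(fac)
    return accepted


def split_pri(message):
    """(facility, severity) from the leading <PRI>; PRI = facility * 8 + severity.
    A message with no PRI gets facility 1 / severity 5, the RFC 3164 default."""
    m = PRI_RE.match(message)
    if not m:
        return 1, 5
    pri = int(m.group(1))
    if pri > 191:
        raise ValueError(f"PRI {pri} out of range")
    return divmod(pri, 8)


def accept(message, source_ip, severity=6, facilities="0-23", source_ip_regex=".*"):
    """True when the message passes the <severity>, <facilities> and <sourceIp> filters."""
    fac, sev = split_pri(message)
    if sev > int(severity):            # numerically larger = less severe
        return False
    if fac not in parse_facilities(facilities):
        return False
    return re.fullmatch(source_ip_regex, source_ip) is not None


def filter_messages(messages=SAMPLE_MESSAGES, **filter_block):
    """Messages the log source would forward for a given <filter> block."""
    return [msg for ip, msg in messages if accept(msg, ip, **filter_block)]


if __name__ == "__main__":
    # The sample's own filter: severity 6, facilities 0-23, sourceIp .*
    for msg in filter_messages(severity=6, facilities="0-23", source_ip_regex=".*"):
        print(msg)
```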

Log Sources wmi-sampleCommented.ls.xml

<!-- This is the WEL Log Source configuration file.

All the events about the machine’s Windows journals will be forwarded.

IMPORTANT: The file name must be composed of:

- an ID, for example, wmi-sample

- an extension, i.e. *.ls.xml.-->

<!-- The Type refers to the type of Log Source. -->

<logsource type="wmi" schemaVersion="2.0">

<general>

<!-- Define whether the current Log Source is active (true - default value) or

inactive (false) -->

<active>true</active>

<!-- Enter the WEL configuration label -->

<name>ls-win-template</name>

<!-- Enter the WEL configuration file description -->

<description>Comment of the ls-win-template</description>

<!-- Enter the modification of the WEL configuration -->

<revision>

<!-- Enter the current WEL configuration file version number -->

<version>12</version>

<!-- Enter the WEL file author's name -->

<author>admin</author>

<!-- Enter the name of the user who last modified the WEL file -->

<lastModifiedBy>admin</lastModifiedBy>

<!-- Enter the date and time of the WEL file creation -->

<creationDate>2017-01-20T01:00:00-01:00</creationDate>

<!-- Enter the WEL file last modification date and time -->

<lastModifiedDate>2017-01-25T03:40:10-01:00</lastModifiedDate>

</revision>

</general>


<!-- Enter log forwarding information -->

<forwarding>

<!-- Enter the information about the LMI connection necessary to send logs from the

UC to the LMI server -->

<uldp>

<!-- Enter the LMI connection ID without the extension, e.g. uldp-sample -->

<connectionIds>

<connectionId>uldp-sampleCommented</connectionId>

</connectionIds>

<!-- Define whether the log message sent to the LMI server remains in a local time

zone (false - default value) or is converted into UTC (true) time zone -->

<timeInUtc>false</timeInUtc>

</uldp>

</forwarding>

<!-- Enter log collection information -->

<collection>

<!-- Enter the domain name to access the Windows server -->

<domain>domain.company</domain>

<!-- Enter the IP address to connect to the Windows server. For local collection,

enter only a dot. -->

<address>192.168.2.1</address>

<!-- Enter the login to connect to the Windows server -->

<login>jdoe</login>

<!-- To connect to the Windows server, enter the password you have encrypted with

the UC password encryption tool, for example, "LSKS9bw/t01FqNd4P3l3pgeOy/N/qqqlEzG+QC/kfDq0LVXTPVgziQ==" is the encrypted password for "jdoepassword". -->

<password>LSKS9bw/t01FqNd4P3l3pgeOy/N/qqqlEzG+QC/kfDq0LVXTPVgziQ==</password>

<!-- Enter the time period (in seconds) after which the UC checks for new Windows

events (10 - default value)-->

<pollingPeriod>10</pollingPeriod>

</collection>

<!-- Enter filtering information -->

<filter>

<!-- Define the WEL journals to include. It can be either:

- all journals = all (default value)

- only the journals that are specified in the <journalList> block = only

- all journals except those specified in the <journalList> block = all_except-->

<includeJournal>only</includeJournal>

<!-- Define the list of journals to include or exclude. Note that the journal name

is case sensitive. -->


<journalList>

<journal>Security</journal>

<journal>Application</journal>

</journalList>

<!-- Enter the regular expression to filter the WEL event ID. All the logs are

collected if .* (default value) is set.-->

<eventIdFilter>.*</eventIdFilter>

<!-- Enter the regular expression to filter Windows journal messages on the source

field. All the logs are collected if .* (default value) is set. -->

<sourceFilter>.*</sourceFilter>

<!-- Enter the filter operator for the <eventIdFilter> and <sourceFilter> tags. It

can be either:

- both filters: and (default value)

- only one: or

-->

<filterOperator>and</filterOperator>

</filter>

<!-- Enter a tag to filter, sort and search for log sources. Tags are case

sensitive. -->

<tags>

<!-- You can enter as many tags as you need. The possible values are ._A-Za-z0-9 and

blank space. -->

<tag>sample</tag>

<tag>commented</tag>

</tags>

</logsource>
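The WEL log source's <filter> block above selects journals with <includeJournal> (all, only, all_except) plus <journalList>, and then combines <eventIdFilter> and <sourceFilter> with <filterOperator>. The following added example, not Universal Collector code, models those rules and runs them over a few constructed Windows events; matching each regular expression against the whole event ID or source string is an assumption of this example.

```python
"""Evaluate a UC WEL (type="wmi") log source <filter> block against events."""
import re


class WelFilter:
    def __init__(self, include_journal="all", journal_list=(),
                 event_id_filter=".*", source_filter=".*", filter_operator="and"):
        if include_journal not in ("all", "only", "all_except"):
            raise ValueError(f"unknown includeJournal value {include_journal!r}")
        if filter_operator not in ("and", "or"):
            raise ValueError(f"unknown filterOperator value {filter_operator!r}")
        self.include_journal = include_journal
        self.journals = set(journal_list)          # journal names are case sensitive
        self.event_id_re = re.compile(event_id_filter)
        self.source_re = re.compile(source_filter)
        self.filter_operator = filter_operator

    def journal_included(self, journal):
        """<includeJournal> semantics from the sample comment."""
        if self.include_journal == "all":
            return True
        if self.include_journal == "only":
            return journal in self.journals
        return journal not in self.journals        # all_except

    def accepts(self, journal, event_id, source):
        """True when the journal is included and the two regex filters, combined
        with <filterOperator>, accept the event."""
        if not self.journal_included(journal):
            return False
        id_ok = self.event_id_re.fullmatch(str(event_id)) is not None
        src_ok = self.source_re.fullmatch(source) is not None
        if self.filter_operator == "and":
            return id_ok and src_ok
        return id_ok or src_ok


# Constructed sample events: (journal, event ID, source)
SAMPLE_EVENTS = [
    ("Security", 4624, "Microsoft-Windows-Security-Auditing"),
    ("Security", 4625, "Microsoft-Windows-Security-Auditing"),
    ("Application", 1000, "Application Error"),
    ("System", 7036, "Service Control Manager"),
]


def select_events(wel_filter, events=SAMPLE_EVENTS):
    """Events that the given filter lets through, in input order."""
    return [event for event in events if wel_filter.accepts(*event)]


if __name__ == "__main__":
    # The sample file's filter: only Security and Application, .* / .* with 'and'.
    sample_filter = WelFilter("only", ["Security", "Application"])
    for event in select_events(sample_filter):
        print(event)
```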


Regular Expressions

Regular expressions provide a concise and flexible means for “matching” (specifying and recognizing) strings of text, such as particular characters, words, or patterns of characters. They are used when you configure Log Sources.

Construct Matches

Characters

x The character x

\\ The backslash character

\0n The character with octal value 0n (0 <= n <= 7)

\0nn The character with octal value 0nn (0 <= n <= 7)

\0mnn The character with octal value 0mnn (0 <= m <= 3, 0 <= n <= 7)

\xhh The character with hexadecimal value 0xhh

\uhhhh The character with hexadecimal value 0xhhhh

\t The tab character ('\u0009')

\n The newline (line feed) character ('\u000A')

\r The carriage-return character ('\u000D')

\f The form-feed character ('\u000C')

\a The alert (bell) character ('\u0007')

\e The escape character ('\u001B')

\cx The control character corresponding to x

Character classes

[abc] a, b, or c (simple class)

[^abc] Any character except a, b, or c (negation)

[a-zA-Z] a through z or A through Z, inclusive (range)

[a-d[m-p]] a through d, or m through p: [a-dm-p] (union)

[a-z&&[def]] d, e, or f (intersection)

[a-z&&[^bc]] a through z, except for b and c: [ad-z] (subtraction)


[a-z&&[^m-p]] a through z, and not m through p: [a-lq-z] (subtraction)

Predefined character classes

. Any character (may or may not match line terminators)

\d A digit: [0-9]

\D A non-digit: [^0-9]

\s A whitespace character: [\t\n\x0B\f\r]

\S A non-whitespace character: [^\s]

\w A word character: [a-zA-Z_0-9]

\W A non-word character: [^\w]

POSIX character classes (US-ASCII only)

\p{Lower} A lower-case alphabetic character: [a-z]

\p{Upper} An upper-case alphabetic character: [A-Z]

\p{ASCII} All ASCII: [\x00-\x7F]

\p{Alpha} An alphabetic character: [\p{Lower}\p{Upper}]

\p{Digit} A decimal digit: [0-9]

\p{Alnum} An alphanumeric character: [\p{Alpha}\p{Digit}]

\p{Punct} Punctuation: One of !"#$%&'()*+,-./:;<=>?@[\]^_`{|}~

\p{Graph} A visible character: [\p{Alnum}\p{Punct}]

\p{Print} A printable character: [\p{Graph}]

\p{Blank} A space or a tab: [ \t]

\p{Cntrl} A control character: [\x00-\x1F\x7F]

\p{XDigit} A hexadecimal digit: [0-9a-fA-F]

\p{Space} A whitespace character: [\t\n\x0B\f\r]

Classes for Unicode blocks and categories

\p{InGreek} A character in the Greek block (simple block)

\p{Lu} An uppercase letter (simple category)


\p{Sc} A currency symbol

\P{InGreek} Any character except one in the Greek block (negation)

[\p{L}&&[^\p{Lu}]] Any letter except an uppercase letter (subtraction)

Boundary matchers

^ The beginning of a line

$ The end of a line

\b A word boundary

\B A non-word boundary

\A The beginning of the input

\G The end of the previous match

\Z The end of the input except for the final terminator, if any

\z The end of the input

Greedy quantifiers

X? X, once or not at all

X* X, zero or more times

X+ X, one or more times

X{n} X, exactly n times

X{n,} X, at least n times

X{n,m} X, at least n but not more than m times

Reluctant quantifiers

X?? X, once or not at all

X*? X, zero or more times

X+? X, one or more times

X{n}? X, exactly n times

X{n,}? X, at least n times


X{n,m}? X, at least n but not more than m times

Possessive quantifiers

X?+ X, once or not at all

X*+ X, zero or more times

X++ X, one or more times

X{n}+ X, exactly n times

X{n,}+ X, at least n times

X{n,m}+ X, at least n but not more than m times

Logical operators

XY X followed by Y

X|Y Either X or Y

(X) X, as a capturing group

Back references

\n Whatever the nth capturing group matched

Quotation

\ Nothing, but quotes the subsequent character

\Q Nothing, but quotes all characters until \E

\E Nothing, but ends a quote started by \Q

Special constructs (non-capturing)

(?:X) X, as a non-capturing group

(?idmsux-idmsux) Nothing, but turns match flags on - off

(?idmsux-idmsux:X) X, as a non-capturing group with the given flags on - off

(?=X) X, via zero-width positive look ahead

(?!X) X, via zero-width negative look ahead

(?<=X) X, via zero-width positive look behind


(?<!X) X, via zero-width negative look behind

(?>X) X, as an independent, non-capturing group


Event Output Format

LogLogic® Universal Collector collects Windows Event logs and forwards them in Snare over syslog format.

For details about the Snare over Syslog format, see http://wiki.rsyslog.com/index.php/Snare_and_rsyslog.

Snare over Syslog format:

<SYSLOGNUM>CurrentDate<SPACE>HostName<SPACE>MSWinEventLog<TAB>Criticality<TAB>Criticality<TAB>Security<TAB>SnareCounter<TAB>SubmitTime<TAB>EventID<TAB>SourceName<TAB>UserName<TAB>SIDType<TAB>EventLogType<TAB>ComputerName<TAB>CategoryString<TAB>DataString<TAB>ExpandedString<TAB>MD5 checksum (optional)

The following table describes the differences between data elements passed in a typical Snare format vs Snare over Syslog format:

Field | Snare format | Snare over Syslog format | Description

ID | | <SYSLOGNUM> | The <SYSLOGNUM> is the appropriate numeric syslog facility/priority combination for the objective, as defined in the Snare configuration.

Date and Time | | CurrentDate | The CurrentDate is the syslog timestamp.

Host name | HostName | | The assigned host name of the machine or the override value entered using the Snare front.

| | HostName | The host name for syslog is the syslog IP address.

Event Log Type | MSWinEventLog | MSWinEventLog | Fixed value of 'MSWinEventLog'.

Criticality | Criticality | Criticality | This is determined by the Alert level given to the objective by the user and is a number between 0 and 4. LogLogic® Universal Collector uses a fixed value of 0.

SourceName | EventLogSource | EventLogSource | This is the Windows Event Log from which the event record was derived. In the above example, the event record was derived from the 'security' event log.

Snare Event Counter | SnareCounter | SnareCounter | SnareCounter is a sequential event counter, designed to assist the process of determining delivery percentages when using non-guaranteed transmission protocols. GlobalCounter has the same meaning as SnareCounter. LogLogic® Universal Collector uses a fixed value of 0.

DateTime | SubmitTime | SubmitTime | This is the date/time stamp of the event record. LogLogic® Universal Collector uses the UTC format.

EventID | EventID | EventID | This is the Windows Event ID.

SourceName | SourceName | SourceName | This is the Windows Event Log from which the event record was derived. In the above example, the event record was derived from the 'security' event log.

UserName | UserName | UserName | This is the Windows user name.

SIDType | SIDType | SIDType | This is the type of SID used.

EventLogType | EventLogType | EventLogType | This can be any one of 'Success Audit', 'Failure Audit', 'Error', 'Information', or 'Warning'.

ComputerName | ComputerName | ComputerName | This is the Windows computer name.

CategoryString | Category | Category | This is the category of audit event, as detailed by the Windows event logging system.

DataString | Data | Data | This contains the data strings.

ExpandedString | Expanded | EventRecordID | This contains the expanded data strings. In LogLogic® Universal Collector, it contains the event record ID.

MD5 Checksum | MD5Checksum | <Optional> | An MD5 checksum of the event can optionally be included with each event sent over the network by the Snare for Windows Agent. Note that the application that evaluates each record will need to strip the final delimiter, plus the checksum, prior to evaluating the event.

Snare over Syslog format is slightly different from the regular Snare format.

The regular Snare format is shown below for reference:

HostName<TAB>MSWinEventLog<TAB>Criticality<TAB>EventLogSource<TAB>SnareCounter<TAB>SubmitTime<TAB>EventID<TAB>SourceName<TAB>UserName<TAB>SIDType<TAB>EventLogType<TAB>ComputerName<TAB>CategoryString<TAB>DataString<TAB>ExpandedString<TAB>MD5 checksum (optional)
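A consumer of the forwarded events has to split both layouts shown above. The following added example, not Universal Collector code, parses a Snare over Syslog line (syslog PRI, CurrentDate and HostName ahead of the fixed MSWinEventLog marker) and a plain Snare line into named fields, splits off the optional trailing MD5 checksum as the table says the consuming application must, and runs a small check over the result. Field order follows the table above (one Criticality field, then the event log the record came from, such as Security); the event lines are constructed samples.

```python
"""Parse Windows events forwarded in Snare over Syslog or plain Snare format."""
import re

# Tab-separated fields that follow the MSWinEventLog marker, per the field table.
TAB_FIELDS = ["Criticality", "EventLogSource", "SnareCounter", "SubmitTime",
              "EventID", "SourceName", "UserName", "SIDType", "EventLogType",
              "ComputerName", "CategoryString", "DataString", "ExpandedString"]
MARKER = "MSWinEventLog"
PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)

# Constructed sample events (UC sends Criticality and SnareCounter as 0, a UTC
# SubmitTime and the event record ID in ExpandedString, per the table).
SNARE_OVER_SYSLOG = ("<13>Jan 25 03:40:10 uc-host MSWinEventLog\t0\tSecurity\t0\t"
                     "2017-01-25 03:40:10 UTC\t4624\tMicrosoft-Windows-Security-Auditing\t"
                     "jdoe\tUser\tSuccess Audit\tWIN-SRV01\tLogon\t"
                     "An account was successfully logged on.\t123456")
PLAIN_SNARE = ("uc-host\tMSWinEventLog\t0\tSecurity\t0\t2017-01-25 03:40:10 UTC\t4625\t"
               "Microsoft-Windows-Security-Auditing\tjdoe\tUser\tFailure Audit\t"
               "WIN-SRV01\tLogon\tAn account failed to log on.\t123457")


def parse_snare(line):
    """Return a dict of the event's fields; raise ValueError on a malformed line."""
    event = {}
    if line.startswith("<"):
        # Snare over Syslog: <PRI>CurrentDate<SPACE>HostName<SPACE>MSWinEventLog<TAB>...
        m = PRI_RE.match(line)
        if not m:
            raise ValueError("malformed syslog PRI")
        event["Facility"], event["Severity"] = divmod(int(m.group(1)), 8)
        head, sep, tail = m.group(2).partition(" " + MARKER + "\t")
        if not sep:
            raise ValueError("MSWinEventLog marker not found")
        # The syslog timestamp itself contains spaces; the host is the last token.
        current_date, _, host = head.rpartition(" ")
        if not current_date:
            raise ValueError("missing CurrentDate or HostName")
        event["CurrentDate"], event["HostName"] = current_date, host
    else:
        # Plain Snare: HostName<TAB>MSWinEventLog<TAB>...
        host, sep, tail = line.partition("\t" + MARKER + "\t")
        if not sep:
            raise ValueError("MSWinEventLog marker not found")
        event["HostName"] = host
    values = tail.rstrip("\r\n").split("\t")
    # The optional checksum is one extra trailing field; strip it before evaluating.
    event["MD5Checksum"] = values.pop() if len(values) == len(TAB_FIELDS) + 1 else None
    if len(values) != len(TAB_FIELDS):
        raise ValueError(f"expected {len(TAB_FIELDS)} fields, got {len(values)}")
    event.update(zip(TAB_FIELDS, values))
    return event


def failure_audits(lines):
    """Event IDs of records whose EventLogType is 'Failure Audit'."""
    return [ev["EventID"] for ev in map(parse_snare, lines)
            if ev["EventLogType"] == "Failure Audit"]


if __name__ == "__main__":
    for line in (SNARE_OVER_SYSLOG, PLAIN_SNARE):
        ev = parse_snare(line)
        print(ev["HostName"], ev["EventLogSource"], ev["EventID"], ev["EventLogType"])
    print("failure audits:", failure_audits([SNARE_OVER_SYSLOG, PLAIN_SNARE]))
```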


IPv6 Support Matrix

The IPv6 support matrix is as shown below:

Log Source Address | LogLogic® Universal Collector | LMI | Supported LogLogic® Universal Collector Version

IPv4 | IPv4 | IPv4 | v2.8.0 and below

IPv6 | IPv6 | IPv6 | v2.7.0 and v2.8.0

IPv4 | IPv6 | IPv6 | v2.7.0 and v2.8.0
