Syslog Input Adapter Sample

About This Sample

This sample demonstrates the use of the Spotfire Streaming Syslog Input Adapter.

Importing This Sample into StreamBase Studio

In StreamBase Studio, import this sample with the following steps:

  • From the top-level menu, click File>Import Samples and Community Content.

  • Enter sysl to narrow the list of options.

  • Select Syslog input adapter from the StreamBase Standard Adapters category.

  • Click Import Now.

StreamBase Studio creates a project for this sample.

Running This Sample in StreamBase Studio

  1. In the Project Explorer view, open the sample you just loaded.

    If you see red marks on a project folder, wait a moment for the project to load its features.

    If the red marks do not resolve themselves after a minute, select the project, right-click, and select Maven>Update Project from the context menu.

  2. Open the src/main/eventflow/packageName folder.

  3. Open the syslog.sbapp file and click the Run button. This opens the SB Test/Debug perspective and starts the module.

  4. In the Test/Debug Perspective, open the Output Streams view. Look for a tuple emitted on the Status stream with its action value set to Connected, indicating that the adapter has established a connection to the configured port and is listening for syslog messages.

  5. In the Manual Input view, select the Commands stream. Enter disconnect in the command field. Click Send Data and observe that a tuple has been emitted on the Status stream, and a message has been printed to the console to indicate the adapter has disconnected from the configured port.

  6. In the Manual Input view, select the Commands stream again. Enter connect in the command field. Click Send Data and observe that a tuple has been emitted on the Status stream, and a message has been printed to the console to indicate the adapter has reconnected to the port and is again listening for syslog messages.

  7. To see syslog messages emitted by the adapter, refer to the Receiving Syslog Messages section below.

  8. For each syslog message the adapter receives, a tuple describing the message's contents is emitted on the SyslogMessages stream.

  9. When done, press F9 or click the Terminate EventFlow Fragment button.

Receiving Syslog Messages

This sample is meant to receive syslog messages and pass them on to the StreamBase application. Once the sample is up and running, you will need a means to send it some syslog messages to demonstrate its use. To do so, you can either set up an existing machine on your network to send its syslog events to the IP address of the machine running the sample, or for testing purposes you can simply send simulated syslog messages to that machine's UDP port 514.

Configuring a Linux Machine to Send Syslog Messages to the Adapter

Devices and programs generating syslog messages do so by sending them to the system's syslog daemon (syslogd). This daemon is the program responsible for properly routing the messages to local log files and/or collectors such as the adapter. The syslogd daemon needs to be explicitly told to forward messages to your StreamBase application in order for the adapter to receive them. This is done by modifying the /etc/syslog.conf configuration file. To forward all syslog messages to your application, ensure the following line is included (replacing the host name with that of the machine running StreamBase):

*.* @logserv.example.com

(This change requires root access.)

Afterwards, restart syslogd with the command:

service syslogd restart

From then on the client machine will forward all syslog entries to your StreamBase application. Refer to syslogd(8) and syslog.conf(5) documentation for instructions on configuring finer-grained forwarding rules (e.g. only forwarding messages of a certain priority).

Sending Simulated Syslog Messages to the Adapter

For a quick test run of the sample, if you do not wish to set up a Linux box to send its syslog events to the adapter, you can simply send strings to UDP port 514 and they will be interpreted by the adapter as syslog messages. An easy way to do so is to use the nc Linux command (substituting the correct IP address to reach your running StreamBase application):

nc -u 127.0.0.1 514

This command waits for input to send on the port. Type the following and press Enter:

<165>1 2013-05-01T12:00:00.000Z mymachine.example.com fakeevent - ID00 [exampleSDID@32767 iut="3" eventSource="Application" eventID="1011"] This is a fake syslog event conforming to RFC 5424
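
The leading <165> in the message above is the RFC 5424 PRI value, facility * 8 + severity, here facility 20 (local4) and severity 5 (notice). The following script is an added example, not part of the product documentation: it builds test messages with the same header layout for any facility and severity and sends them with nc. The function names and the 127.0.0.1:514 defaults are assumptions.

```shell
# Added example (not shipped with the sample): build and send RFC 5424 test messages.
# All function names here are hypothetical helpers.

# PRI = facility * 8 + severity; facility is 0-23, severity is 0-7.
syslog_pri() {
    case "$1" in ''|*[!0-9]*) echo "facility must be a number" >&2; return 1;; esac
    case "$2" in ''|*[!0-9]*) echo "severity must be a number" >&2; return 1;; esac
    if [ "$1" -gt 23 ] || [ "$2" -gt 7 ]; then
        echo "facility must be 0-23 and severity 0-7" >&2
        return 1
    fi
    echo $(( $1 * 8 + $2 ))
}

# Split a PRI value back into "facility severity", e.g. to check a received tuple.
syslog_decode_pri() {
    echo "$(( $1 / 8 )) $(( $1 % 8 ))"
}

# Header layout: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD MSG
# Args: facility severity hostname message [timestamp]
# PROCID and structured data are sent as "-" (the RFC 5424 nil value).
syslog_line() {
    _pri=$(syslog_pri "$1" "$2") || return 1
    _ts=${5:-$(date -u +%Y-%m-%dT%H:%M:%SZ)}
    printf '<%s>1 %s %s fakeevent - ID00 - %s' "$_pri" "$_ts" "$3" "$4"
}

# Send one datagram to the adapter. Args: line [host] [port]
# -w1 lets nc exit after one idle second instead of waiting for more input.
syslog_send() {
    printf '%s' "$1" | nc -u -w1 "${2:-127.0.0.1}" "${3:-514}"
}

# Send one message per severity (0 = emergency ... 7 = debug) on facility local4,
# so each severity can be checked on the SyslogMessages stream.
# Args: [host] [port]
syslog_send_all_severities() {
    _sev=0
    while [ "$_sev" -le 7 ]; do
        syslog_send "$(syslog_line 20 "$_sev" "$(hostname)" "test severity $_sev")" "$1" "$2"
        _sev=$(( _sev + 1 ))
    done
}

# Usage: syslog_send "$(syslog_line 20 5 mymachine.example.com 'hello adapter')"
```

UDP syslog carries no sender authentication, so the HOSTNAME field in a received tuple is whatever the sender wrote, as the constructed host name in these test messages shows.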

Sample Location

When you load the sample into StreamBase® Studio, Studio copies the sample project's files to your Studio workspace, which is normally part of your home directory, with full access rights.

Important

Load this sample in StreamBase® Studio, and thereafter use the Studio workspace copy of the sample to run and test it, even when running from the command prompt.

Using the workspace copy of the sample avoids permission problems. The default workspace location for this sample is:

studio-workspace/sample_adapter_embedded_syslog

See Default Installation Directories for the default location of studio-workspace on your system.