This sample demonstrates the use of the TIBCO StreamBase® Syslog Input Adapter.
This sample is meant to receive syslog messages and pass them on to the StreamBase application. Once the sample is up and running, you will need a means to send it some syslog messages to demonstrate its use. To do so, you can either set up an existing machine on your network to send its syslog events to the IP address of the machine running the sample, or for testing purposes you can simply generate fake syslog messages on the machine's UDP port 514.
Devices and programs generating syslog messages do so by sending them to the system's Syslog daemon (syslogd). This daemon is the program responsible for properly routing the messages to local log files and/or collectors such as the adapter. The syslogd daemon needs to be explicitly told to forward messages to your StreamBase application in order for the adapter to receive them. This is done by modifying the /etc/syslog.conf configuration file. To forward all syslog messages to your application, ensure the following line is included (replacing the host name with that of the machine running StreamBase):
*.* @logserv.example.com
(You will need root access to make this change.)
Afterwards, restart syslogd with the command:
service syslogd restart
From then on the client machine will forward all syslog entries to your StreamBase application. Refer to syslogd(8) and syslog.conf(5) documentation for instructions on configuring finer-grained forwarding rules (e.g. only forwarding messages of a certain priority).
For a quick test run of the sample, if you do not wish to set up a Linux box to send its syslog events to the adapter you can simply send strings to UDP port 514 and they will be interpreted by the adapter as syslog messages. An easy way to do so is to use the nc Linux command (substituting the correct IP address to reach your running StreamBase application):
nc -u 127.0.0.1 514
This command will wait for input to send on the port. Type the following and hit Enter:
<165>1 2013-05-01T12:00:00.000Z mymachine.example.com fakeevent - ID00 [exampleSDID@32767 iut="3" eventSource="Application" eventID="1011"] This is a fake syslog event conforming to RFC 5424
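The same test message can be produced by a script instead of typed into nc. The Python below is an added example, not part of the TIBCO sample: it rebuilds the line above from its RFC 5424 fields (PRI 165 is facility 20, local4, times 8 plus severity 5, notice), escapes structured-data values, and sends the result as a single UDP datagram. The function names are illustrative.

```python
import socket


def pri(facility: int, severity: int) -> int:
    """RFC 5424 PRI value: facility * 8 + severity."""
    if not (0 <= facility <= 23 and 0 <= severity <= 7):
        raise ValueError("facility must be 0-23 and severity 0-7")
    return facility * 8 + severity


def sd_escape(value: str) -> str:
    # RFC 5424 requires backslash, double quote and closing bracket to be
    # backslash-escaped inside a structured-data parameter value.
    return value.replace("\\", "\\\\").replace('"', '\\"').replace("]", "\\]")


def build_message(facility, severity, timestamp, hostname, app_name,
                  procid, msgid, sd_id, sd_params, text):
    """Assemble HEADER, one STRUCTURED-DATA element and MSG into one line."""
    params = "".join(f' {k}="{sd_escape(v)}"' for k, v in sd_params.items())
    header = (f"<{pri(facility, severity)}>1 {timestamp} {hostname} "
              f"{app_name} {procid} {msgid}")
    return f"{header} [{sd_id}{params}] {text}"


def send_udp(message: str, host: str, port: int) -> int:
    """Send the message as one datagram; returns the number of bytes sent."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        return sock.sendto(message.encode("utf-8"), (host, port))


# Field values taken from the sample message shown above.
SAMPLE = build_message(
    facility=20, severity=5,
    timestamp="2013-05-01T12:00:00.000Z",
    hostname="mymachine.example.com",
    app_name="fakeevent", procid="-", msgid="ID00",
    sd_id="exampleSDID@32767",
    sd_params={"iut": "3", "eventSource": "Application", "eventID": "1011"},
    text="This is a fake syslog event conforming to RFC 5424",
)

if __name__ == "__main__":
    # Same target as the nc command; change the host to reach a remote adapter.
    send_udp(SAMPLE, "127.0.0.1", 514)
```

Changing the facility and severity arguments is a quick way to check how the adapter reports different priorities on the SyslogMessages stream.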
- In the Package Explorer view, double-click syslog.sbapp.
- Click the Run button. This opens the SB Test/Debug perspective and starts the application.
- In the Test/Debug Perspective, open the Application Output view. Look for a tuple emitted on the Status stream with its action value set to Connected, indicating that the adapter has established a connection to the configured port and is listening for traps.
- In the Manual Input view, select the Commands stream. Enter disconnect in the command field. Click and observe that a tuple has been emitted on the Status stream, and a message has been printed to the console to indicate the adapter has disconnected from the configured port.
- In the Manual Input view, select the Commands stream again. Enter connect in the command field. Click and observe that a tuple has been emitted on the Status stream, and a message has been printed to the console to indicate the adapter has reconnected to the port and is again listening for traps.
- To see syslog messages emitted by the adapter, refer to the Receiving Syslog Messages section above.
- As syslog messages are received by the adapter you will see a tuple emitted on the SyslogMessages stream describing its contents.
- When done, press F9 or click the Stop Running Application button.
This section describes how to run the sample in UNIX terminal windows or Windows command prompt windows. On Windows, be sure to use the StreamBase Command Prompt from the Start menu as described in the Test/Debug Guide, not the default command prompt.
- Open three terminal windows on UNIX, or three StreamBase Command Prompts on Windows. In each window, navigate to your workspace copy of the sample, as described above.
- In window 1, type:
  sbd syslog.sbapp
- In window 2, type:
  sbc dequeue -v
  This window displays the tuples dequeued from the adapter's output ports.
- In window 3, disconnect from the UDP port:
  echo disconnect | sbc enqueue Commands
- Observe in window 2 that a Disconnected tuple is emitted from the Status port and a message is issued in window 1 to indicate the adapter has disconnected from the UDP port and is no longer listening for syslog messages.
- In window 3, reconnect to the UDP port:
  echo connect | sbc enqueue Commands
- Observe in window 2 that a Connected tuple is again emitted from the Status stream. A message is issued in window 1 to indicate the adapter has reconnected to the UDP port and is listening for syslog events.
- To see syslog messages emitted by the adapter, refer to the Receiving Syslog Messages section above.
- Observe in window 2 that a new tuple has been emitted on the SyslogMessages stream for each syslog event received by the adapter.
- In window 3, type the following command to terminate the server and dequeuer:
  sbadmin shutdown
In StreamBase Studio, import this sample with the following steps:
- From the top menu, click → .
- Select this sample from the Embedded Input Adapters list.
- Click OK.
StreamBase Studio creates a project for this sample.
When you load the sample into StreamBase Studio, Studio copies the sample project's files to your Studio workspace, which is normally part of your home directory, with full access rights.
Important
Load this sample in StreamBase Studio, and thereafter use the Studio workspace copy of the sample to run and test it, even when running from the command prompt.
Using the workspace copy of the sample avoids permission problems. The default workspace location for this sample is:
studio-workspace/sample_adapter_embedded_syslog
See Default Installation Directories for the default location of studio-workspace on your system.
In the default TIBCO StreamBase installation, this sample's files are initially installed in:
streambase-install-dir/sample/adapter/embedded/syslog
See Default Installation Directories for the default location of studio-workspace on your system.