Logscape Support

TOPIC: Cannot receive log for remote Linux machine in LogScape dashboard
Hyder

 


Hi,

Good day!

I am a newbie on LogScape. Apologies in advance for any funny queries. Essentially, I have set up a remote server (Linux 2.6.32-220.el6.f5.x86_64) to send the logs to the Logscape VM (#35~precise1-Ubuntu). Consequently, we can see the port (1468) is open and telnet-able from the remote machine. Moreover, I had a tcp-dump on the LogScape machine and that indicates the logs are arriving. However, I still cannot see any log in the dashboard for that related server.

Appreciate if you could suggest some further troubleshooting tips on this.

Best regards

Hyder

 



__________________
ZG


Hi Hyder,


Can you confirm data is being collected in the syslog directory on the Manager?

The data from your syslog clients is stored in the following folder:

$LOGSCAPE_HOME/work/Syslog_SERVER_/$CLIENT_HOSTNAME_OR_IP/

If there is data present but it is not showing up within Logscape, could you send a screenshot of the data source and the search that you are using.


Kind Regards,

ZG







__________________
Hyder

 

Thanks for your reply ZG.

I can see the folder has been created and there are logs in the folder.

hyder@logscape:/opt/logscape/logscape/work/SysLogServer_SERVER_/10.1.5.3$ ls -alt
total 20
drwxrwxr-x 5 hyder hyder 4096 Apr 30 01:06 .
drwxrwxr-x 2 hyder hyder 4096 Apr 30 01:06 14May01
drwxrwxr-x 2 hyder hyder 4096 Apr 29 04:14 14Apr30
drwxrwxr-x 4 hyder hyder 4096 Apr 28 18:56 ..
drwxrwxr-x 2 hyder hyder 4096 Apr 28 18:56 14Apr29

Directory: /opt/logscape/logscape/work/SysLogServer_SERVER_/10.1.5.3/14Apr29

File mask: *.log

Search: * | _tag.equals(Test_Log_1) _filename.count(_host)
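
A way to run the on-disk check discussed above across every syslog client at once, as an added example that is not part of the original thread. It assumes the `<client>/<date folder>/*.log` layout shown in the listing above; the function name, the hosts 10.1.5.4 and 10.1.5.5 and the file name messages.log are constructed for illustration.

```shell
#!/bin/sh
# Added example: summarise what the syslog server has written to disk per client.
# Assumed layout (from the listing in the thread): <syslog_dir>/<client>/<date>/*.log
# Usage: syslog_summary /path/to/the/syslog/server/work/folder

syslog_summary() {
    root=$1
    [ -d "$root" ] || { echo "no such directory: $root" >&2; return 2; }
    for host_dir in "$root"/*/; do
        [ -d "$host_dir" ] || continue          # skips the unexpanded glob when empty
        host=$(basename "$host_dir")
        files=$(find "$host_dir" -type f -name '*.log' | wc -l | tr -d ' ')
        bytes=$(find "$host_dir" -type f -name '*.log' -exec cat {} + | wc -c | tr -d ' ')
        if [ "$files" -eq 0 ]; then
            state=NO_FILES      # folder exists but nothing matches the *.log mask
        elif [ "$bytes" -eq 0 ]; then
            state=EMPTY         # files were created but no events were written
        else
            state=OK            # events are on disk for this client
        fi
        printf '%s files=%s bytes=%s %s\n' "$host" "$files" "$bytes" "$state"
    done
}

# Constructed sample tree so the script runs without a Logscape install.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/10.1.5.3/14Apr29" "$tmp/10.1.5.4/14Apr29" "$tmp/10.1.5.5"
    printf 'Apr 29 04:14:01 host test: constructed line\n' \
        > "$tmp/10.1.5.3/14Apr29/messages.log"
    : > "$tmp/10.1.5.4/14Apr29/messages.log"
    syslog_summary "$tmp"
    rm -rf "$tmp"
}
demo
```

A host reported as OK has data on disk, so a blank dashboard for it points to the data source or the search rather than to delivery.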

 



__________________
ZG


 

Hi Hyder,

It looks like there isn't a datasource pulling in your syslog data.

1.) To find out if any of the data from 10.1.15.3 has been ingested, execute the following search going back 2 or more days:

| _host.equals(10.1.5.3) _tag.count()

This search returns the data source the system is using. Your data may be coming from a different data source other than Test_log_1. It's important that your search goes back far enough.


2.) If you get nothing coming back in step 1.), the data sources have not been set up correctly. Please send a screenshot of your syslog-server data source and TestLog_1 datasource and I will be able to see if it is a problem with the data source or something else.


 

ZG.



__________________
ZG


 

You could also try the default syslog search:

* | _tag.equals(syslog-server) _filename.count(_host)



__________________
Hyder

 

Many thanks ZG for the information.

That looks great and is working fine now.

Unfortunately, an issue has come up with it: if we have separate accounts to view the data from various data sources respectively, other users can view each other's information through queries. Therefore, is there any way we could prevent this or resolve this authorisation issue, or is there any development on this in track?

Cheers.

Best regards

Hyder

 

 

 



__________________


 

Hi Hyder,
If you have upgraded to 2.3.1 you could look at using datagroups. Each datagroup can apply a host filter and you can assign datagroups to individual user accounts.

logscape.github.io/users-datagroups.html

HTH
-NA.



-- Edited by neilson9 on Wednesday 28th of May 2014 09:32:01 PM

__________________