Logscape Support

mark · Member

Cant load data, via syslog or local folder

ZG · Veteran Member

Hi Mark,

1. Check that Logscape Syslog Server is accepting messages by sending a test messages from a remote host. Verify the message was received by checking the folder $LOGSCAPE_HOME/work/Syslog_SERVER/$REMOTE_IP/.... . Testing connectivity will depend on your operating system. If you are using Linux and you have set up up your rsyslog/syslong-ng correctly you can use the logger tool. Here's an example

logger 10.28.1.160 -P 1468 This a test .....

2. The syslog server log file is $LOGSCAPE_HOME/work/syslogserver.log. The ports used are also printed in the log at start up. When the system starts up, it will do a connectivity test by launching a local syslog client that sends test messages to the Logscape Syslog Server. Check the $LOGSCAPE_HOME/Syslog_SERVER_/localhost/user.log for the startup messages.

3. Once you are happy that your Syslog set up is correct, you can browse your syslog logs by navigating to the Search Page and selecting the syslog-server datasource on the left panel.

Kind Regards,

ZG.

mark · Member

Hello

I have tried using syslog udp on port 1514 and 514, the logscape receives the syslog messages, it creates a new directory with the name of the sender so that part seems to be ok

The issue is that it does not show the data in the search

Also it doe snot fetch the logs from files in a directory

I really like logscape, I just need to make it work

Thanks
Mark

ZG · Veteran Member

Hi Mark,

Go to the Configure/Datasource page and find the syslog-server datasource. Click the search button for this data source. This should then take you to the Search Page with the following search:

* | _tag.equals(syslog-server) _filename.count(_host)

Make sure that the search is set to search more than 60 days. See if this brings up your logs. Alternatively, you can try port 1468 with the TCP protocol. The data may be appearing further back on your timeline than expected.

Could you paste a screenshot of your data source for the application logs and a sample of your data. The problem could be with the time format used in the data or it could be in the way the data source is configured. It's difficult to say without more to go on.

If you do not feel comfortable sharing some of your logs in the forum please use the email support@logscape.com. Make sure that you attach 5-10 lines of your log data and a copy of your Logscape config and someone will get back to you shortly.

Regards,

ZG.

neilson9 · Senior Member

Hey mark,

Can you also try and save the syslog datasource and see if that helps?

Cheers Neil.

mark · Member

Hello,

Thanks very much for the help, it was working but the issue was with the dates, this is why I could not see any data.

Logscape was trying to read the date field from the logs and that was confusing it, to verify it I selected the dates for the search from 1960 to today and the logs where finally found in the 2012-2013 years

I need to learn how to play with the date fields so that I can have Logscape picking up the date in the right way

The syslog works on UDP 1514 or TCP, that was another problem I had, I did the first tests using standard UDP 514

Logscape is very fast and it it fantastic how it can read compressed files as well.

Again thanks very much for the prompt support, really appreciated

Thanks and best regards
Mark