Syslog Input Adapter Sample

This sample demonstrates the use of the TIBCO StreamBase® Syslog Input Adapter.

Receiving Syslog Messages

This sample receives syslog messages and passes them on to the StreamBase application. Once the sample is up and running, you need a way to send it syslog messages to demonstrate its use. You can either set up an existing machine on your network to send its syslog events to the IP address of the machine running the sample, or, for testing purposes, send fake syslog messages to UDP port 514 on the machine running the sample.

Configuring a Linux Machine to Send Syslog Messages to the Adapter

Devices and programs that generate syslog messages send them to the system's syslog daemon (syslogd). This daemon is responsible for routing the messages to local log files and/or to collectors such as the adapter. The syslogd daemon must be explicitly told to forward messages to your StreamBase application for the adapter to receive them. This is done by modifying the /etc/syslog.conf configuration file. To forward all syslog messages to your application, ensure the following line is included (replacing the host name with that of the machine running StreamBase):

*.* @logserv.example.com

(You will need root access to make this change.)

Afterwards, restart syslogd with the command:

service syslogd restart

From then on the client machine will forward all syslog entries to your StreamBase application. Refer to syslogd(8) and syslog.conf(5) documentation for instructions on configuring finer-grained forwarding rules (e.g. only forwarding messages of a certain priority).

Sending Fake Syslog Messages to the Adapter

For a quick test run of the sample, if you do not wish to set up a Linux box to send its syslog events to the adapter you can simply send strings to UDP port 514 and they will be interpreted by the adapter as syslog messages. An easy way to do so is to use the nc Linux command (substituting the correct IP address to reach your running StreamBase application):

nc -u 127.0.0.1 514

This command will wait for input to send on the port. Type the following and hit Enter:

<165>1 2013-05-01T12:00:00.000Z mymachine.example.com fakeevent - ID00 [exampleSDID@32767 iut="3" eventSource="Application" eventID="1011"] This is a fake syslog event conforming to RFC 5424
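
The same test message can be built and sent from a script instead of typed into nc. The following is an added example, not part of the StreamBase sample: it shows how the <165> priority value is derived (facility local4 = 20, severity notice = 5, so 20 * 8 + 5), escapes structured-data values as RFC 5424 requires, and sends the result as one UDP datagram. The function names and the 127.0.0.1:514 target are assumptions for illustration.

```python
import socket

# Facility and severity codes from RFC 5424 section 6.2.1 (subset).
FACILITY = {"kern": 0, "user": 1, "daemon": 3, "auth": 4, "local4": 20}
SEVERITY = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
            "warning": 4, "notice": 5, "info": 6, "debug": 7}


def sd_escape(value):
    """Escape backslash, double quote and ']' in an SD-PARAM value (RFC 5424 6.3.3)."""
    for ch in ("\\", '"', "]"):  # backslash first, so added escapes are not re-escaped
        value = value.replace(ch, "\\" + ch)
    return value


def build_message(facility, severity, timestamp, host, app, msgid,
                  sd_id, sd_params, text, procid="-"):
    """Return one RFC 5424 line: <PRI>1 TIMESTAMP HOST APP PROCID MSGID [SD] MSG."""
    pri = FACILITY[facility] * 8 + SEVERITY[severity]
    params = "".join(f' {k}="{sd_escape(v)}"' for k, v in sd_params.items())
    return (f"<{pri}>1 {timestamp} {host} {app} {procid} {msgid} "
            f"[{sd_id}{params}] {text}")


def send_udp(message, host="127.0.0.1", port=514):
    """Send the message as a single UDP datagram; returns the number of bytes sent."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        return sock.sendto(message.encode("utf-8"), (host, port))


# Constructed sample: the fields of the fake event shown above.
SAMPLE = build_message(
    "local4", "notice", "2013-05-01T12:00:00.000Z", "mymachine.example.com",
    "fakeevent", "ID00", "exampleSDID@32767",
    {"iut": "3", "eventSource": "Application", "eventID": "1011"},
    "This is a fake syslog event conforming to RFC 5424")

if __name__ == "__main__":
    print(SAMPLE)
    send_udp(SAMPLE)  # assumes the sample is listening on 127.0.0.1, UDP port 514
```
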

Running This Sample in StreamBase Studio

  1. In the Package Explorer view, double-click syslog.sbapp.

  2. Click the Run button. This opens the SB Test/Debug perspective and starts the application.

  3. In the Test/Debug Perspective, open the Application Output view. Look for a tuple emitted on the Status stream with its action value set to Connected, indicating that the adapter has established a connection to the configured port and is listening for syslog messages.

  4. In the Manual Input view, select the Commands stream. Enter disconnect in the command field. Click Send Data and observe that a tuple has been emitted on the Status stream, and a message has been printed to the console to indicate the adapter has disconnected from the configured port.

  5. In the Manual Input view, select the Commands stream again. Enter connect in the command field. Click Send Data and observe that a tuple has been emitted on the Status stream, and a message has been printed to the console to indicate the adapter has reconnected to the port and is again listening for syslog messages.

  6. To see syslog messages emitted by the adapter, send it messages as described in the Receiving Syslog Messages section above.

  7. As syslog messages are received by the adapter you will see a tuple emitted on the SyslogMessages stream describing its contents.

  8. When done, press F9 or click the Stop Running Application button.

Running This Sample in Terminal Windows

This section describes how to run the sample in UNIX terminal windows or Windows command prompt windows. On Windows, be sure to use the StreamBase Command Prompt from the Start menu as described in the Test/Debug Guide, not the default command prompt.

  1. Open three terminal windows on UNIX, or three StreamBase Command Prompts on Windows. In each window, navigate to your workspace copy of the sample, as described in the Sample Location section below.

  2. In window 1, type:

    sbd syslog.sbapp

  3. In window 2, type:

    sbc dequeue -v

    This window displays the tuples dequeued from the adapter's output ports.

  4. In window 3, disconnect from the UDP port:

    echo disconnect | sbc enqueue Commands

  5. Observe in window 2 that a Disconnected Tuple is emitted from the Status port and a message is issued in window 1 to indicate the adapter has disconnected from the UDP port and is no longer listening for syslog messages.

  6. In window 3, reconnect to the UDP port:

    echo connect | sbc enqueue Commands

  7. Observe in window 2 that a Connected Tuple is again emitted from the Status stream. A message is issued in window 1 to indicate the adapter has reconnected to the UDP port and is again listening for syslog events.

  8. To see syslog messages emitted by the adapter, send it messages as described in the Receiving Syslog Messages section above.

  9. Observe in window 2 that a new tuple has been emitted on the SyslogMessages stream for each syslog event received by the adapter.

  10. In window 3, type the following command to terminate the server and dequeuer:

    sbadmin shutdown

Importing This Sample into StreamBase Studio

In StreamBase Studio, import this sample with the following steps:

  • From the top menu, click File → Load StreamBase Sample.

  • Select this sample from the Embedded Input Adapters list.

  • Click OK.

StreamBase Studio creates a project for this sample.

Sample Location

When you load the sample into StreamBase Studio, Studio copies the sample project's files to your Studio workspace, which is normally part of your home directory, with full access rights.

Important

Load this sample in StreamBase Studio, and thereafter use the Studio workspace copy of the sample to run and test it, even when running from the command prompt.

Using the workspace copy of the sample avoids the permission problems that can occur when trying to work with the initially installed location of the sample. The default workspace location for this sample is:

studio-workspace/sample_adapter_embedded_syslog

See Default Installation Directories for the location of studio-workspace on your system.

In the default TIBCO StreamBase installation, this sample's files are initially installed in:

streambase-install-dir/sample/adapter/embedded/syslog

See Default Installation Directories for the default location of studio-workspace on your system.