syslog监控华为交换机
- syslog协议
syslog也是个cs结构的协议,走UDP方式,与snmp的get、set方式不同,其结构更近似snmp的trap,也就是采用被动接受方式。在被监控上有个产生消息的agent,在监控端有个server进行侦听。
syslog是个简单的协议,主要定义了个报文结构(rfc3164)。报文由报头(PRI part、Header Part)和报体(MSG part)组成。PRI part是用“<”、“>”包起来的ASCII数值,接收程序中处理成整数后,前面5个bit表示来源(Facilities),后3个bit表示严重性(Severity)。Header Part主要是时间。MSG part就是内容了。报文是ASCII码的字符串。
http://www.networkdictionary.cn/Protocol/Syslog-Protocol.php底部可下载rfc3164.pdf
该协议虽简单,但麻烦就来源于简单。由于协议中未给出详细的规定,各家厂商都有自己的Header Part、MSG part结构。这样解析消息时间、内容都不相同。
例如:华为交换机的格式为:
<189>Jun 7 05:22:03 2003 Quidway IFNET/6/UPDOWNine protocol on interface Ethernet0/0/0, changed state to UP
cicso格式为:
<189>931: *Sep 11 20:07:26: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/2, changed state to down
- 交换机配置
华为:
>sys
>info-center loghost xxx.xxx.xxx.xxx //监控端IP
>info-center channel 2 //往哪个通道输出消息。缺省情况下,通道0~9的名称分别为console,monitor,loghost,trapbuffer,logbuffer,snmpagent,channel6,channel7,channel8,channel9。
>info-center enable //启动
>dis info-center //查看配置
cicso:
>config terminal
>logging xxx.xxx.xxx.xxx
>logging facility local7 //将Facilities>local7消息都报告
>logging source-interface xxxx.xxx.xxx.xxx //指定本设备发送消息时用的IP
>logging on //启动
- 编程
syslog用的是UDP方式,直接用jdk的java.net包下的类就成。
package com.lingtong.agent.syslogd; import java.io.IOException; import java.net.DatagramPacket; import java.net.DatagramSocket; import java.net.SocketException; import java.util.logging.Logger; import com.lingtong.agent.db.DBPool; public class SyslogServer extends Thread { final static Logger logger = Logger.getLogger(SyslogServer.class.getName()); private static final int IN_BUF_SZ = (8 * 1024); // private static final int SYSLOG_PORT = 514; private boolean socketOpen; private int port; private DatagramSocket inSock; private DatagramPacket inGram; private byte[] inBuffer; private SyslogConfig configuration; // private FeedbackDisplayer feedback; public SyslogServer() { this(SyslogDefs.DEFAULT_PORT); } public SyslogServer(int port) { super(); this.port = port; socketOpen = false; inBuffer = null; inGram = null; // feedback = null; configuration = null; } public SyslogConfig getConfiguration() { return configuration; } public void setConfiguration(SyslogConfig configuration) { this.configuration = configuration; } public void startupServices() { try { inSock = new DatagramSocket(port); inBuffer = new byte[SyslogServer.IN_BUF_SZ]; socketOpen = true; } catch (SocketException ex) { ex.printStackTrace(); logger.severe("-------->创建侦听端口" + port + "出错!!!"); interrupt(); } } public void shutdownServices() { if (socketOpen) { inSock.close(); socketOpen = false; } } public void finalize() { logger.info("---------->终止服务...."); shutdownServices(); } public void run() { //int packetCount = 0; logger.info("---------->启动服务...."); startupServices(); logger.info("---------->开始侦听...."); for (;;) { try { inGram = new DatagramPacket(inBuffer, inBuffer.length); inSock.receive(inGram); } catch (IOException ex) { ex.printStackTrace(); logger.warning("--------->读取端口数据错误!"); break; } String msgBuf = new String(inGram.getData(), 0, inGram.getLength()); //++packetCount; String hostName = inGram.getAddress().getHostName(); logger.info("<---------数据包["+hostName+":" + inGram.getLength() + "]" + msgBuf); if (hostName == null) hostName = "localhost"; processMessage(msgBuf, hostName); } finalize(); } /** * 根据IP获取配置并解析消息结构,最后提交处理 * @param message * @param hostName */ public void processMessage(String message, String ip) { try { ConfigEntry entry= configuration.getConfigEntry(ip); if (entry!=null){ entry.processMessage(ip,message); } }catch(Exception e){ e.printStackTrace(); } } static public void main( String argv[] ){ //建立数据库连接池 DBPool pool = DBPool.getInstance(); pool.initPool((String)argv[0]); //读取配置 SyslogConfig config = new SyslogConfig(); config.loadConfiguration((String)argv[0]); SyslogServer server = new SyslogServer(); server.setConfiguration( config ); //Thread thread= new Thread(server); server.start(); } }