System.ApplicationLog.SysLogReader

System Center

Updated: August 10, 2011

Applies To: Operations Manager 2007 R2

The System.ApplicationLog.SysLogReader data source module type is used to provide syslog UDP packets on a network. This module returns each system log data entry as System.ApplicationLog.SysLogData data.

Usage

Use the module to provide syslog UDP packets on a network from within a workflow.

Type Definition


<DataSourceModuleType ID="System.ApplicationLog.SysLogReader" Accessibility="Public" Batching="false">
  <Configuration>
    <xsd:element name="Port" type="xsd:unsignedInt" xmlns:xsd="http://www.w3.org/2001/XMLSchema" />
  </Configuration>
  <ModuleImplementation Isolation="Any">
    <Native>
      <ClassID>B4BE2EB9-6D55-46C1-86CB-D87057ECFC8A</ClassID>
    </Native>
  </ModuleImplementation>
  <OutputType>System.ApplicationLog.SysLogData</OutputType>
</DataSourceModuleType>

Parameters

The System.ApplicationLog.SysLogReader module supports the configuration parameters described in the following table.

 

Parameter Type Overrideable Description

Port

Unsigned Integer

False

Required parameter. Defines the port on which to listen for UDP syslog packets. Usually, the port is 514.

Remarks

This module uses the Windows Sockets 2 (Winsock) library to receive the UDP syslog packets on the specified port. For more information, see Windows Sockets 2.

Composition

The System.ApplicationLog.SysLogReader module is a native module.

Errors

The following errors can occur from within the System.ApplicationLog.SysLogReader module.

 

Exception Reason

11601

General failure.

Related Modules

None.

External Module References

The System.ApplicationLog.SysLogReader module is a member of the module described in the following table.

 

Module Type Library Usage

System.ApplicationLog.GenericLog.EventProvider

System.ApplicationLog.Library

Maps syslog data to event data. Returns System.Event.Data data.

Sample

The following sample illustrates a rule that listens for UDP syslog packets on Port 514. If the Priority parameter equals “1”, an alert will be generated.

ImportantImportant
This particular rule targets every Microsoft.Windows.Computer instance that belongs to the management group. If the criteria are met, the rule will create an alert associated to that computer. In reality however, many systems that support syslog are configured to send their syslog messages to one Windows computer. It is therefore possible to run the syslog rules on only one Windows computer rather than all Windows computers. One way to do this is to associate the rules to a class type that represents the syslog Hostname system or a syslog device. You must also define a class type definition for the Windows computer that specifically supports syslog. The discovery of the syslog Hostname system or syslog device must be targeted at the Windows computer that receives the syslog packets.


<Rule ID="Microsoft.Samples.ReadSysLog" Target="Windows!Microsoft.Windows.Computer" Enabled="true" ConfirmDelivery="true">
  <Category>Custom</Category>
   <DataSources>
     <DataSource ID="SR" TypeID="AppLog!System.ApplicationLog.SysLogReader">
      <Port>514</Port>
    </DataSource>
  </DataSources>
   <ConditionDetection ID="Filter" TypeID="System!System.ExpressionFilter">
     <Expression>
       <SimpleExpression>
         <ValueExpression>
          <XPathQuery Type="Integer">Priority</XPathQuery>
        </ValueExpression>
        <Operator>Equals</Operator>
         <ValueExpression>
          <Value>1</Value>
        </ValueExpression>
      </SimpleExpression>
    </Expression>
  </ConditionDetection>
   <WriteActions>
     <WriteAction ID="GenerateAlert" TypeID="Health!System.Health.GenerateAlert">
      <Priority>1</Priority>
      <Severity>1</Severity>
      <AlertMessageId>$MPElement[Name="Microsoft.Samples.AlertMessage"]$</AlertMessageId>
       <Suppression>
        <SuppressionValue />
      </Suppression>
    </WriteAction>
  </WriteActions>
</Rule>


The filtered System.ApplicationLog.SysLogData data item could look like the following:


<DataItem type="System.ApplicationLog.SysLogData" time="2008-03-11T03:08:55.0343534-08:00" sourceHealthServiceId="0A0800A0-A802-E90B-6045-D961D516CA78">
   <Facility>0</Facility>
   <Severity>0</Severity>
   <Priority>1</Priority>
   <PriorityName></PriorityName>
   <TimeStamp>Time</Timestamp>
   <HostName>Name of Host</HostName>
   <Message>Some message.</Message>
</DataItem>


Information

 

   

Module Type

DataSourceModuleType

Input Type

None

Output Type

System.ApplicationLog.SysLogData

Implementation

Composite

Library

System.ApplicationLog.Library

 
Show: