Can somebody explain the syslog sensor that is built into PRTG? Is this a syslog server? What are the differences between PRTG's syslog sensor and a syslog server?
The following information is deprecated as of PRTG 14.1.8.
It applies to the Syslog Receiver sensor in PRTG 7 through 13.
Wikipedia says about syslog (http://en.wikipedia.org/wiki/Syslog): "Syslog is a client/server protocol: the syslog sender sends a small (less than 1KB) textual message to the syslog receiver. The receiver is commonly called [..] "syslog server"."
Basically, the Syslog Receiver Sensor of PRTG can be described as a "syslog server". PRTG version 14.1.8 and later includes a syslog receiver which is designed for high performance usage in order to review and analyze incoming syslog messages from various devices.
The differences between a dedicated syslog server and PRTG's syslog sensor
But there are differences:
- Dedicated syslog servers are optimized to receive and process many different message types from a large number of devices
- Dedicated syslog servers are able to store many messages per time interval in their internal database for later review and analysis
PRTG's syslog sensor is not suitable to handle high loads, process many different message types or to store many messages in its log database. It can process some hundred messages per minute, one sensor can process and check one message type and PRTG can store some hundred messages per minute in its log database (across all syslog sensors).
The sensor is not intended to be a full-scale replacement for a dedicated syslog server. It is a great tool if you need to monitor a handful of devices that send syslog messages from time to time. And as such it avoids the need to install, set up and manage a dedicated syslog server software for just a few devices.
Setting up a syslog sensor
To create a syslog sensor navigate to your "local probe" (or one of your remote probes if you have any) and choose "Add Sensor". In the sensor type selection select "syslog receiver sensor" from the "Various Protocols" section.
In the sensor settings you must enter a listening port (the common port number is 514).
- Note 1: Remember that the listening port must be opened if you run a firewall on the probe system (the built-in Windows Firewall will automatically be configured correctly by PRTG).
- Note 2: You can only create syslog sensors on probe devices, because the PC running the probe software is the actual receiver.
The syslog sensor has three other settings:
- When Message comes in: Activate the option "Write message to log and fire change trigger" to fire the "change trigger" for this sensor and to write a log entry whenever a syslog message is received (this may create lots of log entries, use with caution). This is only suitable when a few messages per minute are received. After creating the sensor you can enter a "change" trigger on the notifications tab of the sensor that will send a notification (e.g. email) whenever a syslog message comes in.
- Message must include: This setting allows you to define a string. The sensor will go into error state if one or more of the incoming messages do not contain this string.
- Message must not include: Here you can enter a second string. The sensor will go into error state if a message contains this string.
The first option allows you to create a log of all incoming messages (at least for small scenarios with <100 messages per minute). The 2nd and 3rd options are used to filter out specific messages. Configure a "state trigger" for "down" on the notification tab and PRTG will fire an email if a message arrives that meets either or both of the two criteria.
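The two filter settings described above can be dry-run against sample messages before configuring the sensor. This is an added example, not PRTG's own code: it assumes plain case-sensitive substring matching and that an empty string disables a filter, and the sample messages and host names are constructed.

```python
import socket

# Constructed sample messages in BSD-syslog style; not captured from real devices.
SAMPLES = [
    "<134>Oct 11 22:14:15 sw01 backup: status=OK job nightly finished",
    "<131>Oct 11 22:15:02 sw01 backup: status=FAILED job nightly aborted",
    "<134>Oct 11 22:16:40 fw01 kernel: link eth0 up",
]

def evaluate(messages, must_include="", must_not_include=""):
    """Apply both filters to every message; any violation means error state.

    Assumption: substring match, case-sensitive, empty string = filter off.
    """
    violations = []
    for text in messages:
        if must_include and must_include not in text:
            violations.append(("missing required string", text))
        if must_not_include and must_not_include in text:
            violations.append(("contains forbidden string", text))
    return ("Down" if violations else "Up"), violations

def receive(sock, count):
    """Read `count` UDP datagrams from a bound socket and decode them as text."""
    return [sock.recvfrom(1024)[0].decode("utf-8", errors="replace")
            for _ in range(count)]

if __name__ == "__main__":
    # Loopback stand-in for the probe's listening port (commonly 514);
    # binding to port 0 lets the OS pick any free port for this demo.
    rx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    rx.bind(("127.0.0.1", 0))
    rx.settimeout(2)
    tx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    for line in SAMPLES:
        tx.sendto(line.encode(), rx.getsockname())
    state, hits = evaluate(receive(rx, len(SAMPLES)),
                           must_include="status=OK",
                           must_not_include="FAILED")
    print("sensor state:", state)
    for reason, msg in hits:
        print(f"  {reason}: {msg}")
```

Because "Message must include" is checked against every message arriving on the port, the unrelated fw01 line also counts as a violation, which is why one sensor (and one listening port) per message type works best.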