Syslog Interface to The PI System
Version 1.0.0.1
Rev A
How to Contact Us
|Phone |(510) 297-5800 (main number) |
| |(510) 297-5828 (technical support) |
|Fax |(510) 357-8136 |
|E-mail |techsupport@ |
|World Wide Web | |
|Mail |OSIsoft |OSI Software, Ltd |
| |P.O. Box 727 |P O Box 8256 |
| |San Leandro, CA 94577-0427 |Symonds Street |
| |USA |Auckland 1035 New Zealand |
| | | |
| |OSI Software GmbH |OSI Software, Asia Pte Ltd |
| |Hauptstraße 30 |152 Beach Road |
| |D-63674 Altenstadt 1 |#09-06 Gateway East |
| |Deutschland |Singapore, 189721 |
Unpublished – rights reserved under the copyright laws of the United States.
RESTRICTED RIGHTS LEGEND
Use, duplication, or disclosure by the Government is subject to restrictions as set forth in subparagraph (c)(1)(ii)
of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013
Trademark statement—PI is a registered trademark of OSIsoft, Inc. Microsoft Windows, Microsoft Windows for Workgroups, and Microsoft NT are registered trademarks of Microsoft Corporation. Solaris is a registered trademark of Sun Microsystems. HP-UX is a registered trademark of Hewlett Packard Corp. IBM AIX RS/6000 is a registered trademark of the IBM Corporation. DUX, DEC VAX and DEC Alpha are registered trademarks of the Digital Equipment Corporation.
PI_Syslog.doc
© 2003, 2004 OSIsoft, Inc. All rights reserved
777 Davis Street, Suite 250, San Leandro, CA 94577
Table of Contents
Introduction
Reference Manuals
Supported Features
Diagram of Hardware Connection
Principles of Operation
Syslog Format and Contents
Syslog Interface Message Types
PIX
Cisco IOS
Syslog General
Message Formatting
Installation Checklist
Interface Installation
Naming Conventions and Requirements
Interface Directories
The PIHOME Directory Tree
Interface Installation Directory
Interface Installation Procedure
Installing the Interface as an NT Service
Installing the Interface Service with PI-Interface Configuration Utility
Installing the Interface Service Manually
PointSource
PI Point Configuration
Point Attributes
Tag
PointSource
PointType
Location1
Location2
Location3
Location4
Location5
InstrumentTag
ExDesc
Scan
Shutdown
I/O Rate Tag Configuration
Monitoring I/O Rates on the Interface Node
Configuring I/O Rate Tags with PI-ICU (NT-Intel)
Configuring I/O Rate Tags Manually
Configuring the PI Point on the PI Server
Configuration on the Interface Node
Startup Command File
Command-line Parameters
Sample PI_Syslog.bat File
Interface Node Clock
Security
Starting / Stopping the Interface
Starting Interface as a Service
Stopping Interface Running as a Service
Buffering
Configuring Buffering with PI-ICU (NT-Intel)
Configuring Buffering Manually
Example piclient.ini File
Appendix A: Error and Informational Messages
Message Logs
Messages
Interface Startup Errors
Point Loading Errors
Point Debugging Messages
Run-time Error
Interface-level Debugging
Syslog Error Message
System Errors and PI Errors
APPENDIX B: PI_PIX Firewall Interface Compatibility
Migration
Manual Migration
Migration Using the PI ICU
Compatibility
Count, Rate and User Points
Appendix C: Extract from RFC3164 – 4.1.1 PRI
Revision History
Introduction
The syslog protocol is a standard for logging system events over a network. It provides a transport to allow a machine to send event notification messages across IP networks to event message collectors (also known as syslog servers). OSIsoft’s PI-Syslog Interface works as a syslog server for one or more devices. The interface listens on the syslog port (UDP port 514) and collects the syslog messages sent by the devices. The interface then matches each message with the appropriate PI Point and sends the required part or parts of the messages to this Point.
A standard format for the syslog messages is recommended by the syslog protocol. However, there are no set requirements on the contents of the syslog packet as it is originally sent from a device. Therefore, the PI-Syslog Interface considers any packet received from the syslog port a valid syslog message and records the information to the corresponding PI points. In addition, the interface supports the specific syslog message formats of devices such as Cisco PIX Firewall and other Cisco devices. PI-Syslog can recognize the device-specific syslog messages, parse the received packet accordingly and store appropriate information to the corresponding PI points.
The PI-Syslog interface runs on Windows NT 4.0, Windows 2000 or Windows XP operating systems. Unless otherwise noted, the remainder of this document uses the term “Windows NT” to refer to all three.
The PI-Syslog interface requires:
• PI Server
• PI-SDK/API
• Internet Explorer 4.0 or greater (The interface uses the Internet Explorer Regular Expression Engine to parse the syslog messages)
No special hardware is required by this interface.
The direction of data flow is uni-directional; that is, from the device(s) sending out the syslog messages to the PI Server.
Reference Manuals
OSIsoft
• UniInt End User Document
• PI Server Manual
• PI-SDK Manual
• PI-API Manual
• Regular Expressions Tutorial
Cisco
• Cisco Systems, Inc Cisco PIX Firewall System Log Messages
• Cisco – Setting Up PIX Syslog
• Cisco-System Error Messages Overview
Other
• The BSD Syslog Protocol
Supported Features
|Feature |Support |
|Part Number |PI-IN-OS-SYSLOG-NT |
|Platforms |Windows NT 4.0 / W2K / XP |
|PI Point Types |Float16 / float32 / float64 / int16 / int32 / digital / string |
|Sub-second Timestamps |Yes |
|Sub-second Scan Classes |No |
|Automatically Incorporates PI Point Attribute Changes |Yes |
|Exception Reporting |Yes |
|Outputs from PI |No |
|Inputs to PI: Scan-Based / Unsolicited / Event Tags |Unsolicited |
|Maximum Point Count |Point count of PI Server |
|Uses PI-SDK |Yes - Requires PI-SDK v1.3.1 (or higher) |
|PINet to PI 3 String Support |Not applicable |
|* Source of Timestamps |PI Server |
|History Recovery |No |
|Failover |No |
|* UniInt-based |Yes |
|Vendor Software Required on PI-API / PINet Node |No |
|Vendor Software Required on Foreign Device |No |
|Vendor Hardware Required |No |
|* Additional PI Software Included with Interface |Yes |
|Device Point Types |Not applicable |
* See paragraphs below for further explanation.
Source of Timestamps
The clock on the computer running the PI Server provides the source of the timestamps for the data sent by PI-Syslog. The interface writes a timestamp that reflects the time at which it processed the Syslog packet.
UniInt-based
UniInt stands for Universal Interface. UniInt is not a separate product or file; it is an OSIsoft-developed template used by our developers and is integrated into many interfaces, such as the PI-Syslog interface. The purpose of UniInt is to keep a consistent feature set and behavior across as many of our interfaces as possible. It also allows for the very rapid development of new interfaces. In any UniInt-based interface, the interface uses some of the UniInt-supplied configuration parameters and some interface-specific parameters. UniInt is constantly being upgraded with new options and features.
The UniInt End User Document is a supplement to this manual.
Additional PI Software
A utility for testing regular expressions (RegExpTester.exe) is included in the install of this interface. This utility is useful for testing the syntax of regular expressions before using them in a PI Point.
Diagram of Hardware Connection
[pic]
Principles of Operation
The PI-Syslog Interface functions as a syslog server: it listens on either UDP port 514 (the syslog port) or any other specified port and collects the syslog messages sent by one or more devices. Upon receiving a syslog packet, the interface parses the received message according to the PI Point configuration specified in the point attributes. The interface then stores the corresponding value in the PI Server. Because the length of a syslog packet should not exceed 1024 bytes, the interface truncates any packet longer than 1024 bytes to fit the limit before processing the message.
Syslog Format and Contents
A syslog packet is a string of printable and non-printable ASCII characters. The total length of the packet must be 1024 bytes or less. Typically a syslog packet contains three discernable parts:
• PRI (Facility and Severity)
• HEADER
• MSG
It is recommended that a syslog packet have all three parts, but there are no set requirements on the contents of the syslog packet as it is originally sent from a device. For example, a syslog packet may have only the MSG part or have any part missing. The order of the parts, however, cannot be interchanged.
PRI (Facility and Severity)
The PRI part starts with a leading “<” and ends with a trailing “>”. The number contained within these angle brackets is known as the Priority value and represents both the Facility and Severity.
All syslog messages have a logging Facility and a Severity level. The logging Facility can be thought of as “where” and the Severity level can be thought of as “what.” The Facilities and Severities of the messages are numerically coded with decimal values. The Priority value is calculated by first multiplying the Facility number by 8 and then adding the numerical value of the Severity.
HEADER
The HEADER part typically contains two fields called the TIMESTAMP and the HOSTNAME. The TIMESTAMP is the local time and is in the format of
Mmm dd hh:mm:ss
where:
Mmm is the English language abbreviation for the month of the year with the first character in uppercase and the other two characters in lowercase. The following are the only acceptable values: Jan, Feb, Mar, Apr, May, Jun, Jul, Aug, Sep, Oct, Nov, Dec.
dd is the day of the month. If the day of the month is less than 10, then it must be represented as a space and then the number.
hh:mm:ss is the local time. The hour (hh) is represented in a 24-hour format. Valid entries are between 00 and 23. The minute (mm) and second (ss) entries are between 00 and 59.
The HOSTNAME field contains either the hostname or the IP address of the originator of the message.
MSG
The MSG part usually contains some additional information of the process that generated the message, and then the text of the message. It has two fields known as the TAG field and the CONTENT field. The value in the TAG field may be the name of the program or process that generated the message. The CONTENT contains the details of the message.
As an example, a valid syslog message is as follows:
<34>Dec 18 17:58:26 mymachine su: 'su root' failed for lonvick on /dev/pts/8
Thus
• PRI: 34 (Facility 4 Severity 2)
• Header: Dec 18 17:58:26 mymachine
• MSG: su: 'su root' failed for lonvick on /dev/pts/8
As discussed previously, this format is recommended but not required, so different programs, processes and devices can send out syslog packets with different formats. For example, the MSG part of a syslog packet sent by the PIX Firewall always begins with a percent sign (%) and is structured as follows:
%PIX-Level-Message_number: Message_text
Syslog Interface Message Types
To facilitate the correct interpretation of each message, points in this interface can be configured to treat a syslog message as one of four categories.
PIX
Syslog messages sent by a Cisco PIX Firewall contain information about the status of connections within this firewall. Typically these messages have the form:
<PRI>TimeStamp Host %PIX-Level-Message_number: Message_text
For example:
Jul 16 2003 17:15:32 OSIFirewall001 : %PIX-4-400024 IDS: 2151 Large ICMP Traffic from 10.4.1.2 to 10.2.1.1 on interface dmz
Where:
|<PRI> |The PRI (facility and severity) |
|Timestamp |The time the message was generated |
|Host |The Host Name or IP address of the originating device |
|PIX |Identifies the message facility code for message generated by the PIX Firewall. This value is always PIX. |
|Level |The level reflects the severity of the condition described by the message. The lower the number, the more severe the condition. |
|Message_number |A unique 6-digit number that identifies the message. |
|Message_text |A text string describing the condition. This portion of the message sometimes includes IP addresses, port numbers or usernames. |
The interface will attempt to parse out the following fields from a syslog message:
• Facility number (from the PRI)
• Severity number (from the PRI)
• TimeStamp
• Host
• Level
• MSG
Cisco IOS
Cisco devices may provide IOS messages to a syslog server. These syslog messages include messages in a standardized format (often called system error messages) and output from debug commands. Messages are of the form:
%facility-severity-mnemonic: message-text
These messages are often preceded with additional information like time and sequence-number, for example:
000013: Mar 18 14:52:10.039:%LINK-5-CHANGED: Interface Serial3/3, changed state to administratively down
The message may also be preceded by a PRI.
Syslog messages with the message component starting with %name-number-name are suitable to be considered type Cisco IOS. This does not exclude PIX type messages.
|Facility Name |Identifies the message facility code, in this case LINK |
|Level |The level reflects the severity of the condition described by the message. The lower the number, the more severe the condition. |
|mnemonic |General description of message type |
|Message_text |A text string describing the condition. |
The interface will attempt to parse out the following fields from a syslog message:
• Facility: (from PRI)
• Severity: (from PRI)
• TimeStamp: Any valid time before the first %
• Host
• Level
• MSG: The entire message after the first %
• Facility Name: This is the facility after the first %
Syslog General
Although the Syslog standard does not impose requirements on a syslog message format, RFC 3164 (The BSD syslog Protocol) provides a recommended format for syslog messages. Points of this category will treat the syslog message as if it were in this recommended format. That is, the message will typically be of the form:
<PRI>TimeStamp Host Message
where the PRI, if it exists, is at the start of the message and is enclosed in the “<” and “>” characters, and other fields are separated by spaces or other non-alphanumeric characters. The interface will make its best guess at parsing out the fields if the packet does not comply with the above format.
The Interface will attempt to parse out the following fields from a syslog message:
• Facility number: (from PRI)
• Severity number: (from PRI)
• TimeStamp: Any valid time at the start of the header
• Host: The first field after the time, or if the time is not found, the field after the PRI
• MSG: The entire message following the TimeStamp field
Note: The timestamp field is usually expected to immediately follow the PRI. This interface will accept the first valid timestamp within two fields of the start of the syslog message. This is to accommodate additional fields like the sequence number of the Cisco IOS message type. A field is delimited by a space or a non-printable character.
Note: In Syslog messages that do not include a host field, the Host will be equal to the first field in the MSG part. In order to ensure no part of the message is missing when written to the PI Point, the Syslog general MSG is the entire message after the TimeStamp.
Message Formatting
The PI points associated with the PI-Syslog Interface can be categorized as one of the above four types: PIX, General, User, and IOS. Each point category (Location2) treats the syslog message as described above. Messages that satisfy the filtering criteria in the point’s ExDesc attribute are written to the PI Point. The part of the syslog message sent to each point is determined by the PI Point’s Location3.
|Category (Location2) |Point Value |
|0 (PIX) |This type of point should only be used for syslog messages from Cisco PIX firewalls with the message format described in the previous section. If the packet satisfies the filtering rules in the PI Point’s Extended Descriptor, then the interface writes the following to this PI Point: |
| |Location3=0 The PI Point contains all the components of the syslog packet (Facility, Severity, TIMESTAMP, HOSTNAME and MSG) separated by the pipe character “|”. |
| |Location3=1 The PI Point contains only the MSG part of the syslog message. |
| |Location3=2 The PI Point contains the Facility. |
| |Location3=3 The PI Point contains the Severity. |
| |Location3=4 The PI Point contains the IP of the device that sends the syslog message. |
| |Location3=5 The PI Point contains the count of syslog messages satisfying the filtering rules in the ExDesc attribute. |
| |Location3=6 The PI Point contains the Rate of syslog messages satisfying the filtering rules in the ExDesc attribute. |
| |Location3=7 The PI Point contains the part of the syslog messages extracted by a user-defined Regular expression - Substitution pair. |
|1 |Retained for backward compatibility with the PI-PIX interface |
|2 |Retained for backward compatibility with the PI-PIX interface |
|3 |Retained for backward compatibility with the PI-PIX interface |
|4 (IOS) |This type of point should only be used for Cisco IOS syslog messages with the message format described in the previous section. If the packet satisfies the filtering rules in the PI Point’s Extended Descriptor, then the interface writes the following to the PI Point: |
| |Location3=0 The PI Point contains all the components of the syslog packet (Facility, Severity, TIMESTAMP, HOSTNAME and MSG) separated by the pipe character “|”. |
| |Location3=1 The PI Point contains only the MSG part of the syslog message. |
| |Location3=2 The PI Point contains the Facility number. |
| |Location3=3 The PI Point contains the Severity number. |
| |Location3=4 The PI Point contains the IP of the device that sends the syslog message. |
| |Location3=5 The PI Point contains the count of syslog messages satisfying the filtering rules in the ExDesc attribute. |
| |Location3=6 The PI Point contains the Rate of syslog messages satisfying the filtering rules in the ExDesc attribute. |
| |Location3=7 The PI Point contains the part of the syslog messages extracted by a user-defined Regular expression - Substitution pair. |
|5 (General) |This type of point can be used for syslog messages in any format that complies with the Syslog protocol. If the packet satisfies the filtering rules in the PI Point’s Extended Descriptor, then the interface writes the following to the PI Point: |
| |Location3=0 The PI Point contains all the components of the syslog packet (Facility, Severity, TIMESTAMP, HOSTNAME and MSG) separated by the pipe character “|”. |
| |Location3=1 The PI Point contains only the MSG part of the syslog message. |
| |Location3=2 The PI Point contains the Facility number. |
| |Location3=3 The PI Point contains the Severity number. |
| |Location3=4 The PI Point contains the IP of the device that sends the syslog message. |
| |Location3=5 The PI Point contains the count of syslog messages satisfying the filtering rules in the ExDesc attribute. |
| |Location3=6 The PI Point contains the Rate of syslog messages satisfying the filtering rules in the ExDesc attribute. |
| |Location3=7 The PI Point contains the part of the syslog messages extracted by a user-defined Regular expression - Substitution pair. |
Examples
The interface receives the following packets in the last 10 seconds from a PIX Firewall (IP address 162.98.12.1) that is configured to have the Facility as 20 and to display the timestamp and the device ID (OSIFirewall001) in all syslog packets:
Jul 16 2003 17:15:32 OSIFirewall001 : %PIX-4-400024 IDS: 2151 Large ICMP Traffic from 10.4.1.2 to 10.2.1.1 on interface dmz
Jul 16 2003 17:15:35 OSIFirewall001 : %PIX-3-106010: Deny inbound tcp src outside:201.123.2.10/6404 dst outside:210.164.1.1/32123
Jul 16 2003 17:15:35 named[29356]: [ID 295310 daemon.warning] owner name "gc._msdcs." IN (secondary) is invalid - proceeding anyway
Jul 16 2003 17:15:42 OSIFirewall001 : %PIX-4-400013 IDS: 2003 ICMP redirect from 108.14.8.1 to 128.1.5.11 on interface dmz
If the user creates PI points with the following configurations:
|PI Point Name |Category (Location2) |Output (Location3) |Filtering Rules (ExDesc) |
|Firewall_Attack_Log |PIX (0) |0 |Severity=4; 1_Filter=-400024 |
|Firewall_Warning_Count |PIX (0) |5 |Severity: 4; Counting interval: Location5=10 (seconds) |
|Severity4_Warning_Count |General (5) |5 |Severity: 4; Location5=10 (seconds) |
...then the values of these PI points written by the PI-Syslog interface are:
|PI Point Name |PI Point Value |
|Firewall_Attack_Log |20|4|Jul 16 2003 17:15:32|OSIFirewall001| %PIX-4-400024 IDS: 2151 Large ICMP Traffic from 10.4.1.2 to 10.2.1.1 on interface dmz |
|Firewall_Warning_Count |2 |
|Severity4_Warning_Count |3 |
For Firewall_Attack_Log, only the first packet satisfies the filtering rules. The components of this syslog packet are stored in a single string tag, separated by the pipe character (|), in the order listed below:
1. Facility
2. Severity
3. TIMESTAMP
4. HOSTNAME
5. MSG
If the PIX Firewall is not set to display the device ID, then this point would have the following value:
20|4|Jul 16 2003 17:15:32||%PIX-4-400024 IDS: 2151 Large ICMP Traffic from 10.4.1.2 to 10.2.1.1 on interface dmz
For Firewall_Warning_Count, the first, third, and fourth packets have Severity 4; however, only the first and fourth are of type PIX. Thus Firewall_Warning_Count is 2 and Severity4_Warning_Count is 3.
Points can also be configured so that the interface records other details of Syslog messages such as Facility, Severity, IP address of the message originator, and the MSG part of the PIX Firewall. Thus, for the previous example, the PI-Syslog Interface can write the respective values to the following PI points of PIX type:
Firewall_Attack_Log_Facility : 20
Firewall_Attack_Log_Severity : 4
Firewall_Attack_Log_Device : 162.98.12.1
Firewall_Attack_Log_Msg : %PIX-4-400024 IDS: 2151 Large ICMP Traffic from 10.4.1.2 to 10.2.1.1 on interface dmz
...assuming that they have the same filtering rules as Firewall_Attack_Log.
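The worked example above can be reproduced with a short parser. This is an added illustration in Python, not OSIsoft's code and not the interface's actual parsing logic. The `<164>`, `<163>` and `<28>` PRI prefixes on the sample packets are constructed (Facility 20 as stated above; daemon.warning assumed to be Facility 3, Severity 4), and modelling `1_Filter=-400024` as a substring match is an assumption.

```python
import re

MAX_LEN = 1024  # per the manual, longer packets are truncated before parsing

PRI_RE = re.compile(r"^<(\d{1,3})>")
# "Mmm dd hh:mm:ss" (RFC 3164), with the optional year seen in the PIX samples.
TS_RE = re.compile(r"^([A-Z][a-z]{2} [ \d]\d (?:\d{4} )?\d\d:\d\d:\d\d)\s*")
PIX_RE = re.compile(r"%PIX-(\d)-(\d{6})")


def decode_pri(pri):
    """Priority = Facility * 8 + Severity, so divmod recovers both."""
    return divmod(pri, 8)


def parse(packet):
    """Split one packet into the five components the manual lists."""
    rest = packet[:MAX_LEN]
    facility = severity = None
    m = PRI_RE.match(rest)
    if m:  # PRI is optional: a packet may consist of the MSG part only
        facility, severity = decode_pri(int(m.group(1)))
        rest = rest[m.end():]
    timestamp = ""
    m = TS_RE.match(rest)
    if m:
        timestamp, rest = m.group(1), rest[m.end():]
    pix = PIX_RE.search(rest)
    if pix:
        # PIX type: MSG starts at the percent sign; text before it is the device ID.
        host = rest[:pix.start()].strip(" :")
        msg = rest[pix.start():]
    else:
        # General type: MSG is everything after the timestamp, Host its first field.
        msg = rest
        host = rest.split(None, 1)[0] if rest.strip() else ""
    return {"facility": facility, "severity": severity, "timestamp": timestamp,
            "host": host, "msg": msg, "is_pix": pix is not None}


def location3_0(rec):
    """Location3=0 output: all components joined with the pipe character."""
    parts = (rec["facility"], rec["severity"], rec["timestamp"],
             rec["host"], rec["msg"])
    return "|".join("" if p is None else str(p) for p in parts)


def matches(rec, pix_only, severity, substring=None):
    """Point filter. `substring` models 1_Filter as a substring test (assumption)."""
    if pix_only and not rec["is_pix"]:
        return False
    if rec["severity"] != severity:
        return False
    return substring is None or substring in rec["msg"]


# Constructed input: the four packets from the manual with assumed PRI prefixes.
SAMPLE_PACKETS = [
    "<164>Jul 16 2003 17:15:32 OSIFirewall001 : %PIX-4-400024 IDS: 2151 "
    "Large ICMP Traffic from 10.4.1.2 to 10.2.1.1 on interface dmz",
    "<163>Jul 16 2003 17:15:35 OSIFirewall001 : %PIX-3-106010: Deny inbound "
    "tcp src outside:201.123.2.10/6404 dst outside:210.164.1.1/32123",
    '<28>Jul 16 2003 17:15:35 named[29356]: [ID 295310 daemon.warning] owner '
    'name "gc._msdcs." IN (secondary) is invalid - proceeding anyway',
    "<164>Jul 16 2003 17:15:42 OSIFirewall001 : %PIX-4-400013 IDS: 2003 "
    "ICMP redirect from 108.14.8.1 to 128.1.5.11 on interface dmz",
]


def evaluate(packets):
    """Compute the three example points over one counting interval."""
    recs = [parse(p) for p in packets]
    return {
        "Firewall_Attack_Log":
            [location3_0(r) for r in recs if matches(r, True, 4, "-400024")],
        "Firewall_Warning_Count": sum(matches(r, True, 4) for r in recs),
        "Severity4_Warning_Count": sum(matches(r, False, 4) for r in recs),
    }


if __name__ == "__main__":
    for name, value in evaluate(SAMPLE_PACKETS).items():
        print(name, "=", value)
```

Whitespace around the device ID is stripped here, so the Location3=0 string has no space after the fourth pipe character.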
Installation Checklist
For those users who are familiar with running PI data collection interface programs, this checklist helps you get the PI-Syslog Interface running. If you are not familiar with PI interfaces, you should return to this section after reading the rest of the manual in detail.
1. Install the PI-Interface Configuration Utility (which installs PI-SDK and PI-API)
2. Verify that PI-API has been installed.
3. Install the interface.
4. Choose a unique point source.
5. Configure PI points.
    Location1 is the interface instance.
    Location2 is the point category.
    Location3 is the output style.
    Location4 is zero for all points.
    Location5 defines the counting interval (seconds) for Count and Rate types of PI Points.
    ExDesc contains the filtering rules and Regular Expression matching and substitution rules.
    InstrumentTag is not used.
6. Configure I/O Rate tag.
7. Edit startup command file using the PI-ICU.
8. Set interface node clock.
9. Set up security.
10. Start the interface without buffering.
11. Verify data.
12. Stop interface, start buffering, start interface.
Interface Installation
OSIsoft recommends that interfaces be installed on PI Interface Nodes instead of directly on the PI Server node. A PI Interface Node is any node other than the PI Server node where the PI Application Programming Interface (PI-API) has been installed (see the PI-API Installation Instructions manual). With this approach, the PI Server need not compete with interfaces for the machine’s resources. The primary function of the PI Server is to archive data and to service clients that request data.
After the interface has been installed and tested, Bufserv should be enabled on the PI Interface Node (once again, see the PI-API Installation Instructions manual). Bufserv is distributed with the PI-API. It is a utility program that provides the capability to store and forward events to a PI Server, allowing continuous data collection when communication to the PI Server is lost. Communication will be lost when there are network problems or when the PI Server is shut down for maintenance, upgrades, backups, or unexpected failures.
In most cases, interfaces on PI Interface Nodes should be installed as automatic services. Services keep running after the user logs off. Automatic services automatically restart when the computer is restarted, which is useful in the event of a power failure.
The guidelines are different if an interface is installed on the PI Server node. In this case, the typical procedure is to install the PI Server as an automatic service and interfaces as manual services that are launched by site-specific command files when the PI Server is started. Interfaces that are started as manual services are also stopped in conjunction with the PI Server by site-specific command files. Bufserv can be enabled on the PI Server node so that interfaces on the PI Server node do not need to be started and stopped in conjunction with PI, but it is not standard practice to enable buffering on the PI Server node. See the UniInt End User Document for special procedural information.
Naming Conventions and Requirements
In the installation procedure below, it is assumed that the name of the interface executable is PIsyslog.exe and that the startup command file is called PIsyslog.bat.
It is customary for the user to rename the executable and the startup command file when multiple copies of the interface are run. For example, one would typically use PIsyslog1.exe and PIsyslog1.bat for interface number 1, PIsyslog2.exe and PIsyslog2.bat for interface number 2 and so on. When an interface is run as a service, the executable and the command file must have the same root name because the service looks for its command-line arguments in a file that has the same root name.
Interface Directories
The PIHOME Directory Tree
The PIHOME directory tree is defined by the PIHOME entry in the pipc.ini configuration file. This pipc.ini file is an ASCII text file, which is located in the WinNT directory. A typical pipc.ini file contains the following lines:
[PIPC]
PIHOME=c:\pipc
The above lines define the \pipc directory as the root of the PIHOME directory tree on the C: drive. OSIsoft recommends using \pipc as the root directory name. The PIHOME directory does not need to be on the C: drive.
Interface Installation Directory
Place all copies of the interface into a single directory. The suggested directory is:
PIHOME\interfaces\PISyslog\
Replace PIHOME with the corresponding entry in the pipc.ini file.
Interface Installation Procedure
The PI-Syslog interface setup program uses the services of the Microsoft Windows Installer. Windows Installer is a standard part of Windows 2000. When running on Windows NT 4.0 systems, the PI-Syslog setup program will install the Windows Installer itself if necessary. To install, run the PI_syslog_x.x.x.x.exe installation kit.
Installing the Interface as an NT Service
The PI-Syslog interface service can be created with the PI-Interface Configuration & Management Utility, or can be created manually.
Installing the Interface Service with PI-Interface Configuration Utility
The PI-Interface Configuration & Management Utility provides a user interface for creating, editing, and deleting the interface service:
[pic]
Service Configuration
Service name
The Service to Add box shows the name of the current interface service. This service name is obtained from the interface executable.
Display name
The Display Name text box shows the current Display Name of the interface service. If there is currently no service for the selected interface, the default Display Name is the service name with a “PI-” prefix. Users may specify a different Display Name. OSIsoft suggests that the prefix “PI-” be added to the beginning of the interface name to indicate that the service is part of the OSI suite of products.
Startup Type
The Startup Type indicates whether the interface service will start automatically or need to be started manually on reboot.
• If the Auto option is selected, the service will be installed to start automatically when the machine reboots.
• If the Manual option is selected, the interface service will not start on reboot, but will require someone to manually start the service.
• If the Disabled option is selected, the service will not start at all.
Generally, interface services are set to start automatically.
Dependencies
The Installed services list is a list of the services currently installed on this machine. Services upon which this Interface is dependent should be moved into the Dependencies list using the [pic] button. For example, if API Buffering is running, then “bufserv” should be selected from the list at the right and added to the list on the left.
To remove a service from the list of dependencies, use the [pic] button, and the service name will be removed from the “Dependencies” list.
When the PI Interface is started (as a service), the services listed in the dependency list will be verified as running (or an attempt will be made to start them). If the dependent service(s) cannot be started for any reason, then the PI interface service will not run.
Note: Please see the PI Log and Operating System Event Logger for messages that may indicate the cause for any server not running as expected.
[pic] - Add button
To add a dependency from the list of Installed services, select the dependency name, and click the Add button.
[pic] - Remove button
To remove a selected dependency, highlight the service name in the Dependencies list, and click the Remove button.
The full name of the service selected in the Installed services list is displayed below the Installed services list box.
Create
The Create button adds the displayed service with the specified Dependencies and with the specified Startup Type.
Remove
The Remove button removes the displayed service. If the service is not currently installed, or if the service is currently running, this button will be grayed out.
Start or Stop Service
To Start or Stop an interface service, use the Start button [pic] and the Stop button [pic] on the ICU toolbar. If this interface service is not currently installed, these buttons will remain grayed out until the service is added. If this interface service is running, the Stop button is available. If this service is not running, the Start button is available.
The status of the Interface service is indicated in the lower portion of the PI-ICU dialog.
[pic]
Installing the Interface Service Manually
One can get help for installing the interface as a service at any time with the command:
PI_syslog.exe -help
Change to the directory where the PIsyslog1.exe executable is located. Then, consult the following table to determine the appropriate service installation command.
|NT Service Installation Commands on a PI Interface Node or a PI Server node with Bufserv implemented |
|Manual service |PIsyslog.exe -install -depend "tcpip bufserv" |
|Automatic service |PIsyslog.exe -install -auto -depend "tcpip bufserv" |
|NT Service Installation Commands on a PI Interface Node or a PI Server node without Bufserv implemented |
|Manual service |PIsyslog.exe -install -depend tcpip |
|Automatic service |PIsyslog.exe -install -auto -depend tcpip |
When the interface is installed as a service on the PI Server node and when Bufserv is not implemented, a dependency on the PI network manager is not necessary because the interface will repeatedly attempt to connect to the PI Server until it is successful.
Note: Interfaces are typically not installed as automatic services when the interface is installed on the PI Server node.
Check the Microsoft Windows NT services control panel to verify that the service was added successfully. One can use the services control panel at any time to change the interface from an automatic service to a manual service or vice versa.
PointSource
The PointSource is a single, unique character that is used to identify the PI point as a point that belongs to a particular interface. For example, one may choose the letter S to identify points that belong to the PI-Syslog interface. To implement this, one would set the PointSource attribute to S for every PI Point that is configured for the PI-Syslog interface. Then, if one uses /ps=S on the startup-command line of the PI-Syslog interface, the PI-Syslog interface will search the PI Point Database upon startup for every PI point that is configured with a PointSource of S. Before an interface loads a point, the interface usually performs further checks by examining additional PI point attributes to determine whether a particular point is valid for the interface. For additional information, see the /ps and /ID argument.
Case-sensitivity for PointSource Attributes
If the interface is running on a PINet node and the Server node is a PI 3 system, use a capital letter (or a case-insensitive character such as a number, a question mark, etc.) for the PointSource attribute when defining points. For all other scenarios, one does not need to be careful with the case of the PointSource.
In all cases, the point source character that is supplied with the /ps command-line argument is not case sensitive. That is, /ps=S and /ps=s are equivalent. One only needs to be careful with the case of the PointSource during point definition, and only if the interface will be running on a PINet node communicating to a PI 3 Server.
PI 3 Server Nodes
No point source table exists on a PI 3 Server, which means that points can be immediately created on PI 3 with any point source character. Several subsystems and applications that ship with PI 3 are associated with default point source characters. The Totalizer Subsystem uses the point source character T, the Alarm Subsystem uses G and @, Random uses R, RampSoak uses 9, and the Performance Equations Subsystem uses C. You can either not use these point source characters or change the default point source characters for these applications. Also, if one does not specify a point source character when creating a PI point, the point is assigned a default point source character of L. Therefore, it would be confusing to use L as the point source character for an interface.
PI Point Configuration
The PI point is the basic building block for controlling data flow to and from the PI Server. A single point is configured for each measurement value that needs to be archived. Use the point attributes below to define what data to transfer.
Point Attributes
Tag
A tag is a label or name for a point. Any tag name can be used in accordance to the normal PI point naming conventions.
PointSource
The PointSource is a single, unique character that is used to identify the PI point as a point that belongs to a particular interface. For additional information, see the /ps command-line argument and the “Point Source” section.
PointType
Typically, device point types do not need to correspond to PI point types. For example, integer values from a device can be sent to floating point or digital PI tags. Similarly, a floating-point value from the device can be sent to integer or digital PI tags, although the values will be truncated.
Specifically for this interface, create float or integer PI points for storing Count, Rate, Facility and Severity values. String PI points are suitable for all other output values; however, Location3=7 points whose returned string is guaranteed to represent a number can be created as a float, integer or digital type.
Location1
Location1 indicates to which copy of the interface the point belongs.
Location2
Location2 is used to specify the category of the PI points. The meanings of the Location2 codes are:
|Location2 |PI Point Category |Description |
|0 |PIX |This type of point should be only used for syslog messages from Cisco PIX |
| | |firewalls with the MSG format described in the previous section. |
| | |Normally the complete syslog packet is recorded to a single PI point with the|
| | |components of the syslog packet (Facility, Severity, TIMESTAMP, HOSTNAME and |
| | |MSG) separated by the pipe character “|” if the packet qualifies the |
| | |filtering rules specified by PI point attribute ExDesc. It can also be |
| | |configured to record other details of the syslog packets such as Facility, |
| | |Severity and IP address of the PIX Firewall, and the MSG part |
| | |(%PIX-Level-Message_number: Message_text) to a PI point. |
|1-3 | |Retained for backward compatibility with the PI-PIX interface (see Appendix |
| | |B). |
|4 |IOS |This type of point should be only used for Cisco IOS syslog messages with the|
| | |MSG format described in the previous section. |
| | |Normally the complete syslog packet is recorded to a single PI point with the|
| | |components of the syslog packet (Facility, Severity, TIMESTAMP, HOSTNAME and |
| | |MSG) separated by the pipe character “|” if the packet qualifies the |
| | |filtering rules specified by PI point attribute ExDesc. It can also be |
| | |configured to record other details of the syslog packets such as Facility, |
| | |Severity and IP address of the PIX Firewall, and the MSG part |
| | |(%PIX-Level-Message_number: Message_text) to a PI point. |
|5 |General |This type of point should be used for other, non-Cisco syslog messages. |
| | |Normally the complete syslog packet is recorded to a single PI point with the|
| | |components of the syslog packet (Facility, Severity, TIMESTAMP, HOSTNAME and |
| | |MSG) separated by the pipe character “|” if the packet qualifies the |
| | |filtering rules specified by PI point attribute ExDesc. It can also be |
| | |configured to record other details of the syslog packets such as Facility, |
| | |Severity and IP address of the PIX Firewall, and the MSG part |
| | |(%PIX-Level-Message_number: Message_text) to a PI point. |
Location3
Location3 is used to determine what is written to the PI server if the received syslog packet satisfies the filtering rule specified by the PI point attribute ExDesc.
|Location3 |Description |
|0 |The complete syslog packet with the components (Facility, Severity, TIMESTAMP, HOSTNAME and MSG) |
| |separated by |. |
|1 |The MSG part (%PIX-Level-Message_number: Message_text) contained in the syslog packet is recorded |
| |to the PI tag. |
|2 |The Facility number of the syslog message is written to the PI tag. |
|3 |The Severity number is recorded. |
|4 |The IP address of the device from which the interface receives the syslog packets is stored. |
|5 |Count - The number of the syslog messages satisfying the filtering criteria specified by ExDesc is|
| |counted over a user-defined interval and is stored as the point value into the PI server. |
|6 |Rate - The rate of the syslog messages satisfying the filtering criteria specified by ExDesc is |
| |calculated over a user-defined interval and is stored to a PI point |
|7 |User - The PI Point contains the part of the syslog messages extracted by a user defined Regular |
| |expression - Substitution pair (see ExDesc) |
Location4
Location4 is not used for this interface. Set this to zero.
Location5
The data collection of the PI-Syslog Interface is unsolicited. This means that the interface collects data upon receiving syslog packets on the syslog port.
Location5 should be set to zero for all PI points associated with the PI-Syslog interface, except for the Count and Rate types of points. For Count and Rate points, Location5 specifies the interval in seconds over which the number of packets qualifying the filtering criteria defined in the ExDesc is counted. At the end of this period the Count or Rate is written to PI.
InstrumentTag
InstrumentTag is not currently used for the PI-Syslog interface.
ExDesc
This is the extended descriptor attribute. The PI-Syslog interface uses ExDesc to define the filtering criteria and rules that determine if a syslog message belongs to this tag. That is, the interface checks the filtering criteria against the syslog message, treating the syslog message as if it were the type defined in Location2. Filter keywords should be separated by a semicolon “;”.
The syslog message must match every filter criterion for it to be input to PI. That is, the filter fields are combined with a logical AND.
As described in the “Principles of Operation” section, a syslog packet can be filtered using the following keywords.
Standard Filtering Expressions
• Facility= specifies Facility contained in the PRI part of the syslog packet. The Facility can be an integer or a range of integers.
• FacilityName= specifies the facility name in the %Facility-Level-mnemonic part of an IOS message (not case sensitive, IOS only).
• Severity= specifies Severity contained in the PRI.
• Level= specifies Level (Severity) contained in the %Facility-Level-mnemonic part of an IOS message (PIX and IOS only).
• Host= specifies the HOSTNAME contained in the header part of a syslog packet (not case insensitive).
• Device= specifies the IP address of the device that sends the syslog messages.
n_Filter
In addition to the above standard filtering expressions, the interface is able to filter the syslog message using one or more Regular Expressions (RegExp) via the n_Filter keyword. Thus, if a syslog packet contains the contents specified by every n_Filter, the packet satisfies the filtering rule.
In the keyword n_Filter, the n is a number that corresponds to the particular rule number and must increase continuously. If a PI point has filtering rules specified as:
1_Filter=…; 2_Filter=…; 4_Filter=…;
The filtering rules defined by 1_Filter and 2_Filter are considered, but the filtering rule in 4_Filter is ignored because 3_Filter is missing.
RegExp and Sub
User type tags (Location3=7) have the additional ExDesc filters, RegExp and Sub. RegExp defines the searching pattern to be found in the syslog packets and Sub specifies what to extract out of the packets from within the string defined by RegExp. Sub must come with RegExp as a pair. If no Sub is defined, whatever matches the searching pattern defined in RegExp is returned and written to the corresponding PI point. If an empty string is returned from the RegExp-Sub pair, then an empty string is written to PI.
Regular Expressions are used for n_Filter and for the RegExp-Sub pair, so their specifications must follow Regular Expression syntax. For details about how to configure RegExp and Sub, refer to the Regular Expression Tutorial document.
If any of these filtering and extracting keywords are omitted, the specification is the same as “any.”
Note that for a PI 3 Server, the extended descriptor is limited to 1024 characters.
Point-level Debug
Point-level debugging can be enabled by including the string /db in the ExDesc attribute.
Example 1 – Cisco PIX Firewall
If the PI-Syslog interface is to record the syslog packets from a Cisco PIX firewall that meets the following filtering criteria:
Facility: 20
Severity: 4
Host: Corporate-Firewall
Device: 128.10.22.111
...and the message part includes the substring “IDS” and a message number of “400013”
Then the ExDesc should be specified as:
Facility=20; Severity=4; Host=Corporate-Firewall; Device=128.10.22.111; 1_Filter=IDS; 2_Filter=400013;
Also
Location2=0 (PIX)
Location3=0 (complete syslog packet)
PointType=string
Example 2 -- MotherBoard Monitor
A device sends CPU temperature information in the following packet:
Feb 20 15:04:37 PC112 MBM[CPU Temp]: C=46 LA=5 HA=70 L=1 H=49 A=47
If the interface is to record the temperature (46 in this case) for any messages from host PC112 about CPU Temp, the ExDesc should be specified as:
Host=PC112; 1_Filter=MBM\[CPU Temp\]; RegExp=C=(\d+); Sub=$1
Also
Location2=5 (General)
Location3=7 (User)
PointType=float32
Note: In regular expression syntax the “[“ and “]” characters have special meanings. We need to “escape” these special characters with the “\” (see the Regular Expressions Tutorial or other documentation for a list of reserved characters and other tips for using Regular Expressions). Also note that as the string returned from the syslog message is guaranteed to be a number, we can make this tag a real or integer PointType.
Example 3 – Number of Syslog Packets Each Minute
If the interface is to record the number of syslog packets each minute from any devices that meet the following filter criteria:
Facility: 16, 18, 20-22
Severity: 0-3, 5, 7
Then the ExDesc should be:
Facility=16,18,20-22; Severity=0-3,5,7;
Also
Location2=5(Generic)
Location3=5(count)
Location5=60
Example 4 – Record All Syslog Messages
To record all syslog messages to a single PI point, which is useful when initially configuring tags in the interface, use:
ExDesc=
Location2=5(Generic)
Location3=7(User)
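The ExDesc rules described above (logical AND of all keywords, integer lists and ranges, contiguous n_Filter numbering, RegExp-Sub extraction) can be modelled in a few functions to check a filter against a captured packet before configuring the point. This is an added illustration, not the interface's own code: it assumes Python's regular expression dialect, exact comparison for Host and Device, case-insensitive keyword names and constructed sample packets, and it leaves out FacilityName and Level.

```python
import re

# <PRI>TIMESTAMP HOSTNAME MSG, the packet layout the ExDesc keywords refer to.
PACKET_RE = re.compile(r"^<(\d{1,3})>(\w{3} [ \d]\d \d\d:\d\d:\d\d) (\S+) (.*)$", re.S)

# Constructed sample packets (PRI 164 = 20*8+4, PRI 134 = 16*8+6).
PIX_PACKET = "<164>Feb 20 15:04:37 Corporate-Firewall %PIX-4-400013: IDS constructed message text"
MBM_PACKET = "<134>Feb 20 15:04:37 PC112 MBM[CPU Temp]: C=46 LA=5 HA=70 L=1 H=49 A=47"

# ExDesc strings of Examples 1-3; Example 2 has no spaces inside the escaped
# brackets so that the pattern matches the literal text of the packet.
EX1 = ("Facility=20; Severity=4; Host=Corporate-Firewall; "
       "Device=128.10.22.111; 1_Filter=IDS; 2_Filter=400013;")
EX2 = r"Host=PC112; 1_Filter=MBM\[CPU Temp\]; RegExp=C=(\d+); Sub=$1"
EX3 = "Facility=16,18,20-22; Severity=0-3,5,7;"


def parse_packet(raw, device_ip):
    """Split a syslog packet into the fields the filters test; None if malformed."""
    m = PACKET_RE.match(raw)
    if not m:
        return None
    pri = int(m.group(1))  # PRI = Facility * 8 + Severity
    return {"facility": pri // 8, "severity": pri % 8, "host": m.group(3),
            "msg": m.group(4), "device": device_ip, "raw": raw}


def parse_exdesc(exdesc):
    """Return (fields, filters): keyword map and the n_Filter patterns that count."""
    fields, numbered = {}, {}
    for part in exdesc.split(";"):
        if "=" not in part:
            continue  # empty pieces and bare flags such as /db
        key, value = part.split("=", 1)  # the value itself may contain '='
        key, value = key.strip().lower(), value.strip()
        m = re.fullmatch(r"(\d+)_filter", key)
        if m:
            numbered[int(m.group(1))] = value
        else:
            fields[key] = value
    filters, n = [], 1
    while n in numbered:  # 1_Filter, 2_Filter, ...: stop at the first gap
        filters.append(numbered[n])
        n += 1
    return fields, filters


def int_set(spec):
    """Expand '16,18,20-22' into {16, 18, 20, 21, 22}."""
    out = set()
    for item in spec.split(","):
        lo, _, hi = item.partition("-")
        out.update(range(int(lo), int(hi or lo) + 1))
    return out


def matches(exdesc, pkt):
    """True when the packet satisfies every keyword present (omitted = any)."""
    fields, filters = parse_exdesc(exdesc)
    if "facility" in fields and pkt["facility"] not in int_set(fields["facility"]):
        return False
    if "severity" in fields and pkt["severity"] not in int_set(fields["severity"]):
        return False
    if "host" in fields and pkt["host"] != fields["host"]:
        return False
    if "device" in fields and pkt["device"] != fields["device"]:
        return False
    return all(re.search(pattern, pkt["raw"]) for pattern in filters)


def extract(exdesc, pkt):
    """Value for a User (Location3=7) point: RegExp match reduced by Sub."""
    fields, _ = parse_exdesc(exdesc)
    if "regexp" not in fields:
        return pkt["msg"]  # assumption: no RegExp means the MSG part as is
    m = re.search(fields["regexp"], pkt["raw"])
    if not m:
        return ""  # assumption: no match yields the empty string
    if "sub" not in fields:
        return m.group(0)  # no Sub: whatever matched the pattern
    return re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))) or "", fields["sub"])


if __name__ == "__main__":
    pkt = parse_packet(MBM_PACKET, "192.0.2.10")
    print(matches(EX2, pkt), extract(EX2, pkt))
```

Splitting on “;” means a pattern that itself contains a semicolon cannot be expressed in this model.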
Scan
By default, the Scan attribute has a value of 1, which means that scanning is turned on for the point. Setting the scan attribute to 0 turns scanning off. If the scan attribute is 0 when the interface starts, SCAN OFF will be written to the PI point. If the scan attribute is changed from 1 to 0 while the interface is running, SCAN OFF will also be written to the PI point after the point edit is detected by the interface.
There is one other situation, which is independent of the Scan attribute, where UniInt will write SCAN OFF to a PI point. If a point that is currently loaded by the interface is edited so that the point is no longer valid for the interface, the point will be removed from the interface, and SCAN OFF will be written to the point. For example, if the PointSource of a PI point that is currently loaded by the interface is changed, the point will be removed from the interface and SCAN OFF will be written to the point.
Shutdown
The shutdown attribute is used only if the server node is a PI 3 system.
The Shutdown attribute is 1 (true) by default. The default behavior of the PI Shutdown subsystem is to write the SHUTDOWN digital state to all PI points when PI is started. The timestamp that is used for the SHUTDOWN events is retrieved from a file that is updated by the Snapshot Subsystem. The timestamp is usually updated every 15 minutes, which means that the timestamp for the SHUTDOWN events will be accurate to within 15 minutes in the event of a power failure. For additional information on shutdown events, refer to PI Server manuals.
Note: The SHUTDOWN events that are written by the PI Shutdown subsystem are independent of the SHUTDOWN events that are written by the interface when the /stopstat=Shutdown command-line argument is specified.
One can disable SHUTDOWN events from being written to PI when PI is restarted by setting the Shutdown attribute to 0 for each point. Alternatively, one can change the default behavior of the PI Shutdown Subsystem to write SHUTDOWN events only for PI points that have their Shutdown attribute set to 0. To change the default behavior, edit the \PI\dat\Shutdown.dat file, as discussed in PI Server manuals.
Bufserv
It is undesirable to write shutdown events when Bufserv is being used. Bufserv is a utility program that provides the capability to store and forward events to a PI Server, allowing continuous data collection when the Server is down for maintenance, upgrades, backups, and unexpected failures. That is, when PI is shut down, Bufserv will continue to collect data for the interface, making it undesirable to write SHUTDOWN events to the PI points for this interface.
I/O Rate Tag Configuration
An I/O Rate point can be configured to receive 10-minute averages of the total number of exceptions per minute that are sent to PI by the interface. An exception is a value that has passed the exception specifications for a given PI point. Since 10-minute averages are taken, the first average is not written to PI until 10 minutes after the interface has started. One I/O Rate tag can be configured for each copy of the interface that is in use.
Monitoring I/O Rates on the Interface Node
For NT and UNIX nodes, the 10-minute rate averages (in events/minute) can be monitored with a client application such as ProcessBook.
Configuring I/O Rate Tags with PI-ICU (NT-Intel)
The PI-Interface Configuration & Management Utility (PI-ICU) provides a user interface for creating and managing IORates Tags.
PI-ICU currently allows for one I/O Rate tag to be configured for each copy of the interface that is in use. Some interfaces allow for multiple I/O Rates tags.
Enable IORates for this Interface
The Enable IORates for this interface check box enables or disables IORates for the current interface. To disable IORates for the selected interface, uncheck this box. To enable IORates for the selected interface, check this box.
Tag Status
The Tag Status column indicates whether the IORates tag exists in PI. The possible states are:
• Created – This status indicates that the tag exists in PI
• Not Created – This status indicates that the tag does not yet exist in PI
• Deleted – This status indicates that the tag has just been deleted
• Unknown – This status indicates that the ICU is not able to access the PI Server
In File
The In File column indicates whether the IORates tag listed in the tag name and the event counter is in the IORates.dat file. The possible states are:
• Yes – This status indicates that the tag name and event counter are in the IORates.dat file
• No – This status indicates that the tag name and event counter are not in the IORates.dat file
Event Counter
The Event Counter correlates a tag specified in the iorates.dat file with this copy of the interface. The command line equivalent is /ec=x, where x is the same number that is assigned to a tag name in the iorates.dat file.
Tagname
The tag name listed under the Tagname column is the name of the IORates tag.
Snapshot
The Snapshot column holds the snapshot value of the IORates tag, if the IORates tag exists in PI. The Snapshot column is updated when the IORates/Status Tags tab is clicked, and when the interface is first loaded.
Right Mouse Button Menu Options
Create
Create the suggested IORates tag with the tag name indicated in the Tagname column.
Delete
Delete the IORates tag listed in the Tagname column.
Rename
Allows the user to specify a new name for the IORates tag listed in the Tagname column.
Add to File
Adds the tag to the IORates.dat file with the event counter listed in the Event Counter Column.
Search
Allows the user to search the PI Server for a previously defined IORates tag.
Configuring I/O Rate Tags Manually
There are two configuration steps:
Configuring the PI Point on the PI Server
Create an I/O Rate Tag with the following point attribute values.
|Attribute |Value |
|PointSource |L |
|PointType |float32 |
|Compressing |0 |
|ExcDev |0 |
Configuration on the Interface Node
For the following examples, assume that the name of the PI tag is syslog001, and that the name of the I/O Rate on the home node is sy_io_syslog001.
1. Edit/Create a file called iorates.dat in the PIHOME\dat directory. The PIHOME directory is defined either by the PIPCSHARE entry or the PIHOME entry in the pipc.ini file, which is located in the \WinNT directory. If both are specified, the PIPCSHARE entry takes precedence.
Since the PIHOME directory is typically C:\PIPC, the full name of the iorates.dat file will typically be C:\PIPC\dat\iorates.dat.
Add a line in the iorates.dat file of the form:
sy_io_syslog001, x
where sy_io_syslog001 is the name of the I/O Rate Tag and x corresponds to the first instance of the /ec=x flag in the startup command file. The value of x can be any number between 2 and 34 or between 51 and 200, inclusive. To specify additional rate counters for additional copies of the interface, create additional I/O Rate tags and additional entries in the iorates.dat file. The event counter, /ec=x, should be unique for each copy of the interface.
2. Set the /ec=x flag on the startup command file of the interface to match the event counter in the iorates.dat file.
The interface must be stopped and restarted in order for the I/O Rate tag to take effect. I/O Rates will not be written to the tag until 10 minutes after the interface is started.
Startup Command File
Command-line arguments can begin with a / or with a -. For example, the /ps=M and -ps=M command-line arguments are equivalent.
For NT, command file names have a .bat extension. The NT continuation character (^) allows one to use multiple lines for the startup command. The maximum length of each line is 1024 characters (1 kilobyte). The number of flags is unlimited, and the maximum length of each flag is 1024 characters.
The PI-Interface Configuration & Management Utility (PI-ICU) provides a tool specifically for configuring this Interface startup command file.
The PI-Syslog control for PI-ICU has 5 sections. A yellow text box indicates that an invalid value has been entered, or that a required value has not been entered.
Communication
The Interface listens on one UDP port. This port can be set here.
Time
Values can be sent to PI with timestamps either rounded to the nearest second or with sub-second precision.
Debug
Debug messages are written to the PIPC.log file with each new message the interface receives. Use this only when debugging as large log files can result.
System digital state
The interface is capable of writing a digital state to all points at startup. This is useful to differentiate times when the interface is stopped from times when no messages are received from a device.
Additional arguments
Other command line arguments can be added here.
Command-line Parameters
|Parameter |Description |
|/port= |The parameter specifies the UDP port number on which the interface listens for syslog |
|Optional |messages from the devices. If not specified, the default syslog port 514 is used. Of |
| |course, this number must match the one specified as the destination port in the |
| |configuration of logging host for the devices. |
|/db |If /db is present in the command line, the interface is enabled to log the debugging |
|Optional |messages. Note that this option allows the interface to print general debugging messages|
| |about the interface running and is not related with the UserInt1 point attribute that |
| |enables logging the debugging messages for each individual PI point. |
|/sst |By default the timestamp of values written to PI are rounded to the nearest second. If |
|Optional |/sst is present, values are sent with sub-second precision. |
|/sds="State" |Write this system digital state to all interface Points at interface startup. This is |
|Optional, strongly recommended|very useful because it may be a long time after startup before any message is detected. |
|/ps=x |The /ps flag specifies the point source for the interface. X is not case sensitive and |
|Required |can be any single character. For example, /ps=P and /ps=p are equivalent. |
| |The point source that is assigned with the /ps flag corresponds to the PointSource |
| |attribute of individual PI Points. The interface will only attempt to load those PI |
| |points with the appropriate point source. |
|/id=x |The /id flag is used to specify the interface identifier. |
|Required |The interface identifier is a string that is no longer than 9 characters in length. |
| |UniInt concatenates this string to the header that is used to identify error messages as |
| |belonging to a particular interface. See the section called “Error and Informational |
| |Messages” for more information, page 49. |
| |UniInt always uses the /id flag in the fashion described above. This interface also uses |
| |the /id flag to identify a particular interface copy number that corresponds to an |
| |integer value that is assigned to Location1. For this interface, one should use only |
| |numeric characters in the identifier. For example, |
| |/id=1 |
|/host=host:port |The /host flag is used to specify the PI Home node. Host is the IP address of the PI |
|Optional |Server node or the domain name of the PI Server node. Port is the port number for TCP/IP|
| |communication. The port is always 5450 for a PI 3 Server and 545 for a PI 2 Server. It is|
| |recommended to explicitly define the host and port on the command line with the /host |
| |flag. Nevertheless, if either the host or port is not specified, the interface will |
| |attempt to use defaults. |
| |Defaults: |
| |The default port name and server name is specified in the pilogin.ini or piclient.ini |
| |file. The piclient.ini file is ignored if a pilogin.ini file is found. Refer to the |
| |PI-API Installation Instructions manual for more information on the piclient.ini and |
| |pilogin.ini files. |
| |Examples: |
| |The interface is running on a PI Interface Node, the domain name of the PI 3 home node is|
| |Marvin, and the IP address of Marvin is 206.79.198.30. Valid /host flags would be: |
| |/host=marvin |
| |/host=marvin:5450 |
| |/host=206.79.198.30 |
| |/host=206.79.198.30:5450 |
|/stopstat |If the /stopstat flag is present on the startup command line, then the digital state Intf|
|or |shut will be written to each PI Point when the interface is stopped. |
|/stopstat= |If /stopstat=digstate is present on the command line, then the digital state, digstate, |
|digstate |will be written to each PI Point when the interface is stopped. For a PI 3 Server, |
|Default: |digstate must be in the system digital state table. For a PI 2 Server, where there is |
|/stopstat= |only one digital state table available, digstate must simply be somewhere in the table. |
|"Intf shut" |UniInt uses the first occurrence in the table. |
|Optional |If neither /stopstat nor /stopstat=digstate is specified on the command line, then no |
| |digital states will be written when the interface is shut down. |
| |Examples: |
| |/stopstat="Intf shut" |
| |The entire parameter is enclosed within double quotes when there is a space in digstate. |
|/ec=x |The first instance of the /ec flag on the command line is used to specify a counter |
|Optional |number, x, for an I/O Rate point. If x is not specified, then the default event counter |
| |is 1. Also, if the /ec flag is not specified at all, there is still a default event |
| |counter of 1 associated with the interface. If there is an I/O Rate point that is |
| |associated with an event counter of 1, each copy of the interface that is running without|
| |/ec=x explicitly defined will write to the same I/O Rate point. This means that one |
| |should either explicitly define an event counter other than 1 for each copy of the |
| |interface or one should not associate any I/O Rate points with event counter 1. |
| |Configuration of I/O Rate points is discussed in the section called “I/O Rate Tag |
| |Configuration,” p. 31. |
|/q |When the /q flag is present, Snapshots and exceptions are queued before they are sent to |
|Optional |the PI Server node. |
| |The maximum queue size is close to 4000 bytes. The queue is flushed between scans if it |
| |is not filled. |
|/stsp |The /stsp parameter tells the interface to show all truncated Syslog packets. If this |
|Optional |parameter is omitted, the interface shows only the first 5 truncated Syslog messages for |
| |each device. |
| |See Appendix A: Error and Informational Messages for more information on truncated syslog|
| |packets. |
Sample PI_Syslog.bat File
The following is an example file:
rem Sample startup command file for the PI-Syslog Interface
rem
rem required parameters are
rem /ps (point source character)
rem /id (interface identification number)
rem
rem recommended parameters are
rem /host=:port# (name of PI Universal Data Server and port number)
rem /stopstat="Intf Shut" (write Intf Shut to points when Interface shuts down)
rem
rem optional parameters are
rem /ec (reference to I/O Rate point)
rem /db (enable printing the debugging messages)
rem /stsp (enable showing all the truncated syslog packets)
rem /sds="Scan On" (write Scan On to tags at startup)
rem
.\pi_syslog.exe /ps=f /id=1 /host=pimachine:5450 /stopstat="Intf Shut" /db /sds="Scan On"
The above command line tells the Interface to:
• service PI points whose PointSource is f and Location1 is 1,
• send values to the PI 3 Server named pimachine,
• write Intf Shut to its list of points upon exit,
• write Scan On to all points at interface startup,
• by default, listen for Syslog messages on UDP port 514,
• print the interface debugging messages.
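The rules in “Configuring I/O Rate Tags Manually” and in the command-line parameter table can be checked before a service is started, for example when several copies of the interface share one node. The following is an added example, not part of the interface or PI-ICU; the function names are hypothetical and the iorates.dat contents and command lines are constructed samples.

```python
import re

# A flag starts with / or - after whitespace; its value may be double-quoted.
FLAG_RE = re.compile(r'(?<=\s)[/-](\w+)(?:=("[^"]*"|\S*))?')
# Curly quotes and en/em dashes, as left behind by pasting from formatted text.
TYPOGRAPHIC = re.compile("[\u201c\u201d\u2013\u2014]")

# Constructed iorates.dat: "tagname, event counter" per line.
IORATES_DAT = "sy_io_syslog001, 2\nsy_io_syslog002, 1\n"

# Constructed startup commands for three copies of the interface.
COPIES = [
    r'.\pi_syslog.exe /ps=f /id=1 /host=pimachine:5450 /stopstat="Intf Shut" /ec=2',
    r'.\pi_syslog.exe /ps=f /id=2 /host=pimachine:5450 /ec=2',
    'pi_syslog.exe /ps=fs /id=syslog3 /sds=\u201cScan On\u201d',
]


def parse_flags(cmdline):
    """Map lower-cased flag name -> value ('' when the flag carries no value)."""
    flags = {}
    for name, value in FLAG_RE.findall(cmdline):
        flags.setdefault(name.lower(), value.strip('"'))  # first instance wins
    return flags


def parse_iorates(text):
    """Map event counter -> I/O Rate tag name."""
    counters = {}
    for line in text.splitlines():
        tag, sep, num = line.partition(",")
        if sep and num.strip().isdigit():
            counters[int(num)] = tag.strip()
    return counters


def lint(cmdlines, iorates_text):
    """Return (copy_number, problem) pairs for a set of startup command lines."""
    counters, used, problems = parse_iorates(iorates_text), {}, []
    for n, cmd in enumerate(cmdlines, 1):
        flags = parse_flags(cmd)
        if TYPOGRAPHIC.search(cmd):
            problems.append((n, "typographic quote or dash in command line"))
        if len(flags.get("ps", "")) != 1:
            problems.append((n, "/ps is required and must be one character"))
        ident = flags.get("id", "")
        if not ident.isdigit() or len(ident) > 9:
            problems.append((n, "/id is required: digits only, at most 9"))
        ec_text = flags.get("ec", "")
        ec = int(ec_text) if ec_text.isdigit() else 1  # default event counter
        if ec in counters:  # an I/O Rate tag is tied to this counter
            if not (2 <= ec <= 34 or 51 <= ec <= 200):
                problems.append((n, f"event counter {ec} outside 2-34 / 51-200"))
            if ec in used:
                problems.append((n, f"event counter {ec} shared with copy {used[ec]}"))
        elif "ec" in flags:
            problems.append((n, f"/ec={ec_text} has no line in iorates.dat"))
        used.setdefault(ec, n)
    return problems


if __name__ == "__main__":
    for copy, problem in lint(COPIES, IORATES_DAT):
        print(f"copy {copy}: {problem}")
```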
Interface Node Clock
The correct settings for the time and time zone should be set in the Date/Time control panel. If local time participates in Daylight Savings, from the control panel, configure the time to be automatically adjusted for Daylight Savings Time. The correct local settings should be used even if the interface node runs in a different time zone than the PI Server node.
Make sure that the TZ environment variable is not defined. The currently defined environment variables can be listed by going to Start | Settings | Control Panel, double clicking on the system icon, and selecting the environment tab on the resulting dialog box. Also, make sure that the TZ variable is not defined in an autoexec.bat file. When the TZ variable is defined in an autoexec.bat file, the TZ variable may not appear as being defined in the System control panel even though the variable is defined. Admittedly, autoexec.bat files are not typically used on NT, but this does not prevent a rogue user from creating such a file and defining the TZ variable unbeknownst to the System Administrator.
Security
If the home node is a PI 3 Server, the PI Firewall Database and the PI Proxy Database must be configured so that the interface is allowed to write data to the PI Server. See “Modifying the Firewall Database” and “Modifying the Proxy Database” in the PI Server manuals. Note that the Trust Database, which is maintained by the Base Subsystem, replaces the Proxy Database used prior to PI version 3.3. The Trust Database maintains all the functionality of the proxy mechanism while being more secure.
See “Trust Login Security” in the chapter “PI System Management” of the PI Universal Data Server System Management Guide.
If the interface cannot write data to a PI 3 Server because it has insufficient privileges, a -10401 error will be reported in the pipc.log file. If the interface cannot send data to a PI 2 Server, it writes a -999 error. See the section “Appendix A: Error and Informational Messages” for additional information on error messaging.
Starting / Stopping the Interface
This section describes starting and stopping the interface once it has been installed as a service. See the UniInt End User Document to run the interface interactively.
Starting Interface as a Service
If the interface was installed as a service, it can be started from PI-ICU, the services control panel or with the command:
PIsyslog.exe -start
To start the interface service with PI-ICU, use the Start button on the PI-ICU toolbar.
A message will be echoed to the screen informing the user whether or not the interface has been successfully started as a service. Even if the message indicates that the service started successfully, make sure that the service is still running by checking in the services control panel. There are several reasons that a service may immediately terminate after startup. One is that the service may not be able to find the command-line arguments in the associated .bat file. For this to succeed, the root name of the .bat file and the .exe file must be the same, and the .bat file and the .exe file must be in the same directory. If the service terminates prematurely for whatever reason, no error messages will be echoed to the screen. The user must consult the pipc.log file for error messages. See the section “Appendix A: Error and Informational Messages,” for additional information.
Stopping Interface Running as a Service
If the interface was installed as a service, it can be stopped at any time from PI-ICU, the services control panel or with the command:
PIsyslog.exe -stop
The service can be removed by:
PIsyslog.exe -remove
To stop the interface service with PI-ICU, use the [pic] button on the PI-ICU toolbar.
Buffering
For complete information on buffering, please refer to the PI API Installation Instructions.
PI Interface Node buffering consists of a buffering process which runs continuously on the local node, a PI-API library whose calls can send data to this buffering process, and a utility program for examining the state of buffering and controlling the buffering process.
Note: Change the Local Security Policy on Windows XP.
1. Open “Administrative Tools” from the control panel.
2. Open “Local Security Policy” from administrative tools.
3. Browse to “Security Options” under “Local Policies.”
4. Double click on “System Objects: Default owner for objects created by members of the Administrators group.”
5. Change the dropdown from “Object Creator” to “Administrators group.”
The behavior of Bufserv should now be the same on XP as it was for NT4 and 2000.
Configuring Buffering with PI-ICU (NT-Intel)
Buffering is enabled through the PI-Interface Configuration Utility’s Tools>API Buffering… menu. Unless buffering is explicitly enabled, the PI-API will not buffer data, sending data directly to the home node.
The API Buffering… dialog allows the user to view and configure the parameters associated with the API Buffering (bufserv) process. The user can start and stop the API Buffering process from the Service tab:
[pic]
Service Tab
The Service tab allows for some API Buffering service configuration. For further configuration changes, use the Services applet.
Service Name
The Service name displays the name of the API Buffering Service.
Display Name
The Display name displays the full name associated with the API Buffering service.
Log On As
Log on as indicates the Windows user account under which the API Buffering service is set up to start automatically on reboot or manually. To modify the user account or password under which bufserv runs, use the Microsoft Windows “Services” applet.
Dependencies
Dependencies lists the Windows services on which the API Buffering service depends.
Service Startup Type
The Startup Type indicates whether the API Buffering service is set up to start automatically on reboot or manually on reboot, or is disabled.
• If the Auto option is selected, the service will be installed to start automatically when the machine reboots.
• If the Manual option is selected, the interface service will not start on reboot, but will require someone to manually start the service.
• If the Disabled option is selected, the service will not start at all.
Generally, the API Buffering service is set to start automatically.
Start / Stop Service
The Start / Stop buttons allow for the API Buffering service to be started and stopped.
After a change is made to any of the settings on the Settings tab, the Save button must be clicked, and then the service must be stopped and restarted for the changes to be picked up by bufserv.
Settings Tab
The Settings tab allows for configuration of the 7 configurable settings used by API Buffering. Default values are used if no other value is provided.
Enable API Buffering
Enables the API Buffering feature.
Maximum File Size
Maximum buffer file size in kilobytes before buffering fails and discards events. Default value is 100,000. Range is 1 to 2,000,000.
The Use Default button places the default value into the text box. To keep this value, click the Apply button.
Send Rate
Send rate is the time to wait between sending up to MAXTRANSFEROBJS to the server (milliseconds). Default value is 100. Range is 0 to 2,000,000.
The Use Default button places the default value into the text box. To keep this value, click the Apply button.
Primary Memory Buffer Size
Primary memory buffer size is the size in bytes of the Primary memory buffer. Default value is 32768. Range is 64 to 2,000,000.
The Use Default button places the default value into the text box. To keep this value, click the Apply button.
Secondary Memory Buffer Size
Secondary memory buffer size is the size in bytes of the Secondary memory buffer. Default value is 32768. Range is 64 to 2,000,000.
The Use Default button places the default value into the text box. To keep this value, click the Apply button.
Max Transfer Objects
Max transfer objects is the maximum number of events to send between each SENDRATE pause. Default value is 500. Range is 1 to 2,000,000.
The Use Default button places the default value into the text box. To keep this value, click the Apply button.
Pause Rate
When buffers are empty the buffering process will wait for this number of seconds before attempting to send more data to the home node. Default value is 2. Range is 0 to 2,000,000.
The Use Default button places the default value into the text box. To keep this value, click the Apply button.
Retry Rate
When the buffering process discovers the home node is unavailable it will wait this number of seconds before attempting to reconnect. Default value is 120. Range is 0 to 2,000,000.
The Use Default button places the default value into the text box. To keep this value, click the Apply button.
Max Theoretical Send Rate
The theoretical maximum send rate is calculated as follows:
max = MAXTRANSFEROBJS / SENDRATE * 1000
Default value is 5000.
There are no additional steps needed to install buffering after installing the PI-API. The delivered PI-API library supports both buffered and un-buffered calls.
Configuring Buffering Manually
Buffering is enabled through the use of a configuration file, piclient.ini. Unless this file is modified to explicitly enable buffering, the PI-API will not buffer data, sending data directly to the home node.
There are no additional steps needed to install buffering after installing the PI-API. The delivered PI-API library supports both buffered and un-buffered calls.
Note: When buffering is configured to be on, the bufserv process must be started before other programs using the PI-API, so that these programs can access the shared buffering resources. Any program that makes a connection to a PI Server has this requirement even if it does not write to PI.
Configuration of buffering is achieved through entries in the piclient.ini file. The file is found in the dat subdirectory of the PIHOME directory (typically c:\pipc\dat) under Windows NT. This file follows the conventions of Microsoft Windows initialization files with sections, keywords within sections and values for keywords. All buffering settings are entered in a section called [APIBUFFER]. To modify settings, simply edit the piclient.ini file in a text editor (Notepad on Windows) to the desired values.
The following settings are available for buffering configuration:
|Keywords |Values |Default |Description |
|BUFFERING |0,1 |0 |Turn off/on buffering. OFF = 0, ON = 1. |
|PAUSERATE |0 – 2,000,000 |2 |When buffers are empty the buffering process will wait for this long before attempting to send more data to the home node (seconds) |
|RETRYRATE |0 – 2,000,000 |120 |When the buffering process discovers the home node is unavailable it will wait this long before attempting to reconnect (seconds) |
|MAXFILESIZE |1 – 2,000,000 |100,000 |Maximum buffer file size before buffering fails and discards events. (Kbytes) |
|MAXTRANSFEROBJS |1 – 2,000,000 |500 |Maximum number of events to send between each SENDRATE pause. |
|BUF1SIZE |64 – 2,000,000 |32768 |Primary memory buffer size. (bytes) |
|BUF2SIZE |64 – 2,000,000 |32768 |Secondary memory buffer size. (bytes) |
|SENDRATE |0 – 2,000,000 |100 |The time to wait between sending up to MAXTRANSFEROBJS to the server (milliseconds) |
In addition to the [APIBUFFER] section, the [PISERVER] section may be used to define the default PI server and an optional time offset change that may occur between the client and server.
|Keywords |Values |Default |Description |
|PIHOMENODE |string |none |Windows default server is in pilogin.ini |
|DSTMISMATCH |0 – 2,000,000 |0 |The time that the server and client local time offset is allowed to jump. Typically, 3600 if the nodes are in time zones whose DST rules differ (seconds) |
Example piclient.ini File
On Windows NT the default server information is stored in the pilogin.ini file so the piclient.ini would only have the [APIBUFFER] section. The BUFFERING=1 indicates that buffering is on. The MAXFILESIZE entry in Kbytes of 100000 allows up to 100 Megabytes of data storage. Do not use commas or other separators in the numeric entries. The retry rate is set to 600 seconds meaning wait 10 minutes after losing a connection before retrying.
On NT a piclient.ini file might look like:
[APIBUFFER]
BUFFERING=1
MAXFILESIZE=100000
; The PI-API connection routines have a 1 minute default timeout.
RETRYRATE=600
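Because a mistyped buffering entry can leave collected syslog data unbuffered when the home node is unreachable, the settings are worth checking before bufserv is restarted. The following is an added example, not OSIsoft code: it validates an [APIBUFFER] section against the documented ranges, rejects numeric values containing commas or other separators, and derives the theoretical maximum send rate. The function names and the case-insensitive keyword handling are assumptions.

```python
import configparser
import re

# Documented [APIBUFFER] keywords: (minimum, maximum, default) from the table above.
APIBUFFER_LIMITS = {
    "BUFFERING": (0, 1, 0),
    "PAUSERATE": (0, 2_000_000, 2),
    "RETRYRATE": (0, 2_000_000, 120),
    "MAXFILESIZE": (1, 2_000_000, 100_000),
    "MAXTRANSFEROBJS": (1, 2_000_000, 500),
    "BUF1SIZE": (64, 2_000_000, 32768),
    "BUF2SIZE": (64, 2_000_000, 32768),
    "SENDRATE": (0, 2_000_000, 100),
}

# Constructed sample: the manual's example file with a comma added to MAXFILESIZE.
SAMPLE_INI = """\
[APIBUFFER]
BUFFERING=1
MAXFILESIZE=100,000
; The PI-API connection routines have a 1 minute default timeout.
RETRYRATE=600
"""


def check_apibuffer(ini_text):
    """Return (effective_settings, problems) for the [APIBUFFER] section."""
    parser = configparser.ConfigParser(comment_prefixes=(";",), interpolation=None)
    parser.optionxform = str.upper  # assumption: keywords are case-insensitive
    parser.read_string(ini_text)
    # Start from the documented defaults; valid entries override them.
    settings = {key: limits[2] for key, limits in APIBUFFER_LIMITS.items()}
    problems = []
    if not parser.has_section("APIBUFFER"):
        return settings, ["no [APIBUFFER] section: defaults apply, buffering is off"]
    for key, raw in parser.items("APIBUFFER"):
        if key not in APIBUFFER_LIMITS:
            problems.append(f"{key}: not a documented keyword")
            continue
        low, high, _default = APIBUFFER_LIMITS[key]
        if not re.fullmatch(r"[0-9]+", raw.strip()):
            problems.append(f"{key}={raw!r}: digits only, no commas or separators")
            continue
        number = int(raw)
        if not low <= number <= high:
            problems.append(f"{key}={number}: outside documented range {low}-{high}")
            continue
        settings[key] = number
    if settings["BUFFERING"] == 0:
        problems.append("BUFFERING=0: data goes directly to the home node, unbuffered")
    return settings, problems


def max_send_rate(settings):
    """Theoretical maximum send rate: MAXTRANSFEROBJS / SENDRATE * 1000."""
    if settings["SENDRATE"] == 0:
        return None  # no pause between batches, so the formula gives no finite value
    return settings["MAXTRANSFEROBJS"] / settings["SENDRATE"] * 1000


if __name__ == "__main__":
    effective, issues = check_apibuffer(SAMPLE_INI)
    for issue in issues:
        print("PROBLEM:", issue)
    print("effective settings:", effective)
    print("theoretical max send rate:", max_send_rate(effective))
```

In this sketch a rejected entry falls back to the documented default, so the report shows what the settings would be if the bad line were simply dropped; how bufserv itself treats an invalid value is not stated in this manual.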
Appendix A: Error and Informational Messages
The string PI-Syslog ID is prepended to error messages written to the message log. ID is the interface instance number, the value given by the /id flag on the startup command line.
Message Logs
Messages are written to PIHOME\dat\pipc.log at the following times. PIHOME is specified in the pipc.ini file in the system directory.
• When the interface starts many informational messages are written to the log. These include the version of the interface, the version of UniInt, the command-line parameters used and the number of points.
• As the interface loads points, messages are sent to the log if there are problems with the configuration of any points.
• If /db is used on the command line, then various additional informational messages are written to the log file both during interface startup and during normal operation.
• If /db is part of a tag’s ExDesc, then additional messages are written to the log when this tag is processed.
Messages
Interface Startup Errors
If the interface immediately exits upon startup, the most likely cause is that required command line parameters are not specified. PI-Syslog requires both of the following command line parameters:
/ps= (point source character)
/id= (interface identification number)
If you omit either of these parameters, the interface exits.
There are other reasons for the interface exiting upon startup. For example, the following messages may be found in the log file:
• Interface id (-2) must be a positive integer
• Port number (-514) must be a positive integer
Point Loading Errors
A PI point may be refused by the interface if it has attributes that are not supported or are mutually exclusive. Messages will be of the form:
Tag test_tag(1201) refused: Description
The point will be unloaded from the interface and the digital state Configure will be written to the point.
For example:
• Tag test_tag(1201) refused: incorrect Facility specification.
If a PI point is defined to store syslog messages with specific facility numbers, the ExDesc attribute of the point must specify the Facility filter. The Facility filter can specify a single number and/or a range of values. If the range is given as something like “8-4”, this error message is printed because the lower bound of the range is greater than the upper bound; the range must be written like “4-8”.
• Tag test_tag(1201) refused: incorrect Severity specification.
As with the previous message, the range specification for Severity must have a format such as “3-5” rather than “5-3”.
• Tag test_tag(1201) refused: Facility specification out of range (must be in [0, 23])
Point Debugging Messages
Any PI point can be configured so that some additional debugging messages can be printed for this individual point via the Extended Descriptor switch /db. Examples of the debugging messages are:
• Tag test_tag(1201) refused: -id(1)/Location1(2) mismatch
• Tag test_tag(1201) has point-level debugging set
• Tag test_tag has Location2=1, Location3=0 and Location5=1
• Tag test_tag has ExDesc as: Facility=10, Severity=4, Host=any; Device=any; Level=any; FacilityName=PIX;
• Writing to tag test_tag From:127.0.0.1 Message: KLOG: %CDP-4-DUPLEXMISMATCH:Full/half duplex mismatch d
(This message will be truncated after 80 characters)
Run-time Error
There are occasions when the interface cannot process messages as fast as they arrive. In such a case, the interface's memory use can grow until the interface crashes.
No customer has reported this problem, but the interface was tested with the following: 2K messages/minute, with a total of 20 points recording those messages, on a machine with 128 MB of memory, crashed the interface after 5 hours.
A message is now printed if the queue grows beyond 1000 messages.
Interface-level Debugging
The interface can be set to write to the log additional informational messages at startup. This is done by setting the /db flag in the interface command line file. In addition to information written during the startup phase, the interface writes to the log each time it processes its internal queue of syslog messages. Examples of the debugging messages are:
• PI-Syslog 1> Processing syslog message queue 1 of 8. Device:127.0.0.1 Message: Jan 1 03:02:25 named[29356]: [ID 295310 daemon.warning] owner name gc._msdcs. IN secondary) is invalid – proceeding anyway
• PI-Syslog 1> Message 1 no match for Tag syslogtest
• PI-Syslog 1> Message 1 no match for Tag syslogtest1
• PI-Syslog 1> Message 1 match found for Tag syslogtest2
• PI-Syslog 1> Message 1 match found for Tag syslogtest3
Syslog Error Message
A syslog packet should not exceed 1024 bytes. Therefore, if a packet longer than 1024 bytes is received, the interface truncates the message and prints a warning message followed by the received message.
For example, if the message log file contains entries such as:
PI-Syslog 1> Syslog warning: The packet from 122.128.8.22 exceeds the limit of 1024 bytes:
PI-Syslog 1> Oct 10 2003 18:18:18 Test Machine: %PIX-4-166666: This is a long message! This is a long message! This is a long message! This is a long message! This is a long message! This is a long message! This is a long message! This is a long message! This is a long message! This is a long message! This is a long message! This is a long message! This is a long message! This is a long message! This is a long message! This is a long message! This is a long message! This is a long message! This is a long message! This is a long message! This is a long message! This is a long message! This is a long message! This is a long message! This is a long message! This is a long message! This is a long message! This is a long message! This is a long message! This is a long message! This is a long message! This is a long message! This is a long message! This is a long message! This is a long message! This is a long message! This is a long message! This is a long message! This is a long message
PI-Syslog 1> Truncated to 1024 bytes
it means that the interface received a packet longer than 1024 bytes from device 122.128.8.22 and truncated the packet to fit the 1024-byte limit.
PI-Syslog prints only the first 5 truncated syslog packets that it receives from one device. If you want the interface to print all truncated messages, use the /stsp (“show truncated syslog packet”) command-line parameter.
System Errors and PI Errors
System errors are associated with positive error numbers. Errors related to PI are associated with negative error numbers.
On NT, descriptions of system and PI errors can be obtained with the pidiag utility:
\PI\adm\pidiag -e error_number
Appendix B: PI_PIX Firewall Interface Compatibility
This interface is designed to replace the PI-PIX firewall interface with little or no modifications to existing configuration.
Migration
To replace an installation of the PI PIX interface with the PI Syslog interface the following procedure should be followed.
Manual Migration
1. Install the PI Syslog interface using the install kit provided.
2. Locate the directory in which the PI PIX interface is installed (typically PIPC\interfaces\Cisco PIX).
3. Identify and open with Notepad the PI PIX interface startup file (typically pipix.bat).
4. Identify and open the example startup file for the PI Syslog interface (typically PIPC\interfaces\Syslog\PISyslog.bat.new).
5. Copy the startup command line from the PIX startup file to the Syslog startup file, overwriting the Syslog startup file command line. The exception, however, is that the first command parameter should remain the name and path of the syslog executable rather than the name and path of the PI PIX interface executable.
6. Add the following two command line switches: /sds="Scan On" /sst (see the Compatibility section below).
7. Save the PI Syslog startup file as PISyslog.bat.
8. From the services applet in control panel, stop the PI PIX interface service.
9. Start the PI Syslog Interface service.
10. Edit the PI PIX interface service to “Manual” startup.
11. Confirm the Syslog interface is operating correctly.
12. Optionally, uninstall the PI PIX interface.
Migration Using the PI ICU
If the PI PIX interface has been configured using the PI ICU, the above procedure can also be performed using the PI ICU.
1. Install the PI Syslog interface using the install kit provided.
2. Open the PI ICU and select the PI PIX interface from the “Interface” drop down text box.
3. Take note of the following settings
a. General Tab
i. Point Source
ii. Interface ID #
iii. Host
b. Uniint
i. Maximum stop time
ii. SDK timeout
iii. Initial SDK connection timeout
c. CiscoPixFire
i. Port
d. Service
i. Startup Type
ii. Log on as
iii. Dependencies
e. I\O Rates
i. Enable I\O Rates
ii. Tag Status (If “not created” you can ignore the I\O Rates configuration)
iii. Event Counter
iv. TagName
4. Create a new interface (Ctrl+N)
5. Browse to the Syslog executable
6. Add the Point Source and Interface ID # (from Step 3 above).
7. Copy the values from above to each ICU Tab in the following order
a. General
b. Uniint
c. Syslog – in addition to the Port value copied from the PIX Tab; the System Digital State and the Time settings need to be configured as shown (see compatibility section).
[pic]
d. I\O Rates
e. Service
8. At the Service Tab, confirm that the service is installed. Do not start the service until the PI PIX interface service is stopped.
9. Start the Syslog interface and review the data.
10. Optionally, uninstall the PI PIX interface.
Compatibility
The PI PIX Interface would, by default, write Scan On to all points at interface startup. The PI Syslog interface requires the command-line parameter /sds="Scan On" to maintain this functionality.
The PI PIX Firewall Interface timestamped data with a sub-second component. The PI syslog interface requires the command line parameter /sst to enable the sub-second portion of the time to be sent to PI. It is not recommended to store times with the sub-second precision.
Count, Rate and User Points
The PIX Firewall Interface used Location2 to indicate User, Count and Rate points. To these points the interface would apply filters like Host as if the syslog message was from a PIX device.
Severity and Facility filters would, however, work for any syslog message. PI points configured with these location codes will still work with this interface; however, it is not recommended that Location2 = 1, 2 or 3 be used for new points. The current behavior of Location2 = 1, 2 or 3 is similar to the compatible Location3 values with “General” category points.
|Location2 |Type |Description |
|1 |User |This type of point can be used to record syslog messages in any format. The specific information interesting to a user is extracted out of the log messages and is written to a PI tag. A regular expression (RegExp) matching pattern and substitution pattern specified in ExDesc is used to search through the log messages and select the data. Equivalent to: Location2=5, Location3=7 |
|2 |Count (provided for backward compatibility with the PIX Firewall Interface) |The number of the syslog messages satisfying the filtering criteria specified by ExDesc is counted over a user-defined interval and is stored as the point value into the PI server. Equivalent to: Location2=5, Location3=5 |
|3 |Rate (provided for backward compatibility with the PIX Firewall Interface) |The rate of the syslog messages satisfying the filtering criteria specified by ExDesc is calculated over a user-defined interval and is stored to a PI point. Equivalent to: Location2=5, Location3=6 |
Appendix C: Extract from RFC3164 – 4.1.1 PRI
The PRI part MUST have three, four or five characters and will be bound with angle brackets as the first and last characters. The PRI part starts with a leading “<” (‘less-than’ character), followed by a number, which is followed by a “>” (‘greater-than’ character). The code set used in this part MUST be seven-bit ASCII in an eight-bit field as described in RFC 2234 [2]. These are the ASCII codes as defined in “USA Standard Code for Information Interchange” [3]. In this, the “<” character is defined as the Augmented Backus-Naur Form (ABNF) %d60, and the “>” character has ABNF value %d62. The number contained within these angle brackets is known as the Priority value and represents both the Facility and Severity as described below. The Priority value consists of one, two, or three decimal integers (ABNF DIGITS) using values of %d48 (for “0”) through %d57 (for “9”).
The Facilities and Severities of the messages are numerically coded with decimal values. Some of the operating system daemons and processes have been assigned Facility values. Processes and daemons that have not been explicitly assigned a Facility may use any of the “local use” facilities or they may use the “user-level” Facility. Those Facilities that have been designated are shown in the following table along with their numerical code values.
|Numerical Code |Facility |
|0 |Kernel messages |
|1 |User-level messages |
|2 |Mail system |
|3 |System daemons |
|4 |Security/authorization messages* |
|5 |Messages generated internally by syslogd |
|6 |Line printer subsystem |
|7 |Network news subsystem |
|8 |UUCP subsystem |
|9 |Clock daemon** |
|10 |Security/authorization messages* |
|11 |FTP daemon |
|12 |NTP subsystem |
|13 |Log audit* |
|14 |Log alert* |
|15 |Clock daemon** |
|16 |Local use 0 (local0) |
|17 |Local use 1 (local1) |
|18 |Local use 2 (local2) |
|19 |Local use 3 (local3) |
|20 |Local use 4 (local4) |
|21 |Local use 5 (local5) |
|22 |Local use 6 (local6) |
|23 |Local use 7 (local7) |
* Various operating systems have been found to utilize Facilities 4, 10, 13 and 14 for security/authorization, audit and alert messages which seem to be similar.
** Various operating systems have been found to utilize both Facilities 9 and 15 for clock (cron/at) messages.
There are also different degrees of importance attached to the syslog packets. A device can be set to send messages at different Severities:
|Numerical Code |Severity |Description |
|0 |Emergency |System unusable |
|1 |Alert |Immediate action needed |
|2 |Critical |Critical condition |
|3 |Error |Error condition |
|4 |Warning |Warning condition |
|5 |Notice |Normal but significant condition |
|6 |Informational |Informational message |
|7 |Debug |Debug-level messages |
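The PRI rules in this extract, the 1024-byte packet limit, and the Facility/Severity range checks described under Point Loading Errors can be combined in one strict parser for untrusted UDP input. This is an added example, not the interface's own code: the split Priority = Facility × 8 + Severity and the no-leading-zeros rule come from RFC 3164, while the filter syntax handled here (a single number or one LOW-HIGH range) and all function names are assumptions.

```python
import re

MAX_PACKET = 1024  # packet limit stated in the manual
# "<", then "0" or a number without leading zeros (RFC 3164 4.1.1), then ">"
PRI_RE = re.compile(rb"<(0|[1-9][0-9]{0,2})>")

# Constructed sample packet: Priority 84 = Facility 10 * 8 + Severity 4.
SAMPLE = b"<84>Oct 10 2003 18:18:18 Test Machine: %PIX-4-166666: This is a test"


class SyslogError(ValueError):
    """Raised for a malformed packet or an invalid filter specification."""


def parse_range(spec, upper, name="Facility"):
    """Parse "N" or "LOW-HIGH" (as in the manual's "4-8") into (low, high)."""
    m = re.fullmatch(r"\s*([0-9]+)\s*(?:-\s*([0-9]+)\s*)?", spec)
    if not m:
        raise SyslogError(f"incorrect {name} specification: {spec!r}")
    low = int(m.group(1))
    high = int(m.group(2)) if m.group(2) is not None else low
    if low > high:  # "8-4": lower bound greater than upper bound
        raise SyslogError(f"incorrect {name} specification: {spec!r}")
    if high > upper:
        raise SyslogError(f"{name} specification out of range (must be in [0, {upper}])")
    return low, high


def parse_packet(data):
    """Return (facility, severity, message_bytes, truncated) for one UDP payload."""
    truncated = len(data) > MAX_PACKET
    data = data[:MAX_PACKET]  # never process more than the documented limit
    m = PRI_RE.match(data)
    if not m:
        raise SyslogError("missing or malformed PRI")
    priority = int(m.group(1))
    if priority > 23 * 8 + 7:  # highest Facility (23) with highest Severity (7)
        raise SyslogError(f"Priority {priority} exceeds 191")
    facility, severity = divmod(priority, 8)
    return facility, severity, data[m.end():], truncated


def matches(data, facility_spec, severity_spec):
    """True if the packet's Facility and Severity fall inside both filters."""
    f_low, f_high = parse_range(facility_spec, 23, "Facility")
    s_low, s_high = parse_range(severity_spec, 7, "Severity")
    facility, severity, _message, _truncated = parse_packet(data)
    return f_low <= facility <= f_high and s_low <= severity <= s_high


if __name__ == "__main__":
    print(parse_packet(SAMPLE)[:2])            # facility and severity
    print(matches(SAMPLE, "4-10", "3-5"))      # inside both ranges
    oversized = b"<84>" + b"A" * 2000          # constructed oversized packet
    print(parse_packet(oversized)[3])          # truncation flag
    for bad in ("8-4", "4-30"):
        try:
            parse_range(bad, 23)
        except SyslogError as err:
            print("refused:", err)
```

Rejecting a malformed PRI outright is the strict choice made in this sketch; the manual does not say how the interface treats packets without a valid PRI.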
Revision History
|Date |Author |Comments |
|03-Jun-03 |DC |Initial draft using Skeleton version 1.12 |
|31-Mar-04 |MD |Initial release of Syslog Interface manual |
|02-Apr-04 |MD |Included Syslog ICU Control |
|29-Apr-04 |MD |Modified Appendix2 Migration Procedure |
|12-May-04 |CG |1.0.0.0 Rev B: changed pi_syslog to pisyslog; added periods; formatted tables; fixed sections, headers & footers, and page numbers; removed editing marks. |
|28-May-04 |CG |1.0.0.1 Rev A: increased version; added troubleshooting note regarding potentially overflowing the queue |