Syslog to Operations Bridge Manager

Hi

Can we send syslogs to Operations Bridge Manager and then create the alert events using policies?  Need some reference documents to perform it.

  • 0  

    for Windows: https://docs.microfocus.com/doc/386/24.4/omucptwindowseventloghtml

    for Unix: https://docs.microfocus.com/doc/386/24.4/omptlogfilehtml

    You cannot send syslogs to OBM directly. You need to have Operations Agent to read the logs locally then generate events and send them to OBM.

  • 0 in reply to   

    That link is for Windows Event logs, but I am looking for syslogs.

  • Verified Answer

    +1   in reply to 

    Hello,

    Sure - please see the Sys_SunSolarisSyslog logfile example.  You can copy this policy.  Please see https://docs.microfocus.com/doc/386/24.4/omptlogfilehtml for more information.

    This assumes your syslog infrastructure means that events end up in a log file at some point (e.g. rsyslog and syslog-ng).  At this point, you'll have a format a little like this:

    <34>Mar 10 12:45:23 client1 sshd[1357]: Accepted password for user1 from 192.168.1.101 port 22 ssh2
    <165>Mar 10 12:45:25 client1 sudo[1360]: pam_unix(sudo:session): session opened for user root by (uid=1000)
    <34>Mar 10 12:45:26 client1 sshd[1371]: Accepted password for user2 from 192.168.1.102 port 22 ssh2
    <174>Mar 10 12:45:28 client1 sudo[1373]: pam_unix(sudo:session): session closed for user root
    <165>Mar 10 12:45:35 client2 sshd[1450]: Accepted password for user1 from 192.168.2.101 port 22 ssh2
    <174>Mar 10 12:45:37 client2 sudo[1453]: pam_unix(sudo:session): session opened for user root by (uid=1001)
    <34>Mar 10 12:45:42 client2 sshd[1461]: Accepted password for user2 from 192.168.2.102 port 22 ssh2
    <174>Mar 10 12:45:45 client2 sudo[1464]: pam_unix(sudo:session): session closed for user root

    Log files depend on your implementation; the relevant log files may include:

    /var/log/syslog
    /var/log/messages
    /var/log/secure
    /var/log/auth.log
    /var/log/remote.log
    /var/log/remote-client.log

    Thanks
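    As an added illustration (not code from the thread or from the Operations Agent product), the following parses lines in the format shown above the way a logfile policy would have to: split the `<PRI>` into facility and severity, then apply match conditions that turn selected messages into events. The condition patterns and the event fields are assumptions for the example, not the policy's own syntax.

```python
import re
from dataclasses import dataclass
from typing import Optional

# RFC 3164 PRI = facility * 8 + severity; names follow the RFC, with 12-15 reserved.
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
FACILITIES = (["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
               "uucp", "cron", "authpriv", "ftp"]
              + [f"reserved{i}" for i in range(12, 16)]
              + [f"local{i}" for i in range(8)])

LINE_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>\w{3} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<app>[^\[:\s]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$")

@dataclass
class SyslogRecord:
    facility: str
    severity: str
    host: str
    app: str
    msg: str

def parse_line(line: str) -> Optional[SyslogRecord]:
    """Split one file line (as rsyslog/syslog-ng writes it) into its fields; None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    pri = int(m["pri"])
    if pri > 191:  # highest valid PRI is local7.debug
        return None
    return SyslogRecord(FACILITIES[pri // 8], SEVERITIES[pri % 8], m["host"], m["app"], m["msg"])

# Hypothetical match conditions, in the spirit of a logfile policy's "message matches" rules:
# each pattern maps to the event severity an operator would want to see in OBM.
CONDITIONS = [
    (re.compile(r"session opened for user root by \(uid=(?P<uid>\d+)\)"), "Major"),
    (re.compile(r"Accepted password for (?P<user>\S+) from (?P<src>\S+)"), "Normal"),
]

def evaluate(line: str) -> Optional[dict]:
    """Return an event for the first matching condition, or None (line suppressed)."""
    rec = parse_line(line)
    if rec is None:
        return None
    for pattern, event_severity in CONDITIONS:
        m = pattern.search(rec.msg)
        if m:
            return {"node": rec.host, "application": rec.app, "severity": event_severity,
                    "syslog": f"{rec.facility}.{rec.severity}", "fields": m.groupdict(),
                    "text": rec.msg}
    return None
```

    Lines that match no condition return None, which is the behaviour you want from the policy too: only the messages you have written conditions for become events.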

  • 0 in reply to   

    If I choose the Log File Entry policy, I need to specify the "Log file path". What should I specify here? Please note, it's a syslog generated from a network SNMP device, not a typical log file where we can specify the path and collect it. Also, I don't find that Sys_SunSolarisSyslog logfile example on the link you provided.

  • Suggested Answer

    0   in reply to 

    Hello,

    Syslog messages sent from SNMP devices are generated and configured to be sent to a remote syslog server using UDP (default port 514) or TCP. The syslog message must be in a structured format which the syslog server will process. The syslog server (e.g., rsyslog, syslog-ng, or Graylog) listens on the configured port and parses the incoming logs based on priority, facility and/or content, and is configurable. The syslog server then writes the logs to a log file, which OA12 and the logfile policy can then process.

    The name of the log file depends on the syslog server type being used - usually something like /var/log/syslog or /var/log/messages, but it depends on the syslog server type. The log files are then rotated and/or archived or deleted.

    The policy will need to process the contents of /var/log/syslog or /var/log/messages (actual file name depends on syslog server type).

    I hope this helps.

  • Suggested Answer

    0  

    Hello Roopesh,

    Now that you mention SNMP traps, you probably will need to download a MIB from the provider and create a policy.

    Most providers of devices that can send SNMP traps have SNMP MIBs that you can download from their web page.

    That SNMP MIB describes (among other things) which SNMP traps such a device can send.

    You can use the SNMP MIB(s) and create an SNMP Trap policy using mib2policy from it.

    See here for more information:

    https://docs.microfocus.com/doc/386/24.4/snmptrapshtml

    Best regards,

    Tobias