Using Logger to Send File Data to SYSLOGD

If you find yourself needing to have the contents of an ASCII text file written to syslog, then consider the use of the logger command. This comes with most Unix distributions and has also been ported to the Windows platform.

There may be times when an application or system only logs to a text file and this data needs to be collected into your log management solution. For this example, I'll assume the log file is an ASCII text file with one entry per line and that its name is logdata.log. In this scenario, you can utilize the logger command utility to read each line of the file and send it to the local syslog daemon.

The logger command has several command line parameters that give additional control over how the log messages are written to syslog. There are subtle differences between the Unix-based and Windows logger commands, as seen in the syntax below:

Unix-based logger:

logger [-isd] [-f file] [-p pri] [-t tag] [-u socket] [message …]

Windows-based logger:

logger [-?] [-is] [-f file] [-p pri] [-t tag] [-a port] [-l loghost] [-m udp|tcp|3195raw] [message …]

An example in Unix is shown below:

logger -f logdata.log -p local4.alert Transaction rejected due to invalid data type.

Where the following is true:

logdata.log is the file containing the log messages to be written to syslog.
local4.alert is the facility and severity the log message will have when written to syslog.
"Transaction rejected due to invalid data type." is the message that is written to syslog.

An example in Windows is shown below:

logger -f logdata.log -p local4.alert -a 514 -l lrx3.host.com -m tcp Transaction rejected due to invalid data type.

Where the following is true:

logdata.log is the file containing the log messages to be written to syslog.
local4.alert is the facility and severity the log message will have when written to syslog.
514 is the port the syslog server is listening on.
lrx3.host.com is the syslog server host that is receiving the log messages from logger.
tcp is the protocol the syslog server is expecting.
"Transaction rejected due to invalid data type." is the message that is written to syslog.

Typically, this would run as a scheduled job rather than being run manually from a command line. If logger exits successfully, its return code is 0; otherwise it is a value higher than 0. I used this on a past deployment, where AIX kernel auditing was writing to a file (binary converted to ASCII text) and I needed to collect this data.

I utilized logger by scheduling a cron job to pipe the AIX kernel audit log file to the logger command, which in turn wrote it to the local syslog daemon. Because I didn't specify a file, logger used standard input, which in this case was the output of the binary-to-ASCII conversion process.
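The scheduled-job pattern described above, as an added example that is not part of the original post and not the logger project's own code: a POSIX shell wrapper that ships a text file (or, as in the AIX cron pipeline, standard input) to the local syslog daemon through logger, returns logger's exit status so a job scheduler can alert on failures, and shows how the facility.severity name given to -p becomes the numeric PRI value that appears at the front of each message on the wire. The LOGGER_CMD variable, the function names, the default priority and tag, and the file path in the usage comment are assumptions of this example; only the logger command and its -f, -p and -t options come from the page.

```shell
#!/bin/sh
# Added example, not code from the original post. A cron-friendly wrapper
# around the logger command: ships an ASCII log file, or standard input, to
# the local syslog daemon and reports logger's exit status.
# LOGGER_CMD, the function names and the paths in the comments are
# assumptions of this example; "logger" itself is the system command.

LOGGER_CMD=${LOGGER_CMD:-logger}

# syslog_pri FACILITY.SEVERITY
#   Prints the numeric PRI value (facility * 8 + severity) that logger encodes
#   as "<PRI>" at the front of each message for the name given to -p,
#   e.g. local4.alert -> 161. Returns 1 for an unknown facility or severity.
syslog_pri() {
    fac=${1%%.*}
    sev=${1#*.}
    case $fac in
        kern) f=0 ;; user) f=1 ;; mail) f=2 ;; daemon) f=3 ;; auth) f=4 ;;
        syslog) f=5 ;; lpr) f=6 ;; news) f=7 ;; uucp) f=8 ;; cron) f=9 ;;
        authpriv) f=10 ;; ftp) f=11 ;;
        local[0-7]) f=$((16 + ${fac#local})) ;;
        *) return 1 ;;
    esac
    case $sev in
        emerg|panic) s=0 ;; alert) s=1 ;; crit) s=2 ;; err|error) s=3 ;;
        warning|warn) s=4 ;; notice) s=5 ;; info) s=6 ;; debug) s=7 ;;
        *) return 1 ;;
    esac
    echo $((f * 8 + s))
}

# ship_file_to_syslog FILE [PRIORITY] [TAG]
#   FILE is a text file with one log entry per line, or "-" for standard
#   input (the cron pipeline case in the post). Each line becomes one syslog
#   entry tagged TAG at PRIORITY. Returns logger's exit status (0 on success),
#   or 2 if FILE cannot be read, so a cron job can alert on failures.
ship_file_to_syslog() {
    file=$1
    pri=${2:-local4.notice}
    tag=${3:-logdata}
    if [ "$file" = "-" ]; then
        # No -f: logger reads the lines from standard input
        "$LOGGER_CMD" -t "$tag" -p "$pri"
        return $?
    fi
    if [ ! -r "$file" ]; then
        printf 'ship_file_to_syslog: cannot read %s\n' "$file" >&2
        return 2
    fi
    "$LOGGER_CMD" -t "$tag" -p "$pri" -f "$file"
}

# When invoked directly (e.g. from cron) with arguments, ship the named file:
#   ship_to_syslog.sh /var/log/app/logdata.log local4.alert logdata
# The path is a placeholder. With no arguments only the functions are defined.
if [ $# -gt 0 ]; then
    ship_file_to_syslog "$@"
    rc=$?
    [ "$rc" -eq 0 ] || printf 'logger failed with exit status %s\n' "$rc" >&2
    exit "$rc"
fi
```

A cron entry such as "0 * * * * /usr/local/bin/ship_to_syslog.sh /var/log/app/logdata.log local4.alert logdata" (paths constructed for this example) ships the file hourly, and the binary-to-ASCII pipeline from the post becomes "convert_audit | ship_to_syslog.sh - local4.alert aixaudit". The wrapper always hands logger either a file or standard input, never a file together with a command-line message, because recent util-linux versions of logger on Linux reject -f combined with a message. Checking what syslog_pri prints for the priority you configured is a quick way to confirm the collector is filtering on the PRI value you expect.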

If you find yourself in any similar situations, consider the use of logger.
