Creating groups of agent handlers
A group of agent handlers consists of one or several agent handlers. When an agent must connect to an agent handler, the agent gives priority to the last handler that accepted its request. If the connection fails, the agent will randomly choose another handler from the group until its request is accepted.
After an agent handler is installed, it will automatically appear in the Agent handlers menu in the administration console. By default, it belongs to a group named New Group (agent handler_name). You can modify this default group or create others.
Agent logs can be sent to different syslog servers configured for each agent handler group. For example, configure several syslog servers to receive logs of varying levels of severity or with different content formats.
- Choose the Agent handlers menu.
- In the left panel, click on the + icon. The line New group appears.
- Click on Edit in the upper banner.
- In the Agent handler group settings, enter the Name of your agent handler group.
- If you want to send agent logs from this agent handler group to syslog servers, click on Add a server and define the following parameters:
  - Address: enter the IP address or DNS name of the syslog server.
  - Protocol: choose TCP, UDP or TCP/TLS.
  - Port: enter the port number used for syslog; TCP 1468 by default.
  - Transfer type: choose the parameter defined during the installation of the syslog server.
  - Message format: choose the message format:
    - simple text mode (like the messages displayed in the Agent logs menu),
    - raw JSON format containing all the technical data,
    - CEF format,
    - IDMEF format.
  - Message language: select the language if necessary.
  - You can indicate a maximum message size in bytes.
  - Choose the minimum severity of logs to send to this server.
- Click on Save in the upper banner.
- Situation: One of the syslog servers configured in an agent handler group is not receiving any logs from agents.
- Cause: There may be an error in the TCP/TLS configuration of the syslog server.
- Solution: Start by checking that the syslog server is indeed running in TCP.
If this is the case, check the logs that the agent handler generated. If there is an issue with the TCP/TLS configuration, the agent handler will generate a log identifying the malfunctioning syslog server, and describing the possible causes.
If you do not see this log, try restarting the agent handler to force logging. Wait at least one minute after restarting.
Based on the indications in the log, review the TCP/TLS configuration of the syslog server.
Also check the minimum log severity you have set for this server: logs below that severity are never sent to the syslog server.
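The first troubleshooting step above is to confirm that the syslog server really listens in TCP and, when TCP/TLS is selected, that it answers a TLS handshake on that port. The script below is an added illustration of that check, not code from the product or its documentation: it takes the Address, Protocol and Port values of one server entry from the console and returns a diagnosis; the diagnosis strings and the two local helper functions are constructed for this example.

```python
import socket
import ssl
import threading

def check_syslog_server(address, protocol, port=1468, timeout=3.0):  # 1468: console default
    """Diagnose one syslog server entry (Address / Protocol / Port).
    protocol is "TCP", "UDP" or "TCP/TLS", as offered in the console; the
    returned diagnosis strings are constructed for this example."""
    if protocol == "UDP":
        return "udp_not_verifiable"  # connectionless: cannot prove a listener
    try:
        raw = socket.create_connection((address, port), timeout=timeout)
    except OSError:
        return "tcp_connect_failed"  # nothing listening, bad name, or filtered
    with raw:
        if protocol == "TCP":
            return "ok"
        # TCP/TLS: the server must complete a TLS handshake on the same port.
        ctx = ssl.create_default_context()
        try:
            with ctx.wrap_socket(raw, server_hostname=address):
                return "ok"
        except ssl.SSLError:
            return "tls_handshake_failed"  # plain-TCP listener or rejected cert
        except OSError:
            return "tls_handshake_failed"  # reset/timeout waiting for ServerHello

def start_plain_tcp_listener():
    """Constructed helper: throwaway plain-TCP listener on 127.0.0.1 that accepts
    and closes at once, like a syslog server installed in TCP mode while the
    console says TCP/TLS. Returns its port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            conn.close()
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

def unused_port():
    """Constructed helper: a local port with nothing listening on it."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]
```

Run the check from the agent handler host itself, since a firewall between the handler and the syslog server gives the same "tcp_connect_failed" result as a server that is not running.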