Syslog Reports

Overview

Syslog is a client-server protocol for forwarding log messages from the application or device that produces the logs to a syslog receiver. Use syslog to accumulate log messages on a system remote from the search appliance.

You configure syslog from the Administration > Network Settings page.

Messages sent from the search appliance to a syslog receiver are assigned the priority Informational. The search appliance sends messages to the syslog receiver every 5 minutes.

The syslog facility value identifies the device from which a message originates. You can set the syslog facility to any local use level. The Facility setting has no effect on which messages are logged. For more details on the syslog protocol, see RFC 3164.

You can use syslog to generate your own reports on search appliance activity. The following sections have information on how to test a syslog setup and on the syslog message format.

Testing a Syslog Configuration

After you configure a syslog server from the Administration > Network Settings page, verify that the search appliance is sending syslog messages to your syslog server. You need a network utility that lets you listen on a socket and print everything that is received on the socket. The following example uses netcat, a free utility available for both Unix and Windows.

To test a syslog configuration:

  1. Log in to the syslog server host.
  2. Ensure that netcat is installed on the syslog server host.
  3. On the syslog server host, open a terminal window.
  4. Start netcat. For example, on a UNIX system, use the following command:

       # nc -l -p 514 -u

  5. Start a web browser and perform some searches on the search appliance.

    Within ten minutes, web server log messages should begin to appear in the terminal window where netcat is running.

About the Syslog Message Format

Each syslog message has three parts: PRI, HEADER, and MSG.

A typical syslog message looks like this:

<174>Jul 16 17:19:33 10.1.1.5 usage: 127.0.0.1 - - [16/Jul/2002:17:18:25 -0800] "GET /search?ie=&q=foot&site=my_collection&output=xml_no_dtd&client=my_collection&btnG=Search&access=p&lr=&ip=10.1.1.224&proxystylesheet=my_collection&oe= HTTP/1.1" 200 1371 2 0.01

The following table contains information about the PRI and HEADER sections of the syslog message.

| Syslog Syntax | Explanation |
|---|---|
| <174> | The PRI part of the syslog protocol (see RFC 3164). |
| Jul 16 17:19:33 | The date the syslog wrote this record. |
| 10.1.1.5 | The IP address of the appliance. |
| usage: | You can ignore this field. |

The following table contains information about the MSG section of the syslog message.

| Syslog Message Section | Explanation |
|---|---|
| 127.0.0.1 | The IP address that requested the XML, that is, the XSLT proxy on the appliance. |
| [16/Jul/2002:17:18:25 -0800] | The time stamp of the request. |
| GET /search?... | The HTTP request sent to the internal server, which is not the same as the request sent to the appliance. (Note that the client IP address is included with the "ip" parameter.) |
| 200 | The web server response code. |
| 1371 | The content length of the raw XML output by the internal server. |
| 2 | Estimate of the number of results the search appliance has, not the number of results returned. |
| 0.01 | Time in seconds for the request to be handled. |
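
A parser for the message format described above, as an added example that is not part of the original page or Google's code. It decodes PRI into facility and severity per RFC 3164 and takes the client address from the "ip" parameter, because the leading address in MSG is the appliance's own XSLT proxy. The sample line is constructed from the page's example with a shortened query string; the function and field names are assumptions, and the request target is assumed to contain no spaces.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample in the format shown above (not captured from a real appliance).
SAMPLE = ('<174>Jul 16 17:19:33 10.1.1.5 usage: 127.0.0.1 - - '
          '[16/Jul/2002:17:18:25 -0800] "GET /search?ie=&q=foot&site=my_collection'
          '&access=p&ip=10.1.1.224&oe= HTTP/1.1" 200 1371 2 0.01')

LINE_RE = re.compile(
    r'^<(?P<pri>\d{1,3})>'                                # PRI
    r'(?P<logged>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) '  # HEADER: syslog date
    r'(?P<appliance>\S+) (?P<tag>\S+): '                  # HEADER: appliance IP, tag
    r'(?P<proxy_ip>\S+) \S+ \S+ \[(?P<requested>[^\]]+)\] '
    r'"(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<length>\d+) (?P<estimate>\d+) (?P<seconds>[\d.]+)$'
)


def parse_usage_line(line):
    """Return a dict of fields, or None if the line does not match the format."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    # RFC 3164: PRI = facility * 8 + severity
    facility, severity = divmod(int(rec.pop('pri')), 8)
    rec['facility'], rec['severity'] = facility, severity
    # Facilities 16 to 23 are the "local use" levels local0 to local7.
    rec['facility_name'] = f'local{facility - 16}' if 16 <= facility <= 23 else str(facility)
    for key in ('status', 'length', 'estimate'):
        rec[key] = int(rec[key])
    rec['seconds'] = float(rec['seconds'])
    # Request line is "METHOD target [protocol]"; the target carries the query string.
    parts = rec['request'].split()
    target = parts[1] if len(parts) > 1 else ''
    params = parse_qs(urlsplit(target).query, keep_blank_values=True)
    rec['query'] = params.get('q', [''])[0]
    # The real client address is in the "ip" parameter, not the leading MSG field.
    rec['client_ip'] = params.get('ip', [None])[0]
    return rec


if __name__ == '__main__':
    print(parse_usage_line(SAMPLE))
```

Lines that return None do not match the documented layout and are worth counting separately in a report rather than silently dropping.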

 
© Google Inc.