In normal processing, the Syslog Adapter will tail the contents of a syslog file. When tailing a file, the adapter processes only new messages added to the file. Tailing provides constant monitoring of the syslog file while the adapter is running. If tailing is disabled, the Syslog Adapter parses and processes the file once.

Determine which messages in the syslog file are important in the deployment. Network administrators can explain any practices in their network that result in syslog messages and can recommend which syslog messages are appropriate for processing. Note that by default, only messages related to devices in the topology are used by the Syslog Adapter: all other messages are ignored. This behavior can be reconfigured, but processing other syslog messages might add significantly to processing time.

To expand syslog processing, choose additional messages that will generate notifications and determine what information the notifications will contain. Messages can be selected based on source and content to create notifications. With appropriate logic in the my_hook_syslog.asl file, information retrieved from the messages can be used to customize the notifications. You can use the Adapter Scripting Language (ASL) to modify my_hook_syslog.asl and specify the appropriate processing.

If you are considering more extensive customization of notifications, remember that Syslog Adapter hook script processing is single-threaded: the more logic performed on each notification, the longer the processing time and the greater the potential for a bottleneck.
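Before widening the default topology-only filter or adding hook logic, it helps to measure how many messages in a representative syslog sample would newly come into scope. The following is an added planning example, not part of the Syslog Adapter or its ASL scripts; the device names, the sample lines, the RFC 3164-style line layout, and the case-insensitive host comparison are all assumptions made for illustration.

```python
import re
from collections import Counter

# Assumed RFC 3164-style layout: "Mmm dd hh:mm:ss host rest-of-message"
LINE_RE = re.compile(
    r"^[A-Z][a-z]{2}\s+\d{1,2}\s\d{2}:\d{2}:\d{2}\s(?P<host>\S+)\s(?P<msg>.*)$"
)

# Constructed sample data, not taken from a real deployment.
TOPOLOGY = {"core-rtr1", "edge-sw2"}
SAMPLE = """\
Jan 12 10:01:02 core-rtr1 %LINK-3-UPDOWN: Interface Gi0/1, changed state to down
Jan 12 10:01:05 printer7 lpd[311]: job 42 queued
Jan 12 10:01:09 edge-sw2 %SYS-5-CONFIG_I: Configured from console
Jan  2 10:02:00 CORE-RTR1 %LINK-3-UPDOWN: Interface Gi0/1, changed state to up
this line is not syslog
Jan 12 10:02:30 printer7 lpd[311]: job 42 done
"""

def survey(lines, topology):
    """Count messages per source host, split by topology membership."""
    topo = {h.lower() for h in topology}  # assumption: names compared case-insensitively
    in_scope, ignored, unparsed = Counter(), Counter(), 0
    for line in lines:
        m = LINE_RE.match(line.rstrip("\n"))
        if not m:
            unparsed += 1  # malformed lines are counted, never silently dropped
            continue
        host = m.group("host").lower()
        (in_scope if host in topo else ignored)[host] += 1
    return in_scope, ignored, unparsed

def added_load(in_scope, ignored):
    """Extra messages per currently processed message if every host were accepted."""
    base = sum(in_scope.values())
    extra = sum(ignored.values())
    return extra / base if base else float("inf")

if __name__ == "__main__":
    in_scope, ignored, unparsed = survey(SAMPLE.splitlines(), TOPOLOGY)
    print("processed by default:", dict(in_scope))
    print("ignored by default:  ", dict(ignored))
    print("unparsed lines:      ", unparsed)
    print("added load if widened: %.0f%%" % (100 * added_load(in_scope, ignored)))
```

Run it against a sample that covers a typical busy period; because hook script processing is single-threaded, the added-load ratio is a direct indicator of how much more work each hook invocation path will see.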

Revise your solution architecture diagram to reflect your syslog processing design. “Syslog Adapter added to the solution architecture diagram” on page 88 provides a typical example.

Figure 1. Syslog Adapter added to the solution architecture diagram