Applies to:
Acronis Backup 12.5 Hardened Edition
Use Case
There is a requirement to forward all Acronis Backup logs to a central syslog server.
Solution
NXLog can be used to forward events from Acronis Backup logs to a central syslog server.
A sample NXLog configuration is provided below.
Replace the Host value in the <Output udp> block (the SYSLOG_HOSTNAME_OR_IP_ADDRESS placeholder, line 108 below) with your syslog server hostname or IP address.
Some input files are only present on the management server, or when specific features are configured. You will need to review the logs in your environment and enable these input sources as appropriate.
Example nxlog.conf
# Global NXLog settings: installation root, working directories and NXLog's own log file.
# NOTE(review): per the NXLog documentation, "Soft" is expected to log panic conditions
# rather than abort the service - confirm for the installed version.
Panic Soft
#NoFreeOnExit TRUE
define ROOT C:\Program Files (x86)\nxlog
# CERTDIR and CONFDIR are defined here but not referenced anywhere else in this sample.
define CERTDIR %ROOT%\cert
define CONFDIR %ROOT%\conf
define LOGDIR %ROOT%\data
define LOGFILE %LOGDIR%\nxlog.log
# NXLog's internal log. The acronis_proc processor below writes any Acronis log line it
# cannot parse into this file via log_info(), so it can hold copies of backup log content;
# restrict read access to it accordingly.
LogFile %LOGFILE%
Moduledir %ROOT%\modules
# Cache, PID and spool files all share the data directory with nxlog.log.
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
# Loads the syslog extension; it supplies to_syslog_bsd(), which the udp output calls,
# and interprets the $SyslogFacility / $Severity fields set in acronis_proc.
<Extension _syslog>
Module xm_syslog
</Extension>
# Present on both client and server
# Reads mms.0.log and tags every event with a fixed $SourceName so the origin can be
# identified on the syslog server. The account NXLog runs under needs read access to this path.
# NOTE(review): only the ".0" file is named here; whether rotated files need collecting
# depends on how Acronis rotates this log - confirm.
<Input file_mms>
Module im_file
File 'C:\\ProgramData\\Acronis\\BackupAndRecovery\\MMS\\mms.0.log'
<Exec>
$SourceName = 'AcronisBackup-MMS';
</Exec>
</Input>
# Present on both client and server
# Reads zmq_client_sessions.0.log and tags every event with a fixed $SourceName.
<Input file_zmqcs>
Module im_file
File 'C:\\ProgramData\\Acronis\\BackupAndRecovery\\MMS\\zmq_client_sessions.0.log'
<Exec>
$SourceName = 'AcronisBackup-zmqcs';
</Exec>
</Input>
# Present on both client and server
# Wildcard input: every *.log file in the ServiceProcess directory is read, and all of
# them share the same $SourceName tag, so the original file name is not carried forward.
<Input file_sp>
Module im_file
File 'C:\\ProgramData\\Acronis\\ServiceProcess\\*.log'
<Exec>
$SourceName = 'AcronisBackup-SP';
</Exec>
</Input>
# Management Server only
#<Input file_mgmtsrv>
# Module im_file
# File 'C:\\ProgramData\\Acronis\\AMS\\logs\\ManagementServer.0.log'
# <Exec>
# $SourceName = 'AcronisBackup-AMS';
# </Exec>
#</Input>
# Management Server only
#<Input file_asn>
# Module im_file
# File 'C:\\ProgramData\\Acronis\\BackupAndRecovery\\ASN\\logs\\asn-*.log'
# <Exec>
# $SourceName = 'AcronisBackup-ASN';
# </Exec>
#</Input>
# Not present unless Acronis Removable Storage Manager (ARSM) is configured
#<Input file_arsm>
# Module im_file
# File 'C:\\ProgramData\\Acronis\\ARSM\\arsm.0.log'
# <Exec>
# $SourceName = 'AcronisBackup-ARSM';
# </Exec>
#</Input>
# Management Server only
#<Input file_ns>
# Module im_file
# File 'C:\\ProgramData\\Acronis\\NotificationService\\Logs\\notification_service.log'
# <Exec>
# $SourceName = 'AcronisBackup-NS';
# </Exec>
#</Input>
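# Normalises Acronis log lines before forwarding: sets the syslog facility, derives a
# severity, and splits "<timestamp> <number> <9-char code>: <text>" lines into
# $EventTime and $Message.
<Processor acronis_proc>
    Module pm_null
    <Exec>
        $SyslogFacility = 'AUDIT';

        # Severity is a substring heuristic over the whole raw line: any occurrence of
        # "error" (case-insensitive), including inside a path or job name, yields ERROR.
        # Treat it as a hint on the collector side, not as an authoritative level.
        if $raw_event =~ /error/i {
            $Severity = 'ERROR';
        } else {
            $Severity = 'INFO';
        }

        # The UTC offset accepts either sign ([+-]); the earlier pattern matched only a
        # literal '-', so lines written with a positive offset fell into the
        # "regex failed" branch. Milliseconds and the offset are matched but discarded.
        # NOTE(review): strptime() receives no zone information here - presumably the
        # value is interpreted as local time; confirm against the collector's expectations.
        if $raw_event =~ /^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}):\d{3}[+-]\d{2}:\d{2} \d+ ([0-9A-Z]{9}: .*)$/ {
            $EventTime = strptime($1, '%Y-%m-%dT%H:%M:%S');
            $Message = $2;
            # A message whose code starts with 'I' is forced back to INFO even if its
            # text contains "error" - presumably 'I' marks informational codes; confirm.
            if $Message =~ /^I/ { $Severity = 'INFO'; }
            #log_info('EventTime=[' + $EventTime + '], SourceName=[' + $SourceName + '], Message=[' + $Message + ']');
        } else {
            # Unparsed lines are copied into NXLog's own log and still continue down the
            # route (nothing drops them), without $EventTime or $Message being set here.
            log_info('regex failed, raw_event=[' + $raw_event + ']');
        }
    </Exec>
</Processor>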
# Send events to remote syslog server
# Replace Host value below
# NOTE(review): om_udp sends BSD-format syslog in cleartext, with no delivery guarantee
# and no authentication of sender or receiver. Events can be lost, read or forged on the
# path to the collector, and long lines may be truncated. For audit data, prefer a
# TLS transport where the collector supports it. Untested sketch with placeholder values;
# the Route below must then reference this output name instead of "udp":
#<Output tls>
# Module om_ssl
# Host SYSLOG_HOSTNAME_OR_IP_ADDRESS
# Port 6514
# CAFile %CERTDIR%\CA_CERT_FILE_PLACEHOLDER.pem
# AllowUntrusted FALSE
# Exec to_syslog_ietf();
#</Output>
# If UDP must be kept, confine it to a trusted management network segment.
<Output udp>
Module om_udp
Host SYSLOG_HOSTNAME_OR_IP_ADDRESS
Port 514
# Formats each event as a BSD syslog line using the fields set by the inputs and acronis_proc.
Exec to_syslog_bsd();
</Output>
# Routes
# Add file input sources to route below when they are enabled (un-commented) above.
# Only inputs that are actually defined (un-commented) may be listed in a Path; pick the
# single Path line that matches the host's role.
<Route file_to_syslog>
# Acronis Backup Client
Path file_mms, file_zmqcs, file_sp => acronis_proc => udp
# Acronis Backup Management Server
# NOTE(review): the first alternative below sends events straight to udp and skips
# acronis_proc, so $SyslogFacility, $Severity, $EventTime and $Message are not set by
# this configuration on that path; the second alternative keeps the processor.
#Path file_mms, file_zmqcs, file_mgmtsrv, file_asn, file_arsm, file_sp, file_ns => udp
#Path file_mms, file_zmqcs, file_mgmtsrv, file_sp, file_ns => acronis_proc => udp
</Route>