Articles in this section

See more

SCS KB 1011: Using Acronis Backup with remote syslog

  • Updated
Follow

Applies to:

Acronis Backup 12.5 Hardened Edition

Use Case

There is a requirement to forward all Acronis Backup logs to a central syslog server.

Solution

NXLog can be used to forward events from Acronis Backup logs to a central syslog server.

A sample NXLog configuration is provided below.

Replace the Output Host value, line 108 below, with your syslog server hostname or IP address.

Some input files are only present on the management server, or when specific features are configured. You will need to review the logs in your environment and enable these input sources as appropriate.

Example nxlog.conf
Panic Soft
#NoFreeOnExit TRUE
 
define ROOT C:\Program Files (x86)\nxlog
define CERTDIR %ROOT%\cert
define CONFDIR %ROOT%\conf
define LOGDIR %ROOT%\data
define LOGFILE %LOGDIR%\nxlog.log
LogFile %LOGFILE%
 
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
 
<Extension _syslog>
 Module xm_syslog
</Extension>
 
# Present on both client and server
<Input file_mms>
 Module im_file
 File 'C:\\ProgramData\\Acronis\\BackupAndRecovery\\MMS\\mms.0.log'
 <Exec>
 $SourceName = 'AcronisBackup-MMS';
 </Exec>
</Input>
 
# Present on both client and server
<Input file_zmqcs>
 Module im_file
 File 'C:\\ProgramData\\Acronis\\BackupAndRecovery\\MMS\\zmq_client_sessions.0.log'
 <Exec>
 $SourceName = 'AcronisBackup-zmqcs';
 </Exec>
</Input>
 
# Present on both client and server
<Input file_sp>
 Module im_file
 File 'C:\\ProgramData\\Acronis\\ServiceProcess\\*.log'
 <Exec>
 $SourceName = 'AcronisBackup-SP';
 </Exec>
</Input>
 
# Management Server only
#<Input file_mgmtsrv>
# Module im_file
# File 'C:\\ProgramData\\Acronis\\AMS\\logs\\ManagementServer.0.log'
# <Exec>
# $SourceName = 'AcronisBackup-AMS';
# </Exec>
#</Input>
 
# Management Server only
#<Input file_asn>
# Module im_file
# File 'C:\\ProgramData\\Acronis\\BackupAndRecovery\\ASN\\logs\\asn-*.log'
# <Exec>
# $SourceName = 'AcronisBackup-ASN';
# </Exec>
#</Input>
 
# Not present unless Acronis Removable Storage Manager (ARSM) is configured
#<Input file_arsm>
# Module im_file
# File 'C:\\ProgramData\\Acronis\\ARSM\\arsm.0.log'
# <Exec>
# $SourceName = 'AcronisBackup-ARSM';
# </Exec>
#</Input>
 
# Management Server only
#<Input file_ns>
# Module im_file
# File 'C:\\ProgramData\\Acronis\\NotificationService\\Logs\\notification_service.log'
# <Exec>
# $SourceName = 'AcronisBackup-NS';
# </Exec>
#</Input>
 
<Processor acronis_proc>
 Module pm_null
 <Exec>
 $SyslogFacility = 'AUDIT';
 
 if $raw_event =~ /error/i {
 $Severity = 'ERROR';
 } else {
 $Severity = 'INFO';
 }
 if $raw_event =~ /^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}):\d{3}-\d{2}:\d{2} \d+ ([0-9A-Z]{9}: .*)$/ {
 $EventTime = strptime($1, '%Y-%m-%dT%H:%M:%S');
 $Message = $2;
 if $Message =~ /^I/ { $Severity = 'INFO'; }
 #log_info('EventTime=[' + $EventTime + '], SourceName=[' + $SourceName + '], Message=[' + $Message + ']');
 } else {
 log_info('regex failed, raw_event=[' + $raw_event + ']');
 }
 </Exec>
</Processor>
 
# Send events to remote syslog server
# Replace Host value below
<Output udp>
 Module om_udp
 Host SYSLOG_HOSTNAME_OR_IP_ADDRESS
 Port 514
 Exec to_syslog_bsd();
</Output>
 
# Routes
# Add file input sources to route below when they are enabled (un-commented) above.
<Route file_to_syslog>
 # Acronis Backup Client
 Path file_mms, file_zmqcs, file_sp => acronis_proc => udp
 # Acronis Backup Management Server
 #Path file_mms, file_zmqcs, file_mgmtsrv, file_asn, file_arsm, file_sp, file_ns => udp
 #Path file_mms, file_zmqcs, file_mgmtsrv, file_sp, file_ns => acronis_proc => udp
</Route>

Related articles