Does anybody know how or even if, since I can't locate much on it, syslog offers any heartbeat mechanism?
I'm specifically thinking about how to monitor the devices that offer up syslog messages.
I'm not specifically looking to use an external solution, but instead something syslog possibly offers itself, which can be monitored/interrogated and flagged if something is down.
Or is there a standard lightweight tcp-based heartbeat protocol which runs on win/linux/bsd/solaris/aix/hp-ux?
Motivation
Maybe you already solved your problem but didn't post your solution or maybe you gave up on that and you're still waiting. I had the same problem and found an answer. Here it is:
SYSLOG
Syslog itself offers "mark". Actually this is a heartbeat.
A syslog entry looks like this:
Nov 23 17:37:00 192.168.160.115 -- MARK --
mark: messages generated by syslogd itself that contain only a timestamp and the string “--MARK--”. To specify how many minutes should transpire between marks, invoke syslogd with the -m [minutes] flag.
[Source: http://www.linuxjournal.com/article/5476 ]
NXLOG
If you want the same for NXLOG you can do this by using the Module im_mark:
<Input mark>
    # Module
    Module im_mark
    # Interval in minutes
    MarkInterval 40
    # Message
    Mark -- MARK --
</Input>
[Source: https://nxlog.org/node/295#im_mark ]
A log from nxlog on Windows looks like this:
Nov 24 09:21:57 192.168.160.123 MSWinEventLog 1 N/A 77 Tue Nov 24 09:21:57 2015 N/A nxlog-ce N/A N/A N/A WKS-HC02 N/A -- MARK -- N/A
You could use the following RegEx to trigger on such log entries:
(\w+\s+\d+\s+\d+:\d+:\d+) ([\w.-]+).*--\s*MARK\s*--
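An added example, not part of the original answer: matching MARK lines only tells you who is alive, so the alert has to fire on their absence. This sketch applies the regex above to collected log lines and reports the senders whose newest MARK is overdue or missing. The host inventory, the per-host intervals, the grace period and the sample lines are constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# Regex from the answer above, unchanged.
MARK_RE = re.compile(r"(\w+\s+\d+\s+\d+:\d+:\d+) ([\w.-]+).*--\s*MARK\s*--")
FMT = "%Y %b %d %H:%M:%S"

# Constructed sample lines in the two formats shown above.
SAMPLE = [
    "Nov 24 09:00:00 192.168.160.115 -- MARK --",
    "Nov 24 09:20:00 192.168.160.115 -- MARK --",
    "Nov 24 09:21:57 192.168.160.123 MSWinEventLog 1 N/A 77 Tue Nov 24 "
    "09:21:57 2015 N/A nxlog-ce N/A N/A N/A WKS-HC02 N/A -- MARK -- N/A",
    "Nov 24 09:30:12 192.168.160.115 sshd[811]: session opened",
    "Nov 24 08:10:00 192.168.160.130 -- MARK --",
]
# Hypothetical inventory: sender -> its configured mark interval in minutes.
EXPECTED = {"192.168.160.115": 20, "192.168.160.123": 40,
            "192.168.160.130": 20, "192.168.160.140": 20}

def parse_stamp(stamp, now):
    """Classic syslog timestamps carry no year: assume the current one and
    fall back to the previous year when that would land in the future."""
    stamp = " ".join(stamp.split())          # collapse padding such as "Nov  3"
    ts = datetime.strptime(f"{now.year} {stamp}", FMT)
    if ts > now + timedelta(days=1):
        ts = datetime.strptime(f"{now.year - 1} {stamp}", FMT)
    return ts

def last_marks(lines, now):
    """Return {host: timestamp of its newest MARK line}."""
    seen = {}
    for line in lines:
        m = MARK_RE.match(line)
        if m:
            ts = parse_stamp(m.group(1), now)
            seen[m.group(2)] = max(ts, seen.get(m.group(2), ts))
    return seen

def silent_hosts(lines, expected, now, grace_min=5):
    """Expected senders whose newest MARK is older than interval + grace,
    plus senders that never sent one (only an inventory can reveal those)."""
    marks = last_marks(lines, now)
    return sorted(h for h, interval in expected.items()
                  if h not in marks
                  or now - marks[h] > timedelta(minutes=interval + grace_min))

if __name__ == "__main__":
    print(silent_hosts(SAMPLE, EXPECTED, datetime(2015, 11, 24, 9, 40)))
```
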