Syslog Receiver


Syslog

The Syslog Receiver is based on RFC 3164 and listens for Syslog messages.  By default, the Receiver listens for Syslog on UDP port 514 or TCP port 601.  RFC 3164 syslog carries no authentication or encryption on either transport, and the source address of a UDP datagram is trivially spoofed, so restrict which devices can reach the listening port (for example with a host firewall rule on the ELM server) and treat the host name inside a received message as a claim made by the sender rather than as a verified fact.

Auto Assign

By default, the Syslog Receiver monitor item is automatically assigned to any agent that sends syslog messages to the ELM server using the specified protocol and port number.  If Auto Assign is unchecked, you must manually assign the monitor item to agents.

Event Filters

When no Include Filter is assigned to it, the Syslog Receiver collects all syslog messages.  See Event Filters for further information.

Categories

Displays the Monitoring Categories to which the Monitor is assigned. Click to select or deselect Monitoring Categories. Right click to create or edit Monitoring Categories.

Agents

Displays the Agents to which the Monitor is assigned.  Click to select or deselect Agents. Right click or click the New link to deploy a new agent.

Properties Tab

This read-only tab displays the properties of the selected object and the values for those properties.

Syslog Device Configuration

Before ELM can receive any Syslog messages, the sending device has to be configured to forward them, and usually this is done in a syslog.conf file.  A common format for this file designates facility, severity, and destination, where the destination is written as @ followed by the host name or address of the ELM server (traditional BSD-style syslogd sends to that host over UDP port 514).  In that classic selector syntax, naming a severity matches messages of that severity and of every more severe one.

Generic Examples:

facility.severity[;facility.severity]   destination   Meaning
kern.*                                  @PDC1         Send all messages from the kernel facility, at any severity, to server PDC1.
*.err                                   @redmond      Send messages from any facility with a severity of error or more severe (error, critical, alert, emergency) to server REDMOND.
cron.warning;ntp.alert                  @corp3        Send messages from the cron facility at severity warning or more severe, and from the ntp facility at severity alert or more severe, to the server CORP3.

These are generic examples; please consult the documentation for your specific device for details about its Syslog functionality, including whether it can send over TCP and whether the destination port can be changed.

Syslog to Event Log Record Layout

When ELM receives Syslog messages, the Syslog record format is converted to a Windows event log record style format.

Syslog messages have the following fields, which ELM maps to the corresponding event record fields listed.  Note that both the Syslog Header (timestamp and host name) and the Syslog Message body are placed in the event record's Message field:

Syslog Message   Event Record
Facility         Category
Severity         Event Type
Priority         Event ID
Header           Message
Message          Message

Syslog messages have 24 Facilities.  These are converted to event categories by ELM according to the following mapping:

Number   Syslog Facility   Event Category
0        Kernel            kern
1        User              user
2        Mail              mail
3        Daemon            daemon
4        Auth              auth
5        Syslog            syslog
6        Lpr               lpr
7        News              news
8        UUCP              uucp
9        Cron              cron
10       Security          authpriv
11       FTP Daemon        ftp
12       NTP               ntp
13       Log Audit         audit
14       Log Alert         alert
15       Clock Daemon      clock
16       Local0            local0
17       Local1            local1
18       Local2            local2
19       Local3            local3
20       Local4            local4
21       Local5            local5
22       Local6            local6
23       Local7            local7

Syslog messages have 8 Severities or Levels.  These are converted to event types by ELM according to the following mapping:

Number   Syslog Severity   Event Type
0        Emergency         Error
1        Alert             Error
2        Critical          Error
3        Error             Error
4        Warning           Warning
5        Notice            Warning
6        Info              Informational
7        Debug             Informational

Syslog messages have 192 Priority values (0 to 191).  The Priority is carried at the start of each message as the PRI field, written as the number in angle brackets (for example <19>), and is calculated from the Facility and Severity according to the following formula.  ELM uses the Priority as the Event ID.  Within a single facility a lower Severity number is more severe (0 is Emergency, 7 is Debug); because the Facility is multiplied by 8, however, the Priority number by itself does not order messages by importance across facilities (local0.emergency is 128, while kern.debug is 7).

Facility * 8 + Severity = Priority (Event ID)

Examples:

Facility            *   Multiplier   +   Severity        =   Priority (Event ID)
Mail (2)            *   8            +   Error (3)       =   19
Clock Daemon (15)   *   8            +   Warning (4)     =   124
Kernel (0)          *   8            +   Emergency (0)   =   0
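The following Python program is an added example, not ELM's own code, showing the conversion described in the two preceding sections carried out end to end: it reads RFC 3164 lines, decodes the PRI field with the Facility * 8 + Severity formula, and fills the event record fields (Category, Event Type, Event ID, Message) using the facility and severity tables on this page.  The sample log lines are constructed for the example.  Two behaviours are assumptions rather than documented ELM behaviour: a line whose PRI is missing or out of range is given PRI 13 (user.notice), which is what RFC 3164 section 4.3.3 requires of a relay, and the RFC 3164 HEADER is recognised with a fixed timestamp pattern.

```python
"""Decode RFC 3164 syslog lines into ELM-style event record fields.

Added example; not ELM's own code. Sample messages are constructed.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Facility number -> event category, from the facility table on this page.
FACILITY_CATEGORY = {
    0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
    6: "lpr", 7: "news", 8: "uucp", 9: "cron", 10: "authpriv", 11: "ftp",
    12: "ntp", 13: "audit", 14: "alert", 15: "clock",
}
FACILITY_CATEGORY.update({16 + n: f"local{n}" for n in range(8)})

# Severity number -> RFC 3164 name, from the severity table on this page.
SEVERITY_NAME = ["Emergency", "Alert", "Critical", "Error",
                 "Warning", "Notice", "Info", "Debug"]

# ASSUMPTION: PRI to use when a line has no usable PRI. RFC 3164 section
# 4.3.3 tells a relay to insert 13 (user.notice); the page does not say
# what ELM itself does with such messages.
DEFAULT_PRI = 13

_PRI_RE = re.compile(r"^<(\d{1,3})>")
# RFC 3164 HEADER: "Mmm dd hh:mm:ss HOSTNAME " (day of month may be space-padded).
_HEADER_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$",
    re.DOTALL,
)


def event_type_for(severity: int) -> str:
    """Severity -> Windows-style event type, per the page's mapping table."""
    if severity <= 3:
        return "Error"          # Emergency, Alert, Critical, Error
    if severity <= 5:
        return "Warning"        # Warning, Notice
    return "Informational"      # Info, Debug


def split_pri(pri: int) -> Tuple[int, int]:
    """Invert Facility * 8 + Severity = Priority; returns (facility, severity)."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI {pri} is outside the valid range 0-191")
    return divmod(pri, 8)


@dataclass(frozen=True)
class EventRecord:
    facility: int
    severity: int
    category: str               # from Facility
    event_type: str             # from Severity
    event_id: int               # = Priority
    message: str                # HEADER and MSG both land in the Message field
    hostname: Optional[str]     # host name claimed in the HEADER, unverified


def parse_syslog_line(line: str) -> EventRecord:
    """Convert one RFC 3164 line into the event record fields ELM populates."""
    m = _PRI_RE.match(line)
    pri = int(m.group(1)) if m else -1
    if 0 <= pri <= 191:
        rest = line[m.end():]
    else:
        # Missing or out-of-range PRI: fall back to DEFAULT_PRI and keep the
        # whole original line as the message text so nothing is lost.
        pri, rest = DEFAULT_PRI, line
    facility, severity = split_pri(pri)
    header = _HEADER_RE.match(rest)
    return EventRecord(
        facility=facility,
        severity=severity,
        category=FACILITY_CATEGORY[facility],
        event_type=event_type_for(severity),
        event_id=pri,
        message=rest,
        hostname=header.group("host") if header else None,
    )


# Constructed sample input covering the page's worked examples plus edge cases.
SAMPLE_LINES = [
    "<19>Oct 11 22:14:15 mailhost postfix/smtpd[1234]: connect from unknown[203.0.113.5]",
    "<124>Nov  3 09:05:01 ntp1 chronyd[42]: System clock wrong by 2.5 seconds",
    "<0>Oct 11 22:14:16 core1 kernel: panic - not syncing",
    "<165>Oct 11 22:14:17 fw1 filterlog: block in on em0 proto tcp",
    "no PRI at all on this line",
    "<999>Oct 11 22:14:18 badhost message with an out-of-range PRI",
]


def convert_all(lines: List[str]) -> List[EventRecord]:
    return [parse_syslog_line(line) for line in lines]


if __name__ == "__main__":
    for rec in convert_all(SAMPLE_LINES):
        print(f"{rec.event_id:>3}  {rec.category:<9} {rec.event_type:<13} "
              f"{SEVERITY_NAME[rec.severity]:<9} {rec.message}")
```

Running the program prints one line per sample message; the first three reproduce the page's worked examples (19 = mail/Error, 124 = clock/Warning, 0 = kern/Error), the fourth shows that local4.notice (165) becomes a Warning event, and the last two show the fallback for a missing and an invalid PRI.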