Syslog Receiver
Syslog
The Syslog Receiver is based on RFC 3164 and listens for Syslog messages. By default, the Receiver listens for Syslog on UDP port 514 or TCP port 601.

Auto Assign
By default, the Syslog Receiver monitor item is automatically assigned to any agent that sends syslog messages to the ELM server using the specified protocol and port number. If unchecked, you must manually assign the monitor item to agents.

Event Filters
By default, the Syslog Receiver collects all syslog messages when no Include Filter is assigned to it. See Event Filters for further information.

Categories
Displays the Monitoring Categories to which the Monitor is assigned. Click to select or deselect Monitoring Categories. Right click to create or edit Monitoring Categories.

Agents
Displays the Agents to which the Monitor is assigned. Click to select or deselect Agents. Right click or click the New link to deploy a new agent.
Syslog Device Configuration
Before ELM receives any Syslog messages, the device sending Syslog has to be configured, usually in a syslog.conf file. A common format for this file designates facility, severity, and destination. Generic Examples:
These are generic examples; please consult the documentation for your specific device for details about its Syslog functionality.

Syslog to Event Log Record Layout
When ELM receives Syslog messages, the Syslog record format is converted to a Windows event log record style format. Syslog messages have the following fields, which ELM maps to the corresponding event record fields listed:
Syslog messages have 24 Facilities. These are converted to event categories by ELM according to the following mapping:
Syslog messages have 8 Severities or Levels. These are converted to event types by ELM according to the following mapping:
Syslog messages have 192 Priorities. The lower the number, the higher the priority. The priority is calculated from the Facility and Level according to the following formula, and is used by ELM for the Event ID:

Facility * 8 + Severity = Priority (Event ID)

Examples:
Parsing Syslog messages
Available in 7.0.193.1 or later. The syslog receiver can parse messages and insert the extracted information into an event log format for use with Event Views and Reporting. To use this functionality, first export a syslog receiver to XML and then open the file in a text editor. By default the following properties/modifiers are empty, but you can customize them with regular expressions to parse information out of the message field.

TimeModifier="MessageRegularExpression=end="([^"]*)"
In this example, when the keyword "end" is found followed by an = sign, the time stamp that follows, contained in quotes, is extracted and inserted into the time generated event message field.

ComputerModifier="MessageRegularExpression=dhost="([^"]*)"
In this example, when the keyword "dhost" is found followed by an = sign, the word that follows, contained in quotes, is extracted and inserted into the computer name event message field.

LogModifier=""

CustomCategory=""

EventIdModifier="MessageRegularExpression=eventid="([^"]*)"
In this example, when the keyword "eventid" is found followed by an = sign, the number that follows, contained in quotes, is extracted and inserted into the Event ID event message field.

MessageModifier=""

UserModifier="MessageRegularExpression=suser="([^"]*)"
In this example, when the keyword "suser" is found followed by an = sign, the word that follows, contained in quotes, is extracted and inserted into the User event message field.

CategoryModifier="MessageRegularExpression=name="([^"]*:)"
In this example, when the keyword "name" is found followed by an = sign, the word that follows, contained in quotes, is extracted and inserted into the Category name event message field.
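The following is an added Python example (not ELM's own code) that works through the two pieces above: the <PRI> header is split back into Facility and Severity with the Priority serving as the default Event ID, and then the MessageRegularExpression patterns shown above are applied to a constructed sample message. The dict keys naming the target event fields and the sample message are assumptions.

```python
import re

# Added example, not ELM's own code. The patterns are the MessageRegularExpression
# values shown above; the dict keys naming the target event fields are an assumption.
MODIFIERS = {
    "time_generated": r'end="([^"]*)"',
    "computer": r'dhost="([^"]*)"',
    "event_id": r'eventid="([^"]*)"',
    "user": r'suser="([^"]*)"',
    "category": r'name="([^"]*:)"',
}

# RFC 3164 <PRI> header: one to three digits in angle brackets at the very start.
PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)

# Constructed sample (not a real capture); values are quoted so the modifiers match.
SAMPLE = ('<34>Oct 11 22:14:15 fw01 app: name="Auth failure:" suser="alice" '
          'dhost="SRV01" eventid="4625" end="2024-01-01T00:00:00Z"')

def split_priority(pri):
    """Invert Facility * 8 + Severity = Priority; valid range is 0..191."""
    if not 0 <= pri <= 191:
        raise ValueError(f"priority out of range: {pri}")
    return divmod(pri, 8)  # (facility, severity)

def parse_syslog(raw):
    """Event ID defaults to the priority; each configured modifier then
    overwrites its field only when its regular expression matches."""
    m = PRI_RE.match(raw)
    if not m:
        raise ValueError("message has no <PRI> header")
    pri, message = int(m.group(1)), m.group(2)
    facility, severity = split_priority(pri)
    record = {"event_id": pri, "facility": facility,
              "severity": severity, "message": message}
    for field, pattern in MODIFIERS.items():
        hit = re.search(pattern, message)
        if hit is None:
            continue  # keyword absent: the field keeps its default
        value = hit.group(1)
        if field == "event_id":
            if not value.isdigit():
                continue  # non-numeric capture: keep the priority as Event ID
            value = int(value)
        record[field] = value
    return record
```

Note that the category pattern only matches when the quoted value ends in a colon, exactly as the `([^"]*:)` group in the modifier above requires.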