Syslog Receiver


Syslog

The Syslog Receiver is based on RFC 3164 and listens for Syslog messages. By default it listens on UDP port 514 or TCP port 601. Syslog over UDP carries no sender authentication or integrity protection, so restrict which hosts can reach the receiver port (for example with a host firewall rule) rather than relying on the message contents to identify the sender.

Auto Assign

By default, the Syslog Receiver monitor item is automatically assigned to any agent that sends syslog messages to the ELM server using the specified protocol and port. If Auto Assign is unchecked, you must assign the monitor item to agents manually.

Event Filters

When no Include Filter is assigned to it, the Syslog Receiver collects all syslog messages. See Event Filters for further information.

Categories

Displays the Monitoring Categories to which the Monitor is assigned. Click to select or deselect Monitoring Categories. Right click to create or edit Monitoring Categories.

Agents

Displays the Agents to which the Monitor is assigned. Click to select or deselect Agents. Right click, or click the New link, to deploy a new agent.


Syslog Device Configuration

Before ELM receives any Syslog messages, the sending device must be configured to forward them, and usually this is done in its syslog.conf file. Each rule in that file names a facility, a severity, and a destination.

Generic Examples:

  facility.severity[;facility.severity]   destination   Meaning
  kern.*                                  @PDC1         Send all messages from the kernel facility to server PDC1.
  *.err                                   @redmond      Send all messages with a severity of error, or more severe, to server REDMOND.
  cron.warning;ntp.alert                  @corp3        Send messages from the cron facility with a severity of warning or more severe,
                                                        and from the ntp facility with a severity of alert or more severe, to server CORP3.

These are generic examples in the traditional BSD syslog.conf syntax, where a selector such as *.err matches the named severity and every more severe one, and "@host" forwards over UDP. Please consult the documentation for your specific device for details about its Syslog functionality, including how to select TCP and a non-default port (rsyslog, for example, writes a TCP destination as @@host:601).

Syslog to Event Log Record Layout

When ELM receives Syslog messages, the Syslog record format is converted to a Windows event log record style format.

Syslog messages have the following fields, which ELM maps to the corresponding event record fields listed:

  Syslog Message   Event Record
  Facility         Category
  Severity         Event Type
  Priority         Event ID
  Header           Message
  Message          Message

Syslog messages have 24 Facilities.  These are converted to event categories by ELM according to the following mapping:

  Number   Syslog Facility   Event Category
  0        Kernel            kern
  1        User              user
  2        Mail              mail
  3        Daemon            daemon
  4        Auth              auth
  5        Syslog            syslog
  6        Lpr               lpr
  7        News              news
  8        UUCP              uucp
  9        Cron              cron
  10       Security          authpriv
  11       FTP Daemon        ftp
  12       NTP               ntp
  13       Log Audit         audit
  14       Log Alert         alert
  15       Clock Daemon      clock
  16       Local0            local0
  17       Local1            local1
  18       Local2            local2
  19       Local3            local3
  20       Local4            local4
  21       Local5            local5
  22       Local6            local6
  23       Local7            local7

Syslog messages have 8 Severities or Levels.  These are converted to event types by ELM according to the following mapping:

  Number   Syslog Severity   Event Type
  0        Emergency         Error
  1        Alert             Error
  2        Critical          Error
  3        Error             Error
  4        Warning           Warning
  5        Notice            Warning
  6        Info              Informational
  7        Debug             Informational

Syslog messages have 192 Priorities (24 Facilities x 8 Severities). The Priority is calculated from the Facility and Severity according to the following formula, and ELM uses it as the Event ID:

Facility * 8 + Severity = Priority (Event ID)

Within one facility a lower Severity number is more urgent, but a lower Priority value does not by itself mean a more urgent message: Priority 7 is kernel.debug while Priority 8 is user.emergency. To rank events by urgency, use the Event Type or recover the Severity as Priority mod 8 rather than sorting by Event ID.

Examples:

  Facility            *   Multiplier   +   Severity        =   Priority (Event ID)
  Mail (2)            *   8            +   Error (3)       =   19
  Clock Daemon (15)   *   8            +   Warning (4)     =   124
  Kernel (0)          *   8            +   Emergency (0)   =   0
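To show how the three mappings above combine, here is an added Python example that parses an RFC 3164 line, splits the PRI value back into Facility and Severity, and produces the Category, Event Type and Event ID this page describes. It is not code from ELM: the EventRecord type, the hostname convenience field, the choice to treat a line with no valid PRI as user.notice (<13>, the default RFC 3164 prescribes for relays; the page does not say what ELM does in that case), and the sample lines are all constructed for the example.

```python
import re
from typing import NamedTuple, Optional, Tuple

# Facility number -> ELM event category, copied from the facility table above.
FACILITIES = {
    0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
    6: "lpr", 7: "news", 8: "uucp", 9: "cron", 10: "authpriv", 11: "ftp",
    12: "ntp", 13: "audit", 14: "alert", 15: "clock", 16: "local0",
    17: "local1", 18: "local2", 19: "local3", 20: "local4", 21: "local5",
    22: "local6", 23: "local7",
}

# Severity number -> (syslog name, ELM event type), from the severity table above.
SEVERITIES = {
    0: ("Emergency", "Error"), 1: ("Alert", "Error"), 2: ("Critical", "Error"),
    3: ("Error", "Error"), 4: ("Warning", "Warning"), 5: ("Notice", "Warning"),
    6: ("Info", "Informational"), 7: ("Debug", "Informational"),
}

_PRI_RE = re.compile(r"^<(\d{1,3})>")
# RFC 3164 HEADER: TIMESTAMP ("Mmm dd hh:mm:ss", day space-padded) then HOSTNAME.
_HEADER_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
)


class EventRecord(NamedTuple):
    """Event-log-style record in the shape this page describes (constructed type)."""
    category: str            # Facility -> Category
    event_type: str          # Severity -> Event Type
    event_id: int            # Priority -> Event ID
    message: str             # Header + Message -> Message, as the mapping table shows
    hostname: Optional[str]  # parsed from the HEADER for convenience; not an ELM mapping


def pri_to_event_id(facility: int, severity: int) -> int:
    """Facility * 8 + Severity = Priority (Event ID), with range checks."""
    if not 0 <= facility <= 23:
        raise ValueError("facility must be 0-23")
    if not 0 <= severity <= 7:
        raise ValueError("severity must be 0-7")
    return facility * 8 + severity


def split_pri(pri: int) -> Tuple[int, int]:
    """Inverse of pri_to_event_id: high bits are the facility, low 3 bits the severity."""
    if not 0 <= pri <= 191:
        raise ValueError("PRI must be 0-191")
    return pri >> 3, pri & 7


def parse_syslog(line: str) -> EventRecord:
    """Convert one RFC 3164 line into the record fields described on this page."""
    m = _PRI_RE.match(line)
    if m and int(m.group(1)) <= 191:
        facility, severity = split_pri(int(m.group(1)))
        rest = line[m.end():]
    else:
        # No valid PRI: RFC 3164 tells a relay to treat the line as user.notice (<13>).
        # Assumed here for the example; the page does not document ELM's behaviour.
        facility, severity = 1, 5
        rest = line
    h = _HEADER_RE.match(rest)
    return EventRecord(
        category=FACILITIES[facility],
        event_type=SEVERITIES[severity][1],
        event_id=pri_to_event_id(facility, severity),
        message=rest.strip(),
        hostname=h.group("host") if h else None,
    )


if __name__ == "__main__":
    # Constructed sample lines, not captured from a real device.
    for sample in (
        "<19>Oct 11 22:14:15 mailhost postfix/smtpd[123]: connect from unknown",
        "<124>Oct  1 03:00:00 ntp1 chronyd[77]: clock step detected",
        "<0>Oct 11 22:14:16 PDC1 kernel: panic",
        "no PRI on this line at all",
    ):
        print(parse_syslog(sample))
```

The first two sample lines reproduce the Mail/Error (19) and Clock Daemon/Warning (124) rows of the examples table; the last line shows why the hostname is only a convenience: it comes from the untrusted message body, so it should not be used on its own to decide which agent an event belongs to.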

 

Parsing Syslog messages

Available in 7.0.193.1 or later. The syslog receiver can parse messages and insert the extracted information into event log fields for use with Event Views and Reporting.

To use this functionality, first export a syslog receiver to XML and open the file in a text editor. By default the following properties (modifiers) are empty; each can be set to a regular expression that extracts the value for the corresponding event record field from the message text. In the examples below, the parenthesised part of each pattern is the text that is extracted.

TimeModifier="MessageRegularExpression=end="([^"]*)"

When the keyword end followed by an = sign is found, the quoted time stamp after it is extracted and inserted into the Time Generated field of the event record.

ComputerModifier="MessageRegularExpression=dhost="([^"]*)"

When the keyword dhost followed by an = sign is found, the quoted value after it is extracted and inserted into the Computer name field of the event record.

LogModifier=""

CustomCategory=""

EventIdModifier="MessageRegularExpression=eventid="([^"]*)"

When the keyword eventid followed by an = sign is found, the quoted number after it is extracted and inserted into the Event ID field of the event record (the field that otherwise holds the Priority value).

MessageModifier=""

UserModifier="MessageRegularExpression=suser="([^"]*)"

When the keyword suser followed by an = sign is found, the quoted value after it is extracted and inserted into the User field of the event record.

CategoryModifier="MessageRegularExpression=name="([^"]*:)"

When the keyword name followed by an = sign is found, the quoted value after it is extracted and inserted into the Category field of the event record. Note that this pattern only matches when the quoted value ends with a colon, and the extracted text includes that colon.
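The modifier patterns above, applied with Python's re module to a constructed message in the key="value" style they expect. This is an added example and not ELM's own code: the event field names, the rule that a modifier whose pattern does not match leaves its field unset, and the resolve_event_id fallback to the Priority-derived Event ID are assumptions made for the example, not behaviour documented on this page.

```python
import re
from typing import Dict, Optional

# Modifier name -> the regular expression given after "MessageRegularExpression="
# in the exported receiver XML above. Capture group 1 is the value that is inserted.
MODIFIERS: Dict[str, str] = {
    "TimeModifier": r'end="([^"]*)"',
    "ComputerModifier": r'dhost="([^"]*)"',
    "EventIdModifier": r'eventid="([^"]*)"',
    "UserModifier": r'suser="([^"]*)"',
    "CategoryModifier": r'name="([^"]*:)"',
}

# Event record field each modifier writes, following the page's descriptions.
# The field names themselves are this example's choice.
FIELD_FOR = {
    "TimeModifier": "TimeGenerated",
    "ComputerModifier": "ComputerName",
    "EventIdModifier": "EventID",
    "UserModifier": "User",
    "CategoryModifier": "Category",
}


def apply_modifiers(message: str,
                    modifiers: Dict[str, str] = MODIFIERS) -> Dict[str, Optional[str]]:
    """Run every modifier regex over the message text.

    A modifier whose pattern does not match leaves its field as None
    (an assumption: the page does not say what ELM does on a non-match).
    """
    fields: Dict[str, Optional[str]] = {}
    for name, pattern in modifiers.items():
        m = re.search(pattern, message)
        fields[FIELD_FOR[name]] = m.group(1) if m else None
    return fields


def resolve_event_id(fields: Dict[str, Optional[str]], priority_event_id: int) -> int:
    """Use the extracted eventid when it is a plain number; otherwise keep the
    Priority-derived Event ID. The fallback is an assumption of this example,
    but some fallback is needed because the regex accepts any quoted text."""
    value = fields.get("EventID")
    if value is not None and value.isdigit():
        return int(value)
    return priority_event_id


if __name__ == "__main__":
    # Constructed message in the key="value" style the patterns expect.
    sample = ('dhost="fw01.corp.example" suser="jdoe" eventid="4625" '
              'name="Logon:" end="Oct 11 22:14:15" msg="bad password"')
    print(apply_modifiers(sample))
    # A name value without a trailing colon: CategoryModifier does not match,
    # and a non-numeric eventid falls back to the Priority-derived Event ID.
    print(apply_modifiers('dhost="fw01" name="Logon failed" eventid="n/a"'))
```

Because the patterns read whatever the sending device put between the quotes, treat the extracted Computer name, User and Event ID as untrusted input when building Event Views or alerting rules on them; a device that can be made to log attacker-controlled text can populate those fields.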