Syslog Receiver
The Syslog Receiver is based on RFC 3164 and listens for Syslog messages. By default, the Receiver listens for Syslog on UDP port <%SYSLOG_UDP_PORT%> or TCP port <%SYSLOG_TCP_PORT%>.
By default, the Syslog Receiver monitor item is automatically assigned to any agent that sends syslog messages to the ELM server using the specified protocol and port number. If this option is unchecked, you must manually assign the monitor item to agents.
When no Include Filter is assigned to it, the Syslog Receiver collects all syslog messages. See Event Filters for further information.
Displays the Monitoring Categories to which the Monitor is assigned. Click to select or deselect Monitoring Categories. Right click to create or edit Monitoring Categories.
Displays the Agents to which the Monitor is assigned. Click to select or deselect Agents. Right click or click the New link to deploy a new agent.
Before ELM receives any Syslog messages, the device sending Syslog has to be configured, and usually this is done in a syslog.conf file. A common format for this file designates facility, severity, and destination.
Generic Examples:
facility.severity[;facility.severity] | destination | Meaning
kern.* | @PDC1 | Send all messages from the kernel facility to server PDC1.
*.err | @redmond | Send all messages with a severity of error to server REDMOND.
cron.warning;ntp.alert | @corp3 | Send messages from the cron facility with a severity of warning and
These are generic examples; consult the documentation for your specific device for details about its Syslog functionality.
When ELM receives Syslog messages, the Syslog record format is converted to a Windows event log record style format.
Syslog messages have the following fields, which ELM maps to the corresponding event record fields listed:
Syslog Message | Event Record
Facility | Category
Severity | Event Type
Priority | Event ID
Header | Message
Message | Message
Syslog messages have 24 Facilities. These are converted to event categories by ELM according to the following mapping:
Number | Syslog Facility | Event Category
0 | Kernel | kern
1 | User | user
2 | Mail | mail
3 | Daemon | daemon
4 | Auth | auth
5 | Syslog | syslog
6 | Lpr | lpr
7 | News | news
8 | UUCP | uucp
9 | Cron | cron
10 | Security | authpriv
11 | FTP Daemon | ftp
12 | NTP | ntp
13 | Log Audit | audit
14 | Log Alert | alert
15 | Clock Daemon | clock
16 | Local0 | local0
17 | Local1 | local1
18 | Local2 | local2
19 | Local3 | local3
20 | Local4 | local4
21 | Local5 | local5
22 | Local6 | local6
23 | Local7 | local7
Syslog messages have 8 Severities or Levels. These are converted to event types by ELM according to the following mapping:
Number | Syslog Severity | Event Type
0 | Emergency | Error
1 | Alert | Error
2 | Critical | Error
3 | Error | Error
4 | Warning | Warning
5 | Notice | Warning
6 | Info | Informational
7 | Debug | Informational
Syslog messages have 192 Priorities. The lower the number, the higher the priority. These are calculated from the Facility and Level according to the following formula, and are used by ELM for the Event ID:
Facility * 8 + Severity = Priority (Event ID)
Examples:
Facility | * | Multiplier | + | Severity | = | Priority
Mail (2) | * | 8 | + | Error (3) | = | 19
Clock Daemon (15) | * | 8 | + | Warning (4) | = | 124
Kernel (0) | * | 8 | + | Emergency (0) | = | 0
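As an added example (not code from the ELM documentation), the Python below decodes the PRI of an RFC 3164 line and fills the Category, Event Type and Event ID fields using the three tables above, with the worked rows (19, 124 and 0) as its inputs. The function and field names are assumptions of this example, and the two rejected inputs (a PRI above 191 and a PRI with a leading zero) follow the RFC 3164 rules for the PRI part rather than anything stated on this page.

```python
import re

# Facility numbers 0..23 and severities 0..7 as listed in the tables above.
FACILITIES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
]
SEVERITIES = ["Emergency", "Alert", "Critical", "Error",
              "Warning", "Notice", "Info", "Debug"]
# Severity number -> ELM event type, per the severity table above.
EVENT_TYPES = ["Error"] * 4 + ["Warning"] * 2 + ["Informational"] * 2

# RFC 3164 PRI part: "<" + one to three digits + ">" at the very start of the packet.
PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)


def decode_pri(pri):
    """Invert Facility * 8 + Severity; PRI must be 0..191 (24 facilities * 8 levels)."""
    if not 0 <= pri <= 191:
        raise ValueError("PRI %d outside 0..191" % pri)
    return divmod(pri, 8)  # (facility, severity)


def to_event_record(line):
    """Map one syslog line to the event record fields this page describes (assumed names)."""
    m = PRI_RE.match(line)
    if not m:
        raise ValueError("no <PRI> header")
    digits = m.group(1)
    if len(digits) > 1 and digits[0] == "0":
        raise ValueError("leading zero in PRI is not valid RFC 3164")
    pri = int(digits)
    facility, severity = decode_pri(pri)
    return {
        "Category": FACILITIES[facility],
        "EventType": EVENT_TYPES[severity],
        "EventID": pri,                # the Priority is reused as the Event ID
        "Severity": SEVERITIES[severity],
        "Message": m.group(2),         # header and message kept together, as above
    }
```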
The syslog receiver has the ability to parse messages and insert that information into an event log format for use with Event Views and Reporting.
To use this functionality, first export a syslog receiver to XML and open the file in a text editor. By default the following properties/modifiers are empty, but you can customize them with regular expressions that parse information out of the message field. The examples below show one way to fill them in.
TimeModifier="MessageRegularExpression=end="([^"]*)"
In this example, when the keyword "end" followed by an = sign is found, the time stamp that follows it in quotes is extracted and inserted into the Time Generated field of the event record.
ComputerModifier="MessageRegularExpression=dhost="([^"]*)"
In this example, when the keyword "dhost" followed by an = sign is found, the word that follows it in quotes is extracted and inserted into the Computer Name field of the event record.
LogModifier=""
CustomCategory=""
EventIdModifier="MessageRegularExpression=eventid="([^"]*)"
In this example, when the keyword "eventid" followed by an = sign is found, the number that follows it in quotes is extracted and inserted into the Event ID field of the event record.
MessageModifier=""
UserModifier="MessageRegularExpression=suser="([^"]*)"
In this example, when the keyword "suser" followed by an = sign is found, the word that follows it in quotes is extracted and inserted into the User field of the event record.
CategoryModifier="MessageRegularExpression=name="([^"]*:)"
In this example, when the keyword "name" followed by an = sign is found, the word that follows it in quotes is extracted and inserted into the Category name field of the event record.
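The following Python is an added illustration, not ELM code, of how the modifier strings above behave when applied to a message: each value is split at its first = to obtain the regular expression, the empty defaults are skipped, and the first capture group of every matching expression is written to the field its description names. The sample message, the TARGET_FIELD names and the numeric check on the extracted Event ID are assumptions of this example.

```python
import re

# Modifier values as shown on this page: "MessageRegularExpression=<regex>".
# Empty strings are the defaults the page describes; they leave the field untouched.
MODIFIERS = {
    "TimeModifier": 'MessageRegularExpression=end="([^"]*)"',
    "ComputerModifier": 'MessageRegularExpression=dhost="([^"]*)"',
    "LogModifier": "",
    "EventIdModifier": 'MessageRegularExpression=eventid="([^"]*)"',
    "MessageModifier": "",
    "UserModifier": 'MessageRegularExpression=suser="([^"]*)"',
    "CategoryModifier": 'MessageRegularExpression=name="([^"]*:)"',
}

# Event record field each modifier populates (assumed names, per the descriptions above).
TARGET_FIELD = {
    "TimeModifier": "TimeGenerated", "ComputerModifier": "Computer",
    "LogModifier": "Log", "EventIdModifier": "EventID", "MessageModifier": "Message",
    "UserModifier": "User", "CategoryModifier": "Category",
}

# Constructed sample message in key="value" form; not a real log line.
SAMPLE_MESSAGE = ('rt=1705314151000 end="2024-01-15 10:22:31" dhost="fileserver01" '
                  'eventid="4625" suser="jdoe" name="Logon failure:" msg="bad password"')


def compile_modifiers(modifiers):
    """Turn the non-empty MessageRegularExpression modifiers into compiled regexes."""
    compiled = {}
    for name, value in modifiers.items():
        prefix, _, pattern = value.partition("=")
        if prefix != "MessageRegularExpression" or not pattern:
            continue  # empty or unrecognised modifier: the field keeps its default
        compiled[name] = re.compile(pattern)
    return compiled


def apply_modifiers(message, compiled):
    """Extract the first capture group of each modifier whose regex matches the message."""
    fields = {}
    for name, regex in compiled.items():
        m = regex.search(message)
        if not m:
            continue  # keyword absent: leave the field to the default conversion
        value = m.group(1)
        if name == "EventIdModifier":
            if not value.isdigit():
                continue  # Event ID must be a number; ignore a non-numeric capture
            value = int(value)
        fields[TARGET_FIELD[name]] = value
    return fields
```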