SysLog Receiver

Definition

Protocol: SysLog
Description

Receives SysLog messages on the configured Port (default 514).

Comments

The hostname used is that of the default network interface.
If Port is missing, blank or invalid, 514 is used.

Event Field Contents

ev:host        sending host
ev:app         SysLog
ev:log         host/facility:priority:processName:receivingPort
ev:srctime     formatted time
ev:protocol    "SysLog"

Numeric facility and priority codes are translated to names; see the Facility Name Mappings and Priority Name Mappings tables below.

Syslog specific:
The following fields will contain values if they exist in the incoming SysLog message:

ev:syslog.facility       facility code (see Facility Name Mappings)
ev:syslog.priority       priority code (see Priority Name Mappings)
ev:syslog.processName    process name
ev:syslog.processId      process id
ev:syslog.timestamp      timestamp extracted from message
ev:syslog.message        message

Special XML characters in the extracted values are translated according to the XML character translation table, so markup carried in a message (such as the </event> in the Event Mapping example below) is stored as escaped text and cannot close or alter the generated event XML.

Example

<source objectId="SyslogRecv1" type="SysLogReceiver" stdout="FS.DemoAlive">
	<parameter type="Port">154</parameter>
</source>

Event Mapping

Incoming message

{
	facility: syslog
	priority: warning
	processName:
	timestamp: Nov 10 01:24:12
	message: This is Syslog test </event> message number 002
}

Resulting XML

<?xml version="1.0"?>
<event xmlns:ev="http://www.eventgnosis.com/xml">
	<ev:host>TANJIN</ev:host>
	<ev:app>Syslog</ev:app>
	<ev:log>TANJIN/syslog:warning::514</ev:log>
	<ev:srctime>2003.11.10 02:24:12 CET</ev:srctime>
	<ev:protocol>Syslog</ev:protocol>
	<ev:syslog.facility>syslog</ev:syslog.facility>
	<ev:syslog.priority>warning</ev:syslog.priority>
	<ev:syslog.processName></ev:syslog.processName>
	<ev:syslog.processId>0</ev:syslog.processId>
	<ev:syslog.timestamp>Nov 10 01:24:12 </ev:syslog.timestamp>
	<ev:syslog.message>This is Syslog test &lt;/event&gt; message number 002</ev:syslog.message>
	<ev:msg>This is Syslog test &lt;/event&gt; message number 002</ev:msg>
</event>

Facility Name Mappings

Numerical Code   Returned Name                      Description
0                kernel                             kernel messages
1                user                               user-level messages
2                mail                               mail system
3                daemon                             system daemons
4                auth                               security/authorization messages
5                syslog                             messages generated internally by syslogd
6                lpr                                line printer subsystem
7                news                               network news subsystem
8                uucp                               UUCP subsystem
9                cron                               clock daemon
16               local0                             local use 0
17               local1                             local use 1
18               local2                             local use 2
19               local3                             local use 3
20               local4                             local use 4
21               local5                             local use 5
22               local6                             local use 6
23               local7                             local use 7
other            unknown facility='facility code'   unknown facility


Priority Name Mappings

Numerical Code   Returned Name                               Description
0                panic                                       Emergency: system is unusable
1                alert                                       Alert: action must be taken immediately
2                critical                                    Critical: critical conditions
3                error                                       Error: error conditions
4                warning                                     Warning: warning conditions
5                notice                                      Notice: normal but significant condition
6                info                                        Informational: informational messages
7                debug                                       Debug: debug-level messages
unknown          unknown level='unknown level code number'   unknown level of priority
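The field extraction described under Event Mapping and the two mapping tables above, as an added example in Python. This is illustrative code written for this page, not the SysLog Receiver's own implementation. It parses a BSD-style syslog line, splits the PRI value into facility and priority, maps both through the tables above (falling back to the unknown facility='...' and unknown level='...' forms for codes the tables do not list), fills the ev:syslog.* fields and escapes the message for XML exactly as the Event Mapping example shows. The assumed wire format (RFC 3164: <PRI>Mmm dd hh:mm:ss HOST TAG[PID]: MSG), the regular expression, the function names and the sample lines are all constructed for the example; the page itself does not specify how the receiver tokenises a message.

```python
import re
from xml.sax.saxutils import escape

# Facility and priority names exactly as given in the mapping tables above.
FACILITY_NAMES = {
    0: "kernel", 1: "user", 2: "mail", 3: "daemon", 4: "auth",
    5: "syslog", 6: "lpr", 7: "news", 8: "uucp", 9: "cron",
    16: "local0", 17: "local1", 18: "local2", 19: "local3",
    20: "local4", 21: "local5", 22: "local6", 23: "local7",
}
PRIORITY_NAMES = ["panic", "alert", "critical", "error",
                  "warning", "notice", "info", "debug"]


def facility_name(code):
    """Map a facility code to its name; unlisted codes use the 'other' row."""
    return FACILITY_NAMES.get(code, f"unknown facility='{code}'")


def priority_name(code):
    """Map a priority code 0-7 to its name; anything else uses the 'unknown' row."""
    if 0 <= code <= 7:
        return PRIORITY_NAMES[code]
    return f"unknown level='{code}'"


# Assumed wire format (RFC 3164 style): <PRI>Mmm dd hh:mm:ss HOST [TAG[PID]: ]MSG
# HOST, TAG and PID are read from the line here (an assumption of this example;
# the page only says the hostname comes from the default network interface).
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<timestamp>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?:(?P<proc>[^\s\[:]+)(?:\[(?P<pid>\d+)\])?: )?"
    r"(?P<msg>.*)$",
    re.DOTALL,
)


def parse_syslog(line, receiving_port=514):
    """Split one syslog line into the ev:* fields documented on this page.
    ev:srctime (the receiver's formatted time) is left out of the example."""
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError("not a recognised syslog line")
    pri = int(m["pri"])
    if pri > 191:                        # 23 * 8 + 7 is the largest legal PRI
        raise ValueError(f"PRI value {pri} out of range")
    facility = facility_name(pri >> 3)   # upper bits of PRI: facility code
    priority = priority_name(pri & 7)    # low 3 bits of PRI: priority code
    proc = m["proc"] or ""
    pid = int(m["pid"]) if m["pid"] else 0   # the page's example shows 0 when absent
    return {
        "ev:host": m["host"],
        "ev:app": "SysLog",
        "ev:log": f"{m['host']}/{facility}:{priority}:{proc}:{receiving_port}",
        "ev:protocol": "SysLog",
        "ev:syslog.facility": facility,
        "ev:syslog.priority": priority,
        "ev:syslog.processName": proc,
        "ev:syslog.processId": pid,
        "ev:syslog.timestamp": m["timestamp"],
        "ev:syslog.message": m["msg"],
        "ev:msg": m["msg"],
    }


def to_xml(fields):
    """Render the fields as an <event> document. escape() rewrites <, > and &
    in every value, so message text can never close or inject an element."""
    body = "".join(f"\t<{k}>{escape(str(v))}</{k}>\n" for k, v in fields.items())
    return ('<?xml version="1.0"?>\n'
            '<event xmlns:ev="http://www.eventgnosis.com/xml">\n'
            + body + "</event>")


if __name__ == "__main__":
    # Constructed sample: PRI 44 = facility 5 (syslog) * 8 + priority 4 (warning),
    # carrying the same markup-bearing text as the page's Event Mapping example.
    sample = ("<44>Nov 10 01:24:12 TANJIN "
              "This is Syslog test </event> message number 002")
    print(to_xml(parse_syslog(sample)))
```

The escaping step is the part worth checking in any receiver of this kind: a syslog listener accepts text from whatever host sends to its port, so the message body is attacker-controlled, and an unescaped `</event>` would let a sender terminate the event and append fields of its own. Running the sample above yields a single closing `</event>`, with the payload stored as `&lt;/event&gt;`, which matches the Resulting XML shown in the Event Mapping section.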