User Guide for Resource Manager Essentials 4.0 (With LMS 2.5)
Understanding Syslog Formats
Downloads: This chapterpdf (PDF - 154.0 KB) The complete bookPDF (PDF - 9.12 MB) | Feedback

Understanding Syslog Formats

Table Of Contents

Understanding Syslog Formats

Understanding Syslog Formats

Devices are expected to complaint with the following rules while sending syslogs:

Device should include PRI as recommended by RFC 3164

Device optionally sends Timestamp information in RFC recommended format in the header. Since the RFC recommendation does not include the TIMEZONE information, it will be assumed that the device will send the local time and it will be assumed that the device and Server are in the same time zone.

Device optionally sends Hostname information in the header.

To support devices that are in different time zones than the server, IOS allows configuring the devices to send the Time Information along with TZ, optionally in the message part of the syslog packet. Such timestamps should be prefixed with some separator character (like * or :), so the syslog daemons (like unix syslogd) don't treat them as header information, which could cause 'unix syslogd' to mis-interpret the time information, as they usually ignore the TZ part of the Timestamp.

Considering the above, devices should send syslogs in one of the following formats:

Format A

<187> [timestamp in RFC prescribed format] [device dns name | ip 
address] [Dummy Value/Counter : ] [ {:|*} mmm dd hh:mm:ss TimeZone ] 

Format B

<187> [timestamp in RFC prescribed format] [device dns name | ip 
address] [Dummy Value/Counter : ] [ {:|*} yyyy mmm dd hh:mm:ss 
Examples of good syslog messages: [ as sent by the device ]
<187>%PIX-4-106023 description
<187>Mar 23 10:21:03 %PIX-4-106023 description
<187>*Mar 23 12:12:12 PDT %PIX-4-106023 description
<187>Mar 23 10:21:03 *Mar 23 12:12:12 PDT %PIX-4-106023 description
<187>Mar 23 10:21:03 *2003 Mar 23 12:12:12 PDT  -8:00 %PIX-4-106023 
<187>Mar 23 10:21:03 93: *2003 Mar 23 12:12:12 PDT  -8:00 
%PIX-4-106023 description

The device will ensure that the device IP address or DNS name if defined is maintained in the message header as the source IP address or source DNS name irrespective of the interface out of which the syslog message is sent.

The syslog message will be sent on the network to the NMS (Network management station) using UDP, the UDP socket sent to will be the well known UDP socket for syslog (514).

The payload of the message will be proceeded by the logging facility code enclosed in angle braces (<>) that the receiving Syslog daemon will use for routing the message. Logging facility at the logging system is mapped to a log file on the system. The logging facility codes map as follows:

(5<<3) = Syslog

(23-16<<3) = Local 0 to Local 7

4The combination FACILITY-[SUBFACILITY-]SEVERITY-MNEMONIC must be UNIQUE for a given message, so that Syslog Analyzer can provide non-trivial syslog support.

See the section, "Enabling and Tracking Syslogs Using Syslog Analyzer and Collector" for details.