Administrator Handbook

Syslog messages

Introduction

LoriotPro, acting as a Syslog server, can receive syslog messages sent by systems (Linux and Unix) and by network devices.
The LoriotPro Syslog server provides a central point for collecting and processing system logs (syslog). These logs are useful later for troubleshooting and auditing.

Syslog messages can be filtered by LoriotPro on multiple conditions and can trigger actions that notify the administrator of a system or network fault or of a security breach.

The Syslog system provides the transport and storage mechanisms for event notification messages, in the form of logs. Syslog is a de facto standard defined by RFC 3164 for logging system events. It was initially used by Unix systems and later by network devices (router syslog, switch syslog, firewall syslog). It is very useful in a Cisco architecture for collecting the PIX syslog and Cisco syslog messages generated by firewalls, routers and switches.

Example of the LoriotPro Syslog messages console:

[Screenshot: syslog window]

Remark: LUTEUS has also released a complete solution for syslog message management called SYSLOG COLLECTOR. The Syslog Collector is far more powerful than this embedded Syslog Server, which has a limited feature set. Consult the Syslog Collector documentation on our web site www.loriotpro.com for more details.

Syslog message filters can be set on:

When syslog message filters are matched the following actions can be triggered.

These last two actions could be triggered by a cumulative count of the same message.

Syslog message format

A syslog message is an ASCII string that consists of:

The priority is encoded as an ASCII string enclosed by the angle brackets < and > at the beginning of the message. The message priority is the ASCII integer encoding of an 8-bit quantity. This quantity combines a 3-bit field (bits 0 through 2) holding the message level (severity) and a 5-bit field (bits 3 through 7) holding the message facility.

Syslog messages come in 8 severity levels ranging from emergencies (most severe) to debugging (least severe).

Numerical Code   Severity
0                Emergency: system is unusable
1                Alert: action must be taken immediately
2                Critical: critical conditions
3                Error: error conditions
4                Warning: warning conditions
5                Notice: normal but significant condition
6                Informational: informational messages
7                Debug: debug-level messages


Syslog messages are generally categorized on the basis of the source programs that generate them. These source programs can be the operating system itself, a process or an application.
These categories, called facilities, are represented by integers.

Numerical Code   Facility
0                kernel messages
1                user-level messages
2                mail system
3                system daemons
4                security/authorization messages
5                messages generated internally by Syslog
6                line printer subsystem
7                network news subsystem
8                UUCP subsystem
9                clock daemon
10               security/authorization messages
11               FTP daemon
12               NTP subsystem
13               log audit
14               log alert
15               clock daemon
16               local use 0 (local0)
17               local use 1 (local1)
18               local use 2 (local2)
19               local use 3 (local3)
20               local use 4 (local4)
21               local use 5 (local5)
22               local use 6 (local6)
23               local use 7 (local7)

 
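As an added illustration (not LoriotPro code), the following Python parses the priority field described above into the facility and severity codes of the two tables, names them, and falls back to priority 13 (user-level, Notice), the value RFC 3164 tells a relay to insert, when the field is missing or malformed. The sample datagrams are constructed for the example.

```python
import re

# Facility (0-23) and severity (0-7) names as listed in the tables above.
FACILITIES = [
    "kernel messages", "user-level messages", "mail system", "system daemons",
    "security/authorization messages", "messages generated internally by Syslog",
    "line printer subsystem", "network news subsystem", "UUCP subsystem",
    "clock daemon", "security/authorization messages", "FTP daemon",
    "NTP subsystem", "log audit", "log alert", "clock daemon",
] + [f"local{n}" for n in range(8)]
SEVERITIES = ["Emergency", "Alert", "Critical", "Error",
              "Warning", "Notice", "Informational", "Debug"]

# <PRI> must open the datagram: 1 to 3 ASCII digits in angle brackets with no
# leading zero (so "<013>" is not valid while "<0>" is).
_PRI_RE = re.compile(r"^<(0|[1-9][0-9]{0,2})>")
DEFAULT_PRI = 13  # user-level / Notice, the value RFC 3164 tells a relay to insert


def decode_pri(pri: int) -> tuple:
    """Split the 8-bit priority: severity is bits 0-2, facility bits 3-7."""
    if not 0 <= pri <= 191:  # 23 * 8 + 7 is the highest legal value
        raise ValueError(f"priority {pri} outside 0..191")
    return pri >> 3, pri & 0x7


def parse_syslog(raw: str) -> dict:
    """Priority fields of one datagram; a missing or invalid <PRI> becomes <13>."""
    m = _PRI_RE.match(raw)
    pri = int(m.group(1)) if m else -1
    if 0 <= pri <= 191:
        body = raw[m.end():]
    else:
        pri, body = DEFAULT_PRI, raw  # text kept untouched, as a relay would do
    facility, severity = decode_pri(pri)
    return {"priority": pri, "facility": facility, "facility_name": FACILITIES[facility],
            "severity": severity, "severity_name": SEVERITIES[severity], "message": body}


# Constructed sample datagrams, not captured traffic.
SAMPLES = [
    "<34>Oct 11 22:14:15 host su: 'su root' failed for alice on /dev/pts/8",
    "<181>Apr 25 1999 13:23:00: %PIX-5-111005: End configuration",
    "no priority field at all",
]
```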

Managing Syslog Messages

Syslog messages can be acknowledged individually or by group. Acknowledged syslog messages are shown in light grey on a white background.

Syslog messages displayed in the syslog window can be managed from the contextual menu.

Table of the syslog contextual menu options:

Acknowledge selected syslog messages
Acknowledge all syslog messages
Clear only the acknowledged syslog messages
Clear all syslog messages
Clear selected syslog messages

 

Defining syslog filters

Filter rules are sets of filters gathered in a filter list. Each time a Syslog message arrives, it is checked against each rule in the list, processed sequentially from top to bottom.

By default, a few rules are defined to display syslog messages and send a default event. The first rule matches all syslog messages, and the following rules are not processed (its Next Filter option is set to No).

A rule contains conditions and actions. If the conditions are satisfied, the actions are executed.

A single Syslog message can match multiple filter rules and trigger multiple actions.

Among the possible actions, one can stop the walk through the filter list and jump to the processing of the next incoming message.

Editing syslog filter rules

To create, move and delete rules, use the buttons of the filter window.

Button explanations:

Insert a new filter rule in the list above the selected rule.
Insert a new filter rule in the list below the selected rule.
Insert a new filter rule at the top of the list.
Insert a new filter rule at the bottom of the list.
Move the selected filter rule up.
Move the selected filter rule down.
Delete the selected filter rule.

 

Syslog filter rule options

Columns

Explanation

IP Address
IP Mask

This is a condition field. The agent process checks that the source IP address of the sender matches the IP address and network mask specified here.
Examples:
IP (0.0.0.0) Mask (0.0.0.0): all IP source addresses are accepted.
IP (10.0.0.0) Mask (255.0.0.0): all IP addresses belonging to the network 10.xxx.xxx.xxx are accepted.
IP (10.45.25.63) Mask (255.255.255.255): only this host is accepted.

 


A double-click on this field in the filter list allows you to modify this parameter.

Facility

This field allows you to filter messages according to their Facility value. The Facility is set initially on the device that sends the Syslog message.

The « –1 all » choice matches all facility values.

Level

This field allows you to filter messages according to their Level (severity) value. The Level is set initially on the device that sends the Syslog message.

The « –1 all » choice matches all level values.

String 1

A Syslog message is a simple character string. The field “String 1” allows you to filter messages on a match between this string and the contents of the message.

A double-click on the field allows you to specify the search string.

An empty string (null) allows any message to match this condition.

Offset

If an offset is specified, the predefined string (String 1) must start at this exact position.
Note:
This option can be of limited use, because message contents may change and the offset is then no longer valid.

And/Or

A second condition on a second string can be added. The Boolean “or” and “and” operators can be applied between the two strings.

String 2

This is the second string that can be defined as a condition.

Offset

Offset that can be applied to this second string. The offset specifies the number of characters from the beginning of the string.

Case

The string comparison is either case sensitive or not. If case sensitive, uppercase and lowercase characters are treated as different.

Action

If all the previous conditions are satisfied, a basic action is executed.

Action           Explanation
00 none          The message is cleared from memory; nothing happens.
01 log           The message is saved to a file whose name is defined in the Log File column.
02 display       The message is displayed in the syslog window.
03 display 1     The message is displayed in syslog window 1.
04 display 2     The message is displayed in syslog window 2.
05 display 5     The message is displayed in syslog window 3.
06 log+display   The message is saved to the file defined in the Log File column and displayed in the syslog window.

LoriotPro

If all the conditions are satisfied and an IP address is defined in this field, the agent sends a LoriotPro event message (proprietary format) to this address. The next two fields, Event and Level, are used to build the message. The event number must be different from 0.
Note:
The content of the LoriotPro message is a copy of the Syslog message content.

Event

The event number used in the LoriotPro event format.

Level

The severity level used in the LoriotPro event format.

Functions            Remark
Message of level 0   internal
Message of level 1   notification
Message of level 2   low severity
Message of level 3   high severity
Message of level 4   very high severity
Message of level 5   user defined
Message of level 6   user defined
Message of level 7   user defined
Message of level 8   user defined

Syslog

If all the filtering conditions are satisfied and an IP address is defined in this field, the agent sends a Syslog message to this address.
The Threshold value sets the number of incoming messages needed to satisfy this filter rule before a Syslog message is sent.

Threshold

Used to trigger the sending of a LoriotPro or Syslog message upon a predefined count.
Example: if the value is set to 3, a LoriotPro and/or a Syslog message is sent only once three incoming syslog messages of that type have been seen.

Next Filter

This option allows you to stop the processing of the filter rule list. The next rules in the list are not processed if the NO option is selected.

Log File

If all the conditions are satisfied and the action is log or log+display, the message is appended to the file specified here. The final file name is built from this name and the current date. The file follows the CSV format and is readable as text.
Note:
A new file is automatically created each 24 hours.
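To make the rule semantics above concrete, here is an added Python model of the filter list (an illustration, not LoriotPro's implementation): IP address/mask, Facility, Level, the two strings with their offsets and And/Or operator, Case, Action, Threshold and Next Filter. The rule and message dicts are constructed samples, and the assumption that forwarding fires on every Threshold-th matching message is marked in the code.

```python
import ipaddress
# A rule is a dict keyed like the columns above; absent keys take these defaults
# (0.0.0.0 / 0.0.0.0 = any source, -1 = all, "" = matches any message).
DEFAULTS = {"ip": "0.0.0.0", "mask": "0.0.0.0", "facility": -1, "level": -1,
            "string1": "", "offset1": None, "operator": "and", "string2": "",
            "offset2": None, "case": False, "action": "display",
            "forward": "", "threshold": 1, "next_filter": True}

def ip_matches(src, ip, mask):
    # The source matches when (src AND mask) == (ip AND mask).
    s, i, m = (int(ipaddress.IPv4Address(x)) for x in (src, ip, mask))
    return s & m == i & m

def string_matches(text, needle, offset, case):
    # Empty needle matches anything; an offset pins where the needle must start.
    if not case:
        text, needle = text.lower(), needle.lower()
    return not needle or (needle in text if offset is None else text.startswith(needle, offset))

def rule_matches(rule, msg):
    r = {**DEFAULTS, **rule}
    if not ip_matches(msg["src"], r["ip"], r["mask"]) or any(
            r[k] not in (-1, msg[k]) for k in ("facility", "level")):
        return False
    s1 = string_matches(msg["text"], r["string1"], r["offset1"], r["case"])
    if r["string2"] == "":                       # no second condition configured
        return s1
    s2 = string_matches(msg["text"], r["string2"], r["offset2"], r["case"])
    return (s1 and s2) if r["operator"] == "and" else (s1 or s2)

def process(rules, msg, hits):
    # Walk the rules top to bottom; hits keeps per-rule match counts for Threshold.
    fired = []                                   # actions triggered for this message
    for idx, r in enumerate({**DEFAULTS, **x} for x in rules):
        if not rule_matches(r, msg):
            continue
        fired.append(r["action"])
        hits[idx] = hits.get(idx, 0) + 1
        # Assumed: forwarding fires on every Threshold-th matching message.
        if r["forward"] and hits[idx] % r["threshold"] == 0:
            fired.append("forward:" + r["forward"])
        if not r["next_filter"]:                 # Next Filter = No stops the walk
            break
    return fired

# Constructed sample rules and parsed message (facility 4 = security/authorization).
RULES = [{"ip": "10.0.0.0", "mask": "255.0.0.0", "facility": 4, "string1": "failed",
          "action": "log", "forward": "192.0.2.10", "threshold": 3, "next_filter": False},
         {"action": "display"}]                  # default catch-all rule
FAILED_SU = {"src": "10.45.25.63", "facility": 4, "level": 2,
             "text": "su: 'su root' FAILED for alice on /dev/pts/8"}
```

Messages are passed in already parsed (source IP, facility, level, text), so the same engine can sit behind any syslog parser.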
   
   

 

Syslog on UNIX/Linux systems


In a UNIX operating system, the kernel and other internal components generate messages and alerts. These messages are typically stored in the file system or relayed to another device in the form of syslog messages.
The internal daemon, called syslogd, handles the syslog process. This daemon is an integral part of most UNIX/Linux distributions and does not need to be downloaded or installed.

 

Syslog on a Cisco IOS device

A few commands are required on the Cisco device to enable it to send syslog messages to the LoriotPro syslog server.

In configuration mode enter:

logging ip_address

This specifies the IP address of the LoriotPro syslog server.

To change the minimum severity level that is sent to syslog, use the logging trap configuration command:

logging trap level

To send debugging output to the LoriotPro syslog server, issue logging trap debugging at the configuration prompt.

Router-1603-Cisco(config)#logging trap ?
  <0-7>          Logging severity level
  alerts         Immediate action needed           (severity=1)
  critical       Critical conditions               (severity=2)
  debugging      Debugging messages                (severity=7)
  emergencies    System is unusable                (severity=0)
  errors         Error conditions                  (severity=3)
  informational  Informational messages            (severity=6)
  notifications  Normal but significant conditions (severity=5)
  warnings       Warning conditions                (severity=4)
  <cr>

By default, Cisco IOS sends all messages of severity informational (6) and more severe to the syslog server.
That means that everything except debugging output is received by the LoriotPro syslog server.
If you need to store the debugging output for later analysis, you have to send debugging output too.

Warning: it is important to remember the effect that syslog logging has on the network device. If the device sends too much logging information to the LoriotPro syslog server, this can affect its performance and also overload the network. If the number of syslog debugging messages is going to be voluminous, use this command with great care and attention.

Configure the PIX to send syslog messages

Configuring a PIX to send syslog messages requires a few commands, but these depend on the PIX version.

Furthermore, the syslog messages generated by a Cisco PIX Firewall begin with a percent sign (%) and are slightly different from IOS syslog messages.

The format of the syslog messages generated by a Cisco PIX Firewall is:

  %PIX-Level-Message_number: Message_text

PIX 4.0.x-4.1.x

The syslog syntax is:
syslog host #.#.#.# (where #.#.#.# is the syslog server's address)
syslog output X.Y (where X is the logging facility and Y is the level)

How does the X number translate to logging facility?

Break down the X number into binary. The last four bits comprise the local facility.

As an example, since 22 = 00010110, and the last four bits=0110=decimal 6, this is local6. (A shortcut is to take the X value and subtract 16. For example, 22-16=6, or local6.)
The Y number is the level. As an example, if Y=2, messages sent would include those at level 2 (critical), level 1 (alert), and level 0 (emergency). The PIX levels are 0-7; these should not be confused with the logging facilities (which are local0-local7).

Examples:

syslog 20.7

20 is the local4 logging facility.
.7 is the level; 7 means debug to the PIX (all messages are logged).

syslog 23.2

23 is the local7 logging facility.
.2 is the level; 2 means critical to the PIX (critical, alert, and emergency messages are logged).


PIX 4.2.x and Later


The syntax for syslog changed in PIX Software releases 4.2.x. Instead of the syslog host #.#.#.# command, use the new logging host #.#.#.# command. In 4.2.x, the logging facility and level definitions are the same, but instead of using the syslog output X.Y command, you need to have these two statements:

logging facility X

logging trap Y

The level is no longer expressed as a number. It is expressed as the name of the level. This is an example:

syslog output 20.7

logging facility 20 (local4)
logging trap debugging (debugging through emergency)
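An added Python helper, not from the PIX or LoriotPro documentation, that translates a 4.0.x/4.1.x "syslog output X.Y" setting into the local facility, the levels sent and the priority value each message carries on the wire, and into the equivalent 4.2.x command pair. It assumes PIX 4.2.x accepts the IOS level keywords listed earlier (the page's own example uses "debugging"), and it rejects X outside 16-23, the only codes that are local facilities, where the four-bit rule and the subtract-16 shortcut agree.

```python
# IOS "logging trap" level keywords (from the listing earlier on this page),
# indexed by severity 0-7; assumed to be accepted by PIX 4.2.x as well.
LEVEL_KEYWORDS = ["emergencies", "alerts", "critical", "errors",
                  "warnings", "notifications", "informational", "debugging"]


def pix_syslog_output(x: int, y: int) -> dict:
    """Translate a PIX 4.0.x/4.1.x "syslog output X.Y" setting.

    X is the syslog facility code; its low four bits give the local facility
    (22 = 0b10110 -> 0110 = 6 -> local6), which equals X - 16 for X in 16..23.
    Y is the highest PIX level logged, so levels 0..Y are sent.
    """
    if not 16 <= x <= 23:      # only these codes are local0..local7
        raise ValueError(f"X={x} is not a local facility (16-23)")
    if not 0 <= y <= 7:
        raise ValueError(f"Y={y} is not a PIX level (0-7)")
    return {
        "facility": f"local{x & 0b1111}",
        "levels": LEVEL_KEYWORDS[: y + 1],
        # <PRI> each message carries on the wire: facility * 8 + level
        "pri_values": [x * 8 + level for level in range(y + 1)],
    }


def pix42_equivalent(x: int, y: int) -> list:
    """The same setting as the two PIX 4.2.x commands, with the level by name."""
    pix_syslog_output(x, y)    # validate X and Y first
    return [f"logging facility {x}", f"logging trap {LEVEL_KEYWORDS[y]}"]
```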


PIX 4.3.x and Later


In 4.3.x and later, you can prevent particular syslog messages from being sent, and you can timestamp the messages that are sent.
In addition to these commands:

You can issue these commands:

This results in all messages, except message 111005 (that is, "End configuration"), being sent with timestamps.

Remark: Because the 111005 message is a Notification level syslog message, it is not seen if the level on the PIX is set to Emergency, Alert, Critical, Error, or Warning.

This is an example of a time-stamped non-111005 message. (The first timestamp is from our UNIX server and the second is from the PIX.)

Apr 25 13:15:35 10.31.1.53 Apr 25 1999 13:23:00: %PIX-5-111007:

 

