Re: [logs] Syslog payload format

From: Jason Haar (Jason.Haarat_private)
Date: Tue Dec 17 2002 - 18:22:27 PST


On Tue, Dec 17, 2002 at 01:00:02PM -0500, Bennett Todd wrote:
> Beyond that, the next two whitespace-delimited fields are pretty
> widely agreed on; the second is the hostname, and the third is
> program[pid]:. After that comes free text.

There is other information you're missing out there. What about the facility
and priority tags? I know that the syslog server itself "sees" those tags,
but are we meant to go out-of-band to find that out ourselves when dealing
with syslog records? As it is, most people do the equivalent of

mail.* /var/log/maillog

- so you know it's facility==mail, but you have no idea from the contents
what priority it is...

hell, I do

*.* -/var/log/messages

I get around this with syslog-ng. Currently our syslog entries are created
via:

template("$R_ISODATE $HOST $FACILITY $PRIORITY $MSG\n")

so that I get records like:

2002-12-18T02:16:03+0000 pix_rtr local4 warning %PIX-4-106023:
Deny udp src outside:6.6.7.8/39854 dst dmz1:1.2.3.4/32775 by
access-group \"internet-to-dmz1\"

Oh yeah - and a LOT of records have no concept of pid...

-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
_______________________________________________
LogAnalysis mailing list
LogAnalysisat_private
http://lists.shmoo.com/mailman/listinfo/loganalysis

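A worked example of the two views of facility and priority that the post contrasts: on the wire they travel only in the `<PRI>` prefix (PRI = facility*8 + severity, so `<164>` is local4/warning), and the syslog-ng template above writes them back out as two text fields so a reader of the file does not have to know which rule routed the line. The code below is added here and is not Jason's, syslog-ng's or Cisco's; the sample inputs are constructed (the record from the post rejoined onto one line, a made-up wire packet for the same event, and a made-up sshd line with a pid), and the cross-check of the digit in `%PIX-n-xxxxxx` against the syslog severity assumes the PIX level numbers use the same 0..7 scale, which is an assumption of this example.

```python
"""Decode syslog facility/severity from a raw <PRI> packet and from the
syslog-ng template line "$R_ISODATE $HOST $FACILITY $PRIORITY $MSG".
Handles tags with or without a [pid], since many records carry none."""
import re
from dataclasses import dataclass
from typing import Optional

# Names in numeric order; index == code (RFC 3164 facility/severity tables).
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3",
              "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


@dataclass
class SyslogRecord:
    timestamp: str
    host: str
    facility: str
    severity: str
    program: str          # "" when the message carries no program: tag
    pid: Optional[int]    # None when there is no [pid]
    text: str


def decode_pri(pri: int) -> tuple[str, str]:
    """PRI = facility*8 + severity; only 0..191 is valid."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI out of range: {pri}")
    return FACILITIES[pri // 8], SEVERITIES[pri % 8]


def encode_pri(facility: str, severity: str) -> int:
    return FACILITIES.index(facility) * 8 + SEVERITIES.index(severity)


# program, optional [pid], colon, then the free text. Fails (no tag) if the
# first token is followed by whitespace instead of ':' or '['.
TAG_RE = re.compile(r'^([^\s\[:]+)(?:\[(\d+)\])?:\s*(.*)$', re.S)


def split_tag(msg: str) -> tuple[str, Optional[int], str]:
    m = TAG_RE.match(msg)
    if not m:
        return "", None, msg
    return m.group(1), (int(m.group(2)) if m.group(2) else None), m.group(3)


# Raw packet: <PRI>Mmm dd hh:mm:ss HOST MSG
WIRE_RE = re.compile(
    r'^<(\d{1,3})>([A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (\S+) (.*)$', re.S)


def parse_wire(packet: str) -> SyslogRecord:
    m = WIRE_RE.match(packet)
    if not m:
        raise ValueError("not a <PRI>-prefixed syslog packet")
    facility, severity = decode_pri(int(m.group(1)))
    program, pid, text = split_tag(m.group(4))
    return SyslogRecord(m.group(2), m.group(3), facility, severity, program, pid, text)


# Output of template("$R_ISODATE $HOST $FACILITY $PRIORITY $MSG\n")
TEMPLATE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (.*)$', re.S)


def parse_template_line(line: str) -> SyslogRecord:
    m = TEMPLATE_RE.match(line.rstrip("\n"))
    if not m:
        raise ValueError("line does not match the five-field template")
    facility, severity = m.group(3), m.group(4)
    if facility not in FACILITIES or severity not in SEVERITIES:
        raise ValueError(f"unknown facility/priority: {facility} {severity}")
    program, pid, text = split_tag(m.group(5))
    return SyslogRecord(m.group(1), m.group(2), facility, severity, program, pid, text)


# Assumption of this example: the digit in %PIX-n-xxxxxx is the PIX severity
# level on the same 0..7 scale, so it should agree with the syslog severity.
PIX_RE = re.compile(r'^%PIX-(\d)-\d+$')


def pix_severity_mismatch(rec: SyslogRecord) -> Optional[tuple[str, str]]:
    """Return (syslog_severity, pix_severity) if they disagree, else None."""
    m = PIX_RE.match(rec.program)
    if not m:
        return None
    pix_sev = SEVERITIES[int(m.group(1))]
    return None if pix_sev == rec.severity else (rec.severity, pix_sev)


# Constructed samples: the post's record rejoined onto one line, the same
# event as a raw packet (<164> = local4 20*8 + warning 4), and an sshd line.
TEMPLATE_LINE = ('2002-12-18T02:16:03+0000 pix_rtr local4 warning %PIX-4-106023: '
                 'Deny udp src outside:6.6.7.8/39854 dst dmz1:1.2.3.4/32775 by '
                 'access-group "internet-to-dmz1"')
WIRE_PACKET = ('<164>Dec 18 02:16:03 pix_rtr %PIX-4-106023: Deny udp src '
               'outside:6.6.7.8/39854 dst dmz1:1.2.3.4/32775 by access-group '
               '"internet-to-dmz1"')
SSHD_PACKET = '<86>Dec 18 02:17:44 bastion sshd[4242]: Accepted publickey for ops'


if __name__ == "__main__":
    for rec in (parse_template_line(TEMPLATE_LINE), parse_wire(WIRE_PACKET),
                parse_wire(SSHD_PACKET)):
        print(rec, "mismatch:", pix_severity_mismatch(rec))
```

The wire parser is where the facility and priority are actually recoverable; once a `mail.*` rule has written the line to `maillog` that information is gone unless the template puts it back, which is exactly what the five-field template does.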



    This archive was generated by hypermail 2b30 : Wed Dec 18 2002 - 12:02:08 PST