
What does the syslog message format look like?

This article provides examples that illustrate how log messages are sent to the syslog server, how they are formatted and which columns are normally used.

The following message types can be sent. Syslog forwarding is configured in the Airlock Configuration Center under "Alerting" > "Syslog Forwarding".

  • System errors
  • All requests (summary line)
  • Blocked requests
  • Request aggregations (events)

The following sections describe each of these message types in detail.

System errors

Example of a system error message:

May 11 10:40:48 scrooge disk-health-nurse[26783]: [ID 702911 user.error] m:SY-mon-full-500 c:H : partition health measures for /var did not suffice - still using 96% of partition space

The message can be split into the following columns:

Column 1 = "May 11 10:40:48"               > Timestamp
Column 2 = "scrooge"                       > Loghost
Column 3 = "disk-health-nurse[26783]:"     > Application/Process
Column 4 = "[ID 702911 user.error]"        > Syslog facility.level
Column 5 = "m:SY-mon-full-500"             > Message ID
Column 6 = "c:H : partition health..."     > Message [possibly including rid, sid, ip]

All requests (summary line)

Example of a summary message:

May 11 10:00:39 scrooge SG_child[808]: [ID 748625 user.info] m:WR-SG-SUMMARY c:X  vhost:iscrooge61.seclutions.com:80 (http) GET / => http://bali/ , status:200 , redirection URL:<n/a> , referer:<n/a> , mapping:bali , request size: 421 , backend response size: 12960 , audit token:- , time statistics (microseconds): [request total 16617 , allow/deny filters 1290 , backend responsiveness 11845 , response processing 1643 , ICAP reqmod <n/a> , ICAP respmod <n/a> ] timestamp: [2012-05-11 10:00:39] [ rid:T6zHJ38AAAEAAAo2BCwAAAMk sid:910e5dd02df49434d0db9b445ebba975 ip:172.18.61.2 ]

The message contains the following columns:

Column 1 = "May 11 10:00:39"               > Timestamp
Column 2 = "scrooge"                       > Loghost
Column 3 = "SG_child[808]:"                > Application/Process
Column 4 = "[ID 748625 user.info]"         > Syslog facility.level
Column 5 = "m:WR-SG-SUMMARY"               > Message ID
Column 6 = "c:X  vhost:..."                > Message [including time statistics and rid, sid, ip]

For more information about the content of the summary message see:
https://techzone.ergon.ch/files/downloads/manuals/online-manual-4.2.5.1/requestSummary.html

Blocked requests

The following message is an example of a block message sent over syslog:

May 11 11:32:40 scrooge SG_child[1829]: [ID 748625 user.info] m:WR-SG-BLOCK-111-00 c:Y th:BLOCK , no allow rule matched for request with entryurl:http://iscrooge61.seclutions.com:80/bali/fdss on mapping:bali [ rid:T6zcuH8AAAEAAGxyAqYAAAAQ sid:f49bd3707766384f3bccc3ca31dbd55b ip:172.18.61.2 ]

Such messages consist of the following columns:

Column 1 = "May 11 11:32:40"               > Timestamp
Column 2 = "scrooge"                       > Loghost
Column 3 = "SG_child[1829]:"               > Application/Process
Column 4 = "[ID 748625 user.info]"         > Syslog facility.level
Column 5 = "m:WR-SG-BLOCK-111-00"          > Message ID
Column 6 = "c:Y th:BLOCK, no allow..."     > Message [including rid, sid, ip]

For a description of all block message codes see:
https://techzone.ergon.ch/files/downloads/manuals/online-manual-4.2.5.1/blockSummary.html

Request aggregations (events)

The following message represents an example of an event message:

May 11 10:18:22 scrooge Web-Requests: May 11 10:18:22 @IunAIir1----7k-- EVENT_WR-Y-attack-600 SG_child[823]: [event.error] Possible attack - 5 blocked requests within 120 seconds (see TechID:attack-alert for instructions to adjust the threshold)

This message results in the following columns:

Column 1 = "May 11 10:18:22"               > Timestamp
Column 2 = "scrooge"                       > Loghost
Column 3 = "Web-Requests:..."              > Component
Column 4 = "EVENT_WR-Y-attack-600"         > Event message ID
Column 5 = "SG_child[823]:"                > Application/Process
Column 6 = "[event.error]"                 > Event message level
Column 7 = "Possible attack..."            > Message

The following manual page lists all possible event codes together with their descriptions:
https://techzone.ergon.ch/files/downloads/manuals/online-manual-4.2.5.1/events.html
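As an added example (not from the article or the Airlock product), here is a Python parser for the four message kinds described on this page: it splits a line into the columns listed above, pulls rid, sid and ip out of the message column where present, and classifies the line by its Message ID. The mapping of the SY- and WR-SG-BLOCK- prefixes to message types is an assumption inferred from the single examples above, and the token between the repeated timestamp and the event ID is not documented here, so it is skipped.

```python
import re
from typing import Dict, Optional
# Columns 1-6 of system-error, summary and block messages (see the column tables above).
STD_RE = re.compile(
    r"^(?P<timestamp>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) "  # Column 1: Timestamp
    r"(?P<loghost>\S+) "                                  # Column 2: Loghost
    r"(?P<process>\S+\[\d+\]:) "                          # Column 3: Application/Process
    r"\[(?P<facility_level>ID \d+ \w+\.\w+)\] "           # Column 4: Syslog facility.level
    r"m:(?P<message_id>\S+) "                             # Column 5: Message ID
    r"(?P<message>.*)$"                                   # Column 6: Message
)
# Event messages repeat the timestamp after the component and carry a token
# (e.g. "@IunAIir1----7k--") that the column table does not describe; it is skipped.
EVENT_RE = re.compile(
    r"^(?P<timestamp>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) "  # Column 1: Timestamp
    r"(?P<loghost>\S+) "                                  # Column 2: Loghost
    r"(?P<component>\S+:) "                               # Column 3: Component
    r"\w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \S+ "              # repeated timestamp + token
    r"(?P<message_id>EVENT_\S+) "                         # Column 4: Event message ID
    r"(?P<process>\S+\[\d+\]:) "                          # Column 5: Application/Process
    r"\[(?P<level>\w+\.\w+)\] "                           # Column 6: Event message level
    r"(?P<message>.*)$"                                   # Column 7: Message
)
# Trailing "[ rid:... sid:... ip:... ]" correlation block inside the message column.
TRACE_RE = re.compile(r"\[ rid:(?P<rid>\S+) sid:(?P<sid>\S+) ip:(?P<ip>\S+) \]")

# Constructed sample: the article's block-message example, embedded so the block runs offline.
SAMPLE = ("May 11 11:32:40 scrooge SG_child[1829]: [ID 748625 user.info] m:WR-SG-BLOCK-111-00 "
          "c:Y th:BLOCK , no allow rule matched for request with entryurl:http://iscrooge61.seclutions.com:80/bali/fdss "
          "on mapping:bali [ rid:T6zcuH8AAAEAAGxyAqYAAAAQ sid:f49bd3707766384f3bccc3ca31dbd55b ip:172.18.61.2 ]")

def message_type(message_id: str) -> str:
    """Classify by Message ID; the SY-/WR-SG-BLOCK- prefixes are inferred from the single examples above (assumption)."""
    for prefix, kind in (("EVENT_", "event"), ("SY-", "system_error"),
                         ("WR-SG-SUMMARY", "summary"), ("WR-SG-BLOCK-", "blocked")):
        if message_id.startswith(prefix):
            return kind
    return "unknown"

def parse_line(line: str) -> Dict[str, Optional[str]]:
    """Split one syslog line into its columns; rid/sid/ip are None when the message lacks them."""
    m = EVENT_RE.match(line) or STD_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised syslog line: {line[:60]!r}")
    rec: Dict[str, Optional[str]] = dict(m.groupdict())
    rec["type"] = message_type(rec["message_id"])
    trace = TRACE_RE.search(rec["message"])
    rec.update(trace.groupdict() if trace else {"rid": None, "sid": None, "ip": None})
    return rec
```

Lines that match neither layout raise ValueError, so truncated or malformed forwardings are surfaced rather than silently dropped.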
