The `syslog` module is a dissection module: its purpose is to take an Orchids event, parse one of its text fields and return a refined Orchids event with additional fields. Typically, the `syslog` module is meant to dissect text coming from the `textfile` or `bintotext` modules, assuming it is in syslog format.

The syslog format is the format of system-wide log files on Linux, such as `/var/log/messages`, or of logs of Cisco routers.
There are two slightly differing formats: the legacy syslog format and the RFC5424 format. If you can use the latter, fine. A lot of systems still use the legacy syslog format, which has lines resembling the following:

```
Jan 27 11:32:06 laramie dhclient: DHCPREQUEST on eth0 to 192.168.30.1 port 67
```

The legacy syslog format has a major drawback: its date field does not mention the year (in most common cases). The RFC5424 format does not suffer from this problem. For example, the date `Jan 27 11:32:06` above would typically appear in RFC5424 format as `2017-01-27T11:32:06Z`, which specifies the year (2017). RFC5424 also solves the problem of which time zone the time is given in.
The question of the year (legacy syslog)
To work around the missing year problem in legacy syslog events, Orchids allows you to specify a starting year; see 'Configuration options' below.
Orchids then increments the year by one when it encounters a legacy syslog record whose date looks like it is in the past compared to the previous legacy syslog record. For example:

```
Dec 27 23:34:55 laramie syslogd: exiting on signal 15
Jan 01 05:51:16 laramie sendmail[103]: NOQUEUE: SYSERR(root): /etc/sendmail.cf: line 0: cannot open: No such file or director
```

will be taken by Orchids as an indication that one year has passed between the first and the second event. Assuming we started in year 2014, the first event would be considered to have taken place on Dec 27 2014, 23:34:55, while the second one would be assumed to have taken place on Jan 01 2015, 05:51:16.
On the other hand, the following will not increment the year:

```
Jan 27 11:32:06 laramie dhclient: DHCPREQUEST on eth0 to 192.168.30.1 on port 67
Jan 27 13:00:32 laramie kernel: current->tss.cr3 = 00510000, ^Lr3 = 00510000
```

The algorithm Orchids uses may change, but as of January 22, 2015, it is as follows: let diff = (month-of-current-event minus month-of-last-event) mod 12. If diff ≥ 6, then increment the year, otherwise leave it unchanged. Note that years can only change when the month changes.
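As an added worked example (written for this page, not Orchids' own C code), the following Python dissects a sequence of legacy syslog lines from one source and threads the inferred year through them; it also resolves a `DefaultStartYear`-style argument (`2010`, `+n`, `-n`) as described under 'Configuration options' below. It measures the jump as (month-of-last-event minus month-of-current-event) mod 12, the sign convention under which the Dec 27 to Jan 01 records above count as 11 months back and trigger the increment. That convention, the simplified header pattern `LEGACY_RE` and all function names are assumptions of this example.

```python
import re
from datetime import datetime

# Legacy (BSD) syslog header: "Mon dd hh:mm:ss host prog[pid]: msg" (simplified pattern).
LEGACY_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<prog>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$")
MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), start=1)}

def resolve_start_year(spec, current_year):
    """Argument of DefaultStartYear/StartYear: "2010", or "+n"/"-n" relative to current_year."""
    return current_year + int(spec) if spec[:1] in "+-" else int(spec)

class YearTracker:
    """Carries the inferred year across successive legacy records from one source."""
    def __init__(self, start_year):
        self.year, self.last_month = start_year, None

    def year_for(self, month):
        if self.last_month is not None:
            # How many months back the new record appears to be (assumed sign
            # convention, chosen so that Dec -> Jan counts as 11 months back).
            # A jump back of 6 or more months is taken as a year boundary;
            # within the same month the jump is 0, so the year never changes.
            if (self.last_month - month) % 12 >= 6:
                self.year += 1
        self.last_month = month
        return self.year

def dissect_legacy(line, tracker):
    """Return the fields of one legacy syslog line, or None if it does not parse."""
    m = LEGACY_RE.match(line)
    if m is None:
        return None
    year = tracker.year_for(MONTHS[m["mon"]])
    stamp = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}",
                              "%Y %b %d %H:%M:%S")
    return {"time": stamp, "host": m["host"], "prog": m["prog"],
            "pid": int(m["pid"]) if m["pid"] else None, "msg": m["msg"]}

def dissect_stream(lines, start_year):
    """Dissect lines from one source in order, threading the year through them."""
    tracker = YearTracker(start_year)
    return [ev for ev in (dissect_legacy(line, tracker) for line in lines) if ev]
```

A small backward jump (for instance Mar followed by Feb, as happens with out-of-order writes) is below the 6-month threshold and leaves the year alone, which is the tolerance the rule buys.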
Structured data (RFC5424 syslog)
Each RFC5424 syslog event contains optional structured data. Consider the following RFC5424 syslog event:

```
<34>1 2003-10-11T22:14:15.003Z mymachine.example.com su - ID47 [exampleSDID@0 iut="3" eventSource="Application" eventID="1011"][examplePriority@0 class="high"] 'su root' failed for lonvick on /dev/pts/8
```

The structured data is the collection of so-called sd-elements between square brackets: `[exampleSDID@0 iut="3" eventSource="Application" eventID="1011"]` and `[examplePriority@0 class="high"]`.
You will retrieve them in the `.syslog.data` field, which is a two-dimensional Orchids array. There is one such array per RFC5424 syslog event, and one obtains its fields by writing `.syslog.data[⟨id⟩][⟨parameter⟩]`. In the example above, `.syslog.data` will be equal to:
id | parameter | value |
---|---|---|
"exampleSDID@0" | "iut" | "3" |
"exampleSDID@0" | "eventSource" | "Application" |
"exampleSDID@0" | "eventID" | "1011" |
"examplePriority@0" | "class" | "high" |

In other words, in that example, `.syslog.data["exampleSDID@0"]["eventID"]` will return `"1011"`.
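The following is an added example (not Orchids' own code) that parses an RFC5424 record into fields named after the table under 'Fields' below and builds the `.syslog.data` mapping from its sd-elements; it goes slightly beyond the text by also resolving the `\"`, `\]` and `\\` escapes that RFC 5424 allows inside a parameter value, and by treating a lone `-` as "no structured data". The header pattern and the function names `parse_structured_data` and `dissect_rfc5424` are this example's own.

```python
import re

# RFC 5424 header: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID, then
# STRUCTURED-DATA and an optional MSG; "-" is the nil value for any field.
HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>\d{1,2}) (?P<time>\S+) (?P<host>\S+) "
    r"(?P<prog>\S+) (?P<procid>\S+) (?P<msgid>\S+)(?: |$)")

def parse_structured_data(text):
    """Return (data, msg): data maps SD-ID -> {PARAM-NAME: PARAM-VALUE}, the
    shape of .syslog.data; "-" means no structured data. RFC 5424 escapes
    \\" \\] \\\\ in a PARAM-VALUE are resolved; malformed input raises ValueError."""
    data = {}
    if text.startswith("-"):
        return data, text[1:].lstrip(" ")
    i = 0
    while i < len(text) and text[i] == "[":
        j = i + 1
        while j < len(text) and text[j] not in " ]":
            j += 1
        params = data.setdefault(text[i + 1:j], {})  # SD-ID, e.g. exampleSDID@0
        i = j
        while i < len(text) and text[i] == " ":  # one SD-PARAM per iteration
            eq = text.index("=", i + 1)
            name = text[i + 1:eq]
            if text[eq + 1:eq + 2] != '"':
                raise ValueError("PARAM-VALUE must be double-quoted")
            i, value = eq + 2, []
            while i < len(text) and text[i] != '"':
                if text[i] == "\\" and text[i + 1:i + 2] in ('"', "]", "\\"):
                    i += 1  # drop the backslash, keep the escaped character
                value.append(text[i])
                i += 1
            params[name] = "".join(value)
            i += 1  # past the closing quote
        if text[i:i + 1] != "]":
            raise ValueError("unterminated SD-ELEMENT or PARAM-VALUE")
        i += 1
    return data, text[i:].lstrip(" ")

def dissect_rfc5424(line):
    """Split one RFC 5424 record into fields named after the .syslog.* table."""
    m = HEADER_RE.match(line)
    if m is None:
        return None
    pri = int(m["pri"])  # PRI = facility * 8 + severity
    data, msg = parse_structured_data(line[m.end():])
    return {"facility": pri >> 3, "severity": pri & 7, "version": int(m["version"]),
            "time": m["time"], "host": m["host"], "prog": m["prog"],
            "procid": m["procid"], "msgid": m["msgid"], "data": data, "msg": msg}
```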
Configuration options
<module syslog>
- `DefaultStartYear nnnn`: set the starting year to nnnn; nnnn can be a number, interpreted as a year, or of the form +n (meaning the current year plus n), or of the form -n (meaning the current year minus n). Only affects dissecting legacy syslog. Examples include `DefaultStartYear +0` to set the starting year to the current year, `DefaultStartYear -3` to set it three years back, or `DefaultStartYear 2010` to set it to the year 2010. The default is `DefaultStartYear +0`.
- `StartYear tag nnnn`: set a starting year that is specific to syslog records whose dissection tag is tag. The syntax of nnnn is as for the `DefaultStartYear nnnn` directive. This allows one to set different starting years for syslog records coming from different sources. Only affects dissecting legacy syslog. For example, if you have written the following in orchids-inputs.conf:

  ```
  INPUT textfile "/var/log/messages"
  DISSECT syslog textfile "/var/log/messages"
  ```

  then `StartYear "/var/log/messages" 2010` will state that the starting year for syslog records read from the /var/log/messages file is 2010, not the default starting year as described by `DefaultStartYear`.
</module>
Admissible sources are:
- a text file such as `/var/log/messages`, `/var/log/syslog` or `/var/log/user.log`, read through the `textfile` module (offline detection);
- a Unix TCP socket such as `/dev/log`, read through the `sockunix` and `bintotext` modules (detection from an online, local feed);
- a UDP Internet socket, read through the `udp` and `bintotext` modules (for remote feeds).
Fields
The last field is `.syslog.msg`, available for further dissection; the dissection key is `.syslog.prog`. Dissecting the latter is typically handled through the `generic` module.
Field | Type | Mono? | Description |
---|---|---|---|
.syslog.facility | uint | | so-called facility (kernel, user, mail, daemon, etc.); see the `SYSLOG_FACILITY_*` macros in $OCONF/rules/syslog.h (this field is optional) |
.syslog.severity | uint | | severity of the message; see the `SYSLOG_SEVERITY_*` macros in $OCONF/rules/syslog.h (this field is optional) |
.syslog.version | uint | | version of the syslog facility |
.syslog.time | ctime | ✓ | date of the event, with the year inferred as described above in the case of legacy syslog |
.syslog.host | str | | host name |
.syslog.repeat | uint | | message repetition: act as though the current syslog record was received this many times (this field is optional, and for legacy syslog only) |
.syslog.pid | uint | | process id of the event source (this field is optional, and for legacy syslog only) |
.syslog.procid | str | | process id of the event source (RFC5424 only) (this field is optional) |
.syslog.msgid | str | | message id (RFC5424 only) |
.syslog.data | [[str | | structured data array mapping id and parameter to value (RFC5424 only) |
.syslog.prog | str | | program name |
.syslog.msg | str | | the message |