Chat now with support
Chat with Support

syslog-ng Store Box 6.0.5 - Administration Guide

Preface Introduction The concepts of SSB The Welcome Wizard and the first login Basic settings User management and access control Managing SSB Configuring message sources Storing messages on SSB Forwarding messages from SSB Log paths: routing and processing messages Configuring syslog-ng options Searching log messages Searching the internal messages of SSB Classifying messages with pattern databases The SSB RPC API Troubleshooting SSB Security checklist for configuring SSB Glossary

The HEADER message part

The HEADER part contains the following elements:

  • VERSION: The version number of the syslog protocol standard. Currently this can only be 1.

  • ISOTIMESTAMP: The time when the message was generated in the ISO 8601 compatible standard timestamp format (yyyy-mm-ddThh:mm:ss+-ZONE), for example: 2006-06-13T15:58:00.123+01:00.

  • HOSTNAME: The machine that originally sent the message.

  • APPLICATION: The device or application that generated the message.

  • PID: The process name or process ID of the syslog application that sent the message. It is not necessarily the process ID of the application that generated the message.

  • MESSAGEID: The ID number of the message.

 NOTE:

The syslog-ng application supports other timestamp formats as well, like ISO, or the PIX extended format. The timestamp used in the IETF-syslog protocol is derived from RFC 3339, which is based on ISO 8601. For details, see the ts_format() option in The syslog-ng Premium Edition 7.0.32 Administrator Guide.

The STRUCTURED-DATA message part

The STRUCTURED-DATA message part may contain meta-information about the syslog message, or application-specific information such as traffic counters or IP addresses. STRUCTURED-DATA consists of data elements enclosed in brackets ([]).

In the following example, you can see two STRUCTURED-DATA elements:

[exampleSDID@0 iut="3" eventSource="Application" eventID="1011"][examplePriority@0 class="high"]

An element consists of an SD-ID (its identifier), and one or more parameters. Each parameter consists of a name and a value (for example, eventID="1011").

On SSB, the parameters (name-value pairs) parsed from these elements can be searched. From the example above, the following name-value pairs are parsed:

.sdata.exampleSDID@0.iut=3
.sdata.exampleSDID@0.eventSource=Application
.sdata.exampleSDID@0.eventID=1011
.sdata.examplePriority@0.class=high

The syslog-ng application automatically parses the STRUCTURED-DATA part of syslog messages, which can be referenced in macros (see The syslog-ng Premium Edition 7.0.32 Administrator Guide for details).

The MSG message part

The MSG part contains the text of the message itself. The encoding of the text must be UTF-8 if the BOM character is present in the message. If the message does not contain the BOM character, the encoding is treated as unknown. Usually messages arriving from legacy sources do not include the BOM character.

The Welcome Wizard and the first login

This section describes the initial steps of configuring SSB. Before completing the steps below, unpack, assemble, and power on the hardware. Connect at least the external network interface to the local network, or directly to the computer from which SSB will be configured.

 NOTE:

For details on unpacking and assembling the hardware, see "syslog-ng Store Box Hardware Installation Guide" in the Installation Guide. For details on how to create a high availability SSB cluster, see "Installing two SSB units in HA mode" in the Installation Guide.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating