LogLogic, Inc. Proprietary and Confidential
LogLogic
Syslog Alert Format Quick Reference Guide
Software Release: 5.3
Document Release: March 2012
Part No: LL22000-00E05300000
This manual supports LogLogic software release 5.1 and later releases until replaced by a newer edition.
This document contains proprietary and confidential information of LogLogic, Inc. and its licensors. In accordance with the license, this document may not be copied, disclosed, modified, transmitted, or translated except as permitted in writing by LogLogic, Inc.
Trademarks
"LogLogic" and the LogLogic logo are registered trademarks of LogLogic, Inc. in the United States and/or foreign countries. All other company product names are trademarks or registered trademarks of their respective owners.
Notice
The information contained in this document is subject to change at any time without notice. All warranties with respect to the software and accompanying documentation are set out exclusively in the Software License Agreement or in the Product Purchase Agreement that covers the documentation.
The LogLogic® Appliance-based solution enables you to capture and manage log data from all types of sources in your enterprise. LogLogic appliances install within 10 minutes and begin collecting and aggregating data from connected log sources immediately.
This document describes the LogLogic Syslog Alert Message format.
Audience
This document is intended for LogLogic customers who are working with LogLogic’s Syslog alert messages. The LogLogic documentation describes the features and components for the LogLogic appliances.
Related Documents
The LogLogic documentation is available on the Solutions CD or on the LogLogic Technical Support website – http://www.loglogic.com/services/support. The documentation includes Portable Document Format (PDF) files and Online Help accessible from the LogLogic user interface.
To read the PDF documentation, you need a PDF file viewer such as Adobe Acrobat Reader. You can download the Adobe Acrobat Reader at http://www.adobe.com.
The following documents contain information about the LogLogic Appliances:
LogLogic Release Notes — Provides information specific to the release including product information, new features and functionality, resolved issues, known issues and any late-breaking information. Check the LogLogic support web site periodically for further updates.
LogLogic Hardware Installation Guide — Describes how to get started with your LogLogic Appliance. In addition, the guide includes details about the Appliance hardware for all models.
LogLogic Installation and Upgrade Guide — Describes how to install and upgrade the LogLogic Appliance software.
LogLogic User Guide — Describes how to use the LogLogic solution, viewing dashboard, managing reports, managing alerts, and performing searches.
LogLogic Administration Guide — Describes how to administer the LogLogic solution including all Management and Administration menu options.
LogLogic Log Source Configuration Guides — Describe how to support log data from various log sources. There is a separate manual for each supported log source. These documents include documentation on LogLogic Collectors as well as documentation on how to configure log sources to work with the LogLogic solution.
LogLogic Collector Guides — Describe how to implement support for using a LogLogic Collector for specific log sources such as IBM i5/OS and ISS Site Protector.
LogLogic Web Services API Implementation Guide — Describes how to implement the LogLogic Web Services APIs to manage reports, manage alerts, perform searches, and administrate the system.
LogLogic Syslog Alert Message Format Quick Reference Guide — Describes the LogLogic Syslog alert message format.
LogLogic Online Help — Describes the Appliance user interface, including descriptions for each screen, tab, and element in the Appliance.
Technical Support
At LogLogic, we are committed to the success of our customers and to ensuring our products improve customers' ability to maintain secure, reliable networks. Although LogLogic products are easy to use and maintain, occasional assistance may be necessary. LogLogic provides timely and comprehensive customer support and technical assistance from highly knowledgeable, experienced engineers who can help you maximize the performance of your LogLogic appliances.
Documentation Support
Your feedback on LogLogic documentation is important to us. Send us e-mail at [email protected] if you have questions or comments. Your comments will be reviewed directly by the LogLogic professionals who create and update the documentation.
In your e-mail message, please indicate the software name and version you are using, as well as the title and document date of your documentation.
Conventions
LogLogic documentation uses the following conventions:
Caution: Highlights important situations that could potentially damage data or cause system failure.
IMPORTANT! Highlights key considerations to keep in mind.
Note: Provides additional information that is useful but not always essential.
Tip: Highlights guidelines and helpful hints.
This guide also uses the following conventions to highlight code and command-line elements:
Monospace is used for programming elements (such as code fragments, objects, methods, parameters, and HTML tags) and system elements (such as file names, directories, paths, and URLs).
Monospace bold is used to distinguish system prompts or screen output from user responses, as in this example:
username: system
home directory: home\app
Monospace italic is used for placeholders, which are general names that you replace with names specific to your site, as in this example:
LogLogic_home_directory\upgrade\
Straight brackets signal options in command-line syntax.
ls [-AabCcdFfgiLlmnopqRrstux1] [-X attr] [path ...]
Alerts are an important way of sending immediate notification on events. The LogLogic appliance has three ways of sending out alerts: using email, SNMP trap, and Syslog format. This document specifies the format of Syslog alert messages sent by the LogLogic appliance to Syslog receivers. You can integrate your systems and applications with the LogLogic appliance by parsing and analyzing the received alert messages.
The common and specific message attributes are a set of name/value pairs (Name="Value") that conform to the following rules:
The order of the name/value pairs is NOT significant.
Syslog messages sent/received by LogLogic are limited to 65535 characters.
One or more spaces are allowed between each name/value pair.
The number of spaces in a value is always significant.
New lines (\n) and binary characters are not possible in Syslog alert messages. Binary characters are converted to \xNN, where NN is the hex value of the binary character. If there is a new line value, then it becomes \x0A in the final Syslog alert message.
All values appear between quotation marks("Value").
Double quotation marks ("") are escaped by a backslash (\") if found in the attribute value.
Backslashes (\) are escaped with a backslash (\\)
Names that are not part of the LogLogic specification must start with a letter, followed by any combination of letters, digits, and underscores.
The following sections provide details and alert message samples:
LogLogic reserves the right to change the message format in future revisions to suit the need of our customers and development partners. The format has been designed to support some types of future extensions while maintaining backward compatibility. Possible types of changes include:
The addition of name/value pairs to be inserted at any location in the message
The text of the Summary attribute may change for readability or to provide additional information
SYSLOG HEADER Components
The SYSLOG_HEADER follows the RFC 3164 layout (PRI, TIMESTAMP, HOSTNAME), with one difference that parsers must allow for: the timestamp carries a trailing four-digit year, which the RFC 3164 timestamp (Mmm dd hh:mm:ss) does not define. The format is:
PRIORITY TIME_STAMP HD_LOGAPP_IP
where
PRIORITY::= <133>
Note: LogLogic currently does not enable users to specify the Syslog severity or facility on a per-alert basis. Therefore, for all alerts we use a fixed Syslog priority value of <133>, which indicates the facility “local0” and a severity level of “notice” (PRI = facility × 8 + severity = 16 × 8 + 5 = 133).
TIME_STAMP::= MONTH DATE HOUR ':' MINUTE ':' SECOND YEAR
HD_LOGAPP_IP::= IP address of LogLogic appliance
LogLogic ID
The LogLogic_ID is a string of the following format:
%LOGLOGIC-X-05XXYY: where
X — Single digit representing the Syslog severity. At this time, the value is always 5.
05XXYY — Unique six digit LogLogic ID code, where
XX — AlertType
YY — AlertSubType
Table 1 on page 11 provides a list of unique LogLogic ID codes and their associated Alert Type and Alert Subtypes if applicable.
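A parser that applies the rules above end to end: the SYSLOG_HEADER (PRI decoded into facility and severity, the timestamp with its trailing year, the appliance IP), the LogLogic_ID (severity digit, 05XXYY code split into AlertType and AlertSubType) and the name/value attribute rules (order not significant, one or more spaces between pairs, \" and \\ escapes, binary and newline characters as \xNN, 65535-character limit). This is an added example, not code from the guide or from LogLogic. It assumes the attributes follow the LogLogic_ID on the same line, which the page does not state explicitly; the sample message, its appliance IP and the ID code 050102 are constructed for illustration and are not taken from Table 1.

```python
import re

# Assumed message layout (not spelled out on this page): the SYSLOG_HEADER,
# then the LogLogic_ID, then the name/value attributes, all on one line:
#   <PRI>Mmm dd hh:mm:ss yyyy APPLIANCE_IP %LOGLOGIC-X-05XXYY: Name="Value" ...
HEADER_RE = re.compile(
    r'^<(?P<pri>\d{1,3})>'
    r'(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) '
    r'(?P<ip>\S+) '
    r'%LOGLOGIC-(?P<sev>\d)-(?P<code>\d{6}): ?'
    r'(?P<body>.*)$'
)
# name: a letter, then letters/digits/underscores; value: anything but an
# unescaped quote, where a backslash always takes the next character with it
PAIR_RE = re.compile(r'([A-Za-z][A-Za-z0-9_]*)="((?:[^"\\]|\\.)*)"')
SEP_RE = re.compile(r' +')
# one escape token: \xNN (binary byte or newline), \" or \\
ESC_RE = re.compile(r'\\(x[0-9A-Fa-f]{2}|.)')
MAX_LEN = 65535  # limit on Syslog messages sent/received by the appliance


def unescape(raw):
    # Single pass over the escaped value, so the wire text \\x41 decodes to a
    # literal backslash followed by x41 instead of being decoded twice.
    def one(m):
        tok = m.group(1)
        if len(tok) == 3:               # 'x' followed by two hex digits
            return chr(int(tok[1:], 16))
        return tok                      # '"' or '\'
    return ESC_RE.sub(one, raw)


def parse_attributes(body):
    """Return the name/value pairs as a dict; their order is not significant."""
    attrs = {}
    body = body.strip(' ')
    pos = 0
    while pos < len(body):
        m = PAIR_RE.match(body, pos)
        if not m:
            raise ValueError('malformed attribute at offset %d: %r'
                             % (pos, body[pos:pos + 20]))
        name, raw = m.groups()
        if name in attrs:   # not covered by the guide; ambiguous, so reject
            raise ValueError('duplicate attribute %s' % name)
        attrs[name] = unescape(raw)
        pos = m.end()
        if pos < len(body):
            sep = SEP_RE.match(body, pos)   # one or more spaces between pairs
            if not sep:
                raise ValueError('expected space after %s at offset %d'
                                 % (name, pos))
            pos = sep.end()
    return attrs


def parse_alert(line):
    """Split a LogLogic Syslog alert into header, ID and attribute fields."""
    if len(line) > MAX_LEN:
        raise ValueError('message exceeds %d characters' % MAX_LEN)
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError('not a LogLogic Syslog alert line')
    pri = int(m['pri'])
    if pri > 191:   # RFC 3164: PRI = facility * 8 + severity, at most 23*8+7
        raise ValueError('PRI out of range: %d' % pri)
    facility, severity = divmod(pri, 8)
    code = m['code']
    if not code.startswith('05'):
        raise ValueError('unexpected LogLogic ID code %s' % code)
    return {
        'facility': facility,            # 133 -> 16 (local0)
        'severity': severity,            # 133 -> 5 (notice)
        'timestamp': m['ts'],
        'appliance_ip': m['ip'],
        'loglogic_severity': int(m['sev']),
        'alert_type': code[2:4],         # XX
        'alert_subtype': code[4:6],      # YY
        'attributes': parse_attributes(m['body']),
    }


# Constructed sample (not from the guide); the ID code 050102 is illustrative.
SAMPLE = (r'<133>Mar 12 10:15:23 2012 10.1.2.3 %LOGLOGIC-5-050102: '
          r'Summary="Failed logins exceeded threshold" Device="fw\\edge" '
          r'User="o\"brien" Raw="line1\x0Aline2"')

if __name__ == '__main__':
    alert = parse_alert(SAMPLE)
    print(alert['facility'], alert['severity'],
          alert['alert_type'], alert['alert_subtype'])
    for name, value in alert['attributes'].items():
        print('%s = %r' % (name, value))
```

The parser rejects anything it cannot account for (a name that does not start with a letter, pairs not separated by a space, an unterminated value, a duplicate name, an over-long line) rather than skipping it, because a silently dropped attribute in an alert is worse than a parse error you can see. Because the guide allows new name/value pairs to appear at any position in future releases, downstream code should look attributes up by name and never by position.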
Syslog Alert Message Format
Table 1 LogLogic ID and associated Alert Types and Alert Subtypes