SYSLOG Configuration Syntax

The SYSLOG Configuration is used to set up the Syslog Message collector. The optional settings that can be configured through it are shown below:

SUBSYS SYSLOG

ADD UDP_LISTENER (<port-number>)
ADD TCP_LISTENER (<port-number>[, terminator={NULL | CR | LF | CRLF}])
ADD TLS_LISTENER (<port-number>)
TLS_CERTCHAIN (<location of unified certificate chain pem file>)
TLS_PRIVATEKEY (<location of private key pem file>)
MAP DEVICE (<IncomingIp>[:<SyslogPort>][, device=<DeviceName>][, customer=<Customer>][, site=<Site>][, cluster=<ClusterName>][, vendor=<Vendor>][, type=<Type>])

Syntax Elements

ADD UDP_LISTENER

This statement defines the port number on which to listen for Syslog messages sent over the UDP protocol.

<port-number>

The default setting is the standard Syslog UDP port number 514, and normally this does not need to be changed. If an alternative port needs to be used, modify this statement to the required port number. Valid port numbers range from 1 to 65535.

ADD TCP_LISTENER

This statement defines the port number on which to listen for Syslog messages sent over the TCP protocol.

<port-number>

The default setting is the standard Syslog TCP port number 601, and normally this does not need to be changed. If an alternative port needs to be used, modify this statement to the required port number. Valid port numbers range from 1 to 65535.

terminator={NULL | CR | LF | CRLF}

An optional terminator can be specified to match the delimiter that the sending device uses in TCP Syslog messages. The non-transparent-framing method inserts a Syslog message into a frame and terminates it with a TRAILER character. The TRAILER is usually a single character, most often ASCII LF (%d10). However, other characters may also be used, with ASCII NUL (%d00) being a prominent example. Some devices may also emit a two-character TRAILER, which is usually CR and LF. Supported delimiters are: NULL, CR, LF and CRLF.

The default is NULL.
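The following added example (not part of the original page and not the collector's own code) illustrates non-transparent framing: it splits a TCP byte stream into messages using one configured trailer, and shows what happens when the configured terminator does not match the one the sender emits. The names FrameSplitter, split_stream and MAX_FRAME, the 8192-byte cap and the sample messages are assumptions made for the illustration.

```python
# Added illustration of non-transparent framing; not the collector's own code.
TERMINATORS = {"NULL": b"\x00", "CR": b"\r", "LF": b"\n", "CRLF": b"\r\n"}
MAX_FRAME = 8192  # assumed cap so a missing trailer cannot grow the buffer forever


class FrameSplitter:
    """Rebuild Syslog messages from TCP reads using one configured trailer."""

    def __init__(self, terminator="NULL", max_frame=MAX_FRAME):
        self.trailer = TERMINATORS[terminator]
        self.max_frame = max_frame
        self.buf = b""      # bytes received since the last trailer
        self.dropped = 0    # bytes discarded because no trailer arrived in time

    def feed(self, chunk):
        """Add the bytes of one read and return the messages completed by it."""
        self.buf += chunk
        *frames, self.buf = self.buf.split(self.trailer)
        if len(self.buf) > self.max_frame:
            self.dropped += len(self.buf)
            self.buf = b""
        return [f for f in frames if f]


def split_stream(chunks, terminator):
    """Run all chunks through one splitter; return (messages, pending bytes)."""
    splitter = FrameSplitter(terminator)
    messages = []
    for chunk in chunks:
        messages.extend(splitter.feed(chunk))
    return messages, splitter.buf


# Constructed sample: two LF-terminated messages, the first split across reads.
SAMPLE_LF = [b"<34>Oct 11 22:14:15 gw1 su: auth fail",
             b"ure\n<13>Oct 11 22:14:16 gw1 app: started\n"]

if __name__ == "__main__":
    for name in ("LF", "NULL"):
        msgs, pending = split_stream(SAMPLE_LF, name)
        print(name, len(msgs), "messages,", len(pending), "bytes pending")
```

In this model, the LF setting recovers both sample messages, while the NULL setting leaves the whole stream pending because no NUL byte ever arrives; a CRLF sender read with the LF setting leaves a stray CR at the end of each message.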

ADD TLS_LISTENER

This statement defines the port number on which to listen for Syslog messages sent over the TLS protocol. When using TLS as the protocol, key files must be specified using the TLS_CERTCHAIN and TLS_PRIVATEKEY statements.

<port-number>

The default setting is the standard Syslog TLS port number 6514, and normally this does not need to be changed. If an alternative port needs to be used, modify this statement to the required port number. Valid port numbers range from 1 to 65535.

TLS_CERTCHAIN

The TLS_CERTCHAIN statement specifies the location of the 'unified certificate chain pem' file.

<location of unified certificate chain pem file>

This is the full absolute path and file name of the certificate pem file.

TLS_PRIVATEKEY

The TLS_PRIVATEKEY statement specifies the location of the server's 'private key pem' file.

<location of private key pem file>

This is the full absolute path and file name of the private key pem file.

MAP DEVICE

The 'Device Matching' functionality tags messages with details of the device that they came from, i.e. Device name, Cluster name, Vendor, Type, Customer and Site. This is done automatically for some vendor devices, e.g. Cisco Unified Communications Manager (CUCM), Cisco Unity Connection (CUC), SBC. For other devices, the MAP DEVICE statement is an optional setting that can be used to manually specify message details based on the originating IP address.

<IncomingIp>

IP address of the syslog message as seen by the Monitoring Server.

<SyslogPort>

Optional: The port number that the syslog message was sent to. If omitted this will default to all ports.

device=<DeviceName>

Optional: Name of this device.

customer=<Customer>

Optional: Name of customer who owns this device, e.g. 'Acme'.

site=<Site>

Optional: Name of site for this device, e.g. 'London'.

cluster=<ClusterName>

Optional: Name of the cluster to which the device belongs.

vendor=<Vendor>

Optional: Two character code representing the vendor of the top level entity being reported on. For a list of applicable codes see the Vendor and Type Codes for Syslog.

type=<Type>

Optional: Vendor-specific type of the device. For a list of applicable codes see the Vendor and Type Codes for Syslog.

Omitting any of the optional fields will mean that the particular data will not be captured and displayed.

