Syslog Messages

Syslog is a widely used standard for message logging. It is used for computer management and security auditing as well as for general information, analysis and debugging messages. Syslog is supported by a wide variety of devices across multiple platforms and has become the standard logging solution on various systems.

The SYSLOG Record is used to hold the messages received by the Syslog Collector. The Syslog Collector (irsyslogcol.exe) runs on the Monitoring Server and is used to collect Syslog messages containing status and diagnostic information from monitored devices. If the environment consists of multiple Monitoring Servers, then for scalability, the collection of Syslog messages should be spread across all servers. To do this, each Monitoring Server should be set up to receive Syslog messages only for the systems being directly monitored by that server.

A technique called 'Device Matching' is used to automatically tag each message with details of the device it came from, i.e. Device name, Cluster name, Vendor, Type, Customer and Site. This is done automatically for some vendor devices that are monitored, e.g. Cisco Unified Communications Manager (CUCM), Cisco Unity Connection (CUC) and SBC. 'Device Matching' populates the SYSLOG Record with this information from the following sources:

  • PrognosisNode (PNODES) Record

  • CallManagerGateway (CMGATEWY) Record

  • CISCODEV Configuration

  • SBC Configuration

'Device Matching' is only performed for the devices known to the current Monitoring Server, i.e. if the Syslog messages from a device are sent to a different Monitoring Server instead of the server currently monitoring the device, then automatic device matching will not be possible and the device details will need to be specified explicitly. As mentioned above, it is recommended that each Monitoring Server be set up to receive Syslog messages only for the devices being directly monitored by that server. This ensures that device matching is carried out, and it also spreads the load created by Syslog across the different Monitoring Servers.

For other devices, the MAP-DEVICE statement in the SYSLOG Configuration can be used to specify this information manually, or to overwrite the information from automatic device matching, for each message based on its originating IP address.

If there are multiple devices associated with the same IP address, the DeviceName field will be populated with the text 'Multiple Devices Matched'. This indicates that the source of the Syslog message cannot be identified due to an IP address conflict. If the conflicting devices are from the same vendor, the Vendor field will be populated. The other fields will be reset to blank.
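The following is an added example, not code from Prognosis or from the Syslog Collector itself. It models the device matching behaviour described above: a received syslog line is parsed, the SYSLOG Record is tagged with the device details found for its source IP, an explicit per-IP entry takes precedence over automatic matching, and an IP address shared by several devices produces 'Multiple Devices Matched' with only the Vendor retained when the conflicting devices share one. The device inventory, the override table (the page does not show the MAP-DEVICE syntax, so a plain dictionary stands in for it) and the message lines are all constructed for the example.

```python
"""Added example: syslog device matching by source IP (not Prognosis code).
The inventory, the MAP-DEVICE stand-in and the sample messages are constructed."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# RFC 3164-style line: "<PRI>Mmm dd hh:mm:ss host tag: message" (PRI = facility*8 + severity)
SYSLOG_RE = re.compile(r"^<(?P<pri>\d{1,3})>(?P<rest>.+)$")


@dataclass
class DeviceInfo:
    """The six fields Device Matching fills in on the SYSLOG Record."""
    device_name: str = ""
    cluster_name: str = ""
    vendor: str = ""
    type: str = ""
    customer: str = ""
    site: str = ""


@dataclass
class SyslogRecord:
    source_ip: str
    facility: int
    severity: int
    text: str
    device: DeviceInfo = field(default_factory=DeviceInfo)


# Constructed inventory of devices "known" to this Monitoring Server. The real
# collector draws these from the PNODES and CMGATEWY records and the CISCODEV
# and SBC configurations; here they are flattened into one (ip, info) list.
KNOWN_DEVICES: List[Tuple[str, DeviceInfo]] = [
    ("10.0.0.10", DeviceInfo("cucm-pub-1", "cluster-a", "Cisco", "CUCM", "acme", "london")),
    ("10.0.0.11", DeviceInfo("cuc-1", "cluster-a", "Cisco", "CUC", "acme", "london")),
    # Two devices configured with the same IP: an address conflict
    ("10.0.0.20", DeviceInfo("sbc-1", "", "Cisco", "SBC", "acme", "paris")),
    ("10.0.0.20", DeviceInfo("sbc-2", "", "Cisco", "SBC", "acme", "paris")),
]

# Assumed stand-in for MAP-DEVICE statements: explicit details keyed by IP
# that take precedence over automatic matching.
MAP_DEVICE: Dict[str, DeviceInfo] = {
    "10.0.0.30": DeviceInfo("fw-edge-1", "", "Acme", "Firewall", "acme", "berlin"),
}


def match_device(source_ip: str,
                 known: List[Tuple[str, DeviceInfo]] = KNOWN_DEVICES,
                 overrides: Dict[str, DeviceInfo] = MAP_DEVICE) -> DeviceInfo:
    """Return the device details for a source IP, following the rules on the page."""
    if source_ip in overrides:                      # explicit mapping wins
        return overrides[source_ip]
    matches = [info for ip, info in known if ip == source_ip]
    if not matches:                                 # device unknown to this server
        return DeviceInfo()
    if len(matches) == 1:
        return matches[0]
    # IP conflict: flag it, keep Vendor only if all conflicting devices agree,
    # and leave every other field blank.
    vendors = {info.vendor for info in matches}
    result = DeviceInfo(device_name="Multiple Devices Matched")
    if len(vendors) == 1:
        result.vendor = vendors.pop()
    return result


def parse_syslog(source_ip: str, line: str,
                 known: List[Tuple[str, DeviceInfo]] = KNOWN_DEVICES,
                 overrides: Dict[str, DeviceInfo] = MAP_DEVICE) -> Optional[SyslogRecord]:
    """Parse one received line into a tagged record; None if the PRI header is invalid."""
    m = SYSLOG_RE.match(line.strip())
    if not m:
        return None
    pri = int(m.group("pri"))
    if pri > 191:                                   # 23 facilities * 8 severities
        return None
    return SyslogRecord(source_ip, pri // 8, pri % 8, m.group("rest"),
                        match_device(source_ip, known, overrides))


if __name__ == "__main__":
    # Constructed sample messages as the collector might receive them
    samples = [
        ("10.0.0.10", "<190>Mar 4 10:15:01 cucm-pub-1 CCM: CallManager started"),
        ("10.0.0.20", "<34>Mar 4 10:15:02 sbc SBC: trunk down"),
        ("10.0.0.30", "<14>Mar 4 10:15:03 fw-edge-1 kernel: link up"),
        ("10.9.9.9", "<13>Mar 4 10:15:04 unknown-host app: hello"),
    ]
    for ip, line in samples:
        rec = parse_syslog(ip, line)
        print(ip, rec.device if rec else "invalid")
```

Unmatched messages are kept with blank device fields rather than dropped, which mirrors the page's point that a device reporting to the wrong Monitoring Server still gets its messages collected, only without automatic tagging.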