Syslog Collection UDR Types

This section describes the UDR types that are used with the Syslog Collection agent.

SyslogMessageUDR

The fields in the SyslogMessageUDR follow the UDR naming conventions but are based on the Syslog specification. For further information about the fields described in this section, see RFC5424 and RFC3164. The latter applies only when the incoming messages are not compliant with RFC5424.

Field | Description
AppName (string)

This field contains APP-NAME, which identifies the device or application that originated the message.

Facility (int)

This field contains the numerical code of the facility in the Priority value (PRIVAL).

HostName (string)

This field contains HOSTNAME and identifies the machine that originally sent the Syslog message.

Msg (string)

This field contains MSG, a free-form message that provides information about the event.

MsgId (string)

This field contains MSGID and is used to identify the message type. For example, a firewall might use the MSGID "TCPIN" for incoming TCP traffic and "TCPOUT" for outgoing TCP traffic.

ProcId (string)

This field contains PROCID. The PROCID field is often used to provide the process name or process ID associated with a Syslog system.

Severity (int)

This field contains the numerical code of the severity in the Priority value (PRIVAL). It is used to specify the type of program that is logging the message.

StructuredData (map<string,map<string,map>>)

This field contains STRUCTURED-DATA.

This field is stored as a map that in turn contains one map per SD-ELEMENT. An SD-ELEMENT consists of a key and a set of parameter key-value pairs. The key is referred to as SD-ID, and the key-value pairs are referred to as SD-PARAM.

SD-ID is case-sensitive and uniquely identifies the type and purpose of the SD-ELEMENT.

Each SD-PARAM consists of a key, referred to as PARAM-NAME, and a value, referred to as PARAM-VALUE.

Example - Using the StructuredData field in APL

consume {
    SyslogMessageUDR myUDR = (SyslogMessageUDR) input;
    // Note the space between the two closing angle brackets!
    map<string,map<string,string> > myData = myUDR.StructuredData;
    // ...
}

Timestamp (string)

This field contains TIMESTAMP.

Version (int)

This field indicates the compliance level of the incoming messages.

0 - Compliant with RFC3164

1 - Compliant with RFC5424

If the message contains PRI followed by VERSION, the agent will interpret it as compliant with RFC5424. If the message does not contain PRI or VERSION, it will be interpreted as compliant with RFC3164.

RFC5424 is more restrictive than RFC3164, and deviations from the specification in any of the subsequent message fields will cause decoding errors.

Example - SyslogMessageUDR based on RFC5424 compliant message

Message

<165>1 2003-10-11T22:14:15.003Z mymachine.example.com evntslog - ID47 [exampleSDID@32473 iut="3" eventSource="Application" eventID="1011"] BOMAn application event log entry...

Expected UDR field values

AppName: evntslog
Facility: 20
HostName: mymachine.example.com
Msg: BOMAn application event log entry..
MsgId: ID47
ProcId: null
Severity: 5
StructuredData: {exampleSDID@32473={eventID=1011, eventSource=Application, iut=3}}
Timestamp: 2003-10-11T22:14:15.003Z
Version: 1

Example - SyslogMessageUDR based on RFC3164 compliant message with PRI

Message

<34>Oct 11 22:14:15 mymachine su: 'su root' failed for lonvick on /dev/pts/8

Expected UDR field values

AppName: null
Facility: 4
HostName: mymachine
Msg: su: 'su root' failed for lonvick on /dev/pts/8
MsgId: null
ProcId: null
Severity: 2
StructuredData: null
Timestamp: Oct 11 22:14:15
Version: 0

Example - SyslogMessageUDR based on RFC3164 compliant message without PRI

Message

"Use the BFG!"

Expected UDR field values

AppName: null
Facility: 0
HostName: null
Msg: Use the BFG!
MsgId: null
ProcId: null
Severity: 0
StructuredData: null
Timestamp: null
Version: 0
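The decoding rules above (RFC5424 detected by PRI followed by VERSION, RFC3164 otherwise, Facility and Severity derived from PRIVAL, STRUCTURED-DATA unpacked into nested maps) as a constructed Python parser that reproduces the three example UDRs. This is an added example, not the agent's own code; the function names and the dict used to stand in for the UDR are assumptions, and the agent's handling of malformed input may differ.

```python
import re

# Constructed parser (added example, not the agent's code). It fills the
# SyslogMessageUDR fields described above. Facility and Severity come from
# PRIVAL as PRIVAL // 8 and PRIVAL % 8 (RFC5424 section 6.2.1).
PRI_RE = re.compile(r"^<(\d{1,3})>")
SD_ELEM_RE = re.compile(r'\[([^ \]="]+)((?: [^ \]="]+="(?:[^"\\]|\\.)*")*)\]')
SD_PARAM_RE = re.compile(r'([^ \]="]+)="((?:[^"\\]|\\.)*)"')

def _nil(tok):
    # RFC5424 writes an absent header value as "-"; the UDR shows null.
    return None if tok == "-" else tok

def _structured_data(tail):
    # tail is everything after MSGID: STRUCTURED-DATA [SP MSG].
    # Returns (StructuredData map or None, MSG or None).
    if tail.startswith("-"):
        return None, (tail[2:] if len(tail) > 1 else None)
    sd, pos = {}, 0
    while (m := SD_ELEM_RE.match(tail, pos)):
        # Each SD-ELEMENT: SD-ID -> {PARAM-NAME: PARAM-VALUE}; unescape \" \\ \]
        sd[m.group(1)] = {k: re.sub(r'\\([\\"\]])', r"\1", v)
                          for k, v in SD_PARAM_RE.findall(m.group(2))}
        pos = m.end()
    if pos == 0:
        raise ValueError("malformed STRUCTURED-DATA")  # RFC5424 decoding error
    return sd, (tail[pos + 1:] if tail[pos:pos + 1] == " " else None)

def parse_syslog(raw):
    udr = {"AppName": None, "Facility": 0, "HostName": None, "Msg": None,
           "MsgId": None, "ProcId": None, "Severity": 0,
           "StructuredData": None, "Timestamp": None, "Version": 0}
    pri = PRI_RE.match(raw)
    if pri is None:                       # no PRI: RFC3164, whole line is MSG
        udr["Msg"] = raw
        return udr
    prival = int(pri.group(1))
    udr["Facility"], udr["Severity"] = prival // 8, prival % 8
    rest = raw[pri.end():]
    if not rest[:1].isdigit():            # PRI but no VERSION: RFC3164
        udr["Timestamp"] = rest[:15]      # "Mmm dd hh:mm:ss"
        host, _, msg = rest[16:].partition(" ")
        udr["HostName"], udr["Msg"] = host or None, msg or None
        return udr
    # RFC5424 header: VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD [MSG]
    version, ts, host, app, procid, msgid, tail = rest.split(" ", 6)
    udr["Version"] = int(version)
    udr["Timestamp"], udr["HostName"] = _nil(ts), _nil(host)
    udr["AppName"], udr["ProcId"], udr["MsgId"] = _nil(app), _nil(procid), _nil(msgid)
    udr["StructuredData"], udr["Msg"] = _structured_data(tail)
    return udr
```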