Logmanager documentation

Syslog output

The syslog output function allows messages received by the Logmanager server to be forwarded to an external syslog server. The message passes through the whole Logmanager pipeline: metadata is added, the parsers are applied, and finally the result is formatted as JSON. The content of the JSON message is identical to how the message is stored in the Logmanager database and how it is shown on the dashboards. The message in this state is sent to the external syslog server via the syslog protocol over TCP. There are 6 options to choose from for the syslog output message format version.

Limitations

Syslog output has the following restrictions:

  • If the remote side is not responding or not able to accept messages, messages will be lost.

Syslog output menu

The table shows all available information: syslog server address (Host), syslog server port (Port), user description (Description), message format version (Version), and enabled status (Enabled).

Syslog output

Filter fields are above the table. Data may be filtered by any single column. If filters are set on more than one column, they are combined with AND.

Adding a syslog output

If you need to add a new syslog output, click the green plus icon in the main table in the upper right corner.

Enter the following data into the prepared form:

  • Syslog output server IP: IP address of the external syslog server, required value.
  • Syslog output server port: port of the external syslog server, required value.
  • Description: user description.
  • Version: message format version (4 options in definition).
  • Enabled: enabled status.

Adding a syslog output

To actually send messages to the remote server, an alert must be created. In the main menu, select Alerts and click the plus icon in the upper right corner of the main table.

Adding a new alert

After you create the alert, select Message in the blocks and find the block "send message event to remote syslog <remote syslog name>".

Notifications settings

Editing a syslog output

Editing of the syslog output can be started by clicking the blue pencil icon, which is shown at the end of the row.

Editing a syslog output

A form identical to the one for adding a new syslog output is shown.

Deleting a syslog output

Deletion of a syslog output is done by clicking the red cross icon, which is shown at the end of the row.

Deleting a syslog output

After clicking the cross, a new dialog window, Delete a syslog output, opens and shows the name of the syslog output to be deleted so that you can check it before confirming.

More options of a syslog output

The following options are available for the syslog output message format:

  1. Current version (for legacy purposes)
  2. Forward the original message, formatted as follows:
    <PRIVAL_from_original_message>'msg.meta.timestamp - formatted as MMM D HH:mm:ss' LM.'msg.meta.parser'.'msg.meta.src.ip@ip.ptr' forwarder: 'msg.raw'

    Real example:

    <123>Mar 3 12:30:53 LM.fortigate.fg.office.ad forwarder: <123> program data data data

  3. Forward the Logmanager JSON message with source IP address information:
    <PRIVAL_from_original_message>'msg.meta.timestamp - formatted as MMM D HH:mm:ss' LM.'msg.meta.parser'.'msg.meta.src.ip@ip.ptr' forwarder: 'msg'

    Real example:

    <123>Mar 3 12:30:53 LM.fortigate.fg.office.ad forwarder: {"meta":{"src_ip":"8.8.8.8"}}

  4. Forward the Logmanager JSON message with parser information:
    <PRIVAL_from_original_message>'msg.meta.timestamp - formatted as MMM D HH:mm:ss' LM.'msg.meta.parser' forwarder: 'msg'

    Real example:

    <123>Mar 3 12:30:53 Logmanager.fortigate forwarder: {"meta":{"src_ip":"8.8.8.8"}}

  5. Forward the unchanged/original raw field:
    'raw'

    Real example:

    <123>Mar 3 12:30:53 hostname: message

  6. Forward the original raw field with source IP information and the original syslog headers:
    <PRIVAL_from_original_message>'msg.meta.timestamp - formatted as MMM D HH:mm:ss' 'meta.src.ip' forwarder: 'raw'

    Real example:

    <123>Mar 3 12:30:53 "meta.src.ip" forwarder: "raw"
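The templates above are easiest to check against a concrete message. The Python below is an added example written for this page; it is not Logmanager code and does not use any Logmanager API. It builds formats 2 through 6 from a constructed sample message and includes a small receiver-side parser that splits a forwarded line back into its PRI value (facility and severity), timestamp, host field and payload, which is what an analyst on the receiving SIEM needs in order to tell the forwarder's header apart from the original device's header. Assumptions: the message is a plain dict with the `meta.timestamp`, `meta.parser`, `meta.src_ip` and `raw` fields named on the page plus an assumed `meta.ptr` field for the reverse-DNS name (the page's example shows only the PTR name, `fg.office.ad`, after `LM.fortigate.`); the `LM.` host prefix follows the templates, although the page's example for format 4 shows `Logmanager.`; format 1 is not specified on the page and is therefore not implemented.

```python
import json
import re
from datetime import datetime

# Constructed sample message (not captured from a real Logmanager instance).
SAMPLE_MSG = {
    "meta": {
        "timestamp": "2024-03-03T12:30:53",
        "parser": "fortigate",
        "src_ip": "192.0.2.10",
        "ptr": "fg.office.ad",  # assumed field: reverse-DNS name of src_ip
    },
    "raw": "<123>Mar 3 12:30:53 hostname: message",
}

# The templates use "LM."; the page's format-4 example shows "Logmanager." instead.
HOST_PREFIX = "LM."


def original_prival(raw):
    """Return the '<PRIVAL>' prefix of the original raw line, or '' if there is none."""
    if raw.startswith("<"):
        end = raw.find(">")
        if 0 < end <= 4 and raw[1:end].isdigit():
            return raw[: end + 1]
    return ""


def syslog_timestamp(iso_ts):
    """Render meta.timestamp as 'MMM D HH:mm:ss' (day without zero padding)."""
    ts = datetime.fromisoformat(iso_ts)
    return f"{ts.strftime('%b')} {ts.day} {ts.strftime('%H:%M:%S')}"


def format_output(msg, version):
    """Build the forwarded line for format versions 2-6 described on the page."""
    meta = msg["meta"]
    pri = original_prival(msg["raw"])
    ts = syslog_timestamp(meta["timestamp"])
    payload = json.dumps(msg, separators=(",", ":"))
    host_with_ptr = f"{HOST_PREFIX}{meta['parser']}.{meta['ptr']}"
    host_parser = f"{HOST_PREFIX}{meta['parser']}"
    if version == 2:
        return f"{pri}{ts} {host_with_ptr} forwarder: {msg['raw']}"
    if version == 3:
        return f"{pri}{ts} {host_with_ptr} forwarder: {payload}"
    if version == 4:
        return f"{pri}{ts} {host_parser} forwarder: {payload}"
    if version == 5:
        return msg["raw"]
    if version == 6:
        return f"{pri}{ts} {meta['src_ip']} forwarder: {msg['raw']}"
    raise NotImplementedError(f"format version {version} is not specified on the page")


# Receiver side: header produced by the forwarder, followed by the payload.
FORWARDED_RE = re.compile(
    r"^(?:<(\d{1,3})>)?(\w{3} \d{1,2} \d{2}:\d{2}:\d{2}) (\S+) forwarder: (.*)$",
    re.DOTALL,
)


def parse_forwarded(line):
    """Split a forwarded line into PRI, timestamp, host and payload; None if no match."""
    m = FORWARDED_RE.match(line)
    if not m:
        return None
    pri, ts, host, payload = m.groups()
    result = {"pri": None, "facility": None, "severity": None,
              "timestamp": ts, "host": host, "payload": payload}
    if pri is not None:
        prival = int(pri)
        result["pri"] = prival
        result["facility"] = prival >> 3   # RFC 5424: PRI = facility * 8 + severity
        result["severity"] = prival & 7
    if payload.startswith("{"):
        try:
            result["json"] = json.loads(payload)
        except json.JSONDecodeError:
            pass  # keep the raw payload when it is not valid JSON
    return result


if __name__ == "__main__":
    for v in range(2, 7):
        print(v, format_output(SAMPLE_MSG, v))
    print(parse_forwarded(format_output(SAMPLE_MSG, 3)))
```

Note that in formats 2 and 6 the payload still carries the device's own `<PRI>` and timestamp, so a receiver that parses only the outer header will attribute the event to the forwarder's timestamp and to the `LM.` host rather than to the originating device; `parse_forwarded` keeps the inner line intact in `payload` so that it can be parsed a second time.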