Syslog output
The syslog output function forwards messages received by the Logmanager server to an external syslog server. Each message passes through the whole Logmanager system: metadata are added, the parsers are applied, and finally the message is formatted as JSON. The contents of the JSON message are identical to what is stored in the database of the Logmanager server and shown on the dashboards. The message in this state is sent to the external syslog server via the syslog protocol over TCP. There are 6 options for the syslog output message format version.
Syslog output has the following restrictions:
- If the remote side is not responding or not able to accept messages, messages will be lost.
The table shows all available information: syslog server address (Host), syslog server port (Port), user description (Description), message format version (Version), and enabled status (Enabled).

Syslog output
Filter fields are above the table. Data may be filtered by any single column. When filters are set on more than one column, they are combined with AND.
If you need to add a new syslog output, click the green plus icon in the main table in the upper right corner.
Enter the following data into the prepared form:
- Syslog output server IP: IP address of the external syslog server, required value.
- Syslog output server port: port of the external syslog server, required value.
- Description: user description.
- Version: message format version (4 options in definition).
- Enabled: enabled status.

Adding a syslog output
To ensure that messages are sent to the remote server, an alert must be created. In the main menu, select an alert and click the plus icon in the upper right corner of the main table.

Adding a new alert
After you create the alert, select Message in the blocks and find the block “send message event to remote syslog “remote syslog name””.

Notifications settings
Editing of the syslog output can be started by clicking the blue pencil icon, which is shown at the end of the row.

Editing a syslog output
A form identical to the form for adding a new syslog output is shown.
Deletion of a syslog output is done by clicking the red cross icon, which is shown at the end of the row.

Deleting a syslog output
After clicking the cross, a new dialog window Delete a syslog output is opened, and the name of the syslog output to be deleted is shown for checking.
The following options are available for the syslog output message format:
- Current version (for legacy purposes)
- Forward original message, formatted as follows:
<PRIVAL_from_original_message>'msg.meta.timestamp - formatted as MMM D HH:mm:ss' LM.'msg.meta.parser'.'msg.meta.src.ip@ip.ptr' forwarder: 'msg.raw'
Real example:
<123>Mar 3 12:30:53 LM.fortigate.fg.office.ad forwarder: <123> program data data data
- Forward Logmanager JSON message with source IP address information:
<PRIVAL_from_original_message>'msg.meta.timestamp - formatted as MMM D HH:mm:ss' LM.'msg.meta.parser'.'msg.meta.src.ip@ip.ptr' forwarder: 'msg'
Real example:
<123>Mar 3 12:30:53 LM.fortigate.fg.office.ad forwarder: {"meta":{"src_ip":"8.8.8.8"}}
- Forward Logmanager JSON message with parser information:
<PRIVAL_from_original_message>'msg.meta.timestamp - formatted as MMM D HH:mm:ss' LM.'msg.meta.parser' forwarder: 'msg'
Real example:
<123>Mar 3 12:30:53 Logmanager.fortigate forwarder: {"meta":{"src_ip":"8.8.8.8"}}
- Forward unchanged/original raw field:
'raw'
Real example:
<123>Mar 3 12:30:53 hostname: message
- Forward original raw field with source IP information and original syslog headers:
<PRIVAL_from_original_message>'msg.meta.timestamp - formatted as MMM D HH:mm:ss' 'meta.src.ip' forwarder: 'raw'
Real example:
<123>Mar 3 12:30:53 "meta.src.ip" forwarder: "raw"
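A receiver-side parser for the three formats above that carry the `LM.` header, as an added example that is not part of Logmanager or its documentation. The function name `parse_forwarded`, the returned field names and the rule that the first label after the prefix is the parser name are assumptions made for this example.

```python
import json
import re

# Header layout from the page's templates:
#   <PRI>MMM D HH:mm:ss LM.<parser>[.<ptr>] forwarder: <payload>
# "Logmanager." is also accepted because one of the page's examples uses it.
# Assumption: parser names contain no dots, so the first label is the parser.
HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?:LM|Logmanager)\.(?P<tag>\S+) forwarder: (?P<payload>.*)$",
    re.DOTALL,
)


def parse_forwarded(line):
    """Parse one forwarded line; return None if it lacks the LM header."""
    m = HEADER.match(line.rstrip("\r\n"))
    if m is None:
        return None
    pri = int(m["pri"])
    if pri > 191:  # PRI = facility * 8 + severity; the maximum is 23 * 8 + 7
        return None
    parser, _, ptr = m["tag"].partition(".")
    payload = m["payload"]
    event = None
    if payload.startswith("{"):
        try:
            event = json.loads(payload)
        except json.JSONDecodeError:
            event = None  # malformed JSON: keep the text in "raw" instead
    return {
        "facility": pri >> 3,
        "severity": pri & 7,
        "timestamp": m["ts"],
        "parser": parser,
        "ptr": ptr or None,   # reverse-DNS name of the source, when present
        "event": event,       # dict for the JSON formats, otherwise None
        "raw": payload,
    }


if __name__ == "__main__":
    # Example lines copied from the page.
    for sample in (
        '<123>Mar 3 12:30:53 LM.fortigate.fg.office.ad forwarder: {"meta":{"src_ip":"8.8.8.8"}}',
        "<123>Mar 3 12:30:53 hostname: message",
    ):
        print(parse_forwarded(sample))
```

Lines in the two raw-field formats return `None` here, so a receiver can route them to its ordinary syslog handling.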