Syslog output
The syslog output function allows messages received by the Logmanager server to be forwarded to an external syslog server. A message passes through the whole Logmanager pipeline: metadata is added, the message goes through the parsers, and finally it is formatted as JSON. The contents of the JSON message are identical to what is stored in the Logmanager server's database and shown in the dashboards. The message in this state is sent to the external syslog server via the syslog protocol over TCP. There are 6 options to select the syslog output message format version.
Syslog output has the following restriction:
- If the remote side is not responding or is unable to accept messages, the messages will be lost.
The table shows all available information: syslog server address (Host), syslog server port (Port), user description (Description), message format version (Version), and enabled status (Enabled).
Filter fields are located above the table. Data may be filtered by any single column; when filters are set on more than one column, they are combined with AND.
If you need to add a new syslog output, click the green plus icon in the upper right corner of the main table.
Enter the following data into the prepared form:
- Syslog output server IP: IP address of the external syslog server, required value.
- Syslog output server port: port of the external syslog server, required value.
- Description: user description.
- Version: message format version (4 options in definition).
- Enabled: enabled status.
The syslog output is added by clicking the Create button; clicking the Cancel button discards the completed form and returns to the main table.
To actually send messages to the remote server, an alert must be created. In the main menu, select the alert section and click the plus icon in the upper right corner of the main table.
After creating the alert, select Message in the blocks and find the block "send message event to remote syslog 'remote syslog name'".
Editing of a syslog output is started by clicking the blue pencil icon shown at the end of the row.
A form identical to the one for adding a new syslog output is shown.
The change is saved by clicking the Save button; clicking the Cancel button discards the form and returns to the main table.
A syslog output is deleted by clicking the red cross icon shown at the end of the row.
After clicking the cross, a new dialog window, Delete a syslog output, opens and shows the name of the syslog output to be deleted for checking. To continue and delete the syslog output, click the Yes button; to cancel, click the No button.
The following options are available for the syslog output message format:
- Current version (for legacy purposes)
- Forward original message, formatted as follows:
<PRIVAL_from_original_message>'msg.meta.timestamp - formatted as MMM D HH:mm:ss' LM.'msg.meta.parser'.'msg.meta.src.ip@ip.ptr' forwarder: 'msg.raw'
Real example:
<123>Mar 3 12:30:53 LM.fortigate.fg.office.ad forwarder: <123> program data data data
- Forward Logmanager JSON message with source IP address information:
<PRIVAL_from_original_message>'msg.meta.timestamp - formatted as MMM D HH:mm:ss' LM.'msg.meta.parser'.'msg.meta.src.ip@ip.ptr' forwarder: 'msg'
Real example:
<123>Mar 3 12:30:53 LM.fortigate.fg.office.ad forwarder: {"meta":{"src_ip":"8.8.8.8"}}
- Forward Logmanager JSON message with parser information
<PRIVAL_from_original_message>'msg.meta.timestamp - formatted as MMM D HH:mm:ss' LM.'msg.meta.parser' forwarder: 'msg'
Real example:
<123>Mar 3 12:30:53 Logmanager.fortigate forwarder: {"meta":{"src_ip":"8.8.8.8"}}
- Forward unchanged/original raw field
'raw'
Real example:
<123>Mar 3 12:30:53 hostname: message
- Forward original raw field with source ip information and original syslog headers
<PRIVAL_from_original_message>'msg.meta.timestamp - formatted as MMM D HH:mm:ss' 'meta.src.ip' forwarder: 'raw'
Real example:
<123>Mar 3 12:30:53 "meta.src.ip" forwarder: "raw"
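The five non-legacy format versions above, rendered by an added Python example that is not Logmanager's own code. It assumes a message dict with a raw field and a meta object holding timestamp, parser, src_ip and ptr, takes PRIVAL from the original message's <N> prefix (with an assumed fallback of 13 when the raw line has no syslog header), and uses the LM. host prefix from the templates where the third example on the page shows Logmanager. instead.

```python
import json
import re
from datetime import datetime

# Constructed sample in the shape this page describes (a "raw" field plus
# "meta"); the field names under "meta" are assumptions, not the exact schema.
SAMPLE_MSG = {
    "raw": "<123> program data data data",
    "meta": {
        "timestamp": "2024-03-03T12:30:53",
        "parser": "fortigate",
        "src_ip": "8.8.8.8",
        "ptr": "fg.office.ad",
    },
}

_PRIVAL_RE = re.compile(r"^<(\d{1,3})>")


def prival_from_raw(raw: str, default: int = 13) -> int:
    """PRIVAL copied from the original message's <N> prefix. The fallback of
    13 (user.notice) for raw lines without a syslog header is an assumption."""
    m = _PRIVAL_RE.match(raw)
    return int(m.group(1)) if m and int(m.group(1)) <= 191 else default


def syslog_timestamp(iso_ts: str) -> str:
    """'MMM D HH:mm:ss' as shown in the page's examples: 'Mar 3 12:30:53',
    day not zero-padded (unlike the RFC 3164 'Mar  3' form)."""
    ts = datetime.fromisoformat(iso_ts)
    return f"{ts.strftime('%b')} {ts.day} {ts:%H:%M:%S}"


def format_output(msg: dict, version: str) -> str:
    """Render one message in the chosen (non-legacy) output format version."""
    meta, raw = msg["meta"], msg["raw"]
    header = f"<{prival_from_raw(raw)}>{syslog_timestamp(meta['timestamp'])}"
    body_json = json.dumps(msg, separators=(",", ":"))   # compact JSON body
    host_full = f"LM.{meta['parser']}.{meta['ptr']}"      # LM.parser.ptr
    if version == "original":        # original message with LM header in front
        return f"{header} {host_full} forwarder: {raw}"
    if version == "json_src_ip":     # whole JSON message, host carries src ptr
        return f"{header} {host_full} forwarder: {body_json}"
    if version == "json_parser":     # whole JSON message, host = LM.parser
        return f"{header} LM.{meta['parser']} forwarder: {body_json}"
    if version == "raw":             # unchanged raw field, no added header
        return raw
    if version == "raw_src_ip":      # raw field, header carries the source IP
        return f"{header} {meta['src_ip']} forwarder: {raw}"
    raise ValueError(f"unknown format version: {version}")
```

With the "original" version the forwarded line carries two PRIVAL prefixes (the added one and the one still inside the raw payload), so a receiver must parse only the outer header and treat everything after "forwarder: " as opaque payload.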