I was doing some tests with the newly introduced PRTG Syslog-Receiver Sensor. Now I have the problem that I don’t know how the syslog message has to be sent so that PRTG will be able to interpret the message correctly and recognize the additional fields like “Name of the App”, “Process ID”, “Msg ID” and “Data”. Right now our devices (Paloalto Firewall) are sending the messages in a format in which the whole message is displayed in the “Message” field.
Not all fields are included in both formats.
If the whole message is in the message field there is usually a problem with parsing the timestamp at the beginning of the message (there are a lot of different formats).
You can activate the "Log Data to Disk" option at the very end of the syslog sensor settings and send us the generated logfile to check the message format. The file is located in the "Logs (Debug)\" folder and has the name "UDP Debug Port x.log" (with x the port number used for the syslogs).
In my case the whole message is not in the message field. The field identifier (the one between Facility and Severity) seems to work. It looks like any sign other than an alphanumeric character is identified as a separator (for example: identifier,message........). Are there some other separators to use so that after the message the other fields will be recognized?
If you are using BSD style syslog messages and the timestamp is read correctly please read section 4.1.3 of the RFC:
The MSG part has two fields known as the TAG field and the CONTENT field. The value in the TAG field will be the name of the program or process that generated the message. The CONTENT contains the details of the message. This has traditionally been a freeform message that gives some detailed information of the event. The TAG is a string of ABNF alphanumeric characters that MUST NOT exceed 32 characters. Any non-alphanumeric character will terminate the TAG field and will be assumed to be the starting character of the CONTENT field. Most commonly, the first character of the CONTENT field that signifies the conclusion of the TAG field has been seen to be the left square bracket character ("["), a colon character (":"), or a space character. This is explained in more detail in Section 5.3.
The other fields (beyond severity, facility, timestamp) are only available in the new syslog format.
I also recently fired up the new syslog sensor and was able to receive messages, although some fields are missing.
I send the log data via the rfc5424 format, example:
<30>1 2014-07-31T13:47:30.957146+02:00 host1 snmpd 23611 - - Connection from UDP: [127.0.0.1]:58374->[127.0.0.1]
and the sensor puts facility, severity, hostname and msg into the according fields.
However, the timestamp is missing the microseconds, and the app-name + procid are completely missing.
Am I missing something or is the sensor parser not yet complete/robust?
Regards, Andreas John
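As an added example (not code from this thread or from PRTG), here is a small Python parser that applies both rules discussed above: the RFC 3164 TAG/CONTENT split at the first non-alphanumeric character quoted from section 4.1.3, and the RFC 5424 header with app-name, procid and msgid from the example message. The field names in the returned dict are my own assumption; the BSD-style sample lines used to exercise it are constructed.

```python
import re

# RFC 5424 header: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA [MSG],
# space-separated; any field may be the NILVALUE "-".
RFC5424 = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ver>\d{1,2}) (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) "
    r"(?P<procid>\S+) (?P<msgid>\S+) (?P<sd>-|(?:\[(?:[^\]\\]|\\.)*\])+)(?: (?P<msg>.*))?$"
)
# RFC 3164 (BSD) header: <PRI>Mmm dd hh:mm:ss HOSTNAME, then the MSG part.
RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) (?P<rest>.*)$"
)
# MSG = TAG CONTENT: TAG is up to 32 alphanumerics and ends at the first
# non-alphanumeric character, which becomes the first character of CONTENT.
TAG = re.compile(r"^(?P<tag>[A-Za-z0-9]{1,32})(?P<content>.*)$")


def split_pri(pri: int):
    """PRI = facility * 8 + severity; 30 -> facility 3 (daemon), severity 6 (info)."""
    return pri // 8, pri % 8


def nil(value: str):
    """'-' is the RFC 5424 NILVALUE for an absent field."""
    return None if value == "-" else value


def parse_syslog(line: str) -> dict:
    """Return the header fields of one syslog line; the field names are our own."""
    m = RFC5424.match(line)
    if m:
        facility, severity = split_pri(int(m["pri"]))
        return {"format": "rfc5424", "facility": facility, "severity": severity,
                "timestamp": m["ts"], "hostname": m["host"], "app": nil(m["app"]),
                "procid": nil(m["procid"]), "msgid": nil(m["msgid"]),
                "sd": nil(m["sd"]), "msg": m["msg"]}
    m = RFC3164.match(line)
    if m:
        facility, severity = split_pri(int(m["pri"]))
        t = TAG.match(m["rest"])
        return {"format": "rfc3164", "facility": facility, "severity": severity,
                "timestamp": m["ts"], "hostname": m["host"],
                "tag": t["tag"] if t else None,
                "msg": t["content"] if t else m["rest"]}
    # No header matched (e.g. an unrecognised timestamp format): keep the whole
    # line as the message, which is the behaviour the thread describes in PRTG.
    return {"format": "unparsed", "msg": line}
```

Feeding the thread's own line `<30>1 2014-07-31T13:47:30.957146+02:00 host1 snmpd 23611 - - Connection from UDP: ...` yields app `snmpd`, procid `23611`, facility 3 and severity 6, while a BSD line such as `identifier,message` splits into tag `identifier` and content `,message`.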
This sensor is still in Beta so it's not yet "complete" in the sense that there are still a few bugs that we are working out. The app-name + procid not showing is a bug that is going to be fixed in one of the next versions (it should be in the preview version soon), but the milliseconds are something that we ignore in the messages.
Thanks for your reply,
I'm glad to see that the bugs are known and handled, so I happily wait for the next version.
Regards, Andreas John