Syslog / CEF format

Options
StefanZ
StefanZ Posts: 190  Master Member
First Anniversary 10 Comments Friend Collector First Answer

I am wondering why all logs I send to my Graylog server are prepended with the facility ID.

This breaks the auto-parsing on CEF / syslog messages and one must instead handle a RAW input with custom filters.

Example Log:

<142>May 17 13:14:28 usgflex200 CEF:0|ZyXEL|USG FLEX 200|5.36(ABUI.1)|0|IKE|4|devID=aaaaaabbbbbb src=xxx.xxx.xxx.xxx dst=xxx.xxx.xxx.xxx spt=500 dpt=500 dvchost=usgflex200 msg=The cookie pair is : 0xfd348ce9397121212 / 0x75e6d538831121212 cat=IKE ZYlevel=info ZYnote=IKE_LOG

The <142> seems to be the Facility Code "Local 1".
BUT WHY is it prepended to the real message? If I remember correctly, the NWA50AX AccessPoints exhibit the same behaviour.

Since I expect others to have the same problem:
Has anyone here built any GROK extractors for Zyxel Logs? Preferably CEF format, because the pure "Syslog" setting seems to give less details.

All Replies

  • lalaland
    lalaland Posts: 90  Ally Member
    First Anniversary 10 Comments Friend Collector First Answer
    Options

    It's about the syslog message header.

    The first 5 bits 10001 maps to facility Local 1

    The last 3 bits 110 maps to level INFO

    Raw data binary 10001110 to decimal is 142.

    Is the prepended number in syslog also can be seen in other brand device ?

  • StefanZ
    StefanZ Posts: 190  Master Member
    First Anniversary 10 Comments Friend Collector First Answer
    Options

    Ah, great info! Thank you!

    OK, so generally the leading facility / level info allow it easy to sort the messages for logging servers with little effort – but break native CEF parsing. At least I found nothing to support that this is part of the official format.

Security Highlight