Syslog / CEF format
I am wondering why all logs I send to my Graylog server are prepended with the facility ID.
This breaks the auto-parsing on CEF / syslog messages and one must instead handle a RAW input with custom filters.
Example Log:
<142>May 17 13:14:28 usgflex200 CEF:0|ZyXEL|USG FLEX 200|5.36(ABUI.1)|0|IKE|4|devID=aaaaaabbbbbb src=xxx.xxx.xxx.xxx dst=xxx.xxx.xxx.xxx spt=500 dpt=500 dvchost=usgflex200 msg=The cookie pair is : 0xfd348ce9397121212 / 0x75e6d538831121212 cat=IKE ZYlevel=info ZYnote=IKE_LOG
The <142> seems to be the Facility Code "Local 1".
BUT WHY is it prepended to the real message? If I remember correctly, the NWA50AX AccessPoints exhibit the same behaviour.
Since I expect others to have the same problem:
Has anyone here built any GROK extractors for Zyxel Logs? Preferably CEF format, because the pure "Syslog" setting seems to give less details.
All Replies
It's about the syslog message header.
The first 5 bits, 10001, map to facility Local 1.
The last 3 bits, 110, map to level INFO.
The raw binary value 10001110 in decimal is 142.
Can the prepended number in syslog also be seen on devices from other brands?
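As an added example (not code from the thread, from Zyxel or from Graylog), here is a Python parser that does what the reply above describes: it decodes the <PRI> prefix into facility and severity with PRI = facility * 8 + severity, drops the BSD syslog header, and then parses the CEF header and extension pairs from the remainder, using the log line from the question as input. The seven-field header layout and the field names are assumptions taken from the CEF format; the facility/severity tables follow RFC 3164.

```python
import re
# Facility and severity tables from RFC 3164/5424: PRI = facility * 8 + severity.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news", "uucp",
              "cron", "authpriv", "ftp", "ntp", "security", "console", "solaris-cron",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
# BSD syslog header as the USG emits it: <PRI>Mmm dd hh:mm:ss hostname payload
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<msg>.*)$")
CEF_HEADER = ["version", "vendor", "product", "device_version", "signature_id", "name", "severity"]
# Extension values may contain spaces (see msg= in the sample): read lazily up to the next " key=".
EXT_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")

def split_cef_header(body):
    """Return the seven pipe-delimited header fields (honouring the \\| escape) and the rest."""
    fields, cur, i = [], [], 0
    while i < len(body) and len(fields) < 7:
        ch = body[i]
        if ch == "\\" and i + 1 < len(body):      # escaped pipe or backslash
            cur.append(body[i + 1]); i += 2
        elif ch == "|":
            fields.append("".join(cur)); cur = []; i += 1
        else:
            cur.append(ch); i += 1
    return fields, body[i:]

def parse_syslog_cef(line):
    """Decode the <PRI> prefix, strip the BSD header, then parse the CEF payload."""
    m = SYSLOG_RE.match(line.strip())
    if not m: raise ValueError("not a BSD syslog line with a <PRI> prefix")
    pri = int(m.group("pri"))
    if pri > 191: raise ValueError("PRI out of range (max 191)")
    facility, severity = divmod(pri, 8)           # 142 -> (17, 6) = local1 / info
    payload = m.group("msg")
    if not payload.startswith("CEF:"): raise ValueError("payload is not CEF")
    header, ext = split_cef_header(payload[len("CEF:"):])
    if len(header) != 7: raise ValueError("truncated CEF header")
    return {"pri": pri, "facility": FACILITIES[facility], "severity": SEVERITIES[severity],
            "timestamp": m.group("ts"), "host": m.group("host"),
            "cef": dict(zip(CEF_HEADER, header)),
            "ext": {k: v.replace("\\=", "=") for k, v in EXT_RE.findall(ext)}}

SAMPLE = (  # the line from the original post (addresses already masked there as xxx.xxx.xxx.xxx)
    "<142>May 17 13:14:28 usgflex200 CEF:0|ZyXEL|USG FLEX 200|5.36(ABUI.1)|0|IKE|4|"
    "devID=aaaaaabbbbbb src=xxx.xxx.xxx.xxx dst=xxx.xxx.xxx.xxx spt=500 dpt=500 "
    "dvchost=usgflex200 msg=The cookie pair is : 0xfd348ce9397121212 / "
    "0x75e6d538831121212 cat=IKE ZYlevel=info ZYnote=IKE_LOG")
```

Running parse_syslog_cef(SAMPLE) yields facility local1 and severity info for PRI 142, with the CEF header and extension fields split out; the same logic maps directly onto a Graylog pipeline rule or a GROK pattern of the form <%{POSINT:pri}>%{SYSLOGTIMESTAMP} %{HOSTNAME} %{GREEDYDATA:cef}.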
Ah, great info! Thank you!
OK, so generally the leading facility / level info makes it easy for logging servers to sort the messages with little effort – but it breaks native CEF parsing. At least I found nothing to support that this is part of the official format.