Syslog / CEF format
I am wondering why all logs I send to my Graylog server are prepended with the facility ID.
This breaks the auto-parsing on CEF / syslog messages and one must instead handle a RAW input with custom filters.
Example Log:
<142>May 17 13:14:28 usgflex200 CEF:0|ZyXEL|USG FLEX 200|5.36(ABUI.1)|0|IKE|4|devID=aaaaaabbbbbb src=xxx.xxx.xxx.xxx dst=xxx.xxx.xxx.xxx spt=500 dpt=500 dvchost=usgflex200 msg=The cookie pair is : 0xfd348ce9397121212 / 0x75e6d538831121212 cat=IKE ZYlevel=info ZYnote=IKE_LOG
The <142> seems to be the Facility Code "Local 1".
BUT WHY is it prepended to the real message? If I remember correctly, the NWA50AX AccessPoints exhibit the same behaviour.
Since I expect others to have the same problem:
Has anyone here built any GROK extractors for Zyxel Logs? Preferably CEF format, because the pure "Syslog" setting seems to give less details.
All Replies
-
It's about the syslog message header.
The first 5 bits 10001 maps to facility Local 1
The last 3 bits 110 maps to level INFO
Raw data binary 10001110 to decimal is 142.
Is the prepended number in syslog also can be seen in other brand device ?
1 -
Ah, great info! Thank you!
OK, so generally the leading facility / level info allow it easy to sort the messages for logging servers with little effort – but break native CEF parsing. At least I found nothing to support that this is part of the official format.
0
Categories
- All Categories
- 415 Beta Program
- 2.4K Nebula
- 146 Nebula Ideas
- 96 Nebula Status and Incidents
- 5.7K Security
- 262 USG FLEX H Series
- 271 Security Ideas
- 1.4K Switch
- 74 Switch Ideas
- 1.1K Wireless
- 40 Wireless Ideas
- 6.4K Consumer Product
- 249 Service & License
- 387 News and Release
- 84 Security Advisories
- 29 Education Center
- 10 [Campaign] Zyxel Network Detective
- 3.5K FAQ
- 34 Documents
- 34 Nebula Monthly Express
- 85 About Community
- 73 Security Highlight