Documentation for Kiwi Syslog Server

Syslog message modifiers

This documentation is for legacy Kiwi Syslog Server versions 9.8.3 and older.

When a message arrives, various modifications can be made to the message to ensure that it fits within the specified bounds. The length of the message can be reduced, an invalid priority can be corrected and extra CR and LF characters can be removed.

  1. Choose File > Setup to open the Kiwi Syslog Server Setup dialog box.
  2. Click Modifiers.
  3. Specify the following options:

    Replace non-printable characters with <ASCII value>

    Some routers or hosts may send messages that contain control characters in the message text. For example, multi-line messages will contain carriage returns and line feeds. If you enable this option, instead of trying to display control characters, the equivalent ASCII value will be displayed.

    For example, when a carriage return is received, it will be replaced with <013>.

    Remove CR/LF from end of messages

    Some routers or hosts send messages with a CR/LF attached to the end of the message text. This will cause the log files to be double spaced.

    Check this box if you want to remove all trailing CR/LF characters from the messages.

    Remove imbedded date and time from Cisco messages

    When a Cisco device sends a Syslog message, it adds its own time stamp to the message. You may want to remove these extra time stamps to save space or make the logged files more readable.

    This option works by looking for a particular Cisco message format. It will work with the following known Cisco date and time formats:

    • Format for timestamp with timezone

      47: *Mar 1 00:45:43 UTC: %CLEAR-5-COUNTERS: Clear counter on all interfaces by console

    • Format for uptime

      49: 00:54:46: %SYS-5-CONFIG_I: Configured from console by console

    • Format for timestamp localtime with msec

      50: *Mar 1 00:56:30.475: %SYS-5-CONFIG_I: Configured from console by console

    • Format for timestamp localtime with msec and timezone

      51: *Mar 1 00:58:52.767 UTC: %SYS-5-CONFIG_I: Configured from console by console

    • Format for timestamp

      53: *Mar 1 01:11:17: %CLEAR-5-COUNTERS: Clear counter on all interfaces by console

    Allow messages with priority > 191 (use default priority)

    Each Syslog message has a priority code at the beginning of the message. Normally with Unix systems and router devices, this priority code has a value between 0 and 191. Sometimes devices send messages with a priority code higher than 191. Even though the priority value can be higher than 191, there is no standard to define priority levels or facilities above 191.

    If this option is enabled, messages received with a priority higher than 191 will have their priorities set to the default priority setting.

    Allow messages with no priority (use default priority)

    Some routers and hosts may send messages that contain no priority code in the message. In situations where this occurs, you can apply a default priority to the message. Check this box and then set the default priority you want to use from the drop-down lists.

    A normal Syslog message has a priority code at the start of the message text.

    Example: <100>This is a test message

    The priority value should be between 0 and 191 for standard Unix priority codes.

    Maximum message length (bytes)

    This option allows you to limit the maximum message size of incoming messages. You may want to change this to a lower value than the default 4096 bytes if you are only expecting small messages.

    This limit allows the program to reject oversize messages, whether they are sent by hackers or caused by errors in transmission.

    Some Syslog servers may crash when receiving large packets. This option limits the size of the packet that the program will accept and process.

    RFC 3164 states that legal Syslog messages may not exceed 1024 bytes in length (not including packet headers).

  4. Click Apply to save your changes.
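
The control-character, trailing CR/LF, priority and length options described above, sketched as one normalization function. This is an added example, not Kiwi Syslog Server code. The order of the steps, dropping (rather than truncating) oversize input, and the default priority of 13 are assumptions.

```python
import re

MAX_LEN = 4096      # default maximum message length stated on the page
DEFAULT_PRI = 13    # assumed default priority (user.notice); the real value is set in the dialog
PRI_RE = re.compile(rb"^<(\d{1,3})>")

def apply_modifiers(raw, max_len=MAX_LEN, default_pri=DEFAULT_PRI):
    """Return (priority, text) for one datagram, or None if it is oversize."""
    # Maximum message length: drop oversize input before any parsing work.
    if len(raw) > max_len:
        return None
    # Priority handling: missing or > 191 falls back to the default priority.
    m = PRI_RE.match(raw)
    if m:
        pri, body = int(m.group(1)), raw[m.end():]
        if pri > 191:
            pri = default_pri
    else:
        pri, body = default_pri, raw
    # Remove CR/LF from end of messages.
    body = body.rstrip(b"\r\n")
    # Replace non-printable characters with <ASCII value>, so an embedded
    # CR/LF cannot start a second, forged line in the log file.
    text = body.decode("utf-8", errors="replace")
    text = "".join(f"<{ord(c):03d}>" if ord(c) < 32 or ord(c) == 127 else c
                   for c in text)
    return pri, text

if __name__ == "__main__":
    samples = [  # constructed sample datagrams
        b"<100>This is a test message\r\n",
        b"<999>priority out of range",
        b"no priority code",
        b"<13>login failed for bob\r\n<10>forged second entry",
        b"<13>" + b"A" * 5000,
    ]
    for s in samples:
        print(apply_modifiers(s))
```

The fourth sample shows why the replacement option matters for log integrity: the embedded CR/LF and the second priority code end up as visible text inside a single entry instead of a separate line.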