Documentation forKiwi Syslog Server

Script variables — Legacy

This snippet is used for legacy 9.8.3 topics that link to a KSS NG topic of the same name.

Fields, a globally accessible object, passes variables to and from the script. Variables are used to store data values you receive from messages. To access a variable, prefix "Fields." to the variable name. Use the following variables for scripts used with Kiwi Syslog Server.

Depending on the read/write permissions you set for the action or scheduled task, the variables can be modified and returned for use in the syslog program.

Fields.VarFacility

Details The facility value of the message.
Type Integer (0-32767)
Range 0 to 23. List of syslog facility values.

Fields.VarLevel

Details The level value of the message.
Type Integer (0-32767)
Range 0 to 7. List of syslog level values.

Fields.VarInputSource

Details The message input source.
Type Integer (0-32767)
Range 0 to 4. 0=UDP, 1=TCP, 2=SNMP, 3 = KeepAlive, 4 = TLS/Syslog

Fields.VarPeerAddress

Details

The IP address of the sending device in nnn.nnn.nnn.nnn format. If another syslog collector forwards the message, this value contains the original sender's address.

Example A: Firewall device (192.168.1.1) ---> First syslog collector (192.168.1.2) ---> This syslog collector (192.168.1.3).

The field value would be 192.168.1.1.

Example B: Firewall device (192.168.1.1) ---> This syslog collector (192.168.1.3).

The field value would be 192.168.1.1.
Type String
Format nnn.nnn.nnn.nnn (Values are not zero padded.)
Example 192.168.1.67

Fields.VarPeerName

Details If you enable DNS lookup options and a lookup is successful, this field only contains a resolved host name. Otherwise, this field contains the same value as VarPeerAddress in the format nnn.nnn.nnn.nnn. The name identifies the host portion of the fully qualified domain name (FQDN). It does not contain the domain suffix.
Type String
Format myhost

Fields.VarPeerDomain

Details

The domain name of the resolved FQDN. This is the domain suffix. It does not contain the host name. If you enable DNS lookup options, and a lookup is successful, this field only contains a value. Otherwise, this field contains an empty string ("").
Type String
Format mydomain.com

Fields.VarCleanMessageText

Details The modified message text (for example, header removed, DNS lookups, original address removed, and Cisco date removed).
Type String
Example %SEC-6-IPACCESSLOGP: list 101 denied udp 10.0.0.3 (firewall) (137) -> 216.7.14.105 (webserver.company. com) (137), 1 packet

Fields.VarDate

Details The date the message was received by the syslog program.
Type String (10 bytes)
Format YYYY-MM-DD
Example 2005-03-17

Fields.VarTime

Details The time the message was received by the syslog program.
Type String (8 bytes)
Format HH:MM:SS
Example 23:10:04

Fields.VarMilliSeconds

Details The time the message was received by the syslog program, in milliseconds past the second.
Type String (3 bytes)
Range 000 to 999
Format nnn (three bytes, zero padded)

Fields.VarSocketPeerAddress

Details

The IP address of the device, or the closest syslog collector, that sent the message.

Example A: Firewall device (192.168.1.1) ---> First syslog collector (192.168.1.2) ---> This syslog collector (192.168.1.3)

The field value would be 192.168.1.2.

Example B: Firewall device (192.168.1.1) ---> This syslog collector (192.168.1.3)

The field value would be 192.168.1.3.
Type String
Format nnn.nnn.nnn.nnn (Values are not zero padded.)
Example 192.168.1.67

Fields.VarPeerAddressHex

Details

The IP address of the device that sent the message converted to an 8 digit hex value.

The IP Mask and IP Range filters use a hex address. If you make changes to the VarPeerAddress and want to use the IP Mask or Range filters, you must also make changes to the VarPeerAddressHex field.
Type String (8 bytes)
Range 00000000 to FFFFFFFF
Example C0A80102 (192.168.1.2 converted to 2 byte zero padded hex)

Fields.VarPeerPort

Details The UDP/TCP port that the message was sent from.
Type Integer (0-65535)
Range 0 to 65535
Typically A value greater than 1023

Fields.VarLocalAddress

Details The IP address that the message was sent to on this machine.
Type String
Examples 127.0.0.1, 192.0.2.0

Fields.VarLocalPort

Details The local machine UDP/TCP port that received the message.
Type Integer (0-65535)
Range 0 to 65535
Typically 514 for UDP, 1468 for TCP, 162 for SNMP

Fields.VarPriority

Details The message priority value.
Type Integer (0-32767)
Range 0 to 191

Fields.VarRawMessageText

Details

The message as it was received before modification (includes <pri> tag, original address, and so on).

This field is read only. Changing the field within the script does not modify the equivalent program variable.

Custom fields

Custom fields are dynamic and clear with each new message. Use these fields to hold script results so you can use them in Log to file or Log to Database actions.

Use the %VarCustom01 Insert message content or counter option or the AutoSplit syntax to pass a field to actions as parameters. You can also break up a message into separate fields through the script and then log them to a file or database in separate fields.

The current field values can be viewed from the Statistics view window under the Counters tab. The custom stats are included in the daily statistics e-mail.

There are 16 of each custom field type - global fields and custom statistic fields - available. Values from 1 to 9 are zero padded (VarCustom01 not VarCustom1).

Inter-script fields: Fields.VarGlobal01 to Fields.VarGlobal16

These static fields do not change with each message. Use these fields to pass values from one script to another or to delay value modification of the same script. Use the %VarGlobal01 Insert message content or counter option or the AutoSplit syntax to pass these values to actions as parameters.

Custom script fields: Fields.VarStats01 to Fields.VarStats16

These static fields do not change with each message. Use these fields to hold your custom statistics and counters. Use the %VarStats01 Insert message content or counter option to pass these values to actions as parameters.

Set names and initial values of the Statistics fields from the Scripting option.

Control and timing fields: Fields.VarGlobal01 to Fields.VarGlobal16

Fields.ActionQuit

Details

Set this field to define what occurs after you run the script.

  • A value of 0 means the program continue on to the next action in the rule.
  • A value of 1 to 99 means skips the next n actions within this rule (1 = skip the next 1 action, 3 = skip the next 3 actions).
  • A value of 100 means jump to the next rule.
  • A value of 1000 means skip all rules and stop processing this message.

A value of 0 is assumed if no value is set.
Type Integer (0-32767) Range: 0 to 1000
Enum 0=No skip, 1-99=skip next n actions, 100=skip to next rule, 1000=stop processing message

Fields.SecondsSinceMidnight

Details The number of seconds elapsed since midnight.
Type Long (0-2 billion)
Range 0 to 86400

Fields.SecondsSinceStartup

Details The number of seconds elapsed since the program started.
Type Long (0-2 billion)