Use the syslog protocol in KSS NG
The syslog protocol in Kiwi Syslog Server NG (KSS NG) provides a standard method of handling log messages, centralizing logs, message labeling, and creating a secure environment. Learn how to use the syslog protocol in KSS NG using facilities, levels, priority values, ports, and the RFC 3164 header format.
Syslog facilities
Syslog facility values are a way of determining which process of the system or application created a syslog message. Since the syslog protocol was originally written on Berkeley Software Distribution Unix (BSD), the facilities reflect the names of Unix processes and daemons.
To view the facility number of syslog messages:
- In the KSS NG web console, click the Events tab.
- Select the user display you want to view from the dropdown.
- View the facility number in the Events columns that contain the syslog messages.
- Click the Facility tab under Filters on the left to filter messages by facility number.
You can also view the syslog facilities for each event by setting up an Events widget in the user dashboard. See Add and customize widgets in the KSS NG dashboard.
Use the table below to determine the source of the syslog messages you receive.
Available facilities
Facility value | Description |
---|---|
0 | Kernel messages |
1 | User-level messages |
2 | Mail system messages |
3 | System daemon messages |
4 | Security and authorization messages |
5 | Messages generated internally by KSS NG |
6 | Line printer subsystem messages |
7 | Network news subsystem messages |
8 | UUCP subsystem messages |
9 | Clock daemon messages |
10 | Security and authorization messages |
11 | FTP daemon messages |
12 | NTP subsystem messages |
13 | Log audit messages |
14 | Log alert messages |
15 | Clock daemon messages |
16 | Local use 0 (Local0) messages |
17 | Local use 1 (Local1) messages |
18 | Local use 2 (Local2) messages |
19 | Local use 3 (Local3) messages |
20 | Local use 4 (Local4) messages |
21 | Local use 5 (Local5) messages |
22 | Local use 6 (Local6) messages |
23 | Local use 7 (Local7) messages |
If you are receiving messages from a Unix system, use the user-level facility as your first choice. Local0 through Local7 are not used by Unix and are typically used by networking equipment. For example, Cisco routers use Local6 or Local7.
Syslog severity levels
Use syslog severity levels to determine how urgent or important each log message is. You can use severity levels to prioritize, respond, and set up protocols for your company's response to events by urgency.
To view the severity level of syslog messages:
- In the KSS NG web console, click the Events tab.
- Select the user display you want to view from the dropdown.
- View the Level number in the Events columns that contain the syslog messages. This is the severity level value.
- Click the Level tab under Filters on the left to filter messages by severity level.
You can also view the severity levels of syslog messages by setting up widgets in the user dashboard. See Add and customize widgets in the KSS NG dashboard.
Severity levels range from 0 (most urgent) to 7 (least urgent). See the table below.
Severity levels
Severity level | Description |
---|---|
0 | Emergency — System failure. This can include events such as a kernel panic or major hardware failure that can affect multiple servers, sites, and applications. |
1 | Alert — Action must be taken immediately. This should be corrected immediately; notify staff who can fix the problem. An example is loss of the backup ISP connection. |
2 | Critical — Critical conditions. This includes critical events, such as loss of the primary ISP connection or a hard drive failure, that should be corrected immediately. |
3 | Error — Error conditions. This includes non-urgent failures that affect functionality, such as failed login attempts. They should be relayed to system administrators and resolved within a given time. |
4 | Warning — Warning conditions. This includes warnings of potential errors or failures if action is not taken, such as high memory usage or drives reaching disk capacity. |
5 | Notice — Normal but significant condition. This includes normal operational messages that contain noteworthy events, such as configuration changes or account password changes. |
6 | Informational — Informational messages. This includes normal operational messages, such as system startups or user logins, that do not require action. |
7 | Debug — Debug-level messages. This includes messages with detailed information used for debugging by developers or system administrators, such as variable values or function calls. |
It is recommended to use the Notice or Informational severity level for normal messages.
Syslog priority values
Syslog priority values indicate the importance of a syslog message by combining its facility and severity level. The value ranges from 1 to 191, with no leading zeros or spaces. Priority values are enclosed in <> delimiters and appear at the beginning of each syslog message.
The priority value is calculated using the following formula: Priority = Facility * 8 + Level
For example, facility 4 (security and authorization messages) and severity level 2 (Critical) give 4 * 8 + 2 = 34. See the following example of a priority value of 34 in a syslog message:
<34>Sep 11 11:01:53 myhost: This is a test log message.
Syslog ports
KSS NG can listen for UDP messages and TCP messages. Syslog messages are typically sent using UDP. Some networking devices, such as the Cisco PIX firewall, can send messages using TCP to ensure each packet is received and acknowledged by KSS NG.
- When sending messages using UDP, the default destination port is 514.
- When sending messages using TCP, the default destination port is 1468.
For ports used by KSS NG, review the KSS NG system requirements.
Syslog RFC 3164 header format
KSS NG uses the RFC 3164 header format for formatting syslog messages. The RFC 3164 header format consists of a priority value, header (containing the timestamp and hostname), and generated text message in each syslog message. See the table below for details.
Name of component | Description |
---|---|
PRI | The syslog priority value, calculated from the facility number and severity level of the syslog message. |
HEADER | Contains the timestamp and hostname. |
MSG | Contains the generated text message, which consists of the TAG and CONTENT fields. |
The format of the syslog message appears as <PRI>TIMESTAMP HOSTNAME TAG CONTENT. See an example of a syslog message from Kiwi SyslogGen that is formatted according to the RFC 3164 standard:
<34>Jul 10 12:00:00 192.168.1.1 SyslogGen This is a test message.
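As an added example (not code from the KSS NG documentation or product), the priority formula from the Syslog priority values section and the RFC 3164 layout above are worked into a small Python parser: it validates the header, splits a PRI back into facility and severity, and returns None for malformed lines so they can be quarantined rather than guessed at. The short facility and severity names are the conventional Unix names, an assumption of this example rather than KSS NG's own labels; the two sample lines are the ones shown on this page.

```python
import re
from dataclasses import dataclass

# Short names in facility order 0..23 and severity order 0..7, matching the tables above.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news", "uucp",
              "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock"] + [f"local{i}" for i in range(8)]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# <PRI>TIMESTAMP HOSTNAME TAG CONTENT: PRI is 1-3 digits with no leading zero or spaces;
# TIMESTAMP is "Mmm dd hh:mm:ss" with a space-padded day; TAG is up to 32 alphanumerics,
# and the first non-alphanumeric character after it begins CONTENT.
_LINE = re.compile(
    r"^<(0|[1-9]\d{0,2})>"
    r"([A-Z][a-z]{2} [ 0-3]\d \d\d:\d\d:\d\d) "
    r"(\S+) "
    r"([A-Za-z0-9]{1,32})(.*)$",
    re.DOTALL,
)

@dataclass
class SyslogMessage:
    pri: int
    facility: int
    severity: int
    timestamp: str
    hostname: str
    tag: str
    content: str

def make_pri(facility: int, severity: int) -> int:
    """Priority = Facility * 8 + Level, the formula given on this page."""
    if not (0 <= facility <= 23 and 0 <= severity <= 7):
        raise ValueError("facility must be 0..23 and severity 0..7")
    return facility * 8 + severity

def split_pri(pri: int) -> tuple:
    """Invert make_pri into (facility, severity). <0> (kern.emerg) is valid under RFC 3164."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI {pri} outside 0..191")
    return divmod(pri, 8)

def parse(line: str):
    """Parse one RFC 3164 line; None means malformed header or out-of-range PRI (quarantine it)."""
    m = _LINE.match(line)
    if m is None or int(m.group(1)) > 191:
        return None
    facility, severity = split_pri(int(m.group(1)))
    # The separator that terminated TAG is dropped so CONTENT reads cleanly.
    return SyslogMessage(int(m.group(1)), facility, severity, m.group(2), m.group(3),
                         m.group(4), m.group(5).lstrip(" :"))
```

A line such as "<034>..." is rejected because the leading zero violates the PRI rule, which is worth checking on any relay that forwards into KSS NG.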