Syslog Monitoring with FrameFlow

Catch Incoming Syslog Messages and Alert Based on their Content

FrameFlow v2016.6 added syslog monitoring. Let’s learn a bit more about the syslog protocol and how to make the most of it with FrameFlow.

What is Syslog and What Are Its Uses?

What is Syslog? It’s a protocol used by Linux-based systems and by many types of networking gear. Syslog messaging works in a fashion similar to SNMP traps: you configure your syslog devices to send messages to a central server, which decides how to handle them. For example, your Cisco switch can be configured to send syslog messages when the link status of any port changes, or when console logins fail.

Examples of Cisco syslog messages

Generic Protocol

Syslog is a very generic protocol that allows for multiple uses. Each syslog message includes two standard codes. The first is called the "facility code", and it can have one of 24 different values that help to categorize each syslog message. Unfortunately, many of these were set in stone in the early days of Unix, so they are rarely applicable now. For example, code 6 is reserved for messages about the "line printer subsystem." Luckily, the protocol designers added 8 generic facility codes called local0 through local7. These local codes are the ones that are typically used now.

The second is called the "priority level" code, and it has 8 values of its own: Emergency, Alert, Critical, Error, Warning, Notice, Informational, and Debug. These are often used for filtering messages. For example, you could configure a device to send syslog messages only for emergency and critical conditions.

In addition to the two standard codes, each syslog message carries the message text itself: a free-form string containing whatever the device wants to deliver. There is no standard defining the content of the message, so manufacturers typically define their own on a case-by-case basis.

FrameFlow Syslog Receiver

Starting with v2016.6, the FrameFlow monitoring service includes a syslog receiver. That means you can configure your devices to send syslog messages to your FrameFlow system, and they will automatically be received and recorded. The next step is monitoring. In your FrameFlow configuration, add a new event monitor and select the Syslog event monitor. It has options to convert the priority and facility codes into text strings. It also has options to scan the syslog message for specified keywords and text strings. There are four keyword fields, corresponding to the four severity levels implemented for FrameFlow alerts.
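The two standard codes and the keyword scan described above, as an added Python example that is not FrameFlow's code or part of the original article: it decodes the PRI of a syslog line into facility and priority names and then assigns an alert level by keyword, the same two steps the Syslog event monitor performs. The alert level names, keyword lists and sample lines are assumptions constructed for the example.

```python
import re

# Facility names for codes 0-23 (RFC 3164); 16-23 are the generic local0..local7.
FACILITIES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
]
# The eight priority levels, code 0 (most severe) to 7.
SEVERITIES = ["Emergency", "Alert", "Critical", "Error", "Warning",
              "Notice", "Informational", "Debug"]
# Assumed alert levels and keywords (the page does not name FrameFlow's four
# fields); ordered most to least severe so the first match wins.
KEYWORD_RULES = [
    ("Critical", ["changed state to down", "login failed"]),
    ("Error", ["failed password"]),
    ("Warning", ["invalid user"]),
    ("Info", ["accepted publickey"]),
]
_PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)

def parse_syslog(line):
    """Decode a BSD-style syslog line: PRI = facility * 8 + severity, so <187>
    is local7.Error. A missing or malformed PRI is treated as <13> (user.Notice),
    which is what RFC 3164 tells a relay to assume for such a message."""
    m = _PRI_RE.match(line)
    if m and int(m.group(1)) <= 191:
        pri, body = int(m.group(1)), m.group(2)
    else:
        pri, body = 13, line
    return {"facility": FACILITIES[pri // 8], "severity": SEVERITIES[pri % 8],
            "message": body.strip()}

def classify(message, rules=KEYWORD_RULES):
    """Return the alert level whose keyword list matches first (case-insensitive)."""
    text = message.lower()
    for level, keywords in rules:
        if any(k.lower() in text for k in keywords):
            return level
    return None

# Constructed sample lines, not real captures.
SAMPLE_LINES = [
    "<187>Jan 12 10:15:01 sw01 12: %LINK-3-UPDOWN: Interface Gi0/1, changed state to down",
    "<36>Jan 12 10:17:30 web01 sshd[2210]: Failed password for invalid user test from 203.0.113.9",
    "<14>Jan 12 10:17:02 web01 sshd[2201]: Accepted publickey for deploy from 10.0.0.5",
    "Jan 12 10:18:00 legacy01 cron[77]: job finished, no PRI on this line",
]
```

Because the rules are checked most severe first, the second sample line earns "Error" from "failed password" even though it also contains the "Warning" keyword "invalid user".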

Syslog Monitoring Options in FrameFlow
