FrameFlow v2016.6 added syslog monitoring. Let’s learn a bit more about the syslog protocol and how to make the most of it with FrameFlow.
What is Syslog and What Are Its Uses?
What is Syslog? It’s a protocol used by Linux based systems and various types of networking gear. Syslog messaging works in a fashion that is similar to SNMP traps in that you configure your syslog devices to send messages to a central server which decides how to handle them. For example, your Cisco switch can be configured to send syslog messages when link status changes for any port or to send messages when console logins fail.
Syslog is a very generic protocol that allows for multiple uses. Each syslog message includes two standard codes. The first is called the “facility code” and it can have one of 24 different values that help to categorize each syslog message. Unfortunately, many of these were set in stone in the early days of Unix so they are rarely applicable now. For example, code 6 is reserved for messages about the “line printer subsystem.” Luckily the protocol designers added 8 generic facility codes called local0 through local7. These local codes are the ones that are typically used now.
The second is called the “priority level” code and it has 8 values of its own: Emergency, Alert, Critical, Error, Warning, Notice, Informational, and Debug. These are often used for filtering messages. For example, you could configure a device to only send syslogs for emergency and critical conditions.
In addition to the two standard codes is the message itself, which is a text string that can contain any message that the device wants to deliver. There are no standards to define the content of the message so manufacturers typically define their own on a case by case basis.
FrameFlow Syslog Receiver
Starting with v2016.6, the FrameFlow monitoring service includes a syslog receiver. That means you can configure your devices to send syslog to your FrameFlow system and they will automatically be received and recorded. The next step is monitoring. In your FrameFlow configuration, add a new event monitor and select the Syslog event monitor. It has options to convert the priority and facility codes into text strings. It also has options to scan the syslog message for specified keywords and text strings. There are four keyword fields corresponding to the four severity levels implemented for FrameFlow alerts.
Event Monitor Configuration
The Syslog event monitor runs locally on the FrameFlow system. Since it does not need to reach out over the network, it runs very quickly and that’s good news because you probably want to get timely alerts about incoming systems. For the reasons above, it’s usually a good idea to set the event monitor run on a fairly fast schedule, perhaps every 15 seconds or even faster.
Syslog Wrap Up
We hope you’ve enjoyed this summary of the syslog protocol, how it’s used and how you can monitor it using FrameFlow. To get started with it just make sure you are running v2016.6 or later and then add your syslog event monitor.