Document syslog message structure per platform
mirceaulinic committed Nov 7, 2017
1 parent e18ab3a commit e6da009
Showing 5 changed files with 135 additions and 71 deletions.
32 changes: 13 additions & 19 deletions docs/syslog/eos.rst
Expand Up @@ -4,27 +4,21 @@
Arista EOS
==========

In general, the structure of the syslog messages generated by EOS has the
following format:

.. _syslog-eos-pri:
``<PRI><datetime> <hostname> <process-name>: %<facility-name>-<severity>-<tag>: <MSG>``

PRI
---
Where:

In addition to the `standard PRI <https://www.balabit.com/documents/syslog-ng-ose-latest-guides/en/syslog-ng-ose-guide-admin/html/ietfsyslog-pri.html>`_ classification, EOS defines the following facilities:
- ``hostname``: The device that generated the message. To ensure that the hostname is included, follow the instructions from :ref:`device-configuration-eos`.
- ``datetime``: The time when the message was generated in the format: ``MMM dd hh:mm:ss``.
- ``process-name``: The name of the process that generated the mesage.
- ``facility-name``: The name of the Facility.
- ``severify``: The value of the Severity.
- ``tag``: The syslog message tag.

+----------------+------------------------------------------------+
| Numerical code | Facility |
+----------------+------------------------------------------------+
| 0 | kernel messages |
+----------------+------------------------------------------------+

.. _syslog-eos-header:

HEADER
------

.. syslog-eos-msg:
MSG
---
Examples:

``<149>Apr 16 11:04:17 edge01 Rib: %BGP-3-NOTIFICATION: received from neighbor 194.53.172.97 (AS 2611) 6/1 (Cease/maximum number of prefixes reached) 0 bytes
``
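
Review bot: The ``Where:`` list names the field ``severify`` while the format line uses ``<severity>``, so the key a reader looks up does not exist in the format; rename it to ``severity`` and fix "mesage" in the ``process-name`` bullet. The list also puts ``hostname`` before ``datetime`` although the format line has them the other way round; listing the fields in message order makes the description easier to check against a parser. In the example, the closing double backtick sits on its own line after ``0 bytes``, so the inline literal is not closed on the message line; move it up. The example also pairs PRI ``<149>`` (severity 5 by the PRI formula in index.rst) with ``%BGP-3-NOTIFICATION``, so one sentence on whether ``<severity>`` in the tag is expected to match the PRI severity would help anyone who filters on it.
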
38 changes: 37 additions & 1 deletion docs/syslog/index.rst
Expand Up @@ -31,8 +31,44 @@ in the following documents, individually:
PRI
---

The Priority value is calculated by first multiplying the Facility number by 8
and then adding the numerical value of the Severity. For example, a kernel
message (Facility=0) with a Severity of Emergency (Severity=0) would have a
Priority value of 0.

In addition to the `standard PRI <https://www.balabit.com/documents/syslog-ng-ose-latest-guides/en/syslog-ng-ose-guide-admin/html/ietfsyslog-pri.html>`_ classification, each platform defines additional
values for Facility and Severity which may differ from a platform to another.
values for Facility which may differ from a platform to another.

The Severity however usually respects the standard:

+----------------+------------------+------------------------------------------+
| Numerical code | Severity level | Description |
+================+==================+==========================================+
| 0 | emergency | System panic or other condition that |
| | | causes the router to stop functioning |
+----------------+------------------+------------------------------------------+
| 1 | alert | Conditions that require immediate |
| | | correction, such as a corrupted |
| | | system database |
+----------------+------------------+------------------------------------------+
| 2 | critical | Critical conditions, such as hard errors |
+----------------+------------------+------------------------------------------+
| 3 | error | Error conditions that generally have less|
| | | serious consequences than errors in the |
| | | emergency, alert, and critical levels |
+----------------+------------------+------------------------------------------+
| 4 | warning | Conditions that warrant monitoring |
+----------------+------------------+------------------------------------------+
| 5 | notice | Conditions that are not errors but |
| | | might warrant special handling |
+----------------+------------------+------------------------------------------+
| 6 | info | Events or nonerror conditions of interest|
+----------------+------------------+------------------------------------------+
| 7 | debug | Software debugging messages (these appear|
| | | only if a technical support |
| | | representative has instructed you to |
| | | configute this severity level |
+----------------+------------------+------------------------------------------+

.. _syslog-header:
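
Review bot: The PRI paragraph gives only the encoding direction and illustrates it with the degenerate case (Facility=0, Severity=0, Priority 0), which does not show a reader how to interpret a value such as the ``<149>`` used in the platform examples. Add the decode rule (Facility is the PRI divided by 8, rounded down; Severity is the remainder) and one worked non-zero value. In the Severity table, the description for code 7 has "configute" for "configure" and its opening parenthesis is never closed. "from a platform to another" should read "from one platform to another".
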

34 changes: 16 additions & 18 deletions docs/syslog/iosxr.rst
Expand Up @@ -4,27 +4,25 @@
Cisco IOS-XR
============

In general, the structure of the syslog messages generated by IOS-XR has the
following format:

.. _syslog-iosxr-pri:
``<PRI><messageid>: <hostname> <linecard>:<datetime>: <process-name>[<process-id>]: %<facility-name>-<severity>-<tag>: <MSG>``

PRI
---
Where:

In addition to the `standard PRI <https://www.balabit.com/documents/syslog-ng-ose-latest-guides/en/syslog-ng-ose-guide-admin/html/ietfsyslog-pri.html>`_ classification, IOS-XR defines the following facilities:
- ``messageid``: The ID number of the message.
- ``hostname``: The device that generated the message. To ensure that the hostname is included, follow the instructions from :ref:`device-configuration-iosxr`.
- ``linecard``: The linecard slot.
- ``datetime``: The time when the message was generated in the format: ``MMM dd hh:mm:ss.fff`` or ``MMM dd hh:mm:ss.fff ZZZ``.
- ``process-name``: The name of the process that generated the mesage.
- ``process-id`` The PID of the process that generated the message.
- ``facility-name``: The name of the Facility.
- ``severify``: The value of the Severity.
- ``tag``: The syslog message tag.

+----------------+------------------------------------------------+
| Numerical code | Facility |
+----------------+------------------------------------------------+
| 0 | kernel messages |
+----------------+------------------------------------------------+
Examples:

.. _syslog-iosxr-header:

HEADER
------

.. _syslog-iosxr-msg:

MSG
---
``<149>2647599: vmx01 RP/0/RSP1/CPU0:Mar 28 15:08:30.941 UTC: bgp[1051]: %ROUTING-BGP-5-MAXPFX : No. of IPv4 Unicast prefixes received from 1.2.3.4 has reached 94106, max 125000``

``<187>94307: gw2.acy1 LC/0/2/CPU0:Jul 7 20:16:14.834 : ifmgr[214]: %PKT_INFRA-LINK-3-UPDOWN : Interface TenGigE0/2/0/4, changed state to Down``
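
Review bot: The format line ``%<facility-name>-<severity>-<tag>: <MSG>`` does not match either example: both show a space before the colon (``%ROUTING-BGP-5-MAXPFX :``) and a facility name that itself contains a hyphen (``ROUTING-BGP``, ``PKT_INFRA-LINK``), so anyone splitting on ``-`` from this description would misassign facility and severity. State that ``facility-name`` may contain hyphens and show the space in the format line. The second example also has a bare `` :`` after the timestamp where the first has ``UTC:``; the ``datetime`` bullet should say how the variant without ``ZZZ`` is terminated. Smaller points: the ``process-id`` bullet is missing the colon the other bullets have, ``severify`` should be ``severity``, and "mesage" should be "message".
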
71 changes: 57 additions & 14 deletions docs/syslog/junos.rst
Expand Up @@ -4,25 +4,68 @@
Junos
=====

.. _syslog-junos-pri:
In general, the structure of the syslog messages generated by Junos has the
following format:

PRI
---
``<PRI><datetime> <hostname> <process-name>[<process-id>]: <syslog-tag>: <MSG>``

In addition to the `standard PRI <https://www.balabit.com/documents/syslog-ng-ose-latest-guides/en/syslog-ng-ose-guide-admin/html/ietfsyslog-pri.html>`_ classification, Junos defines the following facilities:
Where:

+----------------+------------------------------------------------+
| Numerical code | Facility |
+----------------+------------------------------------------------+
| 0 | kernel messages |
+----------------+------------------------------------------------+
- ``datetime``: The time when the message was generated in the format: ``MMM dd hh:mm:ss``.
- ``hostname``: The device that generated the message.
- ``process-name``: The name of the process that generated the mesage.
- ``process-id`` The PID of the process that generated the message.
- ``syslog-tag``: The Junos tag of the syslog message. To see all the possible tags, execute ``help syslog ?``.

.. _syslog-junos-header:
Examples:

HEADER
------
``<25>Jun 21 14:03:12 vmx01 eswd[2902]: ESWD_BPDU_BLOCK_ERROR_DISABLED: ge-0/0/17.0: bpdu-block disabled port``

.. _syslog-junos-msg:
``<87>Jul 5 05:52:44 vmx01 rpd[1848]: bgp_read_message:2764: NOTIFICATION received from 1.2.3.4 (External AS 1234): code 6 (Cease) subcode 5 (Connection Rejected)``

.. _syslog-junos-pri:

MSG
PRI
---

Junos defines the following facilities, based on the `standard PRI <https://www.balabit.com/documents/syslog-ng-ose-latest-guides/en/syslog-ng-ose-guide-admin/html/ietfsyslog-pri.html>`_:

+----------------+------------------+---------------------+------------------------------------+
| Numerical code | Standard keyword | Junos facility name | Description |
+================+==================+=====================+====================================+
| 0 | kern | LOG_KERN | Actions performed or errors |
| | | | encountered by the Junos kernel |
+----------------+------------------+---------------------+------------------------------------+
| 1 | user | LOG_USER | Actions performed or errors |
| | | | encountered by user-space processes|
+----------------+------------------+---------------------+------------------------------------+
| 3 | daemon | LOG_DAEMON | | Actions performed or errors |
| | | | | encountered by system processes |
+----------------+------------------+---------------------+------------------------------------+
| 4 | auth | LOG_AUTH | | Authentication and authorization |
| | | | | attempts |
+----------------+------------------+---------------------+------------------------------------+
| 5 | syslog | LOG_SYSLOG | | Actions performed or errors |
| | | | | encountered by the Junos system |
| | | | | logging utility |
+----------------+------------------+---------------------+------------------------------------+
| 7 | news | LOG_NEWS | | Network news subsystem |
+----------------+------------------+---------------------+------------------------------------+
| 10 | authpriv | LOG_AUTHPRIV | | Authentication and authorization |
| | | | | attempts that can be viewed by |
| | | | | superusers only |
+----------------+------------------+---------------------+------------------------------------+
| 11 | ftp | LOG_FTP | | Actions performed or errors |
| | | | | encountered by the FTP process |
+----------------+------------------+---------------------+------------------------------------+
| 12 | ntp | LOG_NTP | | Actions performed or errors |
| | | | | encountered by the Network |
| | | | | Time Protocol (NTP) |
+----------------+------------------+---------------------+------------------------------------+
| 15 | cron | LOG_CRON | | Actions performed or errors |
| | | | | encountered by the cron process |
+----------------+------------------+---------------------+------------------------------------+

To see the messages that are under a specific facility, Junos allows you to
check that using the following command: ``help syslog facility <junos facility name>``,
e.g., ``help syslog facility LOG_USER``.
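
Review bot: In the second example the field in the ``<syslog-tag>`` position is ``bgp_read_message:2764``, which does not look like a tag of the kind shown in the first example (``ESWD_BPDU_BLOCK_ERROR_DISABLED``); the ``syslog-tag`` bullet should say whether such values are expected there, since the text implies every tag is listed by ``help syslog ?``. In the facility table, the Description cells for codes 3 to 15 start with an extra ``|`` that the rows for codes 0 and 1 do not have; drop it so all rows are laid out the same way. The table skips codes 2, 6, 8, 9, 13 and 14 without comment; a sentence saying whether they are unused would close the gap. The ``process-id`` bullet is missing its colon and "mesage" should be "message".
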
31 changes: 12 additions & 19 deletions docs/syslog/nxos.rst
Expand Up @@ -4,27 +4,20 @@
Cisco NX-OS
===========

In general, the structure of the syslog messages generated by IOS-XR has the
following format:

.. _syslog-nxos-pri:
``<PRI><hostname>: <datetime>: %<facility-name>-<severity>-<tag>: <MSG>``

PRI
---
Where:

In addition to the `standard PRI <https://www.balabit.com/documents/syslog-ng-ose-latest-guides/en/syslog-ng-ose-guide-admin/html/ietfsyslog-pri.html>`_ classification, NX-OS defines the following facilities:
- ``hostname``: The device that generated the message.
- ``datetime``: The time when the message was generated in the format: ``MMM dd hh:mm:ss.fff ZZZ``.
- ``facility-name``: The name of the Facility.
- ``severify``: The value of the Severity.
- ``tag``: The syslog message tag.

+----------------+------------------------------------------------+
| Numerical code | Facility |
+----------------+------------------------------------------------+
| 0 | kernel messages |
+----------------+------------------------------------------------+

.. _syslog-nxos-header:

HEADER
------

.. _syslog-nxos-msg:

MSG
---
Examples:

``<190>sw01.pdx01: 2017 Jul 28 14:42:46 UTC: %AUTHPRIV-6-SYSTEM_MSG: pam_unix(dcos_sshd:session): session opened for user luke by (uid=0) - dcos_sshd[12977]
``
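
Review bot: The opening sentence of nxos.rst says the messages are "generated by IOS-XR"; this is the NX-OS page, so it should read NX-OS. The ``datetime`` bullet gives the format as ``MMM dd hh:mm:ss.fff ZZZ``, but the example timestamp is ``2017 Jul 28 14:42:46 UTC``, with a leading year and no fractional seconds; document the format the example shows, or both if both occur. ``severify`` should be ``severity``, and the closing double backtick of the example is on its own line after ``dcos_sshd[12977]``; move it up so the literal ends on the message line.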
