User Guide for Resource Manager Essentials 4.1
OL-11714-01
APPENDIX B

Understanding Syslog Formats

Devices are expected to comply with the following rules when sending syslogs:
The device should include the PRI, as recommended by RFC 3164.
The device could optionally send timestamp information in the header, in the RFC-recommended format. The RFC recommendation does not include time zone information, so it is assumed that the device sends its local time and that the device and the server are in the same time zone.
The device could optionally send hostname information in the header.
To support devices that are in a different time zone than the server, IOS allows the devices to be configured to send the time information along with the time zone (TZ), optionally, in the message part of the syslog packet. Such timestamps should be prefixed with a separator character (such as * or :) so that syslog daemons (such as UNIX syslogd) do not treat them as header information. Treating them as header information could cause UNIX syslogd to misinterpret the time, because it ignores the TZ part of the timestamp.
Considering the above, devices should send syslogs in one of the following formats:
Format A
<187> [timestamp in RFC prescribed format] [device dns name | ip address] [Dummy Value/Counter : ] [ {:|*} mmm dd hh:mm:ss TimeZone ] %FACILITY-[SUBFACILITY-]SEVERITY-MNEMONIC: description
Format B
<187> [timestamp in RFC prescribed format] [device dns name | ip address] [Dummy Value/Counter : ] [ {:|*} yyyy mmm dd hh:mm:ss TimeZone <-|+> hh:mm] %FACILITY-[SUBFACILITY-]SEVERITY-MNEMONIC: description
Examples of good syslog messages (as sent by the device):
<187>%PIX-4-106023 description
<187>Mar 23 10:21:03 %PIX-4-106023 description
<187>*Mar 23 12:12:12 PDT %PIX-4-106023 description
<187>Mar 23 10:21:03 *Mar 23 12:12:12 PDT %PIX-4-106023 description
<187>Mar 23 10:21:03 *2003 Mar 23 12:12:12 PDT -8:00 %PIX-4-106023 description
<187>Mar 23 10:21:03 93: *2003 Mar 23 12:12:12 PDT -8:00 %PIX-4-106023 description
The device ensures that its IP address or DNS name, if defined, is maintained in the message header as the source IP address or source DNS name, irrespective of the interface out of which the syslog message is sent.
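
The following parser for Format A and Format B is an added example, not code from the product or from this guide; it splits a message into its fields, decodes the PRI, and normalises a Format B device timestamp to UTC. The names parse, SYSLOG_RE and SAMPLES are hypothetical. It assumes the hostname is a DNS name or IPv4 address, uses the numeric offset rather than the time zone abbreviation, and, because the examples above do so, accepts a missing colon after the mnemonic and a one-digit offset hour.

```python
import re
from datetime import datetime, timedelta, timezone

MONTHS = "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split()
STAMP = "(?:" + "|".join(MONTHS) + r") [ \d]\d \d\d:\d\d:\d\d"  # mmm dd hh:mm:ss
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>\s*"
    rf"(?:(?P<hdr_time>{STAMP})\s+)?"               # optional header timestamp
    r"(?:(?P<host>(?![*:%])[^\s:%]+)\s+)?"          # optional DNS name or IPv4 address
    r"(?:(?P<counter>\d+):\s*)?"                    # optional dummy value/counter
    rf"(?:[*:](?:(?P<year>\d{{4}}) )?(?P<dev_time>{STAMP}) (?P<tz>[A-Za-z]+)"
    r"(?: (?P<offset>[+-]\d{1,2}:\d\d))?\s+)?"      # separator-prefixed device time
    r"%(?P<facility>[A-Z0-9_]+)-(?:(?P<subfacility>[A-Z0-9_]+)-)?"
    r"(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):?\s*(?P<description>.*)$"
)

def parse(line):
    """Return the parsed fields, or None if the line is not Format A or B."""
    m = SYSLOG_RE.match(line.strip())
    if not m or int(m["pri"]) > 191:                # PRI = facility * 8 + severity
        return None
    rec = m.groupdict()
    rec["pri_facility"], rec["pri_severity"] = divmod(int(rec["pri"]), 8)
    rec["utc"] = None
    if rec["year"] and rec["offset"]:               # Format B: year and offset present
        mon, day, hms = rec["dev_time"].split()
        h, mi, s = map(int, hms.split(":"))
        oh, om = map(int, rec["offset"][1:].split(":"))
        sign = -1 if rec["offset"][0] == "-" else 1
        try:
            tz = timezone(sign * timedelta(hours=oh, minutes=om))
            local = datetime(int(rec["year"]), MONTHS.index(mon) + 1, int(day), h, mi, s, tzinfo=tz)
        except ValueError:                          # impossible date or offset
            return None
        rec["utc"] = local.astimezone(timezone.utc)
    return rec

SAMPLES = [  # six from the page, last one constructed (no * or : separator)
    "<187>%PIX-4-106023 description",
    "<187>Mar 23 10:21:03 %PIX-4-106023 description",
    "<187>*Mar 23 12:12:12 PDT %PIX-4-106023 description",
    "<187>Mar 23 10:21:03 *Mar 23 12:12:12 PDT %PIX-4-106023 description",
    "<187>Mar 23 10:21:03 *2003 Mar 23 12:12:12 PDT -8:00 %PIX-4-106023 description",
    "<187>Mar 23 10:21:03 93: *2003 Mar 23 12:12:12 PDT -8:00 %PIX-4-106023 description",
    "<187>Mar 23 10:21:03 Mar 23 12:12:12 PDT %PIX-4-106023 description",
]
if __name__ == "__main__":
    for sample in SAMPLES:
        print("REJECT" if parse(sample) is None else "OK", sample)
```

A None result marks a message that matches neither format, so a collector can set it aside for review instead of storing it with a guessed timestamp.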