Syslog packets and what they contain
Understanding the syslog format enables you to more easily configure how Sidewinder logs are parsed.
A syslog packet consists of three parts: <PRI>, HEADER, and MSG.
| Section | Description |
|---|---|
| <PRI> | Contains facility and priority information. The Log Server automatically extracts the Facility value from the <PRI> part and converts it to the Syslog Facility field in SMC logs. You do not define patterns for mapping this section in the Logging Profile. |
| HEADER | Contains a time stamp and the host name or IP address of a device. The Log Server automatically extracts the data in the HEADER part. You must define patterns for mapping this section in the Logging Profile. |
| MSG | Contains the text of the syslog message. In the Logging Profile, you define the mapping for parsing this part of the syslog packet. |
This example shows a tcpdump view of a syslog record from a Sidewinder firewall. The example includes the <PRI>, HEADER, and MSG fields.

The syslog message is:

```
LOCAL0.NOTICE: Dec 5 13:57:28 sidewinder auditd: date="2016-12-05 18:57:28 +0000",
fac=f_kernel_ipfilter,area=a_general_area,type=t_nettraffic,pri=p_major,
hostname=test.vm.local,event="session begin",application=any,netsessid=6971f5845b898,
srcip=172.18.1.23,srcport=64189,srczone=internal,protocol=6,dstip=172.31.13.212,
dstport=443,dstzone=external,rule_name="any from protected to outbound",cache_hit=0,
start_time="2016-12-05 18:57:28 +0000"\n
```
In this syslog event, the value of the <PRI> field is LOCAL0.NOTICE.

The HEADER field is Dec 5 13:57:28 sidewinder auditd:
The MSG field is:

```
date="2016-12-05 18:57:28 +0000",fac=f_kernel_ipfilter,area=a_general_area,
type=t_nettraffic,pri=p_major,hostname=test.vm.local,event="session begin",
application=any,netsessid=6971f5845b898,srcip=172.18.1.23,srcport=64189,
srczone=internal,protocol=6,dstip=172.31.13.212,dstport=443,dstzone=external,
rule_name="any from protected to outbound",cache_hit=0,
start_time="2016-12-05 18:57:28 +0000"\n
```
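The three-part split described in the table, and the key=value structure of the Sidewinder MSG body, can be exercised on the record above. The following Python is an added example, not code from the SMC Log Server or its Logging Profile engine: it separates <PRI>, HEADER and MSG, then parses the MSG into fields while keeping quoted values such as `event="session begin"` intact even though they contain spaces (and would contain commas if a rule name did). The tcpdump rendering on this page shows the <PRI> already decoded as FACILITY.SEVERITY; the numeric `<NNN>` form that appears on the wire, and the RFC 3164 facility and severity tables used to decode it, are assumptions added here and are not shown on the page.

```python
"""Split a Sidewinder syslog record into <PRI>, HEADER and MSG and parse the
key=value MSG body. Added example; not SMC product code."""
import re

# Constructed from the record shown on this page (tcpdump rendering, PRI as facility.severity).
SAMPLE_RECORD = (
    'LOCAL0.NOTICE: Dec 5 13:57:28 sidewinder auditd: date="2016-12-05 18:57:28 +0000",'
    'fac=f_kernel_ipfilter,area=a_general_area,type=t_nettraffic,pri=p_major,'
    'hostname=test.vm.local,event="session begin",application=any,netsessid=6971f5845b898,'
    'srcip=172.18.1.23,srcport=64189,srczone=internal,protocol=6,dstip=172.31.13.212,'
    'dstport=443,dstzone=external,rule_name="any from protected to outbound",cache_hit=0,'
    'start_time="2016-12-05 18:57:28 +0000"\n'
)

# RFC 3164 facility/severity names (assumption: only needed for the raw "<NNN>" wire form,
# which the page itself does not show). PRI = facility * 8 + severity.
FACILITIES = ["KERN", "USER", "MAIL", "DAEMON", "AUTH", "SYSLOG", "LPR", "NEWS", "UUCP", "CRON",
              "AUTHPRIV", "FTP", "NTP", "AUDIT", "ALERT", "CLOCK"] + [f"LOCAL{n}" for n in range(8)]
SEVERITIES = ["EMERG", "ALERT", "CRIT", "ERR", "WARNING", "NOTICE", "INFO", "DEBUG"]

# <PRI>: either "<133>" on the wire or "LOCAL0.NOTICE: " as tcpdump prints it.
PRI_RE = re.compile(r'^(?:<(?P<num>\d{1,3})>|(?P<fac>[A-Z0-9]+)\.(?P<sev>[A-Z]+): )')
# HEADER: BSD timestamp (day may be space padded), host, then the tag ending in ":".
HEADER_RE = re.compile(
    r'^(?P<timestamp>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) '
    r'(?P<host>\S+) (?P<tag>[^:\s]+): (?P<msg>.*)$')
# One key=value pair; a quoted value may contain commas and spaces, a bare value may not.
KV_RE = re.compile(
    r'\s*(?P<key>[A-Za-z_][A-Za-z0-9_]*)=(?:"(?P<quoted>[^"]*)"|(?P<bare>[^,]*))(?:,|$)')


def decode_pri(line):
    """Return (facility, severity, rest_of_line) for either <PRI> rendering."""
    m = PRI_RE.match(line)
    if not m:
        raise ValueError("record does not start with a <PRI> part")
    if m.group("num") is not None:
        n = int(m.group("num"))
        if n > 191:  # 23 * 8 + 7 is the largest legal value
            raise ValueError(f"PRI {n} out of range")
        return FACILITIES[n >> 3], SEVERITIES[n & 7], line[m.end():]
    return m.group("fac"), m.group("sev"), line[m.end():]


def parse_kv(msg):
    """Parse the comma-separated key=value MSG body into a dict, preserving quoted values."""
    fields = {}
    pos = 0
    while pos < len(msg):
        m = KV_RE.match(msg, pos)
        if not m:
            raise ValueError(f"unparseable MSG at offset {pos}: {msg[pos:pos + 20]!r}")
        quoted, bare = m.group("quoted"), m.group("bare")
        fields[m.group("key")] = quoted if quoted is not None else bare
        pos = m.end()  # the key is non-empty, so every iteration advances
    return fields


def parse_record(line):
    """Split one syslog record into its <PRI>, HEADER and MSG parts plus parsed MSG fields."""
    line = line.rstrip("\n")
    facility, severity, rest = decode_pri(line)
    h = HEADER_RE.match(rest)
    if not h:
        raise ValueError("HEADER does not match 'Mmm d HH:MM:SS host tag:'")
    return {
        "facility": facility,
        "severity": severity,
        "header": f"{h['timestamp']} {h['host']} {h['tag']}:",
        "msg": h["msg"],
        "fields": parse_kv(h["msg"]),
    }


if __name__ == "__main__":
    rec = parse_record(SAMPLE_RECORD)
    print(rec["facility"], rec["severity"])
    print(rec["header"])
    for key, value in rec["fields"].items():
        print(f"  {key} = {value}")
```

Two points to watch when writing real parsing patterns: the day in the BSD timestamp is space padded for days 1 to 9, so a pattern that assumes exactly one space after the month name drops those records; and splitting the MSG naively on commas breaks as soon as a rule name or event string contains one, which is why the parser above consumes the quoted form before falling back to a bare value.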