Score:0

Why do some companies like Cisco follow a different syslog message format rather than RFC 3164 (BSD syslog) and RFC 5424 (IETF syslog)?

pk flag

According to my understanding the popular syslog formats are:

  • RFC 3164 (BSD syslog):

    Format: <priority>timestamp hostname application: message

    Example: <133>Feb 25 14:09:07 webserver syslogd: restart

  • RFC 5424 (IETF syslog):

    Format: <priority>VERSION ISOTIMESTAMP HOSTNAME APPLICATION PID MESSAGEID STRUCTURED-DATA MSG

    Example: <34>1 2003-10-11T22:14:15.003Z mymachine.example.com su - ID47 - BOM'su root' failed for lonvick on /dev/pts/8

But let's see other companies' log formats:

  • Cisco:

    Example: *Jan 18 03:02:42: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/0, changed state to down

  • Fortinet (here you can see syslog as key-value pairs. Is this even syslog?)

    Example: <190>date=2015-03-30 time=14:42:11 logid=0508020503 type=utm subtype=emailfilter eventtype=smtp level=information vd="root" sessionid=83879670 srcip=12.130.136.122 srcport=48137 dstip=x.x.x.x dstport=25 proto=6 service=SMTP profile="EF_Example" action=log-only from="[email protected]" to="[email protected]" sender="[email protected]" recipient="[email protected]" sentbyte=15369 rcvdbyte=46 direction=outgoing msg="general email log" subject="Novos Treinamentos para Certificação Trend Micro" size="15360" attachment=no

  1. Does that mean the syslog format can be modified according to their needs? Then how can SIEM software parse these logs if different companies follow different syslog formats?
  2. What's the point of having an RFC then if different companies follow different logging practices?
  3. My last question: are these even syslog formats?
cn flag
`how can SIEM softwares can parse these logs if different companies follow different syslog formats?` Because they are simple. Splunk can parse a lot of data structures. It doesn't need to be in Syslog format.
Allan avatar
pk flag
@GregAskew Thanks. You Made it clear :)
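To make the "they are simple" point concrete, here is an added example (not code from the question, the answers, or any vendor) of how a SIEM-style collector copes with the four dialects quoted above: it detects the dialect from the line prefix and normalises all of them onto the common PRI facility/severity scale. The sample lines are constructed from the question's examples (the Fortinet line is trimmed and the e-mail address fields dropped); the regular expressions are this example's own assumptions about each dialect, not a vendor specification.

```python
import re

# Constructed sample lines, modelled on the four formats quoted in the question
# (RFC 3164, RFC 5424, Cisco IOS and Fortinet key=value). Not real traffic.
SAMPLES = {
    "bsd": "<133>Feb 25 14:09:07 webserver syslogd: restart",
    "ietf": ("<34>1 2003-10-11T22:14:15.003Z mymachine.example.com su - ID47 - "
             "\ufeff'su root' failed for lonvick on /dev/pts/8"),
    "cisco": ("*Jan 18 03:02:42: %LINEPROTO-5-UPDOWN: Line protocol on Interface "
              "GigabitEthernet0/0, changed state to down"),
    "fortinet": ('<190>date=2015-03-30 time=14:42:11 logid=0508020503 type=utm '
                 'subtype=emailfilter level=information vd="root" srcip=12.130.136.122 '
                 'srcport=48137 dstip=x.x.x.x dstport=25 action=log-only '
                 'msg="general email log" attachment=no'),
}

# Severity codes 0-7 as defined by both RFCs (Cisco uses the same 0-7 scale).
SEVERITY_NAMES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

PRI_RE = re.compile(r"^<(\d{1,3})>")
# RFC 3164: <PRI>TIMESTAMP HOST TAG[PID]: MSG  (assumed shape)
BSD_RE = re.compile(
    r"^<(\d{1,3})>([A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (\S+) ([^:\s\[]+)(?:\[(\d+)\])?: (.*)$",
    re.S)
# RFC 5424: <PRI>VERSION TIMESTAMP HOST APP PROCID MSGID SD [MSG]  (assumed shape)
IETF_RE = re.compile(
    r"^<(\d{1,3})>(\d) (\S+) (\S+) (\S+) (\S+) (\S+) (-|(?:\[[^\]]*\])+) ?(.*)$", re.S)
# Cisco IOS: [<PRI>][*|.][SEQ: ]TIMESTAMP: %FACILITY-SEVERITY-MNEMONIC: MSG  (assumed shape)
CISCO_RE = re.compile(
    r"^(?:<\d{1,3}>)?([*.])?(?:\d+: )?"
    r"(\w{3} +\d+ \d\d:\d\d:\d\d(?:\.\d{3})?(?: \w+)?): %(\w+)-(\d)-(\w+): (.*)$", re.S)
# key=value pairs, values optionally double-quoted
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def split_pri(pri):
    """Decode <PRI>: facility = PRI // 8, severity = PRI % 8 (identical in both RFCs)."""
    pri = int(pri)
    if pri > 191:
        raise ValueError("PRI out of range: %d" % pri)
    return pri // 8, pri % 8


def parse(line):
    """Detect the dialect and return a normalised dict. Every dialect ends up with the
    same 'severity' scale, so one rule such as severity <= 3 works across vendors."""
    m = IETF_RE.match(line)
    if m:
        pri, ver, ts, host, app, procid, msgid, sd, msg = m.groups()
        fac, sev = split_pri(pri)
        return {"format": "rfc5424", "facility": fac, "severity": sev,
                "severity_name": SEVERITY_NAMES[sev], "version": int(ver),
                "timestamp": ts, "host": host, "app": app, "procid": procid,
                "msgid": msgid, "structured_data": sd,
                # RFC 5424 permits a UTF-8 BOM in front of MSG; drop it
                "msg": msg.lstrip("\ufeff")}
    m = PRI_RE.match(line)
    if m and KV_RE.match(line, m.end()):
        # Fortinet-style: a valid PRI followed directly by key=value pairs
        fac, sev = split_pri(m.group(1))
        fields = {k: v.strip('"') for k, v in KV_RE.findall(line, m.end())}
        return {"format": "kv", "facility": fac, "severity": sev,
                "severity_name": SEVERITY_NAMES[sev], "fields": fields}
    m = BSD_RE.match(line)
    if m:
        pri, ts, host, tag, pid, msg = m.groups()
        fac, sev = split_pri(pri)
        return {"format": "rfc3164", "facility": fac, "severity": sev,
                "severity_name": SEVERITY_NAMES[sev], "timestamp": ts,
                "host": host, "app": tag, "procid": pid, "msg": msg}
    m = CISCO_RE.match(line)
    if m:
        flag, ts, fac, sev, mnemonic, msg = m.groups()
        sev = int(sev)
        return {"format": "cisco", "facility": fac, "severity": sev,
                "severity_name": SEVERITY_NAMES[sev], "mnemonic": mnemonic,
                "timestamp": ts,
                # IOS prefixes '*' or '.' when its clock is not authoritative
                "clock_authoritative": flag is None, "msg": msg}
    return {"format": "unknown", "msg": line}


if __name__ == "__main__":
    for name, line in SAMPLES.items():
        print(name, parse(line))
```

The design point is the one the comment makes: a collector does not need every sender to agree on a header, it needs a cheap way to recognise each dialect (the PRI, the version digit, the `%FAC-SEV-MNEMONIC` token, a `key=` right after the PRI) and a shared severity scale to normalise onto. The Fortinet line still carries a standard PRI, so its facility and severity decode exactly like the RFC examples; only the body is vendor-specific.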
Score:1
mx flag

As a very short answer: because an RFC does not change an existing code base written over the previous 15-25 years.

All kinds of Syslog formats have been developed and used since the early 1980s (AFAIK the concept originated in sendmail, and the first syslog daemon was part of 4.3 BSD in 1986). With the Unix Wars and the end of BSD everyone was free to build what they needed and there was little incentive to standardize anything. A minimal standard would have been "everything the BSD syslogd can process", and even then many implementations consciously deviated from that, for example to add key=value or TCP support.

RFC 3164 is an informational RFC from 2001. It is not normative (in the sense of "this is Syslog and anything else is not"), but rather it takes the approach "look what's out there and describe a small common ground".

RFC 5424 as a proposed standard has that normative approach. But it is from 2009, and even at that time it was "just another optional standard", because it was (and still is) virtually impossible to change all the existing and useful code out there.

JPvRiel avatar
fr flag
I think the wrong RFC was referenced. RFC 3164 vs RFC 3124. The former talks about BSD syslog. The latter about network congestion.
mx flag
Thank you for noticing! I fixed it in the post.
mx flag
One snarky comment: in 2001 there was also a proposed standard, [RFC 3195](https://datatracker.ietf.org/doc/html/rfc3195). It was designed on top of XML and BEEP. That was so out of touch with real users that AFAIK nobody used it in any production-like setup.