Score:0

Server

Why some companies like cisco follow different syslog messaging format rather than rfc 3164 (BSD syslog) and rfc 5424 (IETF syslog)?

Allan

7/28/23, 10:41 AM

According to my understanding the popular syslog formats are:

RFC 3124 (BSD syslog):

Format: < priority >timestamp hostname application: message

Example: <133>Feb 25 14:09:07 webserver syslogd: restart
RFC 5424 (IETF syslog):

Format: < priority >VERSION ISOTIMESTAMP HOSTNAME APPLICATION PID MESSAGEID STRUCTURED-DATA MSG

Example: <34>1 2003-10-11T22:14:15.003Z mymachine.example.com su - ID47 - BOM'su root' failed for lonvick on /dev/pts/8

But Lets see other company's log formats:

Cisco:

Example: *Jan 18 03:02:42: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/0, changed state to down
Fortinet (Here you can see syslog in key-value pair. Is this even syslog?)

Example: <190>date=2015-03-30 time=14:42:11 logid=0508020503 type=utm subtype=emailfilter eventtype=smtp level=information vd="root" sessionid=83879670 srcip=12.130.136.122 srcport=48137 dstip=x.x.x.x dstport=25 proto=6 service=SMTP profile="EF_Example" action=log-only from="[email protected]" to="[email protected]" sender="[email protected]" recipient="[email protected]" sentbyte=15369 rcvdbyte=46 direction=outgoing msg="general email log" subject="Novos Treinamentos para Certificação Trend Micro" size="15360" attachment=no

Does that mean syslog format can be modified according to their needs. Then how can SIEM softwares can parse these logs if different companies follow different syslog formats?.
What's the point of having a RFC then if different companies follow different logging practice?
My Last question, Are these even syslog formats?

0 + 0

linux

unix

logging

syslog

rsyslog

Greg Askew

7/28/23, 11:25 AM

`how can SIEM softwares can parse these logs if different companies follow different syslog formats?` Because they are simple. Splunk can parse a lot of data structures. It doesn't need to be in Syslog format.

Allan

7/28/23, 1:19 PM

@GregAskew Thanks. You Made it clear :)

Score:1

Server

mschuett

7/28/23, 11:19 AM

As a very short answer: because an RFC does not change the existing code base written in 15-25 years.

All kinds of Syslog formats have been developed and used since the early 1980s (AFAIK the concept originated in sendmail, and the first syslog daemon was part of 4.3 BSD in 1986). With the Unix Wars and the end of BSD everyone was free to build what they needed and there was little incentive to standardize anything. A mimimal standard would have been "everything the BSD syslogd can process", and even then many implementations consciously deviated from that, for example to add key=value or TCP support.

RFC 3124 is an informational RFC from 2001. It is not normative (in the sense of "this is Syslog and anything else is not"), but rather it takes the approach "look what's out there and describe a small common ground".

RFC 5424 as a proposed standard has that normative approach. But it is from 2009, and even at that time it is "just another optional standard", becaus it was (and still is) virtually impossible to change all the existing and useful code out there.

0 + 0

JPvRiel

11/16/22, 10:29 AM

I think the wrong RFC was referenced. RFC 3164 vs RFC 3124. The former talks about BSD syslog. The latter about network congestion.

mschuett

11/16/22, 6:45 PM

Thank you for noticing! I fixed it in the post.

mschuett

7/28/23, 12:20 PM

One snarky comment: in 2001 there was also a proposed standard, [RFC 3195](https://datatracker.ietf.org/doc/html/rfc3195). It was designed on top of XML and BEEP. That was so out of touch with real users that AFAIK nobody used it in any production-like setup.

Elon Musk

I sit in a Tesla and translated this thread with Ai:

EN: Why some companies like cisco follow different syslog messaging format rather than rfc 3164 (BSD syslog) and rfc 5424 (IETF syslog)?

TH: เหตุใดบางบริษัทเช่น cisco จึงใช้รูปแบบการส่งข้อความ syslog ที่แตกต่างกันแทนที่จะเป็น rfc 3164 (BSD syslog) และ rfc 5424 (IETF syslog)

RO: De ce unele companii precum Cisco urmează un format de mesagerie syslog diferit, mai degrabă decât rfc 3164 (BSD syslog) și rfc 5424 (IETF syslog)?

RU: Почему некоторые компании, такие как cisco, используют другой формат обмена сообщениями системного журнала, а не rfc 3164 (системный журнал BSD) и rfc 5424 (системный журнал IETF)?

VI: Tại sao một số công ty như cisco tuân theo định dạng nhắn tin nhật ký hệ thống khác thay vì rfc 3164 (nhật ký hệ thống BSD) và rfc 5424 (nhật ký hệ thống IETF)?

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.