Syslog file naming conventions


Within the logs directory, syslog records are written in chronological order and continuously appended as messages arrive. Each file in the logs directory is named yyyy-mm-dd.log, the date on which the syslog information was collected. At midnight the file is closed and is not touched again by the syslog process, and a new file is started for the new date. This naming convention makes it easy to sort the data or to drop old data from the system (for example with the CO-Maint.exe program, discussed later).

Within the syslog files, each line holds one message, consisting of the following information:

  • Date—The first space-delimited field of the message is the date on which the message was received, in yyyy/mm/dd format. It corresponds to the date in the file name and is included so that third-party scripts can process a line without knowing which file it came from.
  • Time—The second space-delimited field of the message is the time at which the message was received, in hh:mm:ss twenty-four-hour format.

    Note

    This is the time at the BMC Defender Server that the message was received and exists in addition to any timestamp within the message content.

    The time value reflects the time zone of the host platform, which many sites set to GMT but which can equally be local time. Any timestamp inside the message content was written by the originator and may use a different zone, so correlate the two with care.

  • IP Address—The third space-delimited field of the message is the IP address of the device that sent the message. It is the address detected by the BMC Defender Server and exists in addition to any address within the message content. This IP address value can be overridden by the Messages > Configure > Overrides > Device screen, replaced with an arbitrary IP address based upon certain patterns that match the message.
  • Facility—The fourth space-delimited field of the message is the textual facility contained in the message. Each syslog message requires a facility to be specified. (If for some reason a message is received without a facility code, the message is still logged, and a default facility of internal is specified.) The list of text values corresponding to the facility codes is found in Syslog-protocol. This facility can be overridden by the Messages > Configure > Overrides > Facility screen, replaced with an arbitrary text string based upon certain patterns that match the message.
  • Severity—The fifth space-delimited field of the message is the textual severity contained in the message. Each syslog message requires a severity to be specified. If a message arrives without one, a severity of debug is assumed. There are eight severity codes: debug, info, notice, warning, error, critical, alert, and emergency. The severities are defined by the syslog standard discussed in Syslog-protocol. The severity can be overridden by the Messages > Configure > Overrides > Severity screen, replaced with some other severity based upon certain patterns that match the message.
  • Message Content—The remainder of the message, to the end of the line, is the arbitrary message content. The syslog standard specifies a maximum of 1024 characters, but the BMC Defender Server logs up to 2000 characters of content per message before truncating it. The content may contain any clear-text ASCII characters as well as control characters and non-ASCII bytes. It is defined by the developer or originator of the message and should be treated as untrusted input by anything that parses or displays it.

The first five fields are space delimited. Everything after the fifth space, up to the end of the line, is the syslog message content, which is completely arbitrary in nature.
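The record layout above is simple enough to parse with one bounded split: five header fields, then everything else is content. The following Python is an added example written for this page, not BMC code; it parses constructed sample lines in the documented layout, checks that each record's date agrees with the yyyy-mm-dd.log file name, escapes control characters before display (a defensive habit of this example, not behaviour the page attributes to the server), and shows the kind of retention selection the naming scheme makes easy. The retention helper is an illustration only and does not describe how CO-Maint.exe works.

```python
"""Parser for the daily syslog file layout: five space-delimited header fields
(date, time, IP, facility, severity) followed by arbitrary message content.
Added example; sample lines and the retention helper are constructed here."""
import re
from dataclasses import dataclass
from datetime import date, datetime, timedelta
from typing import List

SEVERITIES = ("debug", "info", "notice", "warning", "error",
              "critical", "alert", "emergency")
MAX_CONTENT = 2000          # the server keeps up to 2000 characters of content
FILE_NAME_RE = re.compile(r"^(\d{4})-(\d{2})-(\d{2})\.log$")


@dataclass
class SyslogRecord:
    received: datetime  # time of receipt at the server, not a timestamp from the content
    source_ip: str      # sender address as seen by the server (may have been overridden)
    facility: str       # free text after overrides, so it is not validated here
    severity: str       # always one of the eight standard names
    content: str        # arbitrary text from the originator; treat as untrusted


def parse_line(line: str) -> SyslogRecord:
    """Split one log line into its five header fields plus content."""
    # Split at most five times: the sixth element, if present, is the whole
    # remainder of the line, so spaces inside the content are preserved.
    parts = line.rstrip("\r\n").split(" ", 5)
    if len(parts) < 5:
        raise ValueError(f"malformed record (fewer than five header fields): {line!r}")
    day, clock, ip, facility, severity = parts[:5]
    content = parts[5] if len(parts) == 6 else ""
    received = datetime.strptime(f"{day} {clock}", "%Y/%m/%d %H:%M:%S")
    if severity not in SEVERITIES:
        raise ValueError(f"unknown severity {severity!r} in {line!r}")
    return SyslogRecord(received, ip, facility, severity, content[:MAX_CONTENT])


def file_date(name: str) -> date:
    """Map a yyyy-mm-dd.log file name to the date it covers."""
    m = FILE_NAME_RE.match(name)
    if not m:
        raise ValueError(f"not a daily syslog file name: {name!r}")
    return date(int(m.group(1)), int(m.group(2)), int(m.group(3)))


def record_matches_file(name: str, rec: SyslogRecord) -> bool:
    """The date field mirrors the file name; a mismatch points at a misfiled
    or edited line and is worth flagging."""
    return rec.received.date() == file_date(name)


def for_display(content: str) -> str:
    """Escape control characters so content cannot drive the terminal it is
    shown on (the content field may legitimately contain them)."""
    return "".join(ch if ch.isprintable() else repr(ch)[1:-1] for ch in content)


def files_to_drop(names: List[str], today: date, keep_days: int) -> List[str]:
    """Select daily files older than a retention window (illustration of what
    the naming scheme makes easy; hypothetical, not CO-Maint.exe behaviour)."""
    cutoff = today - timedelta(days=keep_days)
    return sorted(n for n in names if file_date(n) < cutoff)


# Constructed sample lines in the documented layout (not real server output).
# The last line is deliberately dated the previous day so the file check fires.
SAMPLE_FILE = "2024-03-15.log"
SAMPLE_LINES = [
    "2024/03/15 00:00:07 10.1.2.3 auth info sshd[4021]: Accepted publickey for ops from 10.1.9.8 port 51022",
    "2024/03/15 13:42:18 10.1.2.44 kern critical kernel: Out of memory: Kill process 2231 (java)",
    "2024/03/15 13:42:19 10.1.2.44 internal debug \x1b[2Jcleared-screen marker",
    "2024/03/14 23:59:59 10.1.2.3 cron notice line whose date field disagrees with the file name",
]


def summarize(lines):
    """Parse every line; return the records and the indexes of any record
    whose date field does not match SAMPLE_FILE."""
    records = [parse_line(l) for l in lines]
    mismatched = [i for i, r in enumerate(records)
                  if not record_matches_file(SAMPLE_FILE, r)]
    return records, mismatched


if __name__ == "__main__":
    recs, bad = summarize(SAMPLE_LINES)
    for r in recs:
        print(r.received, r.source_ip, r.facility, r.severity, for_display(r.content))
    print("records dated outside this file:", bad)
    print("drop:", files_to_drop(["2024-01-01.log", "2024-03-14.log", SAMPLE_FILE],
                                 file_date(SAMPLE_FILE), 30))
```

Because the facility field can be overridden with an arbitrary string, the parser deliberately does not validate it; the severity field, even after an override, is still one of the eight standard names, so that one is checked.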


BMC AMI Command Center for Security 6.2