20.3. Logging to Syslog Servers

Overview

Syslog is a standardized protocol for sending log data, although there is no standardized format for the log messages themselves. The format used by cOS Stream is well suited to automated message processing, filtering and searching.

Although the exact format of each log entry depends on how a Syslog receiver works, most are very much alike. The way in which logs are read is also dependent on how the Syslog receiver works. Syslog daemons on UNIX servers usually log to text files, line by line.

Message Format

Most Syslog recipients preface each log entry with a timestamp and the IP address of the machine that sent the log data:
Feb 5 2000 09:45:23 firewall.ourcompany.com
This is followed by the text the sender has chosen to send.
Feb 5 2000 09:45:23 firewall.ourcompany.com EFW: DROP:
Subsequent text is dependent on the event that has occurred.

In order to facilitate automated processing of all messages, cOS Stream writes all log data to a single line of text. All data following the initial text is presented in the format name=value. This enables automatic filters to easily find the values they are looking for without assuming that a specific piece of data is in a specific location in the log entry.
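As an added example that is not part of the cOS Stream documentation, the following Python code parses the single-line layout described above (receiver timestamp, sending host, the EFW: prefix, then name=value pairs) and filters entries by named field. The sample lines are constructed, and every field name other than Prio, as well as the handling of double-quoted values, is an assumption rather than the documented cOS Stream format:

```python
import re

# Constructed sample lines in the layout this section describes (receiver timestamp,
# sending host, the fixed "EFW:" prefix and event category, then name=value pairs).
# Field names other than Prio, and all values, are assumed for illustration only.
SAMPLE_LOG = """\
Feb 5 2000 09:45:23 firewall.ourcompany.com EFW: DROP: Prio=4 Rule=Deny_All SrcIP=192.0.2.7 DstIP=10.1.1.3 DstPort=514
Feb 5 2000 09:45:24 firewall.ourcompany.com EFW: ALLOW: Prio=5 Rule=Allow_Web SrcIP=192.0.2.8 DstIP=10.1.1.9 DstPort=443
Feb 5 2000 09:45:25 firewall.ourcompany.com EFW: SYSTEM: Prio=6 Event="heartbeat ok"
this line does not follow the expected layout and is skipped
"""

HEADER_RE = re.compile(
    r"^(?P<timestamp>[A-Z][a-z]{2} \d{1,2} \d{4} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<prefix>EFW: [A-Z_]+:)\s*"
    r"(?P<body>.*)$"
)
# One name=value token; a double-quoted value may contain spaces (assumption).
PAIR_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Split one entry into its fixed header and its name=value fields.

    Returns (header, fields), or None when the line is not in the expected layout,
    so a collector can count and quarantine malformed input instead of failing.
    """
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    header = {k: m.group(k) for k in ("timestamp", "host", "prefix")}
    fields = {k: v.strip('"') for k, v in PAIR_RE.findall(m.group("body"))}
    return header, fields


def filter_events(text, **wanted):
    """Return parsed entries whose fields contain every name=value pair in wanted.

    Because each entry carries named fields on a single line, the filter never has
    to assume that a value sits at a fixed position in the message.
    """
    matches = []
    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed and all(parsed[1].get(k) == v for k, v in wanted.items()):
            matches.append(parsed)
    return matches


if __name__ == "__main__":
    for header, fields in filter_events(SAMPLE_LOG, DstPort="514"):
        print(header["timestamp"], header["prefix"], fields)
```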

[Note] Note: The Prio and LogSeverity fields

The Prio= field in Syslog messages contains the same information as the LogSeverity field for Clavister Logger messages. However, the ordering of the numbering is reversed.

The Syslog ALG

cOS Stream provides an ALG that can filter Syslog traffic as it passes through the firewall. The ALG is not applicable to Syslog traffic generated by the firewall itself. This feature is fully explained in Section 10.5, Syslog ALG.

Example 20.1. Enable Logging to a Syslog Host

In this example, logging will be enabled for all events with a severity greater than or equal to Notice to a Syslog server with IPv4 address 10.1.1.3. The logical name for the receiver in cOS Stream will be my_syslog.

Command-Line Interface

System:/> add LogReceiver LogReceiverSyslog my_syslog IPAddress=10.1.1.3

[Note] Note: Syslog servers may need configuring

Syslog servers may have to be configured appropriately to receive log messages from cOS Stream. Please refer to the documentation of the specific Syslog server software in order to configure it correctly.

Limiting the Sending Rate

The configuration of a log receiver can also include the property SendRateLimit. This setting specifies how many log messages cOS Stream may send per second. Log messages that exceed this limit are dropped. The default value is 2000 messages per second.

This setting can be useful in scenarios where the receiving log server might become overloaded. The value should never be set too low, as this may result in important events not being logged.