Prior to 6.5.6, Indeni generated Syslog messages that did not conform to RFC 5424.
It was therefore difficult for 3rd-party customer tools to consume and analyze those messages.
Starting with 6.5.6, the following events trigger the sending of a Syslog message:
- Issue created
- Issue resolved
- Issue archived
- Issue unarchived
- Issue item added
- Issue item archived
- Issue item has been automatically marked as resolved
- Note added to issue
- Issue is now in a ‘cooldown’ period
- Issue relapsed while in ‘cooldown’
- User logged in to the system
Syslog Message Format
The Syslog message consists of 3 elements:
- HEADER – PRI VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID
- STRUCTURED-DATA – This field is empty in our implementation and is represented by a dash sign (“-”)
- MSG – The MSG part contains a free-form message that provides information about the event. MSG is Unicode, encoded as UTF-8.
Message Priority (PRI)
The Syslog message’s priority (PRI) encodes both the Facility and the Severity and is calculated with the following formula:
PRI = Facility number * 8 + Severity
The Facility number’s default value is 17 (Local Use 1 – see table below).
This value can be changed from the UI (see screenshot below).
The Severity is derived from the issue severity in the Indeni system: Critical, Error, Warning and Informational map to the numerical codes 2, 3, 4 and 6 respectively.
The VERSION is always 1; Indeni supports version 1 only.
The TIMESTAMP is generated in accordance with RFC 3339.
The HOSTNAME field identifies the Indeni server that originally sent the Syslog message. Indeni uses the Indeni server’s hostname; if that is not available, it uses the IP address.
Note: It is possible to use the device name (the name assigned to the device monitored by Indeni for which the alert was generated) instead, in which case APP-NAME carries the Indeni hostname.
For APP-NAME, Indeni uses a null value, represented by ‘-’ (unless the hostname is configured to the device name – see note above).
For PROCID, Indeni uses a null value, represented by ‘-’.
For MSGID, Indeni uses the alert ID as the message ID, except in the case of “USER_LOGIN”, which is used for user login and logout.
Syslog Message Example
In this example, we will consider Issue_ID 17950 “No NTP servers configured”.
When the warning message was first created, the syslog message should look like this:
In this example, PRI is 139 using the default Facility of 17 and severity value of 3 for Error.
PRI = 8 * 17 + 3 = 139
The VERSION is 1 and the message was created on March 23, 2020 at 10:52 am UTC, 3 milliseconds into the next second. The message originated from the Indeni host. The APP-NAME is unknown. The PROCID is unknown. The MSGID is “ISSUE_ID”. There is no STRUCTURED-DATA present in the message; this is indicated by “-” in the STRUCTURED-DATA field. The MSG is “4726 device= CP-R80.20-VSX1-1 ip=10.11.94.72 Headline=High CPU usage per core(s) description=Some CPU cores are under high usage.”
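As an added example (not Indeni's own code), the following Python builds a message in the layout described above from the values of this worked example and parses it back, decoding PRI into facility and severity and splitting the key=value MSG; a consumer can run the same parser over incoming lines to reject ones that do not fit RFC 5424, such as the pre-6.5.6 format. The field width limits, the key=value splitting rule and the sample message are assumptions drawn from this page, not documented Indeni behaviour.

```python
import re
from datetime import datetime, timezone
# Added example, not Indeni code: Indeni issue severity -> syslog severity (page values)
SEVERITY_CODES = {"critical": 2, "error": 3, "warning": 4, "informational": 6}
DEFAULT_FACILITY = 17  # local1, the page's default Facility number
NILVALUE = "-"         # RFC 5424 nil value; Indeni uses it for APP-NAME, PROCID, SD

RFC3339 = r"\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d{1,6})?(?:Z|[+-]\d{2}:\d{2})"
HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>\d{1,2}) (?P<ts>-|" + RFC3339 + r") "
    r"(?P<host>\S{1,255}) (?P<app>\S{1,48}) (?P<procid>\S{1,128}) (?P<msgid>\S{1,32}) "
    r"(?P<sd>-|(?:\[[^\]]*\])+)(?: (?P<msg>.*))?$")
MSG_KV_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")  # values may contain spaces

def compute_pri(severity_name, facility=DEFAULT_FACILITY):
    """PRI = Facility number * 8 + Severity (the page's formula)."""
    return facility * 8 + SEVERITY_CODES[severity_name.lower()]

def build_message(severity_name, when, hostname, msgid, msg, facility=DEFAULT_FACILITY):
    """Header layout from the page: VERSION 1, RFC 3339 UTC timestamp, and the
    nil value '-' for APP-NAME, PROCID and STRUCTURED-DATA."""
    ts = when.astimezone(timezone.utc).isoformat(timespec="milliseconds")
    ts = ts.replace("+00:00", "Z")
    pri = compute_pri(severity_name, facility)
    return f"<{pri}>1 {ts} {hostname} {NILVALUE} {NILVALUE} {msgid} {NILVALUE} {msg}"

def parse_message(line):
    """Validate a line against the RFC 5424 header layout and decode PRI back
    into facility and severity; raises ValueError for lines a strict collector
    rejects (pre-6.5.6 layout, PRI above 191, non-RFC 3339 timestamp)."""
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError("not an RFC 5424 header: %r" % line[:60])
    f = m.groupdict()
    f["pri"], f["version"] = int(f["pri"]), int(f["version"])
    if f["pri"] > 191:
        raise ValueError("PRI out of range: %d" % f["pri"])
    f["facility"], f["severity"] = divmod(f["pri"], 8)  # inverse of the formula
    return f

def parse_msg(msg):
    """Split Indeni's MSG into the leading issue id plus key=value pairs
    (e.g. 'Headline=High CPU usage per core(s)')."""
    first, _, rest = msg.partition(" ")
    return {"id": first, **{k: v.strip() for k, v in MSG_KV_RE.findall(rest)}}

SAMPLE = build_message(  # constructed sample reproducing the page's worked example
    "Error", datetime(2020, 3, 23, 10, 52, 0, 3000, tzinfo=timezone.utc), "indeni",
    "ISSUE_ID", "4726 device= CP-R80.20-VSX1-1 ip=10.11.94.72 Headline=High CPU usage "
    "per core(s) description=Some CPU cores are under high usage.")
```

Running `parse_message(SAMPLE)` returns facility 17 and severity 3 for PRI 139, matching the computation above, while a BSD-style line such as `<139>Mar 23 10:52:00 ...` raises ValueError.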
If the user chooses the alternate format, the syslog message should look like this: