1

According to my understanding the popular syslog formats are:

  • RFC 3124 (BSD syslog):

    Format: < priority >timestamp hostname application: message

    Example: <133>Feb 25 14:09:07 webserver syslogd: restart

  • RFC 5424 (IETF syslog):

    Format: < priority >VERSION ISOTIMESTAMP HOSTNAME APPLICATION PID MESSAGEID STRUCTURED-DATA MSG

    Example: <34>1 2003-10-11T22:14:15.003Z mymachine.example.com su - ID47 - BOM'su root' failed for lonvick on /dev/pts/8

But Lets see other company's log formats:

  • Cisco:

    Example: *Jan 18 03:02:42: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/0, changed state to down

  • Fortinet (Here you can see syslog in key-value pair. Is this even syslog?)

    Example: <190>date=2015-03-30 time=14:42:11 logid=0508020503 type=utm subtype=emailfilter eventtype=smtp level=information vd="root" sessionid=83879670 srcip=12.130.136.122 srcport=48137 dstip=x.x.x.x dstport=25 proto=6 service=SMTP profile="EF_Example" action=log-only from="newsletterslatin@trendmicro.rsys1.com" to="mail2@x.x" sender="newsletterslatin@trendmicro.rsys1.com" recipient="mail2@x.x" sentbyte=15369 rcvdbyte=46 direction=outgoing msg="general email log" subject="Novos Treinamentos para Certificação Trend Micro" size="15360" attachment=no

  1. Does that mean syslog format can be modified according to their needs. Then how can SIEM softwares can parse these logs if different companies follow different syslog formats?.
  2. What's the point of having a RFC then if different companies follow different logging practice?
  3. My Last question, Are these even syslog formats?
Allan
  • 15
  • 1
  • 5
  • `how can SIEM softwares can parse these logs if different companies follow different syslog formats?` Because they are simple. Splunk can parse a lot of data structures. It doesn't need to be in Syslog format. – Greg Askew Mar 28 '22 at 11:25
  • @GregAskew Thanks. You Made it clear :) – Allan Mar 28 '22 at 13:19

1 Answers1

2

As a very short answer: because an RFC does not change the existing code base written in 15-25 years.

All kinds of Syslog formats have been developed and used since the early 1980s (AFAIK the concept originated in sendmail, and the first syslog daemon was part of 4.3 BSD in 1986). With the Unix Wars and the end of BSD everyone was free to build what they needed and there was little incentive to standardize anything. A mimimal standard would have been "everything the BSD syslogd can process", and even then many implementations consciously deviated from that, for example to add key=value or TCP support.

RFC 3164 is an informational RFC from 2001. It is not normative (in the sense of "this is Syslog and anything else is not"), but rather it takes the approach "look what's out there and describe a small common ground".

RFC 5424 as a proposed standard has that normative approach. But it is from 2009, and even at that time it is "just another optional standard", becaus it was (and still is) virtually impossible to change all the existing and useful code out there.

mschuett
  • 3,146
  • 21
  • 21
  • One snarky comment: in 2001 there was also a proposed standard, [RFC 3195](https://datatracker.ietf.org/doc/html/rfc3195). It was designed on top of XML and BEEP. That was so out of touch with real users that AFAIK nobody used it in any production-like setup. – mschuett Mar 28 '22 at 12:20
  • 1
    I think the wrong RFC was referenced. RFC 3164 vs RFC 3124. The former talks about BSD syslog. The latter about network congestion. – JPvRiel Nov 16 '22 at 10:29
  • Thank you for noticing! I fixed it in the post. – mschuett Nov 16 '22 at 18:45