How are the syslog entries structured?
I'm looking at RFC 5424 and I can't figure out how PFSense sends data, and exactly what data is in there.
Here are the RFC examples:

<34>1 2003-10-11T22:14:15.003Z mymachine.example.com su - ID47 - BOM'su root' failed for lonvick on /dev/pts/8

<165>1 2003-08-24T05:14:15.000003-07:00 192.0.2.1 myproc 8710 - - %% It's time to make the do-nuts.

<165>1 2003-10-11T22:14:15.003Z mymachine.example.com evntslog - ID47 [exampleSDID@32473 iut="3" eventSource="Application" eventID="1011"] BOMAn application event log entry…

<165>1 2003-10-11T22:14:15.003Z mymachine.example.com evntslog - ID47 [exampleSDID@32473 iut="3" eventSource="Application" eventID="1011"][examplePriority@32473 class="high"]
But unfortunately, the logs I'm seeing come out of PFSense don't look "structured" or "unstructured":

<134>Feb 20 20:05:26 pf: 189.195.242.123.20253 > 68.147.208.74.44270: UDP, length 103

<134>Feb 20 20:05:26 pf: 00:00:00.028916 rule 1/0(match): block in on re0: (tos 0x0, ttl 115, id 63161, offset 0, flags [none], proto UDP (17), length 129)

Can anyone tell me how I might go about parsing this information?

One of my biggest concerns is that the submitted timestamp information doesn't conform to the RFC spec, among other bits of the syslog message format that don't seem to line up.

Now I will fully admit that I might be acquiring the syslog data incorrectly, since the two examples I posted above are the ONLY information I'm seeing come out of my logs.
FYI: this is how I'm acquiring the syslog info (SyslogUtility and DBSyslogService are my own classes):

using System.Net;
using System.Net.Sockets;
using System.Text;

// Bind UDP/514 and block until one datagram arrives; the sender's endpoint is filled in by Receive.
var remoteIpEndPoint = new IPEndPoint(IPAddress.Any, 0);
var udpListener = new UdpClient(514);
var bytesReceived = udpListener.Receive(ref remoteIpEndPoint);
// Decode the datagram as ASCII and remember which host sent it.
var dataReceived = Encoding.ASCII.GetString(bytesReceived);
var hostIP = remoteIpEndPoint.Address;
// Hand the raw line to my parser and persist the result.
var parsedSyslog = new SyslogUtility().ParseRawSyslog(dataReceived, hostIP);
var dbSysLogService = new DBSyslogService();
dbSysLogService.Create(parsedSyslog);
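Added example (not the asker's SyslogUtility, and written in Python rather than C# so it runs on its own): the pfSense lines above are BSD-style (RFC 3164) syslog, where the header is `<PRI>Mmm dd hh:mm:ss HOSTNAME TAG: MSG` with no year and, in pfSense's case, no hostname, so a receiver has to recognise both that layout and RFC 5424. The two regexes, the `year` argument and the sample lines (one taken from the RFC, one from the question) are my own assumptions.

```python
import re
from datetime import datetime

# RFC 5424 header: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA [MSG]
RFC5424_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>\d+) (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) "
    r"(?P<procid>\S+) (?P<msgid>\S+) (?P<sd>-|(?:\[[^\]]*\])+)(?: (?P<msg>.*))?$"
)
# BSD-style (RFC 3164) header as pfSense sends it: <PRI>Mmm dd hh:mm:ss [HOSTNAME] TAG[PID]: MSG
# HOSTNAME is optional here because the lines in the question jump straight from the time to "pf:".
BSD_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?:(?P<host>[^\s:\[]+) )?(?P<app>[^\s:\[]+)(?:\[(?P<procid>\d+)\])?: ?(?P<msg>.*)$"
)
SD_PARAM_RE = re.compile(r'([^\s=\]]+)="((?:[^"\\]|\\.)*)"')  # PARAM-NAME="PARAM-VALUE"


def parse_structured_data(sd: str) -> dict:
    """'[id@ent k="v" ...][id2 ...]' -> {id: {k: v}}; the nil value '-' yields {}."""
    out = {}
    for element in re.findall(r"\[([^\]]*)\]", sd):
        sd_id, _, params = element.partition(" ")
        out[sd_id] = dict(SD_PARAM_RE.findall(params))
    return out


def parse_syslog(line: str, year: int) -> dict:
    """Parse one datagram. 'year' is only used for BSD timestamps, which carry no year."""
    if m := RFC5424_RE.match(line):
        rec = {"format": "rfc5424", **m.groupdict()}
        rec["sd"] = parse_structured_data(rec["sd"])
        ts = rec["ts"]  # RFC 5424 allows the nil value "-" for the timestamp
        rec["timestamp"] = None if ts == "-" else datetime.fromisoformat(ts.replace("Z", "+00:00"))
    elif m := BSD_RE.match(line):
        rec = {"format": "bsd", **m.groupdict()}
        rec["timestamp"] = datetime.strptime(f"{year} {rec['ts']}", "%Y %b %d %H:%M:%S")
    else:
        raise ValueError(f"unrecognised syslog line: {line!r}")
    pri = int(rec.pop("pri"))
    if pri > 191:  # PRI = facility * 8 + severity, facility 0..23, severity 0..7
        raise ValueError(f"PRI out of range: {pri}")
    rec["facility"], rec["severity"] = pri >> 3, pri & 7
    return rec


# Sample input: one RFC 5424 example from the RFC and one pfSense line from the question.
SAMPLE_5424 = ('<165>1 2003-10-11T22:14:15.003Z mymachine.example.com evntslog - ID47 '
               '[exampleSDID@32473 iut="3" eventSource="Application" eventID="1011"] BOMAn application event log entry')
SAMPLE_PF = "<134>Feb 20 20:05:26 pf: 189.195.242.123.20253 > 68.147.208.74.44270: UDP, length 103"
```

`<134>` decodes to facility 16 (local0) and severity 6 (informational); the receiver must supply the year itself because the BSD timestamp has none.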