Syslog overview - Metasys - LIT-12011279 - General System Information - Metasys System - 13.0

Network and IT Guidance Technical Bulletin

Brand: Metasys
Product name: Metasys System
Document type: Technical Bulletin
Document number: LIT-12011279
Version: 13.0
Revision date: 2023-09-29
Product status: Active
Language: English

The Metasys Servers and network engines provide the optional capability of sending their configured audit log entries and event notifications to an external, customer-provided industry-standard Syslog server destination, conforming to published Internet document RFC 3164. Syslog implements a client-server application structure where the server listens on a port for protocol requests from clients. Most commonly, the Transport Layer protocol for network logging is User Datagram Protocol (UDP). The Metasys system Syslog message provides positive indication of each field possible in the Metasys event and audit entries, replacing any blank field with the single character dash (-). Individual fields of each Metasys entry are sent to the Syslog server in the Syslog message field separated by the vertical bar symbol (|).

The Metasys system creates and maintains independent local repositories for events and audits. Existing documentation in the Metasys System Configuration Guide (LIT-12011832) describes their configuration. Events and audit entries are sent to the Syslog server when the entries are recorded in the servers and network engines.

When configuring the servers and network engines, confirm that the Enabled Audit Level is at the recommended setting of 2.

When Metasys Audit messages are delivered to Syslog destinations from the Metasys SMP UI, the fields are sent in the order shown in the Metasys Audit Viewer (Figure 1). The Audit Viewer columns are labeled as follows: When | Item | Class Level | Origin Application | User | Action Type | Description | Previous Value | Post Value | Status. The Metasys audit log shows the client's IPv4 address in the Post Value column for every successful and unsuccessful login attempt.
Figure 1. Metasys Audit Viewer - SMP UI

When Metasys Event messages are delivered to Syslog destinations from the Metasys SMP UI, the fields are sent in the order shown in the Metasys Event Viewer, excluding the icon column (Figure 2). The Event Viewer columns are labeled as follows: Type | Priority | When | Item | Value | Description | Alarm Message Text.

Figure 2. Metasys Event Viewer - SMP UI

When Metasys audit messages are delivered to Syslog destinations from Metasys UI Online, these fields are sent in the following order: Item | User | Description | Post Value | Start Day Of Week | Start Time | End Day Of Week | End Time | Spaces | Equipment.

When Metasys event messages are delivered to Syslog destinations from Metasys UI Online, these fields are sent in the following order: Current Status | Priority | Authorization Category | Acknowledge Required | Previous Status | Start Day Of Week | Start Time | End Day Of Week | End Time | Spaces | Equipment. Some of these fields appear in the following Alarm Monitor example.

Figure 3. Metasys UI Alarm Monitor

For each message received from the Metasys system, the Syslog server displays three time stamps:

  • the time the Syslog server received the message
  • the time the Metasys system sent the message to the Syslog server (sent as part of the RFC 3164 Syslog Protocol Header)
  • the time the audit or event occurred in the Metasys system as recorded in the When field of an Audit or Event entry

The time sent as part of the Syslog protocol header adheres to RFC 3164. The time the Metasys audit action or event occurred is recorded in standard local time and is presented in 12-hour format as part of the message field.
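
The audit field layout and the three time stamps described above can be handled on the collector side as in the following added example, which is not code from the bulletin or from Johnson Controls. It assumes the message part of the RFC 3164 line holds only the pipe-separated audit fields in SMP UI Audit Viewer order; `parse_audit`, the sample line, and every value in it are constructed for illustration.

```python
import re
from ipaddress import IPv4Address

# Audit field order from the SMP UI Audit Viewer, as listed in the bulletin.
AUDIT_FIELDS = ["When", "Item", "Class Level", "Origin Application", "User",
                "Action Type", "Description", "Previous Value", "Post Value",
                "Status"]

# RFC 3164 header: <PRI>, "Mmm dd hh:mm:ss" timestamp, hostname, then the message.
# Assumption: the message part holds only the '|'-separated fields (no tag prefix).
HEADER = re.compile(
    r"^<(\d{1,3})>([A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (\S+) (.*)$", re.S)

def parse_audit(line, received_at):
    """Split one Metasys audit syslog line into header data and named fields."""
    m = HEADER.match(line.rstrip("\r\n"))
    if not m:
        raise ValueError("no RFC 3164 header")
    pri = int(m.group(1))
    if pri > 191:                       # highest PRI: facility 23, severity 7
        raise ValueError("PRI out of range")
    values = [v.strip() for v in m.group(4).split("|")]
    # A stray '|' inside a value would shift every later column, so reject
    # the record instead of attributing values to the wrong fields.
    if len(values) != len(AUDIT_FIELDS):
        raise ValueError("expected %d fields, got %d"
                         % (len(AUDIT_FIELDS), len(values)))
    # A single dash is the placeholder for a blank field.
    fields = {k: (None if v == "-" else v) for k, v in zip(AUDIT_FIELDS, values)}
    try:  # login attempts carry the client's IPv4 address in Post Value
        client_ip = str(IPv4Address(fields["Post Value"] or ""))
    except ValueError:
        client_ip = None
    return {
        "facility": pri >> 3, "severity": pri & 7, "host": m.group(3),
        "received": received_at,       # stamped by the collector
        "sent": m.group(2),            # RFC 3164 header time (no year, no zone)
        "occurred": fields["When"],    # local time, 12-hour format
        "client_ip": client_ip, "fields": fields,
    }

# Constructed sample line; every value in it is illustrative.
SAMPLE = ("<110>Sep 29 14:05:12 nae-01 9/29/2023 2:05:10 PM|NAE-01|-|Security|"
          "operator1|User Login|Login failed|-|192.0.2.15|-")

if __name__ == "__main__":
    print(parse_audit(SAMPLE, "2023-09-29T14:05:13"))
```

Keeping `received`, `sent` and `occurred` as separate values lets a collector compare them and flag clock drift or delayed delivery between the Metasys device and the Syslog server.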