Syslog Message Format

All syslog messages follow a specific format. Below is an example of a message as well as an explanation of its parts.

Oct 12 14:58:35 example_host BG: 1234:01:01:site=support.example.com;who=John Smith(jsmith);who_ip=192.168.1.1; event=login;target=web/login;status=success

The example above represents one message on one line. Messages can be broken down into two parts: a header followed by a payload of fields and values.

The header is made up of the date, time, hostname, and the characters BG:, which designate that this message is a BeyondTrust-specific syslog message. The remaining header information is made up of a unique 4-digit site ID, a segment number, and the total number of segments. If your B Series Appliance has only one site installed, all messages will have the same site ID. Each of these three values is followed by a colon. So from the example above, the entire header is simply:

Header part        Meaning
-----------------  ------------------------------------
Oct 12 14:58:35    Date/Time
example_host       Hostname
BG:                BeyondTrust-specific message designator
1234:              Site ID
01:                Segment Number
01:                Total Segments

Following the header is the payload. The format of the payload is essentially field1=value1;field2=value2;… This format is better suited to provide an order-independent set of data than a comma-separated format would provide, since some of the messages may contain upwards of 70 fields of data.

Finally, note also the escaping of "=", ";", and "\" characters. If any payload value includes one of these characters, that character is prefixed with a backslash ("\") to indicate that the next character is part of the value data, not a delimiter. For example, if a username were changed to user;s=name\id in the web interface, then the payload field/value pair in the syslog message would read ...new_username=user\;s\=name\\id;.
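The parser below is an added example, not code from the guide or from BeyondTrust: it splits the header described above, joins multi-segment messages, and decodes the payload while honouring the backslash escaping of "=", ";" and "\". The sample lines are constructed for the example, and the reassembly rule (segments of one message arrive consecutively and in order) is an assumption the guide does not state.

```python
import re
from dataclasses import dataclass

# Constructed sample lines in the format the guide describes (not captured from a real appliance).
SAMPLE_LINES = [
    "Oct 12 14:58:35 example_host BG: 1234:01:01:site=support.example.com;"
    "who=John Smith(jsmith);who_ip=192.168.1.1;event=login;target=web/login;status=success",
    # A value containing all three escapable characters, escaped as the guide specifies:
    "Oct 12 14:58:36 example_host BG: 1234:01:01:event=user_changed;"
    "new_username=user\\;s\\=name\\\\id;status=success",
    # A constructed two-segment message: the second segment continues the first's payload.
    "Oct 12 14:58:37 example_host BG: 1234:01:02:event=session_end;who=John Smith(jsmith);dura",
    "Oct 12 14:58:37 example_host BG: 1234:02:02:tion=300;status=success",
]

# Header layout from the guide: date/time, hostname, "BG:", site ID, segment, total segments.
HEADER_RE = re.compile(
    r"^(?P<timestamp>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<hostname>\S+) BG: "
    r"(?P<site_id>\d{4}):(?P<segment>\d+):(?P<total>\d+):"
    r"(?P<payload>.*)$"
)


@dataclass
class BGMessage:
    timestamp: str
    hostname: str
    site_id: str
    fields: dict


def split_header(line):
    """Separate the header from the raw payload string; reject lines that are not BG messages."""
    m = HEADER_RE.match(line)
    if m is None:
        raise ValueError(f"not a BeyondTrust BG syslog message: {line!r}")
    header = m.groupdict()
    payload = header.pop("payload")
    header["segment"] = int(header["segment"])
    header["total"] = int(header["total"])
    return header, payload


def parse_payload(payload):
    """Split 'field=value;field=value;...' into a dict.

    A backslash makes the next character literal, so '\\;', '\\=' and '\\\\' inside a
    value never act as delimiters. A naive payload.split(';') would corrupt such values.
    """
    fields, key, value, in_value = {}, [], [], False
    i, n = 0, len(payload)
    while i < n:
        c = payload[i]
        if c == "\\" and i + 1 < n:
            (value if in_value else key).append(payload[i + 1])  # escaped: literal data
            i += 2
            continue
        if c == "=" and not in_value:
            in_value = True                      # first unescaped '=' ends the field name
        elif c == ";":
            if key:
                fields["".join(key)] = "".join(value)
            key, value, in_value = [], [], False
        else:
            (value if in_value else key).append(c)
        i += 1
    if key:                                      # payload without a trailing ';'
        fields["".join(key)] = "".join(value)
    return fields


def parse_lines(lines):
    """Parse a stream of lines, joining multi-segment messages before decoding the payload.

    Assumption (not stated by the guide): the segments of one message arrive consecutively
    and in order. An out-of-sequence segment discards the partially buffered message.
    """
    messages, pending = [], []
    for line in lines:
        header, payload = split_header(line)
        if header["segment"] != len(pending) + 1 or (
            pending and pending[0][0]["site_id"] != header["site_id"]
        ):
            pending = []                         # broken sequence: drop the partial message
            if header["segment"] != 1:
                continue
        pending.append((header, payload))
        if header["segment"] == header["total"]:
            first = pending[0][0]
            joined = "".join(p for _, p in pending)
            messages.append(BGMessage(first["timestamp"], first["hostname"],
                                      first["site_id"], parse_payload(joined)))
            pending = []
    return messages


if __name__ == "__main__":
    for msg in parse_lines(SAMPLE_LINES):
        print(msg.timestamp, msg.hostname, msg.site_id, msg.fields)
```

The escaping rule is the part most often got wrong in SIEM field extractors: a regex or split on ";" will truncate the new_username value from the guide's own example at the escaped semicolon, whereas the character-by-character scan above returns the original user;s=name\id.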


Topics Covered in the Remote Support Syslog Message Format Guide