Why Companies Like Cisco Use Different Syslog Formats

Tags: linux, logging, rsyslog, syslog, unix

According to my understanding the popular syslog formats are:

  • RFC 3124 (BSD syslog):

    Format: <priority>timestamp hostname application: message

    Example: <133>Feb 25 14:09:07 webserver syslogd: restart

  • RFC 5424 (IETF syslog):

    Format: <priority>VERSION ISOTIMESTAMP HOSTNAME APPLICATION PID MESSAGEID STRUCTURED-DATA MSG

    Example: <34>1 2003-10-11T22:14:15.003Z mymachine.example.com su - ID47 - BOM'su root' failed for lonvick on /dev/pts/8

But let's see other companies' log formats:

  • Cisco:

    Example: *Jan 18 03:02:42: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/0, changed state to down

  • Fortinet (here you can see syslog in key-value pairs. Is this even syslog?)

    Example: <190>date=2015-03-30 time=14:42:11 logid=0508020503 type=utm subtype=emailfilter eventtype=smtp level=information vd="root" sessionid=83879670 srcip=12.130.136.122 srcport=48137 dstip=x.x.x.x dstport=25 proto=6 service=SMTP profile="EF_Example" action=log-only from="[email protected]" to="[email protected]" sender="[email protected]" recipient="[email protected]" sentbyte=15369 rcvdbyte=46 direction=outgoing msg="general email log" subject="Novos Treinamentos para Certificação Trend Micro" size="15360" attachment=no

  1. Does that mean the syslog format can be modified according to their needs? Then how can SIEM software parse these logs if different companies follow different syslog formats?
  2. What's the point of having an RFC then if different companies follow different logging practices?
  3. My last question: are these even syslog formats?

Best Answer

As a very short answer: because an RFC does not change the existing code base written in 15-25 years.

All kinds of Syslog formats have been developed and used since the early 1980s (AFAIK the concept originated in sendmail, and the first syslog daemon was part of 4.3 BSD in 1986). With the Unix Wars and the end of BSD everyone was free to build what they needed and there was little incentive to standardize anything. A minimal standard would have been "everything the BSD syslogd can process", and even then many implementations consciously deviated from that, for example to add key=value or TCP support.

RFC 3164 is an informational RFC from 2001. It is not normative (in the sense of "this is Syslog and anything else is not"), but rather it takes the approach "look what's out there and describe a small common ground".

RFC 5424 as a proposed standard has that normative approach. But it is from 2009, and even at that time it was "just another optional standard", because it was (and still is) virtually impossible to change all the existing and useful code out there.
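On the asker's first question (how a SIEM copes with all of these), here is an added example, not code from the question or the answer: a small Python normaliser that recognises the four line shapes quoted in the question (BSD syslog, RFC 5424, Cisco IOS, and Fortinet key=value) by probing them in a fixed order, which is essentially what a SIEM's parser layer does. The sample lines are constructed from the question's examples (BOM dropped, Fortinet line shortened); field names like `format` and `msgid` are my own choice.

```python
import re

# Constructed samples, reduced from the question's examples.
SAMPLES = [
    "<133>Feb 25 14:09:07 webserver syslogd: restart",
    "<34>1 2003-10-11T22:14:15.003Z mymachine.example.com su - ID47 - 'su root' failed for lonvick on /dev/pts/8",
    "*Jan 18 03:02:42: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/0, changed state to down",
    '<190>date=2015-03-30 time=14:42:11 logid=0508020503 type=utm level=information vd="root" msg="general email log" attachment=no',
]

PRI = re.compile(r"^<(\d{1,3})>")                       # <PRI> = facility*8 + severity
RFC5424 = re.compile(r"^1 (\S+) (\S+) (\S+) (\S+) (\S+) (-|\[.*?\]) ?(.*)$")
RFC3164 = re.compile(r"^([A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (\S+) ([^:\[ ]+)(?:\[\d+\])?: (.*)$")
CISCO = re.compile(r"^\*?(\w{3} +\d+ \d\d:\d\d:\d\d)(?:\.\d+)?: %(\w+)-(\d)-(\w+): (.*)$")
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')                 # key=value or key="quoted value"

def parse_pri(line):
    """Split off the <PRI> header; returns (facility, severity, rest). Missing PRI -> (None, None, line)."""
    m = PRI.match(line)
    if not m:
        return None, None, line
    pri = int(m.group(1))
    return pri // 8, pri % 8, line[m.end():]

def parse_syslog(line):
    """Normalise one line into a flat event dict; 'format' records which shape matched."""
    facility, severity, rest = parse_pri(line)
    event = {"facility": facility, "severity": severity, "raw": line}
    # Order matters: RFC 5424 is distinguished by the leading VERSION digit, BSD by its timestamp,
    # Cisco IOS by the %FACILITY-SEVERITY-MNEMONIC tag, Fortinet by a leading key=value token.
    if (m := RFC5424.match(rest)):
        ts, host, app, _pid, msgid, _sd, msg = m.groups()
        event.update(format="rfc5424", timestamp=ts, host=host, app=app, msgid=msgid, msg=msg)
    elif (m := RFC3164.match(rest)):
        ts, host, app, msg = m.groups()
        event.update(format="rfc3164", timestamp=ts, host=host, app=app, msg=msg)
    elif (m := CISCO.match(rest)):
        ts, fac, sev, mnemonic, msg = m.groups()
        # Cisco's 0-7 severity uses the same scale as the syslog severity, so it can fill the slot.
        event.update(format="cisco", timestamp=ts, severity=int(sev), app=fac, msgid=mnemonic, msg=msg)
    elif KV.match(rest):
        kv = {k: v.strip('"') for k, v in KV.findall(rest)}
        ts = kv.get("date", "") + "T" + kv.get("time", "")
        event.update(format="fortinet_kv", timestamp=ts, msg=kv.get("msg"), fields=kv)
    else:
        event.update(format="unknown", msg=rest)      # keep the raw text rather than drop the line
    return event

def normalise_all(lines=SAMPLES):
    return [parse_syslog(l) for l in lines]
```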