What is the format of an EventReporter Syslog Message?
Created 2001-02-15 by Rainer Gerhards.
In order to parse the records generated by EventReporter, you need to know
which fields they contain. Here is a typical syslog message generated by
EventReporter:
EvntSLog: [ERR] Thu Feb 15 14:00:58 2001: FMSRV/Wins (4102) - "The connection was aborted by the remote WINS. Remote WINS may not be configured to replicate with the server."
Identifier
This identifier string can be used to select EventReporter generated messages
for e.g. parsing purposes. Please note that it is terminated by a colon followed
by a space.
Severity Code
This code is based on the NT Event Severity. It is always 3 characters
enclosed by square brackets. Possible values are:
| NT Severity | Code | Mapped to Syslog Priority |
|---|---|---|
| Audit Success | [AUS] | LOG_NOTICE |
| Audit Failure | [AUF] | LOG_WARNING |
| Information | [INF] | LOG_NOTICE |
| Warning | [WRN] | LOG_WARNING |
| Error | [ERR] | LOG_ERR |
| none | [NON] | LOG_NOTICE |
Please note that this code is more descriptive than the syslog priority, as
we do not have matching priorities for all NT events. The "[NON]" code
should never appear - it would point to an error in the event logging API. We
have never seen this case and do not expect it, but we have included this
identifier just in case...
Date
The date the event was written to the event log of the NT machine (in
standard RFC format).
Server
The NT server name of the machine that the event log entry is from.
NT Event Source
The NT event source (as seen in NT Event Viewer).
EventID
The NT event ID (as seen in NT Event Viewer).
Actual Message
This is the actual message text expanded from the Windows NT / 2000 event
log. It is delimited by quotes (").
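The following Python parser is an added example; it is not part of the original article and not EventReporter's own code. It derives the field layout from the sample message above and the severity table, maps each code to its syslog priority name and the matching RFC 3164 numeric severity (err=3, warning=4, notice=5), and parses the date with the ctime-style pattern the sample shows (an assumption, since the article only says "standard RFC format"). The message text is taken greedily up to the final quote, so event text that itself contains quotes does not truncate the field, and an unrecognised severity code is reported as an error rather than silently mapped, because the article says such a code would indicate a fault in the logging path. The sample lines are constructed for the example.

```python
import re
from datetime import datetime
from typing import NamedTuple, Optional

# Severity code -> (syslog priority name, RFC 3164 numeric severity),
# transcribed from the table in the article.
SEVERITY_CODES = {
    "AUS": ("LOG_NOTICE", 5),
    "AUF": ("LOG_WARNING", 4),
    "INF": ("LOG_NOTICE", 5),
    "WRN": ("LOG_WARNING", 4),
    "ERR": ("LOG_ERR", 3),
    "NON": ("LOG_NOTICE", 5),  # should never occur per the article; still mapped
}

# Layout inferred from the sample message (assumption: server names contain
# no '/' and the event text is delimited by the first and the last '"'):
#   EvntSLog: [XXX] <date>: <server>/<source> (<eventid>) - "<message>"
_RECORD = re.compile(
    r'^EvntSLog: \[(?P<code>[A-Z]{3})\] '   # identifier, then 3-letter code
    r'(?P<date>.+?): '                      # date up to the first ": "
    r'(?P<server>[^/\s]+)/(?P<source>.+?) ' # server/source
    r'\((?P<event_id>\d+)\) - '             # numeric event ID
    r'"(?P<message>.*)"$',                  # greedy: keeps embedded quotes
    re.DOTALL,
)

# ctime-style layout as shown in the sample, e.g. "Thu Feb 15 14:00:58 2001"
_DATE_FORMAT = "%a %b %d %H:%M:%S %Y"


class EventRecord(NamedTuple):
    code: str
    priority: str      # syslog priority name from the table
    severity: int      # RFC 3164 numeric severity
    timestamp: datetime
    server: str
    source: str
    event_id: int
    message: str


def parse_eventreporter(line: str) -> Optional[EventRecord]:
    """Parse one EventReporter syslog line.

    Returns None when the line is not an EventReporter record at all;
    raises ValueError for a well-formed record carrying an unknown
    severity code, so that such lines surface in monitoring instead of
    being silently dropped or misclassified.
    """
    m = _RECORD.match(line.rstrip("\r\n"))
    if m is None:
        return None
    code = m.group("code")
    if code not in SEVERITY_CODES:
        raise ValueError(f"unknown EventReporter severity code [{code}]")
    priority, severity = SEVERITY_CODES[code]
    return EventRecord(
        code=code,
        priority=priority,
        severity=severity,
        timestamp=datetime.strptime(m.group("date"), _DATE_FORMAT),
        server=m.group("server"),
        source=m.group("source"),
        event_id=int(m.group("event_id")),
        message=m.group("message"),
    )


# Constructed sample input: the article's example plus a line whose event
# text contains embedded quotes and a single-digit day.
SAMPLE_LINES = [
    'EvntSLog: [ERR] Thu Feb 15 14:00:58 2001: FMSRV/Wins (4102) - '
    '"The connection was aborted by the remote WINS. Remote WINS may not '
    'be configured to replicate with the server."',
    'EvntSLog: [AUF] Mon Feb  5 09:07:01 2001: FMSRV/Security (529) - '
    '"Logon failure for account "guest" from workstation WS01."',
]


def parse_all(lines):
    """Parse a batch, returning (records, rejected_lines)."""
    records, rejected = [], []
    for line in lines:
        rec = parse_eventreporter(line)
        (records if rec is not None else rejected).append(rec if rec else line)
    return records, rejected


if __name__ == "__main__":
    for rec in parse_all(SAMPLE_LINES)[0]:
        print(f"<{rec.severity}> {rec.timestamp.isoformat()} {rec.server} "
              f"{rec.source}[{rec.event_id}] {rec.priority}: {rec.message}")
```

A parser like this should treat the quoted message body as untrusted input from the logging client: the regex deliberately anchors on the trailing quote rather than the first one it meets, and the numeric severity is what a relay would use to set the syslog priority when forwarding the record.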