What is the format of an EventReporter Syslog Message?

In order to parse the records generated by EventReporter, you need to know which fields they contain. Here is a typical syslog message generated by EventReporter:

EvntSLog: [ERR] Thu Feb 15 14:00:58 2001: FMSRV/Wins (4102) - "The connection was aborted by the remote WINS. Remote WINS may not be configured to replicate with the server."

Identifier

This identifier string can be used to select EventReporter generated messages, e.g. for parsing purposes. Please note that it is terminated by a colon followed by a space.

Severity Code

This code is based on the NT Event Severity. It is always 3 characters enclosed by square brackets. Possible values are:

NT Severity      Code   Mapped to Syslog Priority
Audit Success    [AUS]  LOG_NOTICE
Audit Failure    [AUF]  LOG_WARNING
Information      [INF]  LOG_NOTICE
Warning          [WRN]  LOG_WARNING
Error            [ERR]  LOG_ERR
none             [NON]  LOG_NOTICE

Please note that this code is more descriptive than the syslog priority, as we do not have matching priorities for all NT events. The “[NON]” code should never appear – it would point to an error in the event logging API. We have never seen this case and do not expect it, but we have included this identifier just in case…

Date

The date the event was written to the event log of the NT machine (in standard RFC format).

Server

The NT server name of the machine that the event log entry is from.

NT Event Source

The NT event source (as seen in NT Event Viewer).

EventID

The NT event ID (as seen in NT Event Viewer).

Actual Message

This is the actual message text expanded from the Windows NT / 2000 event log. It is delimited by quotes (“).
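As an added example (not code from this page or from the EventReporter product), here is a Python parser for the layout described above. It splits a line into the fields listed on this page, maps the severity code with the table above, and flags the `[NON]` code that should never appear; the regular expression, the `parse_eventreporter` name and the sample lines other than the page's own example are assumptions constructed for this example.

```python
import re
from typing import Optional

# Severity code -> syslog priority, from the table on this page.
SEVERITY_TO_SYSLOG = {
    "AUS": "LOG_NOTICE", "AUF": "LOG_WARNING", "INF": "LOG_NOTICE",
    "WRN": "LOG_WARNING", "ERR": "LOG_ERR", "NON": "LOG_NOTICE",
}

# Constructed pattern for: Identifier [CODE] date: SERVER/Source (ID) - "message"
# The date is the ctime-style stamp shown in the page's example.
EVENTREPORTER_RE = re.compile(
    r'^EvntSLog: '
    r'\[(?P<code>[A-Z]{3})\] '
    r'(?P<date>\w{3} \w{3} [ \d]\d \d{2}:\d{2}:\d{2} \d{4}): '
    r'(?P<server>[^/]+)/(?P<source>.+?) '
    r'\((?P<event_id>\d+)\) - '
    r'"(?P<message>.*)"$'          # greedy: quotes inside the text survive
)

SAMPLE_LINES = [
    # The example message from this page:
    'EvntSLog: [ERR] Thu Feb 15 14:00:58 2001: FMSRV/Wins (4102) - '
    '"The connection was aborted by the remote WINS. Remote WINS may not be '
    'configured to replicate with the server."',
    # Constructed: single-digit day and a quote inside the message text
    'EvntSLog: [AUF] Mon Mar  5 09:01:02 2001: DC01/Security (529) - '
    '"Logon Failure: Unknown user name or bad password (account "guest")"',
    # Constructed: a line from another daemon that must be rejected
    'Mar  5 09:01:03 host sshd[123]: Accepted publickey for alice',
]


def parse_eventreporter(line: str) -> Optional[dict]:
    """Return the fields of one EventReporter syslog line, or None if the
    line does not follow the documented layout."""
    m = EVENTREPORTER_RE.match(line.rstrip("\r\n"))
    if m is None:
        return None
    rec = m.groupdict()
    rec["event_id"] = int(rec["event_id"])
    rec["syslog_priority"] = SEVERITY_TO_SYSLOG.get(rec["code"])
    # [NON] or an unknown code points to a logging API problem worth alerting on.
    rec["anomalous_code"] = rec["code"] == "NON" or rec["syslog_priority"] is None
    return rec


if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        print(parse_eventreporter(sample))
```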
