The Syslog Queue Action was added as part of the Passive Syslog Listener Service. All messages send to this action are stored preformatted in disk based queuefiles. Therefor you can configure the Syslog Header and message format in this action as well.
Forward Syslog Properties
SyslogQueue Name
The internal Name of the SyslogQueue, must be unique. The Configuration
Client will verify the Name is unique while you save the configuration.
Split files if this size is reached
The size in bytes when queue files are split, by default this is set to
10MB (10485760). However you may configured a larger size to have less
files, but you should not go below 100KB. This could result in to many
queuefiles.
Diskqueue directory
The default directory where the queue files are saved into.
Syslog Header Options
Syslog Header Options
With this settings you can assign how your syslog messages will be processed.
For processing syslog you can choose out of four different options. You can use RFC3164 or RFC5424 (recommended) which is the current syslog standard, you are able to customize the syslog header or you do not process your syslog and forwards it as it is.
Custom Header Format
In this field you can specify the contents of your syslog header. This option is only available when you choose "Use Custom Syslog Header" in the Syslog Processing menu. The contents can be either a fixed message part which you can write into the field yourself or you use properties as dynamic content. By default the Header field is filled with the content of the RFC 5424 header.
Please note that the header content of the Header field can be configured. Event properties are described in the property replacer section.
Syslog Message Options
Syslog Message Options
This setting is most important for Asian languages. A good rule is to leave it at "System Default" unless you definitely know you need a separate encoding. "System Default" works perfect in the far majority of cases, even on Asian (e.g. Japanese) Windows versions.
Message Format
You can use several different message formats for forwarding messages via syslog.
Use Custom Format
The custom format lets you decide how the content of a syslog message looks like. You can use properties to insert content dynamically or have fixed messages that appear in every message. Event properties are described in the property replacer section.
If this option is checked, the forwarded Syslog message is a complete XML-formatted information record. It includes additional information like timestamps or originating system in an easy to parse format.
The XML formatted message is especially useful if the receiving system is capable of parsing XML data. However, it might also be useful to a human reader as it includes additional information that cannot be transferred otherwise.
Use CEE enhanced Syslog Format
If enabled, the new CEE enhanced Syslog format will be used (work in progress). All useful properties will be included in a JSON Stream. The message itself can be included as well, see the “Include message property in CEE Format” option. Here is a sample how the format looks like for a security Eventlog message:
@cee: {"source": "machine.local", "nteventlogtype": "Security", "sourceproc": "Microsoft-Windows-Security-Auditing", "id": "4648", "categoryid": "12544", "category": "12544", "keywordid": "0x8020000000000000", "user": "N\\A", "SubjectUserSid": "S-1-5-11-222222222-333333333-4444444444-5555", "SubjectUserName": "User", "SubjectDomainName": "DOMAIN", "SubjectLogonId": "0x5efdd", "LogonGuid": "{00000000-0000-0000-0000-000000000000}", "TargetUserName": "Administrator", "TargetDomainName": " DOMAIN ", "TargetLogonGuid": "{00000000-0000-0000-0000-000000000000}", "TargetServerName": "servername", "TargetInfo": " servername ", "ProcessId": "0x76c", "ProcessName": "C:\\Windows\\System32\\spoolsv.exe", "IpAddress": "-", "IpPort": "-", "catname": "Logon", "keyword": "Audit Success", "level": "Information", }
Additionaly to this format you can set Include message property in CEE Format
If enabled, the message itself will be included in the JSON Stream as property. Disable this option if you do not want the message itself in the CEE Format.
Please note that the message content of the Message field can be configured. Event properties are described in the property replacer section.