3/20/2015

syslog

From Wikipedia, the free encyclopedia

syslog - Wikipedia, the free encyclopedia

In computing, syslog is a widely used standard for message logging. It permits separation of the software
that generates messages, the system that stores them, and the software that reports and analyzes them.

Computer system designers can use syslog for system management and security auditing as well as general
informational, analysis, and debugging messages. A wide variety of devices (such as printers and routers)
and message receivers across multiple platforms use the syslog standard. Because of this, system designers
can use syslog to integrate log data from different types of systems in a central repository.

In the syslog standard, each message is labeled with a facility code and assigned a severity label. The
facility code indicates which of the following software types generated the message: auth, authpriv, daemon,
cron, ftp, lpr, kern, mail, news, syslog, user, uucp, or local0 ... local7. The severity designations, from
most to least severe, are: Emergency, Alert, Critical, Error, Warning, Notice, Info, and Debug.

Implementations of syslog exist for many operating systems. Specific configuration may permit directing
messages to various devices (e.g., console), files (e.g., /var/log/), or remote syslog servers. Most
implementations provide a command line utility, often called logger, that can send messages to the log.
Some implementations permit filtering and display of syslog messages.

In 2009, the Internet Engineering Task Force (IETF) standardized syslog in RFC 5424.

Contents

• 1 History
• 2 Outlook
• 3 Facility levels
• 4 Severity levels
• 5 Format of a Syslog packet
• 5.1 Priority
• 5.1.1 Calculating Priority Value
• 5.1.1.1 Calculating Facility and Severity Values from a Priority Value
• 5.2 Header
• 5.3 Message
• 6 Limitations
• 7 Protocol
• 8 Internet standards
• 9 See also
• 10 References
• 11 External links

http://en.wikipedia.org/wiki/Syslog

1/8

BLUE COAT SYSTEMS - Exhibit 1050 Page 1

History

Syslog was developed in the 1980s by Eric Allman as part of the Sendmail project, and was initially used
solely for Sendmail. It proved so valuable that other applications began using it as well. Syslog has since
become the standard logging solution on Unix and Unix-like systems; there have also been a variety of
syslog implementations on other operating systems, and it is commonly found in network devices such as
routers.

Syslog functioned as a de facto standard, without any authoritative published specification, and many
implementations existed, some of which were incompatible. The Internet Engineering Task Force
documented the status quo in RFC 3164. It was made obsolete by subsequent additions in RFC 5424.[1]

At different points in time, various companies have attempted patent claims on syslog.[2][3] This had little
effect on the use and standardization of the protocol.

Outlook

Various groups are working on draft standards detailing the use of syslog for more than just network and
security event logging, such as its proposed application within the health care environment.

Regulations, such as SOX, PCI DSS, HIPAA, and many others are requiring organizations to implement
comprehensive security measures, which often include collecting and analyzing logs from many different
sources. Syslog has proven to be an effective format to consolidate logs, as there are many open source and
proprietary tools for reporting and analysis. Converters exist from Windows Event Log as well as other log
formats to syslog.

An emerging area of managed security services is the collection and analysis of syslog records for
organizations. Companies calling themselves Managed Security Service Providers attempt to apply
analytics techniques (and sometimes artificial intelligence algorithms) to detect patterns and alert customers
to problems.

Facility levels

A facility level is used to specify what type of program is logging the message. This lets the configuration
file specify that messages from different facilities will be handled differently.[4] The list of facilities
available:[5] (defined by RFC 3164 (http://tools.ietf.org/html/rfc3164))

Facility Number  Keyword   Facility Description
0                kern      kernel messages
1                user      user-level messages
2                mail      mail system
3                daemon    system daemons
4                auth      security/authorization messages
5                syslog    messages generated internally by syslogd
6                lpr       line printer subsystem
7                news      network news subsystem
8                uucp      UUCP subsystem
9                          clock daemon
10               authpriv  security/authorization messages
11               ftp       FTP daemon
12               -         NTP subsystem
13               -         log audit
14               -         log alert
15               cron      clock daemon
16               local0    local use 0 (local0)
17               local1    local use 1 (local1)
18               local2    local use 2 (local2)
19               local3    local use 3 (local3)
20               local4    local use 4 (local4)
21               local5    local use 5 (local5)
22               local6    local use 6 (local6)
23               local7    local use 7 (local7)

The mapping between Facility Number and Keyword is not uniform over different operating systems and
different syslog implementations.[6]
For cron either 9 or 15 or both may be used.
The confusion is even greater regarding auth/authpriv. 4 and 10 are most common but 13 and 14 may also
be used.

Severity levels

RFC 5424 (http://tools.ietf.org/html/rfc5424) defines eight severity levels:

Code  Severity       Keyword         Description                        General Description
0     Emergency      emerg (panic)   System is unusable.                A "panic" condition usually affecting multiple apps/servers/sites. At this level it would usually notify all tech staff on call.
1     Alert          alert           Action must be taken immediately.  Should be corrected immediately, therefore notify staff who can fix the problem. An example would be the loss of a primary ISP connection.
2     Critical       crit            Critical conditions.               Should be corrected immediately, but indicates failure in a secondary system, an example is a loss of a backup ISP connection.
3     Error          err (error)     Error conditions.                  Non-urgent failures, these should be relayed to developers or admins; each item must be resolved within a given time.
4     Warning        warning (warn)  Warning conditions.                Warning messages, not an error, but indication that an error will occur if action is not taken, e.g. file system 85% full - each item must be resolved within a given time.
5     Notice         notice          Normal but significant condition.  Events that are unusual but not error conditions - might be summarized in an email to developers or admins to spot potential problems - no immediate action required.
6     Informational  info            Informational messages.            Normal operational messages - may be harvested for reporting, measuring throughput, etc. - no action required.
7     Debug          debug           Debug-level messages.              Info useful to developers for debugging the application, not useful during operations.

A common mnemonic used to remember the syslog levels from bottom to top is: "Do I Notice When
Evenings Come Around Early".

Format of a Syslog packet

The full format of a Syslog message seen on the wire has three distinct parts:

<PRI> HEADER MSG

The total length of the packet cannot exceed 1,024 bytes, and there is no minimum length.

Priority

The PRI part is a number that is enclosed in angle brackets. This represents both the Facility and Severity
of the message. This number is an eight bit number. The first 3 least significant bits represent the Severity
of the message (with 3 bits you can represent 8 different Severities) and the other 5 bits represent the
Facility of the message. You can use the Facility and the Severity values to apply certain filters on the
events in the Syslog Daemon.

Calculating Priority Value

The Priority value is calculated by first multiplying the Facility number by 8 and then adding the numerical
value of the Severity. For example, a kernel message (Facility=0) with a Severity of Emergency
(Severity=0) would have a Priority value of 0. Also, a "local use 4" message (Facility=20) with a Severity
of Notice (Severity=5) would have a Priority value of 165. In the PRI part of a Syslog message, these
values would be placed between the angle brackets as <0> and <165> respectively.

Calculating Facility and Severity Values from a Priority Value

This is a calculation derived from the previous one. To get the Facility number implied in a given Priority
value, divide the Priority number by 8. The whole number part is the Facility. To get the Severity, multiply
the Facility by 8 and subtract that number from the Priority.

For example:

Priority = 191

191 / 8 = 23.875

Facility = 23
Severity = 191 - (23 * 8) = 7
Work backward to check the formula: 23 * 8 = 184; 184 + 7 = 191

Another Method:

To get the Facility number from a given priority value, divide priority by 8. The whole number is the
Facility. Then to get Severity, take Priority mod 8.

For example:

Priority = 191

191 / 8 = 23.875

Facility = 23

Severity = 191 mod 8 = 7
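The two calculations above, carried out in code. This is an added example and not part of the Wikipedia article; the keyword table follows the RFC 3164 numbering reproduced in the article, and because the article notes that cron is seen as facility 9 or 15 and that auth/authpriv numbering varies, the table here assumes 9 for cron (the value glibc's LOG_CRON uses) and 4/10 for auth/authpriv. Facilities 12 through 15 carry no keyword on the page, so they are rendered by number only.

```python
# Added example (not code from the Wikipedia article): encode a syslog PRI from a
# facility number and a severity, and decode a PRI back into its two parts.

SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Keyword -> facility number (assumption: cron = 9, auth = 4, authpriv = 10; the
# article notes other implementations use 15 for cron and 13/14 for auth/authpriv).
FACILITIES = {
    "kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
    "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
}
FACILITIES.update({f"local{n}": 16 + n for n in range(8)})
FACILITY_NAMES = {number: name for name, number in FACILITIES.items()}


def encode_pri(facility: int, severity: int) -> int:
    """Priority = Facility * 8 + Severity, with facility 0-23 and severity 0-7."""
    if not 0 <= facility <= 23:
        raise ValueError(f"facility out of range: {facility}")
    if not 0 <= severity <= 7:
        raise ValueError(f"severity out of range: {severity}")
    return facility * 8 + severity


def decode_pri(pri: int) -> tuple[int, int]:
    """Inverse of encode_pri: facility is the whole part of PRI / 8 and severity
    is PRI mod 8.  This is the same as (pri >> 3, pri & 0x07): the low three bits
    hold the severity and the upper five bits hold the facility."""
    if not 0 <= pri <= 191:  # 23 * 8 + 7 is the largest valid PRI
        raise ValueError(f"PRI out of range: {pri}")
    facility, severity = divmod(pri, 8)
    return facility, severity


def format_pri(facility: int, severity: int) -> str:
    """The PRI part as it appears on the wire, e.g. '<165>'."""
    return f"<{encode_pri(facility, severity)}>"


def describe_pri(pri: int) -> str:
    """Render a PRI as a 'facility.severity' selector, e.g. 'local4.notice'.
    Facilities without a keyword on the page are shown as 'facilityN'."""
    facility, severity = decode_pri(pri)
    name = FACILITY_NAMES.get(facility, f"facility{facility}")
    return f"{name}.{SEVERITIES[severity]}"


if __name__ == "__main__":
    # The article's worked examples: kern.emerg -> <0>, local4.notice -> <165>, 191 -> (23, 7)
    print(format_pri(FACILITIES["kern"], 0), format_pri(FACILITIES["local4"], 5))
    print(decode_pri(191), describe_pri(191))
```

The range check in decode_pri matters in practice: a receiver that takes the PRI digits at face value will happily index a severity table with a value like 999 unless it rejects anything above 191 first.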

Header

The HEADER part contains the following:

• Timestamp -- the date and time at which the message was generated. This is picked up from the
sending system's system time, which might differ from the receiving system's system time.
• Hostname or IP address of the device.

Message

The MSG part will fill the remainder of the Syslog packet. This will usually contain some additional
information of the process that generated the message, and then the text of the message. The MSG part has
two fields:

• TAG field
• CONTENT field

The value in the TAG field will be the name of the program or process that generated the message. The
CONTENT contains the details of the message.
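A builder and parser for the <PRI> HEADER MSG layout described in the Priority, Header and Message sections, as an added example that is not code from the Wikipedia article. It enforces the 1,024-byte packet limit the article states and the RFC 3164 rule that the TAG is at most 32 alphanumeric characters, with the first non-alphanumeric character (usually "[" or ":") beginning the CONTENT. The sample packet, the host names and the process names in it are constructed for illustration.

```python
# Added example (not code from the Wikipedia article): build and parse a
# <PRI>HEADER MSG packet, with the PRI, TAG and length checks a receiver needs.
import re
from dataclasses import dataclass

MAX_PACKET_BYTES = 1024  # the article: total packet length cannot exceed 1,024 bytes
MAX_TAG_LEN = 32         # RFC 3164: TAG is at most 32 alphanumeric characters

# <PRI>, then "Mmm dd hh:mm:ss" (day is space-padded), hostname, then the MSG part
_HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<msg>.*)$",
    re.DOTALL,
)
# TAG is the leading run of alphanumerics; everything from the first other
# character onward (e.g. "[2042]: ...") is the CONTENT field.
_TAG_RE = re.compile(r"^(?P<tag>[A-Za-z0-9]{1,32})(?P<content>.*)$", re.DOTALL)


@dataclass
class SyslogMessage:
    facility: int
    severity: int
    timestamp: str
    hostname: str
    tag: str
    content: str


def parse_packet(data: bytes) -> SyslogMessage:
    """Split one datagram into its PRI, HEADER and MSG fields; ValueError if malformed."""
    if len(data) > MAX_PACKET_BYTES:
        raise ValueError(f"packet of {len(data)} bytes exceeds {MAX_PACKET_BYTES}")
    # RFC 5424 says message text should be UTF-8; replace rather than crash on other bytes
    text = data.decode("utf-8", errors="replace")
    m = _HEADER_RE.match(text)
    if m is None:
        raise ValueError("not a <PRI>HEADER MSG packet")
    pri = int(m.group("pri"))
    if pri > 191:
        raise ValueError(f"PRI {pri} out of range")
    facility, severity = divmod(pri, 8)
    t = _TAG_RE.match(m.group("msg"))
    if t is None:
        raise ValueError("MSG part does not start with a TAG")
    return SyslogMessage(facility, severity, m.group("ts"), m.group("host"),
                         t.group("tag"), t.group("content"))


def build_packet(facility: int, severity: int, timestamp: str,
                 hostname: str, tag: str, content: str) -> bytes:
    """Assemble a packet, refusing a bad PRI, an invalid TAG or an oversize result."""
    if not (0 <= facility <= 23 and 0 <= severity <= 7):
        raise ValueError("facility or severity out of range")
    if not (tag.isascii() and tag.isalnum() and len(tag) <= MAX_TAG_LEN):
        raise ValueError("TAG must be 1-32 ASCII alphanumeric characters")
    packet = f"<{facility * 8 + severity}>{timestamp} {hostname} {tag}{content}".encode("utf-8")
    if len(packet) > MAX_PACKET_BYTES:
        raise ValueError(f"packet would be {len(packet)} bytes, over the {MAX_PACKET_BYTES} limit")
    return packet


# Constructed sample packet (not from the article): auth.info is 4 * 8 + 6 = 38
SAMPLE_PACKET = (b"<38>Mar 20 09:12:01 host01 sshd[2042]: "
                 b"Accepted publickey for alice from 192.0.2.10 port 51522")

if __name__ == "__main__":
    print(parse_packet(SAMPLE_PACKET))
    print(build_packet(9, 6, "Mar  5 01:02:03", "host02", "cron", "[17]: job finished"))
```

Note that the CONTENT returned for the sample keeps its leading "[2042]: "; that is where RFC 3164 puts the boundary, and the process id in brackets is a convention of the sender, not a field of the format.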

Limitations

The UDP-based Syslog protocol is unreliable. Unlike TCP-based transmission of messages, UDP does not
guarantee you the delivery of the messages. They may either be dropped through network congestion, or
they may be maliciously intercepted and discarded. The Syslog protocol does not ensure ordered delivery of
packets.

Since each process, application and operating system was written independently, there is little uniformity to
the content of syslog messages. For this reason, no assumption is made upon the formatting or contents of
the messages. The protocol is simply designed to transport these messages.

The receiver of a Syslog packet may not be able to authenticate that the message was indeed sent from the
reported sender. A misconfigured machine may send syslog messages to a Syslog daemon representing
itself as another machine. The administrative staff may become confused because the status of the supposed
sender of the messages may not be accurately reflected in the received messages. Another problem
associated with authentication is that an attacker may start sending fake messages indicating a problem on
some machine. This may get the attention of the system administrators who will spend their time
investigating the alleged problem. During this time, the attacker may be able to compromise a different
machine, or a different process on the same machine. An attacker may record a set of messages that indicate
normal activity of a machine. At a later time, that attacker may remove that machine from the network and
replay the syslog messages to the daemon.

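Two receiver-side checks for the weaknesses just described, as an added example that is not code from the Wikipedia article. A syslog receiver cannot authenticate the sender, but it does know the network source address each datagram arrived from, so it can flag a HEADER hostname that does not match the address that host is expected to log from (the misconfigured or impersonated machine case) and flag a datagram that is byte-for-byte identical to one already received (what a replayed message looks like). The records, host names, addresses and the expected-source inventory are constructed for illustration.

```python
# Added example (not code from the Wikipedia article): audit received syslog
# datagrams for a hostname/source-address mismatch and for exact repeats.

# Constructed records: (source address the datagram arrived from, raw datagram)
SAMPLE_RECORDS = [
    ("192.0.2.10", b"<38>Mar 20 09:12:01 host01 sshd[2042]: Accepted publickey for alice"),
    ("192.0.2.11", b"<38>Mar 20 09:12:05 host01 sshd[2042]: Accepted publickey for alice"),  # claims host01 from host02's address
    ("192.0.2.10", b"<38>Mar 20 09:12:01 host01 sshd[2042]: Accepted publickey for alice"),  # identical to record 0
    ("192.0.2.12", b"<30>Mar 20 09:13:00 host03 cron[11]: job finished"),                  # host not in inventory
]

# Assumed inventory: the source address each known hostname is expected to log from
EXPECTED_SOURCE = {"host01": "192.0.2.10", "host02": "192.0.2.11"}


def reported_hostname(datagram: bytes) -> str:
    """HEADER hostname: the fourth whitespace-separated token of '<PRI>Mmm dd hh:mm:ss host ...'.
    Splitting on runs of whitespace keeps a space-padded day ('Mar  5') from shifting the token."""
    parts = datagram.decode("utf-8", errors="replace").split(None, 4)
    if len(parts) < 4 or not parts[0].startswith("<"):
        raise ValueError("malformed packet")
    return parts[3]


def audit_records(records, expected_source):
    """Return (record index, finding) pairs for records that deserve an analyst's attention."""
    findings = []
    seen_datagrams = set()
    for index, (source, datagram) in enumerate(records):
        # Exact repeat of an earlier datagram, whatever address it came from
        if datagram in seen_datagrams:
            findings.append((index, "duplicate-datagram"))
        seen_datagrams.add(datagram)
        try:
            host = reported_hostname(datagram)
        except ValueError:
            findings.append((index, "malformed"))
            continue
        expected = expected_source.get(host)
        if expected is None:
            findings.append((index, "unknown-host"))
        elif expected != source:
            findings.append((index, "source-mismatch"))
    return findings


if __name__ == "__main__":
    for index, finding in audit_records(SAMPLE_RECORDS, EXPECTED_SOURCE):
        print(index, finding, SAMPLE_RECORDS[index][1].decode())
```

Both findings are leads rather than verdicts: a host behind NAT or with several interfaces will trip the source check until the inventory reflects that, and a program that emits the same line twice within one second produces an honest duplicate. What the checks cannot do is substitute for the transport-level protections the later RFCs add (TLS transport and signed messages, listed under Internet standards below), which address sender authentication directly.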
Protocol

Syslog is a client/server protocol:[7] a logging application transmits a text message to the syslog receiver.
The receiver is commonly called syslogd, syslog daemon or syslog server. Syslog messages may be sent via
the User Datagram Protocol (UDP) or the Transmission Control Protocol (TCP).[8] The data is sent in
cleartext; although not part of the syslog protocol itself, an SSL wrapper may be used to provide for a layer
of encryption through SSL/TLS. Syslog uses the port number 514.

The original specification in RFC 3164 did not specify many protocol aspects, such as the maximum
message size and the character encoding for the message text. RFC 5424 added many details. Among
others, implementations must support a minimum message size of at least 480 octets, and should support
2048 octets; messages should be encoded as UTF-8.

Internet standards

The Syslog protocol is defined by Request for Comments (RFC) documents published by the Internet
Engineering Task Force (Internet standards). The following is a list of RFCs that define the Syslog
protocol:[9]

• RFC 3164 The BSD syslog Protocol (obsoleted by RFC 5424)
• RFC 3195 Reliable Delivery for syslog
• RFC 5424 The Syslog Protocol
• RFC 5425 TLS Transport Mapping for Syslog
• RFC 5426 Transmission of Syslog Messages over UDP
• RFC 5427 Textual Conventions for Syslog Management
• RFC 5848 Signed Syslog Messages
• RFC 6012 Datagram Transport Layer Security (DTLS) Transport Mapping for Syslog
• RFC 6587 Transmission of Syslog Messages over TCP

See also

• Audit trail
• Console server
• Data logging
• Netconf
• Server log
• Simple Network Management Protocol (SNMP)
• Security Event Manager
• Log management and intelligence
• Web log analysis software
• Web counter
• Common Log Format
• Rsyslog
• Syslog-ng
• Pantheios
• LogParser

References

1. Gerhards R. "RFC 5424" (http://tools.ietf.org/html/rfc5424). The Syslog Protocol.
2. "LXer: Patent jeopardizes IETF syslog standard" (http://lxer.com/module/newswire/view/64026/index.html).
3. "IETF IPR disclosure on HUAWEI's patent claims" (http://datatracker.ietf.org/public/ipr_detail_show.cgi?ipr_id=724).
4. "Syslog Facility" (http://linux.die.net/man/3/syslog). Retrieved 22 November 2012.
5. "Syslog Facilities" (http://www.kiwisyslog.com/help/syslog/protocol_facilities.htm). Retrieved 15 February 2012.
6. "The Ins and Outs of System Logging Using Syslog" (http://www.sans.org/reading_room/whitepapers/logging/ins-outs-system-logging-syslog_1168).
7. RFC 3164, The BSD syslog Protocol
8. RFC 3195, Reliable Delivery for syslog
9. "Security Issues in Network Event Logging (syslog)" (http://datatracker.ietf.org/wg/syslog/). IETF.

External links

• IETF syslog working group (http://www.ietf.org/html.charters/syslog-charter.html)
• SANS Paper (http://www.sans.org/reading-room/whitepapers/logging/ins-outs-system-logging-syslog-1168) The Ins and Outs of System Logging Using Syslog
• NIST SP 800-92 Guide to Computer Security Log Management (PDF) (http://csrc.nist.gov/publications/nistpubs/800-92/SP800-92.pdf)
• NetLogger (https://sites.google.com/a/lbl.gov/netlogger/) methodology and tools for debugging and analysis of complex distributed applications

Retrieved from "http://en.wikipedia.org/w/index.php?title=Syslog&oldid=651858363"
Categories: Internet protocols | Internet Standards | System administration | Network management | Log file formats

• This page was last modified on 18 March 2015, at 00:27.
• Text is available under the Creative Commons Attribution-ShareAlike License; additional terms may apply. By using this site, you agree to the Terms of Use and Privacy Policy. Wikipedia® is a registered trademark of the Wikimedia Foundation, Inc., a non-profit organization.
