IBM Support

MessageSight syslog forwarding to external systems

Technical Blog Post


Abstract

MessageSight syslog forwarding to external systems

Body

With MessageSight, you might want to use the syslog forwarding feature to centralize your logs and create alerts or incidents based on them. Before using this feature, you need to know how syslog packets are sent and what format is used. The syslog packets are sent to a process on the appliance that forwards the messages externally.

This process uses the syslog-ng format as described in RFC 6587. You can check the format at the link below:

Transmission of Syslog Messages over TCP

https://tools.ietf.org/html/rfc6587

One important note on RFC 6587 is that the process adds the message length information in front of the sent packet (the extra length prefix is added by the appliance itself).

For example:

"190 <77>1 xxx-xx-xxT06: 38:31+00:00 xxxxxx - - - - xxxx-xx-xxT06:38:30.556+00:00 CWLNA6004 info Admin imaserver 4335: Processing administrative action \"status\" from the user: UserID=\"admin\"."

Taking this into account, if your external system does not handle the message length prefix (190 in the example), you might face processing issues. In that case, you have to use a syslog parser that can handle the syslog-ng format.
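A receiver-side decoder for the length-prefixed framing described above, as an added example (it is not IBM's or MessageSight's code). The class and function names, the 8192-byte limit and the sample messages are assumptions constructed for illustration; the decoder reassembles frames split across TCP reads and rejects a missing, malformed or oversized length prefix.

```python
MAX_FRAME = 8192  # assumed receiver limit, not a MessageSight setting
class FramingError(ValueError):
    """The stream does not follow MSG-LEN SP SYSLOG-MSG."""

class OctetCountingDecoder:
    """Incremental decoder for RFC 6587 octet counting over TCP."""
    def __init__(self, max_frame=MAX_FRAME):
        self.buf = bytearray()
        self.max_frame = max_frame
    def feed(self, data):
        """Add bytes read from the socket; return the complete messages."""
        self.buf += data
        out = []
        while True:
            sp = self.buf.find(b" ")
            if sp == -1:
                # Only a partial length prefix may be pending here.
                if self.buf and (len(self.buf) > 5 or not self.buf.isdigit()):
                    raise FramingError("malformed MSG-LEN prefix")
                return out
            prefix = bytes(self.buf[:sp])
            if not prefix.isdigit() or prefix[:1] == b"0" or sp > 5:
                raise FramingError("malformed MSG-LEN %r" % prefix)
            length = int(prefix)
            if length > self.max_frame:
                raise FramingError("declared length %d too large" % length)
            end = sp + 1 + length
            if len(self.buf) < end:
                return out  # frame is split across TCP segments
            out.append(bytes(self.buf[sp + 1:end]))
            del self.buf[:end]

def frame(msg):
    """Sender side: prepend the octet count and a space."""
    return str(len(msg)).encode("ascii") + b" " + msg

# Constructed sample messages, not captured from an appliance.
SAMPLE = [
    b"<77>1 2024-01-01T06:38:31+00:00 host1 - - - - CWLNA6004 info Admin imaserver",
    b"<77>1 2024-01-01T06:38:32+00:00 host1 - - - - text with\nan embedded newline",
]

def demo(chunk=7):
    """Deliver both frames in small chunks, as TCP reads may, and decode them."""
    stream = b"".join(frame(m) for m in SAMPLE)
    dec, got = OctetCountingDecoder(), []
    for i in range(0, len(stream), chunk):
        got += dec.feed(stream[i:i + chunk])
    return got
```

The second sample carries an embedded newline, which a receiver that splits on line endings would cut in two; the declared length keeps it whole.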

 


UID

ibm11131897