Inputs - TCP


 

Syslog has traditionally been sent to port 514 over UDP.

 

UDP is a connectionless protocol, so unreliability is inherent. When syslog messages are sent over UDP there is no acknowledgement, no sequencing and no retransmission of lost packets; the sending device has no way of knowing whether the syslog server received a message at all.

 

Devices like the Cisco PIX can also send syslog over a TCP transport. TCP is connection oriented and relies on the destination host being reachable: the connection is built when the sending device is initialized, or just before the first syslog message is sent. TCP costs more than UDP because of the three-way handshake when the connection is opened and because the receiver acknowledges the data it gets, so the sender only advances as acknowledgements arrive. In return TCP provides sequencing, checksums and retransmission of lost segments, which ensures that messages reach the syslog server reliably and in order.

 

See also: PIX Firewall Support and Configuring the Cisco PIX.

 

Bind to Address:

By default, the TCP listener accepts connections on all interfaces of the computer. To limit it to a single interface, enter that interface's IP address in the Bind to address field. Otherwise leave the field blank: a blank Bind to address means listen on all interfaces, which is the best option in most cases.

For example, if the computer has two non-routed interfaces, 192.168.1.1 and 192.168.2.1, you can bind to 192.168.1.1 only. Syslog connections arriving on the other interface are then refused and their messages are ignored.

 

The Cisco PIX sends TCP syslog to port 1468. Its default behavior is that if it cannot connect to the syslog server, it blocks all network traffic through it, so the availability of the TCP syslog listener becomes a dependency for traffic passing the firewall.

 

For more information on the Cisco PIX Firewall, please refer to: www.cisco.com/univercd/cc/td/doc/product/iaabu/pix

 

Data Encoding:

If you are receiving messages from systems that use different data encoding formats, you can specify the decoding method to apply to the incoming data. The default is to use the System code page.

 

The drop down list allows you to select some commonly used encoding formats. To select a different encoding, choose "Other-->" and then enter the code page number into the field on the right.

 

The various code pages available on most Windows systems can be found at:

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/act/htm/actml_ref_scpg.asp

 

Here are some common code page numbers that can be used:

 

Name        Code Page Number   Description
System      1                  System Code Page
ANSI        0                  ANSI
UTF-8       65001              Unicode Transformation Format 8
Shift-JIS   932                Japanese
EUC-JP      51932              Japanese Extended Unix Code
BIG5        950                Traditional Chinese
Chinese     936                Simplified Chinese

 

Please note: If the number you specify is not a valid Code Page on your system, the incoming data will not be decoded correctly and will be dropped.

 

If in doubt, use UTF-8 encoding (65001), as it can represent every Unicode character. Note that this only helps if the sending device actually emits UTF-8: bytes in a legacy single-byte or double-byte encoding such as Shift-JIS are not valid UTF-8 and will be dropped as described above, while a wrong but valid code page decodes silently into the wrong characters.

 

For more information on Unicode and UTF-8, please see:

http://en.wikipedia.org/wiki/UTF-8
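The following is an added example, not code from Kiwi Syslog Server, showing what the code page setting does to incoming bytes: a constructed Shift-JIS message decodes correctly under 932, is rejected (and would be dropped) under 65001, and turns into mojibake under 936. The mapping from the code page numbers in the table above to Python codec names is this example's own assumption; code pages 0 and 1 depend on the receiving host's locale and are left out. A lossy alternative is included for operators who would rather keep a marked-up log line than lose it.

```python
"""Decoding syslog bytes under a configured code page.

Added example (not Kiwi Syslog Server code). CODE_PAGE_CODECS is this
example's own mapping of the code page numbers listed on the page to Python
codecs; it is not how the product resolves code pages.
"""
from __future__ import annotations

CODE_PAGE_CODECS = {
    65001: "utf-8",    # UTF-8
    932: "cp932",      # Shift-JIS
    51932: "euc_jp",   # EUC-JP
    950: "cp950",      # BIG5 (Traditional Chinese)
    936: "cp936",      # Simplified Chinese (GBK)
}

# Constructed sample: a Japanese message as a Shift-JIS device would send it.
SAMPLE_TEXT = "<134>fw01 認証失敗 user=alice"
SAMPLE_SJIS = SAMPLE_TEXT.encode("cp932")


def decode_message(raw: bytes, code_page: int) -> tuple[str | None, str]:
    """Decode raw bytes strictly under the given code page.

    Returns (text, status). status is "ok", "unknown-code-page" when the
    number is not available, or "invalid-bytes" when the data is not valid in
    that code page. In both failure cases text is None, which mirrors the note
    on this page that such data is dropped.
    """
    codec = CODE_PAGE_CODECS.get(code_page)
    if codec is None:
        return None, "unknown-code-page"
    try:
        return raw.decode(codec), "ok"
    except UnicodeDecodeError:
        return None, "invalid-bytes"


def decode_lossy(raw: bytes, code_page: int) -> str | None:
    """Alternative to dropping: keep the line, replacing undecodable bytes with U+FFFD.

    Losing an authentication-failure event entirely is usually worse than a
    garbled character inside it; the ASCII parts of the message survive.
    """
    codec = CODE_PAGE_CODECS.get(code_page)
    if codec is None:
        return None
    return raw.decode(codec, errors="replace")


if __name__ == "__main__":
    for cp in (932, 65001, 936, 12345):
        print(cp, decode_message(SAMPLE_SJIS, cp))
    print("lossy UTF-8:", decode_lossy(SAMPLE_SJIS, 65001))
```

Run as a script it prints the decoded text for each code page; the 936 line shows that a valid but wrong code page produces no error, only wrong characters, which is why the setting has to match the sending device rather than simply "work".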

 

Message Delimiters:

Syslog messages sent via TCP are not necessarily contained in a single TCP packet: one message can be split across several packets, and several short messages can arrive in one. Kiwi Syslog Server therefore has a buffering facility that accumulates the incoming TCP data in an internal buffer, and it needs a way to identify the separate Syslog messages within a single TCP stream. It does this through message delimiters (or separators). Each delimiter specifies the character (or sequence of characters) that is used to split the stream into individual Syslog messages; a message that itself contains the delimiter character is split at that point.

 

The kind of delimiter to use depends very much on the client or device that is sending Syslog over TCP. If it does not match what the sender actually emits, messages are either never recognised as complete (and accumulate in the buffer) or are split in the wrong places.

 

Possible delimiters are:

 

CRLF (ASCII 13, ASCII 10)

CR (ASCII 13)

LF (ASCII 10)

Null (ASCII 00)
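The following is an added example, not Kiwi Syslog Server code, that implements the framing described above: it buffers TCP segments and splits them on a configurable delimiter, runs the same constructed CRLF-terminated sample stream through each of the four delimiters listed, and shows what a mismatched delimiter does. The 8 KiB cap on an unterminated message and the discard-on-overflow behaviour are this example's own design choices (a sender that never emits the configured delimiter would otherwise grow the buffer without bound), not documented product behaviour.

```python
"""Delimiter-based framing of syslog messages received over TCP.

Added example, not Kiwi Syslog Server code. The max_message cap and what
happens on overflow are assumptions made for this example.
"""
from __future__ import annotations

# The delimiters listed on this page, as byte sequences.
DELIMITERS = {
    "CRLF": b"\r\n",
    "CR": b"\r",
    "LF": b"\n",
    "Null": b"\x00",
}

# Constructed sample: three CRLF-terminated messages as they might arrive in
# TCP segments. The second message is split across two segments.
SEGMENTS = [
    b"<134>Jan  1 00:00:01 fw01 sample: first message\r\n"
    b"<134>Jan  1 00:00:02 fw01 sample: sec",
    b"ond message\r\n",
    b"<134>Jan  1 00:00:03 fw01 sample: third message\r\n",
]


class DelimitedStreamSplitter:
    """Accumulate TCP segments and return complete, delimiter-terminated messages."""

    def __init__(self, delimiter: bytes, max_message: int = 8192) -> None:
        if not delimiter:
            raise ValueError("delimiter must be non-empty")
        self.delimiter = delimiter
        self.max_message = max_message
        self.discarded = 0          # oversized unterminated messages thrown away
        self._buf = bytearray()

    def feed(self, segment: bytes) -> list[bytes]:
        """Append one segment; return every message it completes, in order."""
        self._buf.extend(segment)
        messages: list[bytes] = []
        while True:
            idx = self._buf.find(self.delimiter)
            if idx < 0:
                break
            messages.append(bytes(self._buf[:idx]))
            del self._buf[: idx + len(self.delimiter)]
        # Wrong delimiter configured, or a hostile client that never terminates
        # its message: drop the partial data instead of buffering forever.
        if len(self._buf) > self.max_message:
            self._buf.clear()
            self.discarded += 1
        return messages

    def pending(self) -> bytes:
        """Bytes received so far that are not yet terminated by a delimiter."""
        return bytes(self._buf)


def split_stream(segments: list[bytes], delimiter: bytes) -> tuple[list[bytes], bytes]:
    """Run a list of segments through one splitter; return (messages, leftover)."""
    splitter = DelimitedStreamSplitter(delimiter)
    messages: list[bytes] = []
    for segment in segments:
        messages.extend(splitter.feed(segment))
    return messages, splitter.pending()


if __name__ == "__main__":
    for name, delim in DELIMITERS.items():
        msgs, rest = split_stream(SEGMENTS, delim)
        print(f"{name:5} -> {len(msgs)} message(s), {len(rest)} byte(s) still buffered")
        for m in msgs:
            print("     ", m)
```

With CRLF the three messages come out clean. With LF they come out with a stray trailing carriage return; with CR the second and third start with a stray line feed and one byte stays buffered; with Null nothing is ever recognised as a complete message and the whole stream sits in the buffer until the cap discards it.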