A number of variables are passed to and from the script. Depending on the read/write permissions you set for the action, the variables can be modified and returned for use in the syslog program.
The variables and functions are passed via a globally accessible object named "Fields". To access a variable or function, simply prefix the word "Fields." to the variable or function name.
Common fields
Fields.VarFacility
Details: The Facility value of the message.
Type: Integer (0-32767)
Range: 0 to 23. Click here for a list of facilities.
Fields.VarLevel
Details: The level value of the message.
Type: Integer (0-32767)
Range: 0 to 7. Click here for a list of levels
Fields.VarInputSource
Details: The input source of the message.
Type: Integer (0-32767)
Range: 0 to 2. 0=UDP, 1=TCP, 2=SNMP, 3 = KeepAlive, 4 = NT Event Log, 5 = Log file, 6 = Comm port
(4, 5 and 6 are not yet in use)
Fields.VarPeerAddress
Details:
The IP address of the sending device in nnn.nnn.nnn.nnn format. If the message has been forwarded from another syslog collector, this value will contain the original senders address.
Case A.
Firewall device (192.168.1.1) ---> First syslog collector (192.168.1.2) ---> This syslog collector (192.168.1.3)
The field value would be 192.168.1.1.
Case B.
Firewall device (192.168.1.1) ---> This syslog collector (192.168.1.3)
The field value would be 192.168.1.1.
Type: String
Format: nnn.nnn.nnn.nnn Values are not zero padded.
Example: 192.168.1.67
Fields.VarPeerName
Details:
The host name of the sending device. This field will only contain resolved host name if the DNS lookup options are enabled and the lookup was successful. Otherwise it will contain the same value as VarPeerAddress in the format nnn.nnn.nnn.nnn. The name identifies the host portion of the fully qualified domain name (FQDN), it does not contain the domain suffix.
Type: String
Format: myhost
Fields.VarPeerDomain
Details:
The domain name portion of the resolved FQDN. This is just the domain suffix, it does not contain the host name. This field will only contain a value if the DNS lookup options are enabled and the lookup was successful. Otherwise it will contain an empty string ("").
Type: String
Format: mydomain.com
Fields.VarCleanMessageText
Details:
The message text after it has been modified (header removed, DNS lookups, original address removed, Cisco date removed etc).
Type: String
Example:
%SEC-6-IPACCESSLOGP: list 101 denied udp 10.0.0.3 (firewall) (137) -> 216.7.14.105 (webserver.company.com) (137), 1 packet
Other fields
Fields.VarDate
Details: The date the message was received
Type: String (10 bytes)
Format: YYYY-MM-DD
Example: 2005-03-17
Fields.VarTime
Details: The time the message was received
Type: String (8 bytes)
Format: HH:MM:SS
Example: 23:10:04
Fields.VarMilliSeconds
Details: The time the message was received in milliseconds past the second.
Type: String (3 byte)
Range: 000 to 999
Format: nnn (three bytes, zero padded)
Fields.VarSocketPeerAddress
Details: The IP address of the device, or the closest collector that sent the message.
Case A.
Firewall device (192.168.1.1) ---> First syslog collector (192.168.1.2) ---> This syslog collector (192.168.1.3)
The field value would be 192.168.1.2.
Case B.
Firewall device (192.168.1.1) ---> This syslog collector (192.168.1.3)
The field value would be 192.168.1.3.
Type: String
Format: nnn.nnn.nnn.nnn. Values are not zero padded.
Example: 192.168.1.67
Fields.VarPeerAddressHex
Details:
The IP address of the device that sent the message converted to an 8 digit hex value.
The hex address is used for the IP Mask and IP Range filters. If you are making changes to the VarPeerIPAddress and want to use the IP Mask or Range filters, you will also need to make changes to the VarPeerAddressHex field too.
Type: String (8 bytes)
Range: 00000000 to FFFFFFFF
Example: C0A80102 (192.168.1.2 converted to 2 byte zero padded hex)
Fields.VarPeerPort
Details: The UDP/TCP port that the message was sent from.
Type: Integer (0-65535)
Range: 0 to 65535
Typically: A value greater than 1023
Fields.VarLocalAddress
Details: The IP address that the message was sent to on this machine.
Type: String
Examples: 127.0.0.1, 192.168.1.2
Fields.VarLocalPort
Details: The local machine UDP/TCP port that received the message
Type: Integer (0-65535)
Range: 0 to 65535
Typically: 514 for UDP, 1468 for TCP, 162 for SNMP
Fields.VarPriority
Details: The message priority value.
Type: Integer (0-32767)
Range: 0 to 191
Fields.VarRawMessageText
Details:
The message as it was received before modification (includes <pri> tag, original address etc).
This field is read only. Changing the field within the script will not modify the equivalent program variable.
Custom fields
These fields are dynamic and are cleared with each new message. These fields can be used to hold the results of your script so they can be used in Log to file or Log to Database actions. The fields can also be passed to actions as parameters using the %VarCustom01 Insert message content or counter option or via the AutoSplit syntax. A good use for these fields would be breaking a message up into separate fields via the script and then logging them to file or database in the separate fields.
There are 16 custom fields available. Values from 1 to 9 are zero padded (VarCustom01 not VarCustom1).
Fields.VarCustom01 to Fields.VarCustom16
Inter-script fields
These fields are static and do not change with each message. These fields can be used to pass values from one script to another or hold values for modification by the same script at a later time. The values can also be passed to actions as parameters using the %VarGlobal01 Insert message content or counter option or via the AutoSplit syntax.
There are 16 global fields available. Values from 1 to 9 are zero padded (VarGlobal01 not VarGlobal1).
Fields.VarGlobal01 to Fields.VarGlobal16
Custom Script fields
These fields are static and do not change with each message. These fields can be used to hold your own custom statistics and counters. The values can also be passed to actions as parameters using the %VarStats01 Insert message content or counter option.
The current field values can be viewed from the Statistics view window under the Counters tab. The custom stats are also included in the daily statistics e-mail.
The names and initial values of the Statistics fields can be set from the Scripting option
There are 16 custom statistics fields available. Values from 1 to 9 are zero padded (VarStats01 not VarStats1).
Fields.VarStats01 to Fields.VarStats16
Control and timing fields
Fields.ActionQuit
Details:
This field can be set to determine what occurs after the script has been run. A value of 0 means the program continues on to the next action in the rule. A value of 1 to 99 means skip the next n actions within this rule (1=skip the next 1 action, 3=skip the next 3 actions). A value of 100 means jump to the next rule. A value of 1000 means skip all rules and stop processing this message. A value of 0 is assumed if no value is set.
Type: Integer (0-32767)
Range: 0 to 1000
Enum: 0=No skip, 1-99=skip next n actions, 100=skip to next rule, 1000=stop processing message.
Fields.SecondsSinceMidnight
Details: The number of seconds elapsed since Midnight
Type: Long (0-2 billion)
Range: 0 to 86400
Fields.SecondsSinceStartup
Details: The number of seconds elapsed since the program was started.
Type: Long (0-2 billion)