zCenter generates service health, security, and activity logs in RFC5424 Syslog format, and can be configured to export these logs to an external device such as a syslog collector or a SIEM.
1. About RFC5424
RFC5424 describes a layered architecture for syslog with standardized log levels and formats. Please refer to https://datatracker.ietf.org/doc/html/rfc5424 for specific details of the RFC5424 implementation.
2. How to Enable RFC5424 Syslog Event Forwarding
zCenter offers RFC5424 compliant syslog event forwarding capability. This function is disabled by default.
Follow the steps below to enable the RFC5424 log forwarding function to a desired host outside zCenter:
a. Log in to zCenter with service admin privilege.
b. Go to Advanced Management > Service Management > Remote Logging.
c. Set Status to Enable if it is not already enabled.
d. Enter or choose the required settings:
Host: Dedicated syslog server reachable from zCenter
Protocol: Choose TCP (default) or UDP
Port: Port on the destination server that is open for syslog forwarding
Facility: Choose "16: local use 0" (default), one of 17-23, or "1: user-level messages"
3. RFC5424 Compliant Message Format
Zentera follows the RFC 5424 protocol, which is detailed at https://datatracker.ietf.org/doc/html/rfc5424;
the message format is described in section 6 of that document. Each message in the log has the following format:
HEADER SP STRUCTURED-DATA [SP MSG]
where
SP == SPACE (%d32)
HEADER == PRI VERSION SP TIMESTAMP SP HOSTNAME SP APP-NAME SP PROCID SP MSGID
STRUCTURED-DATA == "[" SD-ID *(SP PARAM-NAME "=" %d34 PARAM-VALUE %d34) "]"
Examples of the supported event messages are shown in the next section.
4. Events Being Logged and Examples
zCenter release 8.1.2 supports the following events in the RFC5424 message format:
Zentera # | Event | Severity | MSGID | PARAM-NAME & PARAM-VALUE
APLN01 | Service start | 5 (Notice) | SERVICE-START | zcVersion="7.3.2(022122a)" logVersion="1.0"
Example: <134>1 2022-09-20T12:25:13.247-07:00 go zCenter 23923 SERVICE-START [ZC-8.1.2(091922a)@54834 logVersion="1.0" zcVersion="8.1.2 (091922a)"] zCenter is starting
APLN02 | Service stop | 5 (Notice) | SERVICE-STOP |
USR01 | User login success | 6 (Informational) | USER-LOGINSUCC | account="u1@zentera.net" customer="IT dept" ip="1.2.3.4" userAgent="Mozilla/5.0 (Windows NT 10.0 …"
Example: <134>1 2022-09-26T09:12:28.453-07:00 go zCenter 23923 USER-LOGINSUCC [ZC-8.1.2(091922a)@54834 account="alex" customer="Zentera Cloud" ip="73.71.21.62" userAgent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36"] Login success.
USR02 | User login failure | 5 (Notice) | USER-LOGINFAIL | customer="IT dept" ip="1.2.3.4" userAgent="Mozilla/5.0 (Windows NT 10.0 …" error="incorrect credentials"
Example: <134>1 2022-10-04T15:36:54.326-07:00 go zCenter 23923 USER-LOGINFAIL [ZC-8.1.2(091922a)@54834 account="ale" customer="Zentera Cloud" error="Invalid username." ip="72.110.89.46" userAgent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36"] Login failed.
USR03 | User logout | 6 (Informational) | USER-LOGOUT | customer="IT dept"
Example: <134>1 2022-10-12T12:52:20.763-07:00 go zCenter 23923 USER-LOGOUT [ZC-8.1.2(091922a)@54834 account="alex" customer="Zentera Cloud"] logout.
SSN01 | Remote desktop session start | 6 (Informational) | RDS-START | type="vnc" server="myhost1" epid="40b59d48aa1e4af8a53b8250e8ceb64b" customer="IT dept" dispNum="2" osLogin="root" zns="zCenter" sid="af31f2f5920f49b2a2dcbef65be03376"
Example: <134>1 2022-10-12T12:49:35.241-07:00 go zCenter 23923 RDS-START [ZC-8.1.2(091922a)@54834 customer="Zentera Cloud" dispNum="N/A" epid="f281f32719334762bb7ee8de192838b3" osLogin="N/A" sid="af76434c1c4c4e0d998854892c6f8c67" type="SSH" user="alex" zns="zCenter"] Session start
SSN02 | Remote desktop session end | 6 (Informational) | RDS-END | sid="af31f2f5920f49b2a2dcbef65be03376" status="closed by app"
Example: <134>1 2022-10-12T12:51:45.354-07:00 go zCenter 23923 RDS-END [ZC-8.1.2(091922a)@54834 sid="af76434c1c4c4e0d998854892c6f8c67" status="Closed by app"] Session end
SSN03 | Remote desktop session failure | 5 (Notice) | RDS-FAIL | type="vnc" server="myhost1" epid="40b59d48aa1e4af8a53b8250e8ceb64b" customer="IT dept" dispNum="2" osLogin="root" zns="zCenter" error="incorrect OS login"
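The following parser for the HEADER and STRUCTURED-DATA layout given in section 3, run over three of the example lines from the table above, is an added example and not part of this article or of the zCenter product; the failed_logins_by_ip summary and the SAMPLES list are my own additions. It splits PRI into facility and severity (so a collector can confirm the facility it was configured with in section 2) and extracts the PARAM-NAME/PARAM-VALUE pairs so that a SIEM rule can key on fields such as ip or error rather than on the free-text MSG.

```python
import re
from collections import Counter

# HEADER = PRI VERSION SP TIMESTAMP SP HOSTNAME SP APP-NAME SP PROCID SP MSGID (RFC 5424 sec. 6)
HEADER_RE = re.compile(r"^<(?P<pri>\d{1,3})>(?P<ver>\d+) (?P<ts>\S+) (?P<host>\S+) "
                       r"(?P<app>\S+) (?P<procid>\S+) (?P<msgid>\S+) (?P<rest>.*)$", re.S)
# SD-ELEMENT = "[" SD-ID *(SP PARAM-NAME "=" %d34 PARAM-VALUE %d34) "]"; inside a
# PARAM-VALUE the characters '"', '\' and ']' are backslash-escaped.
SD_ELEMENT_RE = re.compile(r'\[(?P<sdid>[^\s\]=]+)(?P<params>(?: [^\s=\]]+="(?:[^"\\]|\\.)*")*)\]')
SD_PARAM_RE = re.compile(r' (?P<name>[^\s=\]]+)="(?P<value>(?:[^"\\]|\\.)*)"')

def parse_rfc5424(line: str) -> dict:
    m = HEADER_RE.match(line.rstrip("\r\n"))
    if not m:
        raise ValueError("not an RFC 5424 message: " + line[:40])
    pri, rest, sd = int(m["pri"]), m["rest"], {}
    pos = 1 if rest.startswith("-") else 0          # "-" is NILVALUE: no structured data
    while pos < len(rest) and rest[pos] == "[":     # one or more SD-ELEMENTs
        e = SD_ELEMENT_RE.match(rest, pos)
        if not e:
            raise ValueError("malformed STRUCTURED-DATA: " + rest[pos:pos + 40])
        sd[e["sdid"]] = {p["name"]: re.sub(r'\\(["\\\]])', r"\1", p["value"])  # unescape
                         for p in SD_PARAM_RE.finditer(e["params"])}
        pos = e.end()
    return {"facility": pri // 8, "severity": pri % 8, "timestamp": m["ts"],
            "hostname": m["host"], "appname": m["app"], "procid": m["procid"],
            "msgid": m["msgid"], "sd": sd, "msg": rest[pos:].lstrip(" ")}  # MSG is optional

def failed_logins_by_ip(lines) -> Counter:
    """Count USER-LOGINFAIL events per source ip; a threshold on this feeds a brute-force alert."""
    hits = Counter()
    for ev in map(parse_rfc5424, lines):
        if ev["msgid"] == "USER-LOGINFAIL":
            for params in ev["sd"].values():
                hits[params.get("ip", "unknown")] += 1
    return hits

# Sample input: three example lines from the table in this article, embedded here as test data.
SAMPLES = [
    '<134>1 2022-09-20T12:25:13.247-07:00 go zCenter 23923 SERVICE-START [ZC-8.1.2(091922a)@54834 logVersion="1.0" zcVersion="8.1.2 (091922a)"] zCenter is starting',
    '<134>1 2022-09-26T09:12:28.453-07:00 go zCenter 23923 USER-LOGINSUCC [ZC-8.1.2(091922a)@54834 account="alex" customer="Zentera Cloud" ip="73.71.21.62" userAgent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36"] Login success.',
    '<134>1 2022-10-04T15:36:54.326-07:00 go zCenter 23923 USER-LOGINFAIL [ZC-8.1.2(091922a)@54834 account="ale" customer="Zentera Cloud" error="Invalid username." ip="72.110.89.46" userAgent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36"] Login failed.',
]

if __name__ == "__main__":
    for ev in map(parse_rfc5424, SAMPLES):
        print(ev["timestamp"], ev["msgid"], "facility=%d severity=%d" % (ev["facility"], ev["severity"]), ev["sd"])
    print(failed_logins_by_ip(SAMPLES))
```

Every example line above carries PRI 134, which decodes to facility 16 and severity 6, so a collector rule keyed on severity alone would not separate USER-LOGINFAIL from USER-LOGINSUCC; key on MSGID instead.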