Syslog Collection
A LogRhythm System Monitor Lite Agent can be used to collect Syslog traffic. For more information, see System Monitor Functionality by License: Lite vs. Pro/Collector.
General Network Requirements for Syslog Collection
The UDP/TCP port 514 (or TCP 6514 for secure syslog) must be open from the remote system to the System Monitor Agent.
In the event the Agent cannot bind to the syslog port due to a port conflict with the native syslog server, you will see the following message in the scsm.log:
Failed to bind to syslog TCP socket (10.1.1.164:514) - the address and/or port may already be in use.
Use TCP Delimiters in Syslog Collection
LogRhythm uses the standard newline character - '\n' - to parse TCP syslog messages. If you need to support the '\r\n', '\r', or '\0' delimiters, you must enable SyslogUseEnhancedTCPDelimiters in the Agent Advanced Properties. For more information, see the Agent Advanced Properties table.
TCP syslog delimiter descriptions:
'\n' LF, Newline/Linefeed, 10 in decimal, usage = standard, syslogng, Cisco PIX Firewall
'\r' CR, Carriage return, 13 in decimal
'\r\n' CRLF, CR+LF, 13 10 in decimal
'\0' NULL, 00 in decimal, usage = Juniper Netscreen Firewall
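As an added illustration (not LogRhythm's code), the following Python framer splits one TCP read buffer on the default '\n' delimiter or on the enhanced set from the table above, returning the unterminated remainder for the next read. The two sample streams are constructed here; they show why a CRLF or NUL-delimited source needs SyslogUseEnhancedTCPDelimiters.

```python
# Added illustration, not LogRhythm code: splitting a TCP syslog byte stream on
# the default delimiter versus the enhanced delimiter set listed above.
STANDARD = (b"\n",)
# CRLF is listed before CR and LF so a "\r\n" pair is consumed as one delimiter.
ENHANCED = (b"\r\n", b"\n", b"\r", b"\0")

def frame(buffer, delimiters=STANDARD):
    """Return (complete_messages, remainder) for one TCP read buffer.

    The remainder is an unterminated partial message that the receiver must
    prepend to the next read; empty frames (e.g. a bare blank line) are dropped.
    """
    messages, start, i = [], 0, 0
    while i < len(buffer):
        for d in delimiters:
            if buffer.startswith(d, i):
                if i > start:
                    messages.append(buffer[start:i])
                i += len(d)
                start = i
                break
        else:
            i += 1
    return messages, buffer[start:]

# Constructed sample streams: a CRLF-terminated device and a NUL-terminated
# (Netscreen-style) device, each with the last message still incomplete or just ended.
CRLF_STREAM = b"<13>Sep 30 13:31:24 HOSTNAME one\r\n<13>Sep 30 13:31:25 HOSTNAME two\r\n<13>Sep 30 13:31:26 HOST"
NUL_STREAM = b"<13>Sep 30 13:31:24 HOSTNAME one\0<13>Sep 30 13:31:25 HOSTNAME two\0"
```

With the default delimiter the CRLF source leaves a stray '\r' on every message, and the NUL-delimited source is never split at all, so its messages keep accumulating in the buffer.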
Relay Regex and Timestamp Parsing
The Windows and .NET Core Linux System Monitor Agent supports parsing of host identifiers and timestamps from Syslog messages to identify unique sources and timestamps within the logs (normal message date).
Relay Regex is applied to the raw pre-processed syslog messages as they are received on the wire. These formats can vary from device to device and may be significantly altered if the messages are being passed through a relay. If your relay regex is not matching, it is recommended to use a packet capture tool, such as Wireshark, to verify the exact message formatting.
Example Pre-Processed Raw Message:
<13> 2025-09-30T13:31:24+10:00 HOSTNAME...
Upon receipt of each syslog message, the System Monitor Agent attempts to apply each relay regex in the configured order, top to bottom, to parse out the hostidentifier and timestamp. If all parsers fail, the Agent defaults to "Received Time" and "Received Source IP".
Example Post-Processed Message:
09 30 2025 03:31:24 10.10.10.10 <USER:NOTE> 2025-09-30T13:31:24+10:00 HOSTNAME...
The following values are present in the message:
Field/Contents | Value | Description |
|---|---|---|
Timestamp in UTC | 09 30 2025 03:31:24 | Converted from the timestamp in the log message and added by the System Monitor Agent. |
Source IP | 10.10.10.10 | The source IP address that sent the log message and was added by the System Monitor Agent. |
Priority | <USER:NOTE> | The conversion of the priority in the raw message <13> into a human-readable format, replaced by the System Monitor Agent. |
Remaining original message | 2025-09-30T13:31:24+10:00 HOSTNAME... | Remainder of the original message, not parsed. |
If no timestamp can be parsed from the message, the Syslog receive time (the time when the log was received on the Agent’s Syslog interface) is used as the normal message date.
The Windows System Monitor supports full timestamp parsing through the use of Syslog Relay Regular Expressions, including the following fields:
Field | Recommended Regex | Supported Values | Description |
|---|---|---|---|
<priority> | <(?<priority>\d{1,3})> | [0-9] - values up to 191 | Used to output human readable Facility:Severity values, based on RFC5424. |
<hostidentifier> | (?<hostidentifier>[A-Za-z0-9-.]+) | [A-Za-z0-9-.] | Used to determine the hostname or IP address of the device sending logs. |
<message> | (?<message>.*) | All non-escape characters | Extracts a log message nested within a relayed log. Use .* to capture until end. |
<year> | (?<year>\d{2,4}) | [0-9] 2 or 4 digits | Supports a 2- or 4-digit year. For 2-digit years, the current century is assumed (20xx). |
<month> | (?<month>[a-zA-Z]{3}) | 3-letter month abbreviation (Jan/Feb/Mar) | Supports either a 3-letter alphabetical month abbreviation or a 1- or 2-digit numerical month. The recommended regex matches only the alphabetical form; the first example below uses \d{2} for a numerical month. |
<day> | (?<day>\d{1,2}) | 1- or 2-digit day (01/02/03) | Supports a 1- or 2-digit numerical day only. If 1 digit, a leading 0 is assumed. |
<hour> | (?<hour>\d{1,2}) | 1- or 2-digit hour (01/02/03) | Supports a 1- or 2-digit numerical hour. A 24-hour clock is assumed unless AM/PM is specified in the <ampm> field. If 1 digit, a leading 0 is assumed. |
<minute> | (?<minute>\d{1,2}) | 1- or 2-digit minute (01/02/03) | Supports a 1- or 2-digit numerical minute only. If 1 digit, a leading 0 is assumed. |
<seconds> | (?<seconds>\d{1,2}) | 1- or 2-digit seconds (01/02/03) | Supports a 1- or 2-digit numerical seconds value only. If 1 digit, a leading 0 is assumed. |
<ms> | (?<ms>\d{1,6}) | 1- to 6-digit milliseconds (1-999999) | Supports up to a 6-digit millisecond numerical value. |
<ampm> | (?<ampm>[ap]m) | am or pm | Supports an exact match against "am" or "pm", in upper or lower case. If "pm" is parsed, the timestamp is assumed to use a 12-hour clock and 12 hours are added to <hour>. |
<utcoffset> | (?<utcoffset>[+-]?\d{2}:\d{2}|[+-]?\d{1,4}|[A-Za-z]{1,4}) | +HH:MM, -HH:MM, HH:MM | UTC offset support in Agent versions prior to 7.23 is limited to +HHMM, -HHMM, HHMM only. Unsigned numeric time zones are assumed positive, so 0800 would be UTC +8. Alphabetical time zone name support is limited because some abbreviations overlap across regions (e.g., CST is both Central Standard Time and China Standard Time). See the table below for the supported abbreviations. |
Example Relay Regex Configurations for Timestamp Parsing
Standard Syslog RFC timestamp with positive time zone offset:
<13> 2025-09-30T13:31:24+10:00 HOSTNAME...
^<(?<priority>\d{1,3})>\s*(?<message>(?<year>\d{2,4})-(?<month>\d{2})-(?<day>\d{1,2})T(?<hour>\d{1,2}):(?<minute>\d{1,2}):(?<seconds>\d{1,2})(?<utcoffset>[+-]?\d{2}:\d{2})\s+(?<hostidentifier>\S+)\s*.*)
Abbreviated month with an alphabetical time zone name. Because the time zone is UTC, the timestamp is treated as +0 and recorded as UTC:
<13> Jan 03 2025 02:18:02 UTC HOSTNAME...
^<(?<priority>\d{1,3})>\s*(?<message>(?<month>[A-Za-z]{3})\s(?<day>\d{1,2})\s(?<year>\d{4}) (?<hour>\d{1,2}):(?<minute>\d{1,2}):(?<seconds>\d{1,2})\s(?<utcoffset>[A-Za-z]{1,4})\s+(?<hostidentifier>\S+)\s*.*)
Without a time zone in the message, <utcoffset> is made optional (alternatively, remove it from the regex entirely). Here \S+ is used for <utcoffset> because the value never contains a space and is always followed by one:
<13> Jan 03 2025 02:18:02 HOSTNAME...
^<(?<priority>\d{1,3})>\s*(?<message>(?<month>[A-Za-z]{3})\s(?<day>\d{1,2})\s(?<year>\d{4}) (?<hour>\d{1,2}):(?<minute>\d{1,2}):(?<seconds>\d{1,2})(\s(?<utcoffset>\S+))?\s+(?<hostidentifier>\S+)\s*.*)
Determining the Time Zone of Log Sources
LogRhythm Agents apply the following rules, in priority order, to decide which time zone offset is applied to a syslog message:
If both the timestamp and the time zone are parsed from the syslog message, the time zone in the log message is trusted and used.
If the timestamp is parsed from the syslog message but no time zone, the log source is assumed to be in the same time zone as the Agent.
If neither the timestamp nor the time zone is parsed from the syslog message, the log time is assumed to be the Agent time, in the Agent's time zone.
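The following added Python example (not the Agent's own code) runs two of the relay regexes from the examples above over the page's sample messages, applies the three time zone rules just listed, and emits the post-processed line in the format shown earlier. It assumes an Agent running at UTC+10, a small subset of the abbreviation table, and facility/severity labels of which only USER:NOTE (from <13>) is confirmed by the page; the .NET named-group syntax (?<name>...) is rewritten to Python's (?P<name>...) before compiling.

```python
import re
from datetime import datetime, timedelta, timezone

# Added example, not LogRhythm code. The relay regexes are copied from the page in
# .NET syntax; Python's re module only accepts (?P<name>...) for named groups,
# so the prefix is rewritten before compiling.
def compile_relay(pattern):
    return re.compile(pattern.replace("(?<", "(?P<"))

RELAY_REGEXES = [  # tried top to bottom, as the Agent does
    compile_relay(r"^<(?<priority>\d{1,3})>\s*(?<message>(?<year>\d{2,4})-(?<month>\d{2})-(?<day>\d{1,2})T(?<hour>\d{1,2}):(?<minute>\d{1,2}):(?<seconds>\d{1,2})(?<utcoffset>[+-]?\d{2}:\d{2})\s+(?<hostidentifier>\S+)\s*.*)"),
    compile_relay(r"^<(?<priority>\d{1,3})>\s*(?<message>(?<month>[A-Za-z]{3})\s(?<day>\d{1,2})\s(?<year>\d{4}) (?<hour>\d{1,2}):(?<minute>\d{1,2}):(?<seconds>\d{1,2})(\s(?<utcoffset>\S+))?\s+(?<hostidentifier>\S+)\s*.*)"),
]
MONTHS = {m: i for i, m in enumerate("jan feb mar apr may jun jul aug sep oct nov dec".split(), 1)}
# Subset of the abbreviation table (hours east of UTC); UTC itself counts as +0.
TZ_ABBREV = {"UTC": 0, "CST": -6, "EST": -5, "CET": 1, "IST": 5.5, "AEST": 10, "NZDT": 13}
# Assumed labels: only USER:NOTE for <13> is confirmed by the page; the rest follow RFC 5424 names.
FACILITY = "KERN USER MAIL DAEMON AUTH SYSLOG LPR NEWS UUCP CRON AUTHPRIV FTP NTP AUDIT ALERT CLOCK".split() + [f"LOCAL{i}" for i in range(8)]
SEVERITY = ["EMERG", "ALERT", "CRIT", "ERR", "WARN", "NOTE", "INFO", "DEBUG"]
AGENT_TZ = timezone(timedelta(hours=10))                          # constructed: Agent runs at UTC+10
RECEIVED = datetime(2025, 9, 30, 3, 31, 30, tzinfo=timezone.utc)  # constructed syslog receive time

def parse_offset(text, agent_tz):
    """Map <utcoffset> to a tzinfo; no zone or an unknown name falls back to the Agent's zone."""
    if text is None:
        return agent_tz
    m = re.fullmatch(r"([+-])?(\d{2}):?(\d{2})", text)   # +HH:MM, -HH:MM, HHMM (unsigned = positive)
    if m:
        sign = -1 if m.group(1) == "-" else 1
        return timezone(sign * timedelta(hours=int(m.group(2)), minutes=int(m.group(3))))
    hours = TZ_ABBREV.get(text.upper())
    return agent_tz if hours is None else timezone(timedelta(hours=hours))

def preprocess(raw, source_ip, received=RECEIVED, agent_tz=AGENT_TZ):
    """Build the post-processed line: 'MM DD YYYY HH:MM:SS <ip> <FACILITY:SEVERITY> <message>'."""
    m = next(filter(None, (rx.match(raw) for rx in RELAY_REGEXES)), None)
    if m is None:   # every parser failed: fall back to receive time and source IP (assumed layout)
        return f"{received.astimezone(timezone.utc):%m %d %Y %H:%M:%S} {source_ip} {raw}"
    g = m.groupdict()
    month = MONTHS[g["month"].lower()] if g["month"].isalpha() else int(g["month"])
    year = int(g["year"]) if len(g["year"]) == 4 else 2000 + int(g["year"])   # 2-digit year: 20xx
    stamp = datetime(year, month, int(g["day"]), int(g["hour"]), int(g["minute"]), int(g["seconds"]),
                     tzinfo=parse_offset(g["utcoffset"], agent_tz))
    pri = int(g["priority"])
    label = f"<{FACILITY[pri // 8]}:{SEVERITY[pri % 8]}>" if pri <= 191 else f"<{pri}>"
    return f"{stamp.astimezone(timezone.utc):%m %d %Y %H:%M:%S} {source_ip} {label} {g['message']}"
```

For the third sample message (no time zone in the log), the Agent's UTC+10 zone is applied, so 02:18:02 on Jan 03 is recorded as 16:18:02 UTC on Jan 02.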
Supported Alphanumeric Time Zone Abbreviations
Abbreviation | Offset Used | Full Time Zone Name |
|---|---|---|
SST | -11 | Samoa Standard Time |
HST | -10 | Hawaii Standard Time |
AKST | -9 | Alaska Standard Time |
PST | -8 | Pacific Standard Time |
PDT | -7 | Pacific Daylight Time |
MST | -7 | Mountain Standard Time |
MDT | -6 | Mountain Daylight Time |
CST | -6 | Central Standard Time |
CDT | -5 | Central Daylight Time |
EST | -5 | Eastern Standard Time |
ECT | -5 | Ecuador Time |
AST | -4 | Atlantic Standard Time |
EDT | -4 | Eastern Daylight Time |
ART | -3 | Argentina Time |
ADT | -3 | Atlantic Daylight Time |
WT | 0 | Western Sahara Time |
BST | 1 | British Summer Time |
CET | 1 | Central European Time |
WAT | 1 | West Africa Time |
WST | 1 | Western Sahara Summer Time |
CEST | 2 | Central European Summer Time |
CAT | 2 | Central Africa Time |
EET | 2 | Eastern European Time |
SAST | 2 | South Africa Standard Time |
WAST | 2 | West Africa Summer Time |
EEST | 3 | Eastern European Summer Time |
EAT | 3 | East Africa Time |
MSK | 3 | Moscow Standard Time |
TRT | 3 | Turkey Standard Time |
IRST | 3.5 | Iran Standard Time |
GST | 4 | Gulf Standard Time |
IRDT | 4.5 | Iran Daylight Time |
PKT | 5 | Pakistan Standard Time |
IST | 5.5 | India Standard Time |
NPT | 5.75 | Nepal Time |
CCT | 6.5 | Cocos Islands Time |
WIB | 7 | Western Indonesian Time |
ICT | 7 | Indochina Time |
WITA | 8 | Central Indonesian Time |
SGT | 8 | Singapore Time |
HKT | 8 | Hong Kong Time |
MYT | 8 | Malaysia Time |
PHT | 8 | Philippine Time |
AWST | 8 | Australian Western Standard Time |
WIT | 9 | Eastern Indonesian Time |
JST | 9 | Japan Standard Time |
KST | 9 | Korea Standard Time |
ACST | 9.5 | Australian Central Standard Time |
CHST | 10 | Chamorro Standard Time (Guam) |
AEST | 10 | Australian Eastern Standard Time |
ACDT | 10.5 | Australian Central Daylight Time |
AEDT | 11 | Australian Eastern Daylight Time |
NZST | 12 | New Zealand Standard Time |
NZDT | 13 | New Zealand Daylight Time |