ee_lcpaa

asked on

SYSLOG message format

Hi all,

I am using SolarWinds Event Log Forwarder to send Windows logs to a Kiwi syslog server.
Below is one message extracted from the Kiwi syslog archive.

2016-12-07 18:47:23      User.Warning      main_dbserver      Dec 07 18:47:23 main_dbserver.xxx.com.hk MSWinEventLog      4      Application      31214      Wed Dec 07 18:47:23 2016      1000      VMware Tools      S-1-5-18      N/A      Warning      main_dbserver.xxx.com com.hk      0      [ warning] [vmsvc:autoUpgrade] vmx returned Autoupgrade is not supported for guest.initiateUpgradeAtShutdown.

The above message contains three timestamps.
May I know why there are three timestamps? Currently, I guess that the 1st timestamp is when the message was saved on the SYSLOG server.
The 2nd timestamp (no idea). The 3rd timestamp should be the Windows event log timestamp.

In addition, what is 31214? It seems that this is an internal ID, not useful.

Please advise. Thanks a lot.
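For anyone who needs to work with these archive lines programmatically, the following is an added example (not code from the question or from SolarWinds/Kiwi) that splits the Kiwi archive line into its tab-separated fields, pulls out all three timestamps and compares them, so that a gap between the forwarder's clock and the syslog server's clock shows up as a number rather than having to be eyeballed. The sample line is constructed from the message quoted above with the tab separators restored (they appear as runs of spaces on the page). The names given to the fields after the MSWinEventLog tag (criticality, log name, record counter, event time, event ID, source, ...) are an assumption based on the common MSWinEventLog layout; the thread itself does not name them.

```python
"""Parse a Kiwi Syslog archive line carrying a forwarded Windows event and
compare the three timestamps it contains (archive, syslog header, event)."""
import re
from datetime import datetime, timedelta

# Constructed sample: the message quoted in the question, tabs restored.
SAMPLE = (
    "2016-12-07 18:47:23\tUser.Warning\tmain_dbserver\t"
    "Dec 07 18:47:23 main_dbserver.xxx.com.hk MSWinEventLog\t4\tApplication\t31214\t"
    "Wed Dec 07 18:47:23 2016\t1000\tVMware Tools\tS-1-5-18\tN/A\tWarning\t"
    "main_dbserver.xxx.com com.hk\t0\t[ warning] [vmsvc:autoUpgrade] vmx returned "
    "Autoupgrade is not supported for guest.initiateUpgradeAtShutdown."
)

# RFC 3164-style header: "Mmm dd hh:mm:ss hostname tag"
HEADER_RE = re.compile(r"^(\w{3} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) (\S+) (\S+)$")

# ASSUMPTION: field names follow the common MSWinEventLog layout; the thread
# does not name these positions.
BODY_FIELDS = ["criticality", "log_name", "record_counter", "event_time",
               "event_id", "source", "user_sid", "sid_type", "event_type",
               "computer", "category", "description"]


def _parse_bsd_time(text, ref):
    """BSD syslog timestamps carry no year; borrow it from the archive timestamp
    and step back a year if that would place the message in the future
    (a Dec 31 message archived on Jan 1)."""
    t = datetime.strptime(text, "%b %d %H:%M:%S").replace(year=ref.year)
    if t - ref > timedelta(days=1):
        t = t.replace(year=ref.year - 1)
    return t


def parse_kiwi_line(line):
    """Return the archive fields, syslog header and Windows event fields."""
    parts = line.rstrip("\r\n").split("\t")
    if len(parts) < 4:
        raise ValueError("expected at least 4 tab-separated archive fields")
    received = datetime.strptime(parts[0], "%Y-%m-%d %H:%M:%S")   # 1st timestamp
    facility, severity = parts[1].split(".", 1)
    m = HEADER_RE.match(parts[3])
    if not m:
        raise ValueError("unrecognised syslog header: %r" % parts[3])
    sent_text, fqdn, tag = m.groups()                              # 2nd timestamp
    body = parts[4:]
    if len(body) < len(BODY_FIELDS):
        raise ValueError("too few event fields after %s tag" % tag)
    # The description may itself contain tabs, so everything past the fixed
    # fields is joined back into one string.
    n = len(BODY_FIELDS) - 1
    fields = dict(zip(BODY_FIELDS, body[:n] + ["\t".join(body[n:])]))
    event_time = datetime.strptime(fields["event_time"], "%a %b %d %H:%M:%S %Y")  # 3rd
    return {
        "received": received, "facility": facility, "severity": severity,
        "host": parts[2], "sent": _parse_bsd_time(sent_text, received),
        "fqdn": fqdn, "tag": tag, "event_time": event_time, "fields": fields,
    }


def timestamp_skew(rec):
    """Seconds between the clocks: forwarder vs. event, server vs. forwarder."""
    return {
        "forward_delay": (rec["sent"] - rec["event_time"]).total_seconds(),
        "transit_delay": (rec["received"] - rec["sent"]).total_seconds(),
    }


def skewed(rec, tolerance=60):
    """Deltas larger than the tolerance, i.e. a clock worth investigating."""
    return {k: v for k, v in timestamp_skew(rec).items() if abs(v) > tolerance}


if __name__ == "__main__":
    rec = parse_kiwi_line(SAMPLE)
    for key in ("received", "sent", "event_time"):
        print(key, rec[key])
    print(skewed(rec) or "clocks agree within tolerance")
```

In the quoted message all three clocks agree to the second; the `transit_delay` figure is the one that grows when the syslog server and the forwarding host drift apart, which matters when events from several hosts are later correlated by time.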
giltjr

My guess is one is from Kiwi, one is from the application forwarding the message to the syslog server, and one is from the application that generated the error message.

The 31214 is most likely the process id of the task that generated the error.
ASKER CERTIFIED SOLUTION
Dan McFadden

Any additional info on this question?

Dan