3.8.5. About a Management Interface Audit Logging Syslog Handler

A syslog handler specifies the parameters by which audit log entries are sent to a syslog server, specifically the syslog server's hostname and the port on which the syslog server is listening.
Sending audit logging to a syslog server provides more security options than logging to a local file or local syslog server. Multiple syslog handlers can be defined.
Syslog servers vary in their implementation, so not all settings are applicable to all syslog servers. Testing has been conducted using the rsyslog syslog implementation.

Table 3.8. Syslog Handler Attributes

Attribute Description Default Value
app-name The application name to add to the syslog records as defined in section 6.2.5 of RFC-5424. If not specified it will default to the name of the product. undefined
disabled-due-to-failure Takes the value true if this handler was disabled due to logging failures. false
facility The facility to use for syslog logging as defined in section 6.2.1 of RFC-5424, and section 4.1.1 of RFC-3164. USER_LEVEL
failure-count The number of logging failures since the handler was initialized. 0 (zero)
formatter The name of the formatter to use to format the log records. null
host The hostname of the syslog server. localhost
max-failure-count The maximum number of logging failures before disabling this handler. 10
max-length The maximum length of a log message (in bytes), including the header. If undefined, it will default to 1024 bytes if the syslog-format is RFC3164, or 2048 bytes if the syslog-format is RFC5424. undefined
port The port on which the syslog server is listening. 514
protocol The protocol to use for the syslog handler. Must be one and only one of udp, tcp or tls. null
syslog-format Syslog format: RFC-5424 or RFC-3164. RFC5424
truncate Whether or not a message, including the header, is to be truncated if the length in bytes is greater than the maximum length. If set to false messages will be split and sent with the same header values. false