Syslog

Events & Alarms

Writing Events and Alarms to the Linux Syslog is an optional feature of the applications running within the n2svcd framework. This feature is disabled by default, but can be enabled by adding the <syslog> element to the n2svcd.xml configuration file directly within the <n2svcd> element:

<?xml version="1.0" encoding="utf-8"?>
<n2svcd>
  <syslog enabled="1"/>

Other settings allow you to adjust the syslog identifier, and optionally include the process ID in the Syslog record. Refer to the n2svcd Configuration section for details.

When enabled, the Syslog output has the following format:

Apr 21 16:36:04 candyfloss n2svcd[274411]: [NTC|SV-SG-10042] {SIGTRAN|SigtranApp::Route|1}: Route on PC range '4114' to '4114' -> Connection 'Loopback'.
Apr 20 17:43:55 candyfloss n2svcd[139856]: [NTC|SV-LU-10305] {Logic} LuaLoader: Discarding unused LUA contexts after 300 seconds.

This format is intended to be human-read. It is not intended for automated parsing. For automated processing, we strongly recommend using the SNMP Traps which have a fixed interpretation and a non-ambiguous decoding structure.

Specifically, the syntax, order and/or the presence of specific fields in the Syslog body may be modified by site-specific settings, and/or adjusted in new software versions.

The fields in the output are:

  1. [syslog] The Date & Time,
  2. [syslog] The hostname,
  3. The syslog ident (with optional PID),
  4. The severity indicator,
  5. The alarm or event ID,
  6. The controlling application name,
  7. The source object class,
  8. The affected object label (optional),
  9. The message.

Date & Time

The date and time, added by the Syslog system. It is the time at which the event/alarm was written to the Syslog, which should be essentially identical to the time at which the alarm was generated.

It is in local time format MMM DD HH:MM:SS to the second.

Hostname

The short hostname, added by the Syslog system.

Syslog Ident

This is the Syslog Ident which defaults to n2svcd but may be configured to another value using the ident attribute of the <syslog> configuration element in n2svcd.xml.

By default this is appended with the generating process PID in [] square brackets, however this can be disabled using the pid attribute of the <syslog> configuration element in n2svcd.xml.

Severity Indicator

The severity indicator is a three-character string:

It is wrapped in [] square brackets along with the event/alarm ID, from which it is separated by a | vertical pipe.

Event / Alarm ID

The Event/Alarm ID is in format XX-YY-NNNNN where XX an YY are two-character alphanumerics which together indicate the originating module, and NNNNN is a unique five-digit number (with possible leading zeros) that uniquely identifies the nature of the event or alarm.

It is wrapped in [] square brackets along with the severity indicator, from which it is separated by a | vertical pipe.

The XX-YY-NNNNN event/alarm ID can be used in the on-line searchable Alarm Guide to find the associated event/alarm description, parameter description, and recommended action information.

Controlling Application Name

This is the name of the n2svcd Application which originated the message. This name is wrapped in {} curly braces together with the source object class and affected object label.

Where the originator is the n2svcd binary itself, the name n2svcd is substituted.

Source Object Class

This is the class name of the software object which originated the message. This class is wrapped in {} curly braces together with the controlling application name and affected object label.

In most cases this class name will be partially truncated for compactness by removing top-level path components.

When the originating object is not known, or where the originator is the n2svcd binary itself, the class name N2 is substituted.

The class heirarchy is separated by :: double colon characters.

The class is separated from the preceeding controlling application name by a | vertical pipe.

Affected Object Label

This is the name or other label of the software object which is affected by the message.
This class is wrapped in {} curly braces together with the controlling application name and source object class.

This label may be configured, or it may be automatically-assigned.

In most cases the affected object is also the source object. But this is not necessarily the case.

When the affected object is not known, or has no obvious label, this label is omitted.

When present, the label is separated from the preceeding source object class by a | vertical pipe.

Message

The message string follows. For multi-line strings, the Syslog uses the special character sequence #012 to denote the embedded newlines within the message.

Apr 20 17:43:55 candyfloss n2svcd[139864]: [NTC|DE-MO-10001] {IN Tester|TesterApp} This is a hypothetical multi-...#012...-line event message.

Debugging Traces

Debugging traces are never written to Syslog.