Syslog Message Format

The syslog message is sent from the device to a syslog server as an ASCII (American Standard Code for Information Interchange) message. Syslog uses UDP as its underlying transport layer mechanism. By default, UDP port 514 is assigned to syslog, but this can be changed (see Enabling Syslog).

Syslog includes two types of log messages:

SIP Call Session Logs: Logs relating to call sessions (e.g., call established). These logs are identified by a session ID ("SID"), described in detail in the table below. For example:
10:44:11.299 10.15.77.55 local0.notice [S=511941] [SID=50dcb2:31:12079] (N 483455) ReleaseAddress. IPv4IF=1 IPv6IF=-1 Port=7500 [Time:10-09@09:42:56.938]
Board Logs: Logs relating to the operation of the device (infrastructure) that are non-call (SIP) session related (e.g., device restart or Web login). These logs are identified by a board ID ("BID"), described in detail in the table below. For example:
20:05:36.055  10.15.7.96  local0.notice [S=16] [BID=50dcb2:31] Activity Log: Successful user login at 10.15.7.96:80. User: Admin. Session: Web (10.13.2.19) [Time:12-03@17:00:58.781] [1108]

The format of the syslog message is described in the following table:

Syslog Message Format Description

Message Item

Description

Receive Timestamp

The syslog message includes a timestamp that the syslog server adds to indicate when it received the message.

Example (in bold):

20:05:36.055  10.15.7.96 local0.notice [S=16] [BID=50dcb2:31] Activity Log: Successful user login at 10.15.7.96:80. User: Admin. Session: Web (10.13.2.19) [Time:12-03@17:00:58.781] [1108]

IP Address

The syslog message includes the IP address of the device, which generated the message.

Example (in bold):

20:05:36.055  10.15.7.96 local0.notice [S=16] [BID=50dcb2:31] Activity Log: Successful user login at 10.15.7.96:80. User: Admin. Session: Web (10.13.2.19) [Time:12-03@17:00:58.781] [1108]

Severity Type

The syslog message includes the severity level with which it was generated (in the format <FacilityCode.Severity>).

Example (in bold):

20:05:36.055  10.15.7.96 local0.notice [S=16] [BID=50dcb2:31] Activity Log: Successful user login at 10.15.7.96:80. User: Admin. Session: Web (10.13.2.19) [Time:12-03@17:00:58.781] [1108]

The severity level can be one of the following:

Error: Indicates that a problem has been identified that requires immediate handling.
Warning: Indicates an error that might occur if measures are not taken to prevent it.
Notice: Indicates that an unusual event has occurred.
Info: Indicates an operational message.
Debug: Messages used for debugging.

Note:

The Info and Debug severity messages are required only for advanced debugging. By default, the device doesn't send them.
Syslog messages displayed in the Web interface (see Viewing Syslog Messages) are color coded according to severity level.

Sequence Number
(S=)

By default, the device sequentially numbers generated syslog messages (in the format [S=<number>]). A skip in the number sequence of messages indicates packet loss (i.e., a network issue).

The following example shows two missing syslog messages, S=18 and S=19:

20:05:36.055  10.15.7.96 local0.notice [S=16] [BID=50dcb2:31] Activity Log: Successful user login at 10.15.7.96:80. User: Admin. Session: Web (10.13.2.19) [Time:12-03@17:00:58.781] [1108]
20:05:36.055  10.15.7.96 local0.notice [S=17] [BID=50dcb2:31] Activity Log: Successful user login at 10.15.7.96:80. User: Admin. Session: Web (10.13.2.19) [Time:12-03@17:00:58.781] [1108]
20:05:36.055  10.15.7.96 local0.notice [S=20] [BID=50dcb2:31] Activity Log: Successful user login at 10.15.7.96:80. User: Admin. Session: Web (10.13.2.19) [Time:12-03@17:00:58.781] [1111]

Note: You can exclude the sequence number from syslog messages, by configuring the 'CDR Syslog Sequence Number' parameter to Disable (see Configuring Syslog).

Session ID (SID)

The SID is a unique SIP call session and device identifier. The device identifier facilitates debugging by clearly identifying the specific device that sent the log message, which is especially useful in deployments consisting of multiple devices. In addition, the benefit of unique numbering is that it enables you to filter information (such as SIP, syslog, and media) according to device or session ID.

The syntax of the session and device identifiers is as follows:

[SID=<last 6 characters (3 lower bytes) of MAC address>:<number of times device has restarted>:<unique SID counter indicating the call session, which increments consecutively for each new session and resets to 1 after a device restart>]

Example (in bold):

10:44:11.299 10.15.77.55 local0.notice [S=511941] [SID=50dcb2:31:12079] (N 483455) ReleaseAddress. IPv4IF=1 IPv6IF=-1 Port=7500 [Time:10-09@09:42:56.938]

Where:

50dcb2 is the device's MAC address.
31 is the number of times that the device has restarted.
12079 is a unique SID session number (in other words, this is call session 12,079 since the last device restart).
Gateway application: A call session is considered as a Tel-to-IP leg or an IP-to-Tel leg, where each leg is assigned a unique session number.
SBC application: A session includes both the outgoing and incoming legs, where both legs share the same session number.
Forked legs and alternative legs share the same session number.

Startup Messages

Some syslog messages that are generated during a device restart (startup) include "[SUp]".

Example (in bold):

03/19 12:43:43.539  10.4.4.65  local0.debug   [S=93] [SUp][BID=667402:93]  CreateTpappSymbolTable(): symbol tables at 0x7f0a3006f038 [Time:19-03@21:44:35.084] [17]

Board ID (BID)

Some syslog messages include a BID value. The BID is a unique non-SIP session related (e.g., device restart) and device identifier. The BID value is similar to the SID (above), except that it doesn't contain the session ID. The device identifier facilitates debugging by clearly identifying the specific device that sent the log message, which is especially useful in deployments consisting of multiple devices. In addition, the benefit of unique numbering is that it enables you to filter information according to device.

The syntax of the BID is as follows:

[BID=<last 6 characters (3 lower bytes) of MAC address >:<number of times device has restarted>]

Example (in bold):

20:05:36.055  10.15.7.96  local0.notice [S=16] [BID=50dcb2:31] Activity Log: Successful user login at 10.15.7.96:80. User: Admin. Session: Web (10.13.2.19) [Time:12-03@17:00:58.781] [1108]

Where:

50dcb2 is the device's MAC address.
31 is the number of times that the device has restarted.

Message Body

The syslog message includes a message body which describes the message.

For example, the body (in bold) of the following syslog message indicates that the user logged out of the Web interface:

20:05:36.055  10.15.7.96  local0.notice [S=16] [BID=50dcb2:31] Activity Log: Successful user login at 10.15.7.96:80. User: Admin. Session: Web (10.13.2.19) [Time:12-03@17:00:58.781] [1108]

Transmit Timestamp

Some syslog messages include a timestamp that indicates when the device sent the syslog message. This timestamp is typically only included in syslog messages that are related to the device's software application.

Example (in bold):

20:05:36.055  10.15.7.96  local0.notice [S=16] [BID=50dcb2:31] Activity Log: Successful user login at 10.15.7.96:80. User: Admin. Session: Web (10.13.2.19) [Time:12-03@17:00:58.781] [1108]

Sequence Number per Process

The syslog message includes a sequence number per application process. This number appears at the end of the syslog message. A skip in the number indicates an internal (not network issue) loss of message(s) by the device's application process (i.e., didn't send the message, for whatever reason). This number is typically used by AudioCodes for debugging.

Example (in bold):

20:05:36.055  10.15.7.96  local0.notice [S=16] [BID=50dcb2:31] Activity Log: Successful user login at 10.15.7.96:80. User: Admin. Session: Web (10.13.2.19) [Time:12-03@17:00:58.781] [1108]

Note: The sequence number only appears in syslog messages that relate to the device's application process.