The following variables are available for scripts used with Kiwi Syslog Server. Variables are passed to and from the script. Depending on the read/write permissions you set for the action or scheduled task, the variables can be modified and returned for use in the syslog program.
The variables are passed via a globally accessible object named "Fields." To access a variable, simply prefix the word "Fields." to the variable name.
| Details | The Facility value of the message. |
| Type | Integer (0-32767) |
| Range | 0 to 23. Click here for a list of facilities. |
| Details | The level value of the message. |
| Type | Integer (0-32767) |
| Range | 0 to 7. Click here for a list of levels. |
| Details | The input source of the message. |
| Type | Integer (0-32767) |
| Range | 0 to 4. 0=UDP, 1=TCP, 2=SNMP, 3 = KeepAlive, 4 = TLS/Syslog |
| Details |
The IP address of the sending device in nnn.nnn.nnn.nnn format. If the message has been forwarded from another syslog collector, this value contains the original sender's address. Case A: Firewall device (192.168.1.1) ---> First syslog collector (192.168.1.2) ---> This syslog collector (192.168.1.3). The field value would be 192.168.1.1. Case B: Firewall device (192.168.1.1) ---> This syslog collector (192.168.1.3). The field value would be 192.168.1.1. |
| Type | String |
| Format | nnn.nnn.nnn.nnn (Values are not zero padded.) |
| Example | 192.168.1.67 |
| Details | The host name of the sending device. This field will only contain resolved host name if the DNS lookup options are enabled and the lookup was successful. Otherwise it will contain the same value as VarPeerAddress in the format nnn.nnn.nnn.nnn. The name identifies the host portion of the fully qualified domain name (FQDN), it does not contain the domain suffix. |
| Type | String |
| Format | myhost |
| Details |
The domain name portion of the resolved FQDN. This is just the domain suffix, it does not contain the hostname. This field will only contain a value if the DNS lookup options are enabled and the lookup was successful. Otherwise it will contain an empty string (""). |
| Type | String |
| Format | mydomain.com |
| Details | The message text after it has been modified (for example, header removed, DNS lookups, original address removed, and Cisco date removed). |
| Type | String |
| Example | %SEC-6-IPACCESSLOGP: list 101 denied udp 10.0.0.3 (firewall) (137) -> 216.7.14.105 (webserver.company. com) (137), 1 packet |
| Details | The date the message was received |
| Type | String (10 bytes) |
| Format | YYYY-MM-DD |
| Example | 2005-03-17 |
| Details | The time the message was received |
| Type | String (8 bytes) |
| Format | HH:MM:SS |
| Example | 23:10:04 |
| Details | The time the message was received in milliseconds past the second. |
| Type | String (3 bytes) |
| Range | 000 to 999 |
| Format | nnn (three bytes, zero padded) |
| Details |
The IP address of the device, or the closest collector that sent the message. Case A: Firewall device (192.168.1.1) ---> First syslog collector (192.168.1.2) ---> This syslog collector (192.168.1.3) The field value would be 192.168.1.2. Case B: Firewall device (192.168.1.1) ---> This syslog collector (192.168.1.3) The field value would be 192.168.1.3. |
| Type | String |
| Format | nnn.nnn.nnn.nnn (Values are not zero padded.) |
| Example | 192.168.1.67 |
| Details |
The IP address of the device that sent the message converted to an 8 digit hex value. The hex address is used for the IP Mask and IP Range filters. If you are making changes to the VarPeerIPAddress and want to use the IP Mask or Range filters, you must also make changes to the VarPeerAddressHex field. |
| Type | String (8 bytes) |
| Range | 00000000 to FFFFFFFF |
| Example | C0A80102 (192.168.1.2 converted to 2 byte zero padded hex) |
| Details | The UDP/TCP port that the message was sent from. |
| Type | Integer (0-65535) |
| Range | 0 to 65535 |
| Typically | A value greater than 1023 |
| Details | The IP address that the message was sent to on this machine. |
| Type | String |
| Examples | 127.0.0.1, 192.0.2.0 |
| Details | The local machine UDP/TCP port that received the message |
| Type | Integer (0-65535) |
| Range | 0 to 65535 |
| Typically | 514 for UDP, 1468 for TCP, 162 for SNMP |
| Details | The message priority value. |
| Type | Integer (0-32767) |
| Range | 0 to 191 |
| Details |
The message as it was received before modification (includes <pri> tag, original address, etc.). This field is read only. Changing the field within the script will not modify the equivalent program variable. |
These fields are dynamic and are cleared with each new message. These fields can be used to hold the results of your script so they can be used in Log to file or Log to Database actions. The fields can also be passed to actions as parameters using the %VarCustom01 Insert message content or counter option or via the AutoSplit syntax. A good use for these fields would be breaking a message up into separate fields via the script and then logging them to file or database in the separate fields.
There are 16 custom fields available. Values from 1 to 9 are zero padded (VarCustom01 not VarCustom1).
These fields are static and do not change with each message. These fields can be used to pass values from one script to another or hold values for modification by the same script at a later time. The values can also be passed to actions as parameters using the %VarGlobal01 Insert message content or counter option or via the AutoSplit syntax.
There are 16 global fields available. Values from 1 to 9 are zero padded (VarGlobal01 not VarGlobal1).
These fields are static and do not change with each message. These fields can be used to hold your own custom statistics and counters. The values can also be passed to actions as parameters using the % VarStats01 Insert message content or counter option.
The current field values can be viewed from the Statistics view window under the Counters tab. The custom stats are also included in the daily statistics e-mail.
The names and initial values of the Statistics fields can be set from the Scripting option
There are 16 custom statistics fields available. Values from 1 to 9 are zero padded (VarStats01 not VarStats1).
Fields.VarStats01 to Fields.VarStats16
| Details | This field can be set to determine what occurs after the script has been run. A value of 0 means the program continues on to the next action in the rule. A value of 1 to 99 means skip the next n actions within this rule (1=skip the next 1 action, 3=skip the next 3 actions). A value of 100 means jump to the next rule. A value of 1000 means skip all rules and stop processing this message. A value of 0 is assumed if no value is set. |
| Type | Integer (0-32767) Range: 0 to 1000 |
| Enum | 0=No skip, 1-99=skip next n actions, 100=skip to next rule, 1000=stop processing message |
| Details | The number of seconds elapsed since midnight |
| Type | Long (0-2 billion) |
| Range | 0 to 86400 |
| Details | The number of seconds elapsed since the program was started. |
| Type | Long (0-2 billion) |