Specifications
120 MDS Orbit MCR-4G Technical Manual MDS 05-6628A01, Rev. A
A valid CEE JSON Event Record used with a “legacy” Syslog transport:
<0>Dec 20 12:42:20 syslog-relay process[35]: @cee: {"crit":123,"id":"abc","appname":"application","pname":"auth","pid":123,"host":"system.example.com","pri":10,"time":"2011-12-20T12:38:05.123456-05:00","action":"login","domain":"app","object":"account","service":"web","status":"success"}
The following example shows a series of events that may be generated by a host requesting an IP for
its eth0 interface from a DHCP server (Syslog header left off for brevity, and formatted for clarity):
DHCP Request sent to the server:
@cee: {
  "host":"stout",
  "pname":"my_appname",
  "time":"2012-08-22T11:20:10.559227-04:00",
  "action":"request",
  "domain":"net",
  "object":"interface",
  "service":"dhcp_client",
  "status":"ongoing",
  "event":"dhcp_client",
  "interface_name":"eth0",
  "profile":"http://gemds.com/cee_profile/1.0beta1.xsd"
}
DHCP Response from server, assigning the IP 192.168.2.3:
@cee: {
  "host":"stout",
  "pname":"my_appname",
  "time":"2012-08-22T11:20:10.559748-04:00",
  "action":"request",
  "domain":"net",
  "object":"interface",
  "service":"dhcp_client",
  "status":"success",
  "ipv4":"192.168.2.3",
  "event":"dhcp_client",
  "interface_name":"eth0",
  "profile":"http://gemds.com/cee_profile/1.0beta1.xsd"
}
The body of syslog messages of type “alert” is specified using RFC 5425 type key/value pairs. A few
additional fields are also present.
syslog PRIVAL
The “PRIVAL” field of the syslog “HEADER” shall be set to 113 for alerts and between 104 and 111 for
auditable events.
syslog APP-NAME
The “APP-NAME” field of the “HEADER” specified in the syslog RFC shall be set to “csmgr”.
RFC 5424 states: “The APP-NAME field SHOULD identify the device or application that originated the
message.” Here, the semantics of the field have changed from the application that originated the event to
the application that should receive the event.
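The following is an added example, not taken from the manual, of how a log receiver could apply the PRIVAL rule above and extract the @cee: payload shown earlier. The function names and sample lines are constructed for illustration; the relation PRIVAL = facility * 8 + severity comes from RFC 5424.

```python
import json
import re

PRI_RE = re.compile(r"^<(\d{1,3})>")   # leading <PRIVAL>, legacy or RFC 5424 framing
CEE_COOKIE = "@cee:"

def classify_prival(prival):
    """Split PRIVAL into facility/severity and map it to the manual's classes."""
    if not 0 <= prival <= 191:
        raise ValueError(f"PRIVAL out of range: {prival}")
    facility, severity = divmod(prival, 8)   # PRIVAL = facility * 8 + severity
    if prival == 113:
        kind = "alert"    # facility 14 (log alert), severity 1
    elif 104 <= prival <= 111:
        kind = "audit"    # facility 13 (log audit), severity 0-7
    else:
        kind = "other"
    return {"facility": facility, "severity": severity, "kind": kind}

def parse_record(line):
    """Return the PRIVAL classification plus the decoded CEE event, if present."""
    m = PRI_RE.match(line)
    if not m:
        raise ValueError("missing <PRIVAL> prefix")
    record = classify_prival(int(m.group(1)))
    record.update(cee=None, malformed=False)
    _, cookie, payload = line.partition(CEE_COOKIE)
    if cookie:
        try:
            event = json.loads(payload)
        except json.JSONDecodeError:
            event = None
        record["cee"] = event if isinstance(event, dict) else None
        record["malformed"] = record["cee"] is None   # cookie seen, payload unusable
    return record

# Constructed sample lines (header fields are illustrative, not device output).
SAMPLES = [
    '<113>1 2012-08-22T11:20:10.559748-04:00 stout csmgr - - - example alert body',
    '<106>1 2012-08-22T11:20:10.559748-04:00 stout csmgr - - - @cee: {"host":"stout","status":"success","ipv4":"192.168.2.3"}',
    '<0>Dec 20 12:42:20 syslog-relay process[35]: @cee: {"action":"login","status":"success"}',
    '<106>1 2012-08-22T11:20:10.559748-04:00 stout csmgr - - - @cee: {"profile":http://unquoted}',
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(parse_record(line))
```

A record whose @cee: cookie is followed by text that is not a JSON object is returned with "malformed" set, so the receiver can log or quarantine it instead of failing.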