Get-Syslog Cmdlet
The Get-Syslog component is used to receive network system log packets.
Syntax
Get-Syslog [parameters]
Remarks
The Syslog cmdlet implements a lightweight BSD syslog server as specified in RFC 3164. The cmdlet is used to receive BSD system network logging packets.
To use the Syslog cmdlet you must specify a LocalPort value. Optionally, you can also set the Time property to the number of seconds that the cmdlet should listen for incoming syslog messages. Setting LocalIP binds the cmdlet to the specified local interface, which is useful when more than one network interface is available on the local host. For each packet, the cmdlet parses the header and message and returns an IncomingSyslog object.
The cmdlets support pipeline input for some of their parameters. Prebuilding an object and piping it to the cmdlet is very useful, but should be used with caution to prevent security conflicts. Steps have been taken to decrease the risk of an accidental pipe to the cmdlet; for instance, the Credential parameter cannot be piped to the cmdlet and must be specified manually.
#receive syslog packets for 20 seconds
get-syslog -time 20
Parameter List
The following is the full list of the parameters of the cmdlet with short descriptions.
Parameter | Description |
Config | Specifies one or more configuration settings. |
LocalIP | The IP address of the local interface to use. |
LocalPort | The local port that the component should use. |
LogFile | The location of a file to which debug information is written. |
Time | Specifies the time that the Syslog daemon should wait for incoming UDP datagrams. |
Output Objects
The following is the full list of the output objects returned by the cmdlet with short descriptions.
Output Object | Description |
IncomingSyslog | Created whenever a system log packet is received. |
Config Settings
The following is a list of config settings for the cmdlet with short descriptions, grouped as in the detailed sections below.
Syslog Config Settings
Setting | Description |
AcceptData | Whether the component can accept/receive data. |
AppName | Sets the App-Name field in RFC 5424. |
DelayHostResolution | Whether the hostname is resolved when RemoteHost is set. |
MsgId | Sets the MsgId field in RFC 5424. |
ProcId | Sets the ProcId field in RFC 5424. |
ReceivedAppName | Returns the value of the App-Name field in RFC 5424. |
ReceivedMsgId | Returns the value of the MsgId field in RFC 5424. |
ReceivedProcId | Returns the value of the ProcId field in RFC 5424. |
ReceivedSDElementCount | Returns the number of Structured-Data elements in RFC 5424. |
ReceivedSDElementId | Returns the SD-ID value of the SD-ELEMENT with the specified SDElementIndex in RFC 5424. |
ReceivedSDElementIndex | Returns the index of the Structured-Data element in RFC 5424. |
ReceivedSDParamCount | Returns the number of SD-PARAM values for the specified SDElementIndex in RFC 5424. |
ReceivedSDParamName | Returns the name of the SD-PARAM field in RFC 5424. |
ReceivedSDParamValue | Returns the value of the SD-PARAM field in RFC 5424. |
SDElementCount | Sets the number of Structured-Data elements in RFC 5424. |
SDElementId | Sets the SD-ID value of the SD-ELEMENT with the specified SDElementIndex in RFC 5424. |
SDElementIndex | Sets the index of the Structured-Data element in RFC 5424. |
SDParamCount | Sets the number of SD-PARAM values for the specified SDElementIndex in RFC 5424. |
SDParamName | Sets the name of the SD-PARAM field in RFC 5424. |
SDParamValue | Sets the value of the SD-PARAM field in RFC 5424. |
TCPMessageDelimiter | The message delimiter to use (if any) when sending and receiving over TCP. |
UseHostname | Determines if the local host name or IP address is used in the Syslog header. |
UseLocalTime | Indicates whether to use local time or GMT time for packet timestamps. |
Version | Determines which Syslog version to use. |
UDP Config Settings
Setting | Description |
CaptureIPPacketInfo | Used to capture the packet information. |
DelayHostResolution | Whether the hostname is resolved when RemoteHost is set. |
DestinationAddress | Used to get the destination address from the packet information. |
DontFragment | Used to set the Don't Fragment flag of outgoing packets. |
LocalHost | The name of the local host through which connections are initiated or accepted. |
LocalPort | The port in the local host where the component binds. |
MaxPacketSize | The maximum length of the packets that can be received. |
QOSDSCPValue | Used to specify an arbitrary QOS/DSCP setting (optional). |
QOSTrafficType | Used to specify QOS/DSCP settings (optional). |
ShareLocalPort | If set to True, allows more than one instance of the component to be active on the same local port. |
UseConnection | Determines whether to use a connected socket. |
UseIPv6 | Whether or not to use IPv6. |
Socket Config Settings
Setting | Description |
AbsoluteTimeout | Determines whether timeouts are inactivity timeouts or absolute timeouts. |
FirewallData | Used to send extra data to the firewall. |
InBufferSize | The size in bytes of the incoming queue of the socket. |
OutBufferSize | The size in bytes of the outgoing queue of the socket. |
Base Config Settings
Setting | Description |
BuildInfo | Information about the product's build. |
CodePage | The system code page used for Unicode to Multibyte translations. |
LicenseInfo | Information about the current license. |
MaskSensitive | Whether sensitive data is masked in log messages. |
UseInternalSecurityAPI | Tells the component whether or not to use the system security libraries or an internal implementation. |
LogFile Parameter (Get-Syslog Cmdlet)
The location of a file to which debug information is written.
Syntax
Get-Syslog -LogFile string
Remarks
When specified, the cmdlet will log debug information to the file. If the file exists, the information will be appended.
Default Value
null
Config Property (Get-Syslog Cmdlet)
Specifies one or more configuration settings.
Syntax
Get-Syslog -Config string[]
Remarks
The Config parameter takes one or more name-value pairs that represent the name of the configuration setting and value, i.e.: -config "Name=Value"
Default Value
null
LocalIP Property (Get-Syslog Cmdlet)
The IP address of the local interface to use.
Syntax
Get-Syslog -LocalIP string
Remarks
This parameter is useful when the cmdlet is running on a machine that has more than one network interface (each with its own IP address and network access privileges).
Default Value
""
Parameter Alias
LocalAddress
LocalPort Property (Get-Syslog Cmdlet)
The local port that the component should use.
Syntax
Get-Syslog -LocalPort int
Remarks
If set to 0, the cmdlet will pick the first available port.
Default Value
514
LogFile Property (Get-Syslog Cmdlet)
The location of a file to which debug information is written.
Syntax
Get-Syslog -LogFile string
Remarks
When specified, the cmdlet will log debug information to the file. If the file exists, the information will be appended.
Default Value
""
Time Property (Get-Syslog Cmdlet)
Specifies the time that the Syslog daemon should wait for incoming UDP datagrams.
Syntax
Get-Syslog -Time int
Remarks
The duration (in seconds) for which you wish the cmdlet to receive Syslog datagrams. If this property is set to 0 (default) the cmdlet will listen indefinitely.
Default Value
0
Parameter Alias
Active
IncomingSyslog Output Object (Get-Syslog Cmdlet)
Created whenever a system log packet is received.
Syntax
Object IncomingSyslog {
    string Server;
    string Facility;
    string Severity;
    string Message;
    int SeverityCode;
    string Timestamp;
    bool Conforms;
    string Packet;
    string SourceAddress;
    int SourcePort;
}
Remarks
System log packets are composed of three main sections, each of which can be broken down into two smaller pieces.
The first section is the PRI, which contains the originating FacilityCode and SeverityCode of the Message. FacilityCode is a value from 0 to 23, with each value being a different part of the system. Facility is a string representation of FacilityCode based on the following convention:
FacilityCode | Facility |
0 | Kernel messages |
1 | User-level messages |
2 | Mail system |
3 | System daemons |
4 | Security/authorization messages |
5 | Messages generated internally by syslogd |
6 | Line printer subsystem |
7 | Network news subsystem |
8 | UUCP subsystem |
9 | Clock daemon |
10 | Security/authorization messages |
11 | FTP daemon |
12 | NTP subsystem |
13 | Log audit |
14 | Log alert |
15 | Clock daemon |
16 | Local use |
17 | Local use |
18 | Local use |
19 | Local use |
20 | Local use |
21 | Local use |
22 | Local use |
23 | Local use |
SeverityCode is a value from 0 to 7, and Severity is its string representation based on the following convention:
SeverityCode | Severity |
0 | Emergency - the system is unusable. |
1 | Alert - action must be taken immediately. |
2 | Critical - critical conditions exist. |
3 | Error - error conditions exist. |
4 | Warning - warning conditions exist. |
5 | Notice - normal but significant condition. |
6 | Informational - informative message. |
7 | Debug - debug-level messages. |
The second section contains the Timestamp and Hostname. Timestamp is a string that should conform to the standard structure "MMM DD, HH:MM:SS". The cmdlet will search for the Timestamp and verify that it conforms. If it conforms, the cmdlet will set Hostname, otherwise, everything after the PRI will be placed in Message.
If Conforms is TRUE, then the original syslog packet conforms to the syslog RFC and Timestamp, Hostname, and Message will all have valid values. Otherwise, you should parse the contents of Packet to verify the fields manually.
SourceAddress and SourcePort are the address and port from which Packet was sent. This can be an intermediate syslog server that is simply forwarding packets from the original host.
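The parsing rules described above, written out as an added PowerShell example (this is not code from the cmdlet's documentation): Parse-SyslogPacket is this example's own function, intended for the Packet field of an IncomingSyslog object whose Conforms flag is false, so that the PRI, timestamp and hostname can be checked by hand as the Remarks suggest. The timestamp pattern accepts the RFC 3164 form "Mmm dd hh:mm:ss" with or without a comma after the day. The interface address 192.0.2.10 in the pipeline at the end is a constructed placeholder.

```powershell
# FacilityCode -> Facility, in the order of the table above.
$script:FacilityNames = @(
    'Kernel messages', 'User-level messages', 'Mail system', 'System daemons',
    'Security/authorization messages', 'Messages generated internally by syslogd',
    'Line printer subsystem', 'Network news subsystem', 'UUCP subsystem',
    'Clock daemon', 'Security/authorization messages', 'FTP daemon',
    'NTP subsystem', 'Log audit', 'Log alert', 'Clock daemon',
    'Local use', 'Local use', 'Local use', 'Local use',
    'Local use', 'Local use', 'Local use', 'Local use'
)
# SeverityCode -> Severity.
$script:SeverityNames = @('Emergency', 'Alert', 'Critical', 'Error',
                          'Warning', 'Notice', 'Informational', 'Debug')

function Parse-SyslogPacket {
    # Example function (not part of the cmdlet): applies the RFC 3164 rules to a raw packet.
    param(
        [Parameter(Mandatory)][string]$Packet,
        [string]$SourceAddress = ''   # carried through from IncomingSyslog when available
    )
    $r = [ordered]@{
        FacilityCode = $null; Facility = $null; SeverityCode = $null; Severity = $null
        Timestamp = $null; Hostname = $null; Message = $Packet
        Conforms = $false; Packet = $Packet; SourceAddress = $SourceAddress
    }

    # PRI is '<' 1-3 digits '>' at the very start; 191 is the largest valid value
    # (facility 23, severity 7). Anything else leaves the whole packet in Message.
    if ($Packet -match '(?s)^<(\d{1,3})>(.*)$' -and [int]$Matches[1] -le 191) {
        $pri  = [int]$Matches[1]
        $rest = $Matches[2]
        $r.FacilityCode = [int][math]::Floor($pri / 8)
        $r.SeverityCode = $pri -band 7
        $r.Facility = $script:FacilityNames[$r.FacilityCode]
        $r.Severity = $script:SeverityNames[$r.SeverityCode]
        $r.Message  = $rest

        # TIMESTAMP 'Mmm dd hh:mm:ss' (day space-padded, zero-padded also accepted)
        # followed by HOSTNAME. If the header does not match, everything after the
        # PRI stays in Message and Conforms stays $false.
        $hdr = '(?s)^(?<ts>(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec) ' +
               '(?: [1-9]|0[1-9]|[12]\d|3[01]),? \d\d:\d\d:\d\d) (?<host>\S+) (?<msg>.*)$'
        if ($rest -match $hdr) {
            $r.Timestamp = $Matches['ts']
            $r.Hostname  = $Matches['host']
            $r.Message   = $Matches['msg']
            $r.Conforms  = $true
        }
    }
    return [pscustomobject]$r
}

# Constructed datagrams to exercise the parser without a network.
Parse-SyslogPacket -Packet "<34>Oct 11 22:14:15 mymachine su: 'su root' failed for lonvick on /dev/pts/8"
Parse-SyslogPacket -Packet 'no PRI at all, just text'

# Usage with Get-Syslog: bind to one interface (address constructed), listen for 30 s,
# hand-parse anything the cmdlet could not, then keep messages of severity Error or worse.
Get-Syslog -LocalIP '192.0.2.10' -LocalPort 514 -Time 30 |
    ForEach-Object {
        if ($_.Conforms) { $_ }
        else { Parse-SyslogPacket -Packet $_.Packet -SourceAddress $_.SourceAddress }
    } |
    Where-Object { $null -ne $_.SeverityCode -and $_.SeverityCode -le 3 } |
    Sort-Object SourceAddress |
    Format-Table SourceAddress, Facility, Severity, Timestamp, Message -AutoSize
```

The first constructed packet carries PRI 34, which is facility 4 (Security/authorization messages) and severity 2 (Critical) because 34 = 4 * 8 + 2; the second has no PRI and is returned with Conforms false and the whole text in Message. Because SourceAddress may be a forwarding relay rather than the originating host (see above), the Hostname parsed from the packet and the SourceAddress should be kept as separate fields when correlating events.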
Config Settings (Get-Syslog Cmdlet)
The cmdlet accepts one or more of the following configuration settings. Configuration settings are similar in functionality to properties, but they are rarely used. In order to avoid "polluting" the property namespace of the cmdlet, access to these internal properties is provided through the Config method.
Syslog Config Settings
The default is true.
Note: This setting is only applicable when Version is set to 1 (RFC 5424)
The default value is false for the default library and true for the Async library. The default value is false.
Note: This setting is only applicable when Version is set to 1 (RFC 5424)
Note: This setting is only applicable when Version is set to 1 (RFC 5424)
This setting is applicable when receiving messages.
Note: This setting is only applicable when Version is set to 1 (RFC 5424)
This setting is applicable when receiving messages.
Note: This setting is only applicable when Version is set to 1 (RFC 5424)
This setting is applicable when receiving messages.
Note: This setting is only applicable when Version is set to 1 (RFC 5424)
This setting is applicable when receiving messages.
Note: This setting is only applicable when Version is set to 1 (RFC 5424)
This setting is applicable when receiving messages.
Note: This setting is only applicable when Version is set to 1 (RFC 5424)
This setting is applicable when receiving messages.
Note: This setting is only applicable when Version is set to 1 (RFC 5424)
This setting is applicable when receiving messages.
Note: This setting is only applicable when Version is set to 1 (RFC 5424)
This setting is applicable when receiving messages.
Note: This setting is only applicable when Version is set to 1 (RFC 5424)
This setting is applicable when receiving messages.
Note: This setting is only applicable when Version is set to 1 (RFC 5424)
The example below demonstrates how to obtain the structured data information from a received message:
// Number of SD-ELEMENTs in the message just received
int ReceivedSDElementCount = Int32.Parse(syslog.Config("ReceivedSDElementCount"));
for (int i = 0; i < ReceivedSDElementCount; i++)
{
    // Select the element; the ReceivedSDParam* settings then refer to it
    syslog.Config("ReceivedSDElementIndex=" + i.ToString());
    int ReceivedSDParamCount = Int32.Parse(syslog.Config("ReceivedSDParamCount"));
    for (int j = 0; j < ReceivedSDParamCount; j++)
    {
        Console.WriteLine("Param Name: " + syslog.Config("ReceivedSDParamName[" + j.ToString() + "]"));
        Console.WriteLine("Param Value: " + syslog.Config("ReceivedSDParamValue[" + j.ToString() + "]"));
    }
}
Note: This setting is only applicable when Version is set to 1 (RFC 5424)
Note: This setting is only applicable when Version is set to 1 (RFC 5424)
Note: This setting is only applicable when Version is set to 1 (RFC 5424)
Note: This setting is only applicable when Version is set to 1 (RFC 5424)
Note: This setting is only applicable when Version is set to 1 (RFC 5424)
Note: This setting is only applicable when Version is set to 1 (RFC 5424)
The example below demonstrates how to set the Struct-Data configs:
// Two SD-ELEMENTs; select each by index before setting its SD-ID and parameters
syslog.Config("SDElementCount=2");
syslog.Config("SDElementIndex=0");
syslog.Config("SDElementId=examplePriority@32473");
syslog.Config("SDParamCount=1");
syslog.Config("SDParamName[0]=class");
syslog.Config("SDParamValue[0]=high");
syslog.Config("SDElementIndex=1");
syslog.Config("SDElementId=exampleSDID@32473");
syslog.Config("SDParamCount=2");
syslog.Config("SDParamName[0]=iut");
syslog.Config("SDParamValue[0]=3");
syslog.Config("SDParamName[1]=eventSource");
syslog.Config("SDParamValue[1]=Application");
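The two examples above read and write structured data element by element through the Config method. As an added PowerShell example (not code from the cmdlet's documentation), the following parses an RFC 5424 packet directly, including the STRUCTURED-DATA part, so the SD-ID and SD-PARAM values exposed by the Received* settings can be verified against the raw Packet string, and so the escaping rules for PARAM-VALUE (only `"`, `\` and `]` are escaped with a backslash) are handled explicitly. Parse-Syslog5424 and Read-SDElements are this example's own names; the sample message is constructed and reuses the SD-IDs from the setter example.

```powershell
function Read-SDElements {
    # Example scanner (not part of the cmdlet): reads STRUCTURED-DATA starting at
    # $Offset and returns the elements found plus the offset just past them.
    param([string]$Text, [int]$Offset)
    $elements = New-Object System.Collections.Generic.List[object]
    $i = $Offset
    # NILVALUE: a single '-' means no structured data.
    if ($i -lt $Text.Length -and $Text[$i] -eq '-') { return @{ Elements = $elements; End = $i + 1 } }
    while ($i -lt $Text.Length -and $Text[$i] -eq '[') {
        $i++
        $start = $i
        while ($i -lt $Text.Length -and $Text[$i] -ne ' ' -and $Text[$i] -ne ']') { $i++ }
        $sdId = $Text.Substring($start, $i - $start)
        $params = New-Object System.Collections.Generic.List[object]
        while ($i -lt $Text.Length -and $Text[$i] -eq ' ') {
            $i++
            $start = $i
            while ($i -lt $Text.Length -and $Text[$i] -ne '=') { $i++ }
            $name = $Text.Substring($start, $i - $start)
            if ($i + 1 -ge $Text.Length -or $Text[$i + 1] -ne '"') { throw "SD-PARAM '$name' in [$sdId] has no quoted value" }
            $i += 2
            $sb = New-Object System.Text.StringBuilder
            while ($i -lt $Text.Length -and $Text[$i] -ne '"') {
                # Only '"', '\' and ']' are escaped in PARAM-VALUE; any other backslash is literal.
                if ($Text[$i] -eq '\' -and $i + 1 -lt $Text.Length -and '"\]'.IndexOf($Text[$i + 1]) -ge 0) { $i++ }
                [void]$sb.Append($Text[$i])
                $i++
            }
            if ($i -ge $Text.Length) { throw "Unterminated PARAM-VALUE for '$name' in [$sdId]" }
            $i++   # closing quote
            $params.Add([pscustomobject]@{ Name = $name; Value = $sb.ToString() })
        }
        if ($i -ge $Text.Length -or $Text[$i] -ne ']') { throw "SD-ELEMENT [$sdId] is not closed" }
        $i++
        $elements.Add([pscustomobject]@{ SdId = $sdId; Params = $params })
    }
    if ($elements.Count -eq 0) { throw "STRUCTURED-DATA must be '-' or one or more [SD-ELEMENT]s" }
    return @{ Elements = $elements; End = $i }
}

function Parse-Syslog5424 {
    # Example parser (not part of the cmdlet) for the RFC 5424 HEADER, STRUCTURED-DATA and MSG.
    param([Parameter(Mandatory)][string]$Packet)
    # HEADER: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID, each field '-' when absent.
    $header = '^<(?<pri>\d{1,3})>(?<ver>[1-9]\d{0,2}) (?<ts>\S+) (?<host>\S+) (?<app>\S+) (?<proc>\S+) (?<msgid>\S+) '
    if ($Packet -notmatch $header) { throw 'Not an RFC 5424 header' }
    $h   = $Matches
    $pri = [int]$h['pri']
    $sd  = Read-SDElements -Text $Packet -Offset $h[0].Length
    # MSG, if present, follows the structured data after one space.
    $msg = if ($sd.End -lt $Packet.Length) { $Packet.Substring($sd.End + 1) } else { '' }
    [pscustomobject]@{
        FacilityCode = [int][math]::Floor($pri / 8); SeverityCode = $pri -band 7
        Version = [int]$h['ver']; Timestamp = $h['ts']; Hostname = $h['host']
        AppName = $h['app']; ProcId = $h['proc']; MsgId = $h['msgid']
        StructuredData = $sd.Elements; Message = $msg
    }
}

# Constructed message using the SD-IDs from the setter example above, plus a third
# element whose value exercises the escape rules.
$sample = '<165>1 2003-10-11T22:14:15.003Z mymachine.example.com evntslog - ID47 ' +
          '[exampleSDID@32473 iut="3" eventSource="Application" eventID="1011"]' +
          '[examplePriority@32473 class="high"]' +
          '[origin note="bracket \] quote \" slash \\"] An application event'
$parsed = Parse-Syslog5424 -Packet $sample
foreach ($e in $parsed.StructuredData) {
    "[$($e.SdId)]"
    foreach ($p in $e.Params) { "  $($p.Name) = $($p.Value)" }
}
$parsed.Message
```

Scanning character by character rather than splitting on `]` matters here: a PARAM-VALUE may legitimately contain an escaped `\]`, and a splitter that does not honour the escape will end the element early and attribute the remainder to the free-text MSG.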
Value | Meaning |
0 (None - Default) | Octet Counting is used, there is no delimiter character |
1 (Cr) | The carriage return character is used as a message delimiter |
2 (Lf) | The line feed character is used as a message delimiter |
3 (CrLf) | The two character carriage return line feed sequence is used as a message delimiter |
4 (Null) | A single null byte is used as a message delimiter |
This setting is only applicable when sending a message and UseTCP is set to True.
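The framing modes listed for TCPMessageDelimiter, shown side by side as an added PowerShell example (not code from the cmdlet's documentation): Split-SyslogStream is this example's own function. It frames a received TCP byte stream either by octet counting, where each message is prefixed by its length in octets and a space, or by one of the delimiter characters from the table. The two sample records are constructed.

```powershell
function Split-SyslogStream {
    # Example framer (not part of the cmdlet): splits a TCP byte stream into syslog messages.
    param(
        [Parameter(Mandatory)][byte[]]$Bytes,
        [ValidateSet('None', 'Cr', 'Lf', 'CrLf', 'Null')][string]$Delimiter = 'None'
    )
    $utf8 = [System.Text.Encoding]::UTF8
    $messages = New-Object System.Collections.Generic.List[string]

    if ($Delimiter -eq 'None') {
        # Octet counting: MSG-LEN SP SYSLOG-MSG. MSG-LEN counts octets, not characters,
        # so the slicing is done on the byte array and decoded afterwards.
        $i = 0
        while ($i -lt $Bytes.Length) {
            $sp = [Array]::IndexOf($Bytes, [byte]0x20, $i)
            if ($sp -lt 0) { throw "Incomplete octet count at offset $i" }
            $lenText = $utf8.GetString($Bytes, $i, $sp - $i)
            if ($lenText -notmatch '^[1-9]\d*$') { throw "Bad MSG-LEN '$lenText' at offset $i" }
            $len = [int]$lenText
            if ($sp + 1 + $len -gt $Bytes.Length) { throw "Truncated message at offset ${i}: declared $len octets" }
            $messages.Add($utf8.GetString($Bytes, $sp + 1, $len))
            $i = $sp + 1 + $len
        }
        return $messages
    }

    # Delimiter framing: the stream is cut at every occurrence of the chosen byte sequence.
    $sep = switch ($Delimiter) { 'Cr' { "`r" } 'Lf' { "`n" } 'CrLf' { "`r`n" } 'Null' { "`0" } }
    $parts = $utf8.GetString($Bytes).Split([string[]]@($sep), [System.StringSplitOptions]::RemoveEmptyEntries)
    foreach ($m in $parts) { $messages.Add($m) }
    return $messages
}

# Constructed stream: two RFC 5424 records framed with octet counting by the sender.
# The second record contains an embedded newline in its MSG part.
$utf8   = [System.Text.Encoding]::UTF8
$first  = '<34>1 2003-10-11T22:14:15.003Z host app - - - first record'
$second = "<34>1 2003-10-11T22:14:16.000Z host app - - - second record`nwith an embedded newline"
$stream = $utf8.GetBytes("$($utf8.GetByteCount($first)) $first$($utf8.GetByteCount($second)) $second")

# Frame the same bytes with octet counting, then with LF delimiting.
Split-SyslogStream -Bytes $stream
Split-SyslogStream -Bytes $stream -Delimiter Lf
```

With octet counting both records are recovered intact, newline included. Framing the same bytes with the Lf delimiter instead returns the first record with the length prefixes still embedded in the text and cuts the second record in two at the newline; a receiver whose TCPMessageDelimiter does not match the sender's framing therefore produces split or merged log entries rather than a clean error.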
Value | Meaning |
0 (RFC 3164 - Default) | Uses RFC 3164 |
1 (RFC 5424) | Uses RFC 5424 |
Note: This setting should be set before setting any of the AppName, MsgId, ProcId
UDP Config Settings
The default value for this setting is False.
Note: This setting is only available in Windows.
The default value is false for the default library and true for the Async library. The default value is false.
Note: This setting is only available in Windows.
In multi-homed hosts (machines with more than one IP interface) setting LocalHost to the value of an interface will make the cmdlet initiate connections (or accept in the case of server cmdlets) only through that interface.
If the cmdlet is connected, the LocalHost setting shows the IP address of the interface through which the connection is made in internet dotted format (aaa.bbb.ccc.ddd). In most cases, this is the address of the local host, except for multi-homed hosts (machines with more than one IP interface).
Setting this to 0 (default) enables the system to choose a port at random. The chosen port will be shown by LocalPort after the connection is established.
LocalPort cannot be changed once a connection is made. Any attempt to set this when a connection is active will generate an error.
This setting is useful when trying to connect to services that require a trusted port on the client side. An example is the remote shell (rsh) service in UNIX systems.
Note: This setting uses the qWAVE API, which is only available on Windows 7, Windows Server 2008 R2, and later.
Note: This setting uses the qWAVE API which is only available on Windows Vista and Windows Server 2008 or above.
Note: QOSTrafficType must be set before setting Active to true.
The default value for this setting is False.
The default value for this setting is False.
Socket Config Settings
Note: This option is not valid for UDP ports.
Some TCP/IP implementations do not support variable buffer sizes. If that is the case, when the cmdlet is activated the InBufferSize reverts to its defined size. The same happens if you attempt to make it too large or too small.
Some TCP/IP implementations do not support variable buffer sizes. If that is the case, when the cmdlet is activated the OutBufferSize reverts to its defined size. The same happens if you attempt to make it too large or too small.
Base Config Settings
The following is a list of valid code page identifiers:
Identifier | Name |
037 | IBM EBCDIC - U.S./Canada |
437 | OEM - United States |
500 | IBM EBCDIC - International |
708 | Arabic - ASMO 708 |
709 | Arabic - ASMO 449+, BCON V4 |
710 | Arabic - Transparent Arabic |
720 | Arabic - Transparent ASMO |
737 | OEM - Greek (formerly 437G) |
775 | OEM - Baltic |
850 | OEM - Multilingual Latin I |
852 | OEM - Latin II |
855 | OEM - Cyrillic (primarily Russian) |
857 | OEM - Turkish |
858 | OEM - Multilingual Latin I + Euro symbol |
860 | OEM - Portuguese |
861 | OEM - Icelandic |
862 | OEM - Hebrew |
863 | OEM - Canadian-French |
864 | OEM - Arabic |
865 | OEM - Nordic |
866 | OEM - Russian |
869 | OEM - Modern Greek |
870 | IBM EBCDIC - Multilingual/ROECE (Latin-2) |
874 | ANSI/OEM - Thai (same as 28605, ISO 8859-15) |
875 | IBM EBCDIC - Modern Greek |
932 | ANSI/OEM - Japanese, Shift-JIS |
936 | ANSI/OEM - Simplified Chinese (PRC, Singapore) |
949 | ANSI/OEM - Korean (Unified Hangul Code) |
950 | ANSI/OEM - Traditional Chinese (Taiwan; Hong Kong SAR, PRC) |
1026 | IBM EBCDIC - Turkish (Latin-5) |
1047 | IBM EBCDIC - Latin 1/Open System |
1140 | IBM EBCDIC - U.S./Canada (037 + Euro symbol) |
1141 | IBM EBCDIC - Germany (20273 + Euro symbol) |
1142 | IBM EBCDIC - Denmark/Norway (20277 + Euro symbol) |
1143 | IBM EBCDIC - Finland/Sweden (20278 + Euro symbol) |
1144 | IBM EBCDIC - Italy (20280 + Euro symbol) |
1145 | IBM EBCDIC - Latin America/Spain (20284 + Euro symbol) |
1146 | IBM EBCDIC - United Kingdom (20285 + Euro symbol) |
1147 | IBM EBCDIC - France (20297 + Euro symbol) |
1148 | IBM EBCDIC - International (500 + Euro symbol) |
1149 | IBM EBCDIC - Icelandic (20871 + Euro symbol) |
1200 | Unicode UCS-2 Little-Endian (BMP of ISO 10646) |
1201 | Unicode UCS-2 Big-Endian |
1250 | ANSI - Central European |
1251 | ANSI - Cyrillic |
1252 | ANSI - Latin I |
1253 | ANSI - Greek |
1254 | ANSI - Turkish |
1255 | ANSI - Hebrew |
1256 | ANSI - Arabic |
1257 | ANSI - Baltic |
1258 | ANSI/OEM - Vietnamese |
1361 | Korean (Johab) |
10000 | MAC - Roman |
10001 | MAC - Japanese |
10002 | MAC - Traditional Chinese (Big5) |
10003 | MAC - Korean |
10004 | MAC - Arabic |
10005 | MAC - Hebrew |
10006 | MAC - Greek I |
10007 | MAC - Cyrillic |
10008 | MAC - Simplified Chinese (GB 2312) |
10010 | MAC - Romania |
10017 | MAC - Ukraine |
10021 | MAC - Thai |
10029 | MAC - Latin II |
10079 | MAC - Icelandic |
10081 | MAC - Turkish |
10082 | MAC - Croatia |
12000 | Unicode UCS-4 Little-Endian |
12001 | Unicode UCS-4 Big-Endian |
20000 | CNS - Taiwan |
20001 | TCA - Taiwan |
20002 | Eten - Taiwan |
20003 | IBM5550 - Taiwan |
20004 | TeleText - Taiwan |
20005 | Wang - Taiwan |
20105 | IA5 IRV International Alphabet No. 5 (7-bit) |
20106 | IA5 German (7-bit) |
20107 | IA5 Swedish (7-bit) |
20108 | IA5 Norwegian (7-bit) |
20127 | US-ASCII (7-bit) |
20261 | T.61 |
20269 | ISO 6937 Non-Spacing Accent |
20273 | IBM EBCDIC - Germany |
20277 | IBM EBCDIC - Denmark/Norway |
20278 | IBM EBCDIC - Finland/Sweden |
20280 | IBM EBCDIC - Italy |
20284 | IBM EBCDIC - Latin America/Spain |
20285 | IBM EBCDIC - United Kingdom |
20290 | IBM EBCDIC - Japanese Katakana Extended |
20297 | IBM EBCDIC - France |
20420 | IBM EBCDIC - Arabic |
20423 | IBM EBCDIC - Greek |
20424 | IBM EBCDIC - Hebrew |
20833 | IBM EBCDIC - Korean Extended |
20838 | IBM EBCDIC - Thai |
20866 | Russian - KOI8-R |
20871 | IBM EBCDIC - Icelandic |
20880 | IBM EBCDIC - Cyrillic (Russian) |
20905 | IBM EBCDIC - Turkish |
20924 | IBM EBCDIC - Latin-1/Open System (1047 + Euro symbol) |
20932 | JIS X 0208-1990 & 0121-1990 |
20936 | Simplified Chinese (GB2312) |
21025 | IBM EBCDIC - Cyrillic (Serbian, Bulgarian) |
21027 | Extended Alpha Lowercase |
21866 | Ukrainian (KOI8-U) |
28591 | ISO 8859-1 Latin I |
28592 | ISO 8859-2 Central Europe |
28593 | ISO 8859-3 Latin 3 |
28594 | ISO 8859-4 Baltic |
28595 | ISO 8859-5 Cyrillic |
28596 | ISO 8859-6 Arabic |
28597 | ISO 8859-7 Greek |
28598 | ISO 8859-8 Hebrew |
28599 | ISO 8859-9 Latin 5 |
28605 | ISO 8859-15 Latin 9 |
29001 | Europa 3 |
38598 | ISO 8859-8 Hebrew |
50220 | ISO 2022 Japanese with no halfwidth Katakana |
50221 | ISO 2022 Japanese with halfwidth Katakana |
50222 | ISO 2022 Japanese JIS X 0201-1989 |
50225 | ISO 2022 Korean |
50227 | ISO 2022 Simplified Chinese |
50229 | ISO 2022 Traditional Chinese |
50930 | Japanese (Katakana) Extended |
50931 | US/Canada and Japanese |
50933 | Korean Extended and Korean |
50935 | Simplified Chinese Extended and Simplified Chinese |
50936 | Simplified Chinese |
50937 | US/Canada and Traditional Chinese |
50939 | Japanese (Latin) Extended and Japanese |
51932 | EUC - Japanese |
51936 | EUC - Simplified Chinese |
51949 | EUC - Korean |
51950 | EUC - Traditional Chinese |
52936 | HZ-GB2312 Simplified Chinese |
54936 | Windows XP: GB18030 Simplified Chinese (4 Byte) |
57002 | ISCII Devanagari |
57003 | ISCII Bengali |
57004 | ISCII Tamil |
57005 | ISCII Telugu |
57006 | ISCII Assamese |
57007 | ISCII Oriya |
57008 | ISCII Kannada |
57009 | ISCII Malayalam |
57010 | ISCII Gujarati |
57011 | ISCII Punjabi |
65000 | Unicode UTF-7 |
65001 | Unicode UTF-8 |
Identifier | Name |
1 | ASCII |
2 | NEXTSTEP |
3 | JapaneseEUC |
4 | UTF8 |
5 | ISOLatin1 |
6 | Symbol |
7 | NonLossyASCII |
8 | ShiftJIS |
9 | ISOLatin2 |
10 | Unicode |
11 | WindowsCP1251 |
12 | WindowsCP1252 |
13 | WindowsCP1253 |
14 | WindowsCP1254 |
15 | WindowsCP1250 |
21 | ISO2022JP |
30 | MacOSRoman |
10 | UTF16String |
0x90000100 | UTF16BigEndian |
0x94000100 | UTF16LittleEndian |
0x8c000100 | UTF32String |
0x98000100 | UTF32BigEndian |
0x9c000100 | UTF32LittleEndian |
65536 | Proprietary |
- Product: The product the license is for.
- Product Key: The key the license was generated from.
- License Source: Where the license was found (e.g., RuntimeLicense, License File).
- License Type: The type of license installed (e.g., Royalty Free, Single Server).
- Last Valid Build: The last valid build number for which the license will work.
This setting only works on these cmdlets: AS3Receiver, AS3Sender, Atom, Client(3DS), FTP, FTPServer, IMAP, OFTPClient, SSHClient, SCP, Server(3DS), Sexec, SFTP, SFTPServer, SSHServer, TCPClient, TCPServer.
Setting this configuration setting to true tells the cmdlet to use the internal implementation instead of using the system security libraries.
On Windows, this setting is set to false by default. On Linux/macOS, this setting is set to true by default.
If using the .NET Standard Library, this setting will be true on all platforms. The .NET Standard library does not support using the system security libraries.
Note: This setting is static. The value set is applicable to all cmdlets used in the application.
When this value is set, the product's system dynamic link library (DLL) is no longer required as a reference, as all unmanaged code is stored in that file.