SGMS: Various Syslog file formats during Summarization
This article describes the file formats that Syslog data passes through during the summarization process.
During installation of GMS/Analyzer, a folder called GMSVP is created on the installation drive. Inside that GMSVP folder, a sub folder is created for the incoming Syslog files.
Once the GMS/Analyzer IP is configured on the SonicWall unit, syslog traffic starts to flow to it on UDP port 514. These files are initially stored on the hard drive at the configured path. If the Analyzer is installed on the C drive, the syslog is initially stored in C:/GMSVP/syslog.
The message will get stored as a .log file.
This file grows until it reaches 10000 lines or has been open for more than three minutes; at that point it is converted to .SRC and is ready for processing. The format of the file is as follows:
Once the summarizer process starts, the Reports Summarizer groups the .SRC files and changes the file format to .UNP. The file still remains in the Syslog sub folder. The format of the file is as follows:
During summarization, the .PRG format is generated. The .PRG files are created while the summarizer is grouping the data and preparing it for generating the reports. After processing, the report (summary) data is uploaded to the Reports Database; only the data needed for reporting is uploaded.
The .PRG file name has the following format: AgentID_YYYYMMDD_HHMMSS_to_YYYYMMDD_HHMMSS.PRG (this file extension exists for a very brief time frame and may not be seen).
If data is uploaded to the Reports Database successfully, the .PRG files are converted to .PRD.
These are the processed files, which are zipped and moved to the sub folder called archivedSyslogs. The path of this folder is [Installed Dir]:/GMSVP/Syslog/ArchivedSyslogs. At the configured syslogArchiveInterval (set in sgmsConfig.xml), the .PRD files are zipped and kept for more permanent storage in the \archivedSyslog folder.
If there were problems uploading the raw syslog data to the Reports Database, the .PRG files are converted to .PRE. These files are quarantined in the \badSyslogs folder.
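The stages above (.log, .SRC, .UNP, .PRG, .PRD, .PRE) can be checked by a quick audit of the Syslog folder listing. The following Python script is an added example, not part of the original article or of the GMS/Analyzer product: it parses the AgentID_YYYYMMDD_HHMMSS_to_YYYYMMDD_HHMMSS stem given above (assumed to carry over to .PRD/.PRE, since those are renamed from .PRG), counts files per stage, lists quarantined .PRE files (failed uploads) and flags .SRC/.UNP files older than an assumed STALE_MINUTES threshold, which suggests the summarizer is not keeping up. The .log/.SRC/.UNP file names in the sample listing are constructed, as the article does not show their format.

```python
import re
from datetime import datetime
from pathlib import PurePath

# Pipeline stages in the order the article describes them.
STAGES = {
    ".log": "incoming (still being written)",
    ".src": "ready for the summarizer",
    ".unp": "grouped by the summarizer",
    ".prg": "being prepared for upload",
    ".prd": "uploaded, awaiting archive",
    ".pre": "upload failed (quarantined in badSyslogs)",
}

# Assumed threshold: a .SRC/.UNP file sitting this long is treated as stuck.
STALE_MINUTES = 10

# AgentID_YYYYMMDD_HHMMSS_to_YYYYMMDD_HHMMSS (stem of .PRG; assumed for .PRD/.PRE)
PRG_NAME = re.compile(r"^(?P<agent>.+?)_(?P<start>\d{8}_\d{6})_to_(?P<end>\d{8}_\d{6})$")

def parse_prg_name(filename):
    """Return (agent_id, start_datetime, end_datetime) for a .PRG/.PRD/.PRE name, else None."""
    path = PurePath(filename)
    if path.suffix.lower() not in (".prg", ".prd", ".pre"):
        return None
    match = PRG_NAME.match(path.stem)
    if not match:
        return None
    fmt = "%Y%m%d_%H%M%S"
    return (match.group("agent"),
            datetime.strptime(match.group("start"), fmt),
            datetime.strptime(match.group("end"), fmt))

def audit_syslog_dir(entries):
    """entries: iterable of (filename, minutes since last modified). Returns a summary dict."""
    counts = {ext: 0 for ext in STAGES}
    quarantined, stale = [], []
    for name, age_minutes in entries:
        ext = PurePath(name).suffix.lower()
        if ext not in counts:
            continue  # e.g. zipped archives or unrelated files
        counts[ext] += 1
        if ext == ".pre":
            quarantined.append(name)  # raw data never reached the Reports Database
        elif ext in (".src", ".unp") and age_minutes > STALE_MINUTES:
            stale.append(name)  # waiting far longer than the 3-minute .log rollover
    return {"counts": counts, "quarantined": quarantined, "stale": stale}

# Constructed sample listing: (filename, minutes since last modified).
SAMPLE = [
    ("fw1_20240105_101500_to_20240105_102000.PRD", 2),
    ("fw1_20240105_102000_to_20240105_102500.PRG", 0),
    ("current.log", 1),
    ("batch42.SRC", 90),
    ("fw2_20240105_093000_to_20240105_093500.PRE", 30),
]
```

Run `audit_syslog_dir(SAMPLE)` to see the per-stage counts; any entry in `quarantined` points at the \badSyslogs folder and any entry in `stale` at a summarizer that is not running.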