Mathematical Processing of Syslog Messages from Routers and Switches

The development of computer networks is very fast. Masaryk university in Brno owns and operates rather large metropolitan computer network. This network is based on fiber optics cable infrastructure owned by the university. Networking devices used in our university´s backbone network can send their log messages to a Unix-style syslog server. A syslog server accepts messages, and stores them to a file. The number of syslog messages generated by still increasing number of networking devices is growing very rapidly. To read all the messages generated every day by active networking devices is out of human capabilities. When we want to really process thousands of messages generated every day it is necessary to use some special software tools which help us to skip over messages containing mostly no information. Till now we are using software tool developed by a student of our university as a part of her master thesis. This tool is based on parsing of the syslog messages of known structure. This approach allows aggregation of messages reporting the same event and summarizing of repeating messages. This approach we can call semantic analysis of syslog messages. Nowadays we have probably reached limits of this system. The main limitation of this semantic based syslog analysis is the necessity of description of each event type i.e. knowledge of all messages describing this type of event. The system can´t adapt to new condition like new routing or data transport protocols usage (e.g. IPv6). In this paper we describe mathematical methods we are trying to use for syslog messages processing. The goal was to find out some mathematical description of syslogging behavior which would allow us to check if the network behavior is usual or if it needs some special attention. The mathematical model of syslog should be adaptive and reflect possible structural changes in network equipment maintenance procedures, introduction of new protocols and smooth changes in network behavior. Mathem- - atical processing of syslog messages seems to be perspective method for the future development of data networks.