Rfc3164 example. It's a calculated value: Facility * 8 + Severity. com (change this to the hostname or IP that resolves in the installed environment) on port 514 using the predefined format of RSYSLOG_SyslogProtocol23Format. This document describes the observed behavior of the syslog protocol. Jan 31, 2024 · Example: <13>Oct 22 12:34:56 myhostname myapp[1234]: This is a sample syslog message. To continue this example, if a relay does receive a syslog message with the first four characters of "<00>", then it will consult its configuration. An example of an unidentifiable PRI would be "00>", without the double quotes. The first example is not proper RFC3164 syslog, because the priority value is stripped from the header. TIMESTAMP. rfc3164. < 35 >Oct 12 22: 14: 15 client_machine su: 'su root' failed for joe on /dev/pts/ 2. dotnet syslog visual-studio-code dot-net rfc-5424 rfc-3164 csharp-code syslog-server. Syslog data conforming to RFC3164 or complying with RFC standards mentioned above can be processed with an app-parser allowing the use of the default port rather than requiring custom ports the following example take from a currently supported source uses the value of “program” to identify the source as this program value is unique. In order to have the fields from the apache log show up as RFC5424 structured data, apache would need to format the log that way. Note: • The 'T' must be a literal T character. myapp[1234] is the tag, indicating the application and process ID. It has a single required parameter that specifies the destination host address where messages should be sent. Aug 12, 2019 · Configure Vector for receiving events via syslog sink with UDP on port 10514. Also, a "local use 4" message (Facility=20) with a Nov 9, 2021 · IETF Syslog Message Format (RFC 3164) The following is a sample syslog message. The syslog () driver sends messages to a remote host using the IETF syslog format. client. There is also a dead by birth RFC for plain, unencrypted TCP transport with a note: receiver. hostname = socket. [] If you are using regular expressions, the property replacer will return the part of the property text that matches the regular expression. The default is RFC3164 for the UDP sink, and RFC5424 for the TCP sink. HEADER - contains a timestamp and the hostname (without the domain name) or the IP address of the device. Jan 4, 2024 · The network() source driver can receive syslog messages conforming to RFC3164 from the network using the TCP, TLS, and UDP networking protocols. RFC5424 is more capable format, and should be used when possible - for example, it supports full timestamps that include the local time offset. Net Syslog client. The tag will be one of the tags described below. HEADER. interoperability purposes, syslog protocol implementers are required. Aug 15, 2019 · It is of interest to review RFC 3164. Classic Syslog: RFC 3164. By default, the fields that you specify here will be grouped under a fields sub-dictionary in the output document. public Rfc3164(Facility facility Actions are sequentially numbered from 1 to n. For example, Mar 07 02:07:42. Please note that this will require the rfc5424 formatting. Abstract. Syslog message formats. These extractors are for the various kinds of log messages generated by Juniper SRX devices running JunOS. gethostname() Graylog-Juniper-RFC-3164-GrokPattern. The definition of the transmission formats for RFC 3164 and RFC 5424 is in Augmented Backus-Naur Form (ABNF). Syslog is widely used for message logging in UNIX-like operating systems. msgid - Optional RFC 5424 message-id. It is strongly recommended to set this ID in your configuration. It may be that these are the first 4 characters of the message. This document describes the transport for syslog messages over UDP/. For example, the 7th day of August would be represented as "Aug 7", with two spaces between the "g" and the "7". Syslog log levels. These examples will send all syslog selectors to the example host yourgraylog. See full list on sematext. A BSD-syslog message consists of the following parts: PRI - represents the Facility and Severity of the message. A human or sufficiently adaptable automated parser would be able to determine the date and time information as well as a fully qualified domain name (FQDN) [4] and IP address. Supported values are rfc3164, rfc5424 and auto. You can use a single character or the hex value for that character. Fields can be scalar values, arrays, dictionaries, or any nested combination of these. the message as program *Logger* with PID *1* as facility *SYSTEM* with severity. It was formalized into RFC 3164, and as RFC 5424 in 2009. Decode RFC 3164 and RFC 5424 syslog messages. In ESXi 8. Log when messages are dropped (should be rate limited) Explicitly note in the syslog source docs that 3164 is not supported and provide alternative solutions. For example, you might add fields that you can use for filtering log data. Syslog. OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. Author: Rainer Gerhards. The Syslog that conforms to RFC 5424 has an enhanced Syslog header that helps to identify the type of Syslog, filter the Syslog message, identify the Syslog generation time with year and milliseconds with respect to the time zone, and other enhancements. RFC5424 format. Many , IoT systems, desktops, and servers support the protocol and its standard plaintext format makes messages easy for machines and humans to read. syslog is capable of sending STRUCTURED-DATA. Method 1: (Windows, Docker) installing Seq. This section describes the format of a syslog message, according to the legacy-syslog or BSD-syslog protocol. Describe a specific use case for the enhancement or feature: Supporting Syslog clients that suffer from this slight misunderstanding of the required date format of RFC 3164. UDP is a simple datagram oriented protocol, which provides “best effort service” to transfer messages between hosts. cs Project: graffen/NLog. writeAllMarkMessages on /off This setting tells if mark messages are always written (“on”, the default) or only if the action was not recently executed (“off”). The timestamp must be in the format: yyyy-MM-ddTHH:mm:ss. DOI: https://doi. RFC 3164 Transmission Message Format. For CentOS, Fedora, or another Red Hat Linux derivative, you can install rsyslog with yum or dnf. Since the Syslog protocol was originally written on BSD Unix, the Facilities reflect the names of Unix processes and Daemons. Hey, while working with some syslog files I struggle pasing timestamps with Promtail with RFC3164 (example: “Jul 8 08:16:12”). If your product appears in the data connectors gallery, you can consult the Microsoft Sentinel data connectors reference for assistance, where the configuration instructions should include the settings in the list below. field is the . auto is useful when this parser receives both rfc3164 and rfc5424 message. dmz. In this example: 13 is the priority value (facility 1, severity 5). Code. This document describes the changes, including the new Feb 5, 2023 · For example: cs3Label=shostfqdn cs3=client1. ESXi 8. - emertechie/SyslogNet We would like to show you a description here but the site won’t allow us. Enable the message_decoder option by setting configuration values in your liagent. We can use Fluentd’s regex parser to parse the custom format syslog messages. Syslog facilities. The parser can also be customized to allow the parsing of specific formats, if they occur. Syslog directly in Seq. Syslog is a standardized message logging protocol supported by numerous operating systems, applications, and hardware devices for transmitting data. If ls /etc/syslog doesn’t return anything, you need to install a syslog daemon. Lonvick Informational [Page 13]RFC 3164 The BSD syslog Protocol August 2001 4. "syslog" という用語は、その 通信プロトコル を指すだけでなく、syslog メッセージを送信するシステム(アプリケーションやライブラリ)syslog メッセージ Even if the overwhelming majority of syslog users still uses the old RFC3164 syslog protocol, there are some people who use RFC5424. d/ directory, it is recommended to add thenew configuration into the config directory to simplify updates to the mainconfig file. Collecting, parsing, and forwarding syslog logs. The following is a sample syslog message: <133>Feb 25 14:09:07 webserver syslogd: restart. com Feb 29, 2024 · Introduction. “date-year” vs. $ sudo yum install rsyslog. ¶. Feb 17, 2023 · The above log sample doesn’t have ident and msgid fields. As the main intention of this library was for me to use it in a network service that parses incoming syslog messages, quite some work has been invested to make go-parsesyslog fast and memory efficient. From the command line you can let Fluent Bit listen for Forward messages with the following options: $ fluent-bit -R /path/to/parsers. Supports both RFC 3164 and RFC 5424 Syslog standards as well as UDP and encrypted TCP transports. Like any other log type, you can send syslog formatted logs to a central log server for further analysis, troubleshooting, auditing, or storage purposes. It does not demand a specific behaviour but rather documents what has been seen. Proper RFC3164 format would look like this: RFC3164 (the old format) RFC3164 originated from combining multiple implementations (Year 2001) and have slightly different variations. Oct 3, 2020 · Example 4 <0>1990 Oct 22 10:52:01 TZ-6 scapegoat. UDP (single @): . If you need help building grok patterns, try out the Grok Debugger. It describes how syslog messages have been seen in traditional implementations. • The 'Z' can be a literal Z or it can be a timezone value in the following format: -04:00 Examples of RFC 5424 header: than English. For example, a kernel message (Facility=0) with a Severity of Emergency (Severity=0) would have a Priority value of 0. This standardization affects the metadata associated with each log file line or syslog transmission, for example time stamp, programmatic source identifier, message severity, and operation identifier. 1. This protocol has been used for the transmission of event notification messages across networks for many years. unidentifiable PRI, then it MUST insert a PRI with a Priority value. RFC 3164 The BSD syslog Protocol August 2001 4. ini file to be similar to the following example: [filelog|data_logs] directory=D:\Logs. is used. Jan 17, 2024 · Add a unique ID to the plugin configuration. For example truncated representations of years with only two digits are not allowed -- RFC 3339 requires 4-digit years Apr 25, 2019 · Destination configuration. RFC3164 format. Update rsyslog. A thing to note when it comes to parsing custom format syslog messages is that it expects the incoming logs to have priority field by default, if your log doesn’t have a priority field, you can disable it by setting with_priority to false in the Fluentd Structured Data. RFC 3164 と RFC 5424 ではフォーマットの構造が異なりますが、MSG(メッセージ)以外の部分( RFC 3164 で File formats: Status: INFORMATIONAL Obsoleted by: RFC 5424 Author: C. net. 2. com The cs3 field identifies the fully qualified domain name of the source computer name. Jul 9, 2021 · Grafana Loki. The RFC 3164 data format string is: MMM dd HH:mm:ss. Here is an actual sample of that use case from the rsylsog testbench: Star 1. Specifies the protocol format. Lonvick Stream: IETF Source: syslog (). It is possible to specify some parametes after the “R”. If only timestamp is different, configure time_format in <parse> may help. The priority tag must be 1 - 3 digits and must be enclosed in angle brackets. of 13 as well as a TIMESTAMP as described in Section 4. The syslog plugin listens for syslog messages transmitted over a Unix Domain socket, UDP , TCP, or TLS; with or without the octet counting framing. This RFC only describes the protocol but not the actual transport. For more complex parsing, there are a plethora of parsing tools you can use for free. We are trying to allocate as less as possible and make use of buffered I/O where possible. But the message format should like. Also, a "local use 4" message (Facility=20) with a Jan 17, 2022 · Updated on 01/17/2022. . An example of an unidentifiable PRI would be "<00>", without the double quotes. Use the DelimiterCharacter in the LEEF 2. To specify more options, call log with more arguments. syslog est un très ancien protocole, qui, comme souvent sur l'Internet, n'avait pas été . Note If you plan to create automation or scripts for Defender for Identity SIEM logs, we recommend using the externalId field to identify the alert type instead of using the alert name for this purpose. Parameter. If your syslog uses rfc5424, use rfc5424 instead. *\) \ [. 3 No PRI or Unidentifiable PRI. 3 days ago · This topic describes how to use the Grok function in the Domain Specific Language (DSL) of Simple Log Service to parse Syslog messages in different formats. syslog. The Classic Syslog protocol includes the facility and level values encoded as a single integer priority, the timestamp, a hostname, a tag, and the message body. key=value<tab>key=value<tab>key=value<tab>key=value<tab>. Supports both RFC 3164 and RFC 5424 Syslog standards. You can rate examples to help us improve the quality of examples. Configure the exporting rsyslog server. Aug 16, 2016 · RFC 3164 is a IETF document. action. This documentation is part of the rsyslog project. confand the files in the /etc/rsyslog. 3"); First, check your message format follows RFC3164/RFC5424 or not. *–end%”. Oct 22 12:34:56 is the timestamp. syslog (シスログ)は、 ログメッセージ を IPネットワーク 上で転送するための標準規格である。. Mettant à jour l'ancienne description, voici la nouvelle spécification du protocole syslog, protocole de transmission d'informations sur les événements observés par un système. log ("Hello syslog server") ```. 0. The . RFC 3164 The BSD syslog Protocol August 2001 The Priority value is calculated by first multiplying the Facility number by 8 and then adding the numerical value of the Severity. 2. ICDx. RFC 5424 The Syslog Protocol March 2009 Example 5 - An Invalid TIMESTAMP 2003-08-24T05:14:15. Several different formats are supported, among May 1, 2023 · All common options and the message_decoder option are available for the syslog parser. If it is configured to forward syslog messages with a Logstash configuration examples. By default, only the timestamp and appname fields are extracted. 3 No PRI or Unidentifiable PRI If the relay receives a syslog message without a PRI, or with an unidentifiable PRI, then it MUST insert a PRI with a Priority value of 13 as well as a TIMESTAMP as described in Section 4. STRUCTURED-DATA can be sent using the syslog:msg/5 function. Jul 16, 2020 · RFC 3164. RFC 5424. To continue this example, if a relay does receive a syslog message with the first four characters of "00>", then it will consult its configuration. server that is sending the data per RFC 3164. 003Z mymachine. Pull requests. nsyslog-parser is flexible enough to try and parse every single message to extract as many Apr 25, 2020 · Below sample python code is sending messages to syslog server and, remote UNIX expects the log in RFC3164, i am trying ways to set priority value as prefix for each syslog message, which is calculated by multiplying the Facility number by 8 and then adding the numerical value of the Severity. Syslog is a staple of modern IT operations and network management. Dec 4, 2018 · BSD-syslog format (RFC 3164) The total message cannot be longer than 1024 bytes. The hostname will be the canonical name of the appliance as defined by the System Identity configuration. Default is rfc3164. (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE. Add warning in docs that 3164 is not supported. For example: Syslog (xm_syslog) This module provides support for the legacy BSD Syslog protocol as defined in RFC 3164 and the current IETF standard defined by RFCs 5424-5426. type string Mandatory parameter for every action. In “plain tcp syslog”, the industry standard, LF is used as a frame delimiter (which also means that no multi-line message can properly be transmitted, a “design” flaw in plain tcp Classic Syslog: RFC 3164. Issues. Some existing implementations of real-world syslog use different formats. The unique identification number applied to each session. example. Cite this RFC: TXT | XML | BibTeX. Could someone please provide me the necessary string for the Nov 16, 2021 · SYSLOG-MSG is defined in the syslog protocol [RFC5424] and may also be considered to be the payload in [RFC3164] Example for RFC 5424: <165>1 2003-10-11T22:14:15. If other parts are different, the syslog parser cannot parse your The network() driver sends messages to a remote host (for example a syslog-ng server or relay) on the local intranet or internet using the RFC3164 syslog protocol (for details about the protocol, see BSD-syslog or legacy-syslog messages). The Syslog specific to RFC 5424 can be enabled using the logging enable rfc5424 command. The syslog protocol layered architecture provides. 0, VMware standardized the formats of log files and syslog transmissions. The total message cannot be longer than 1024 bytes. for support of any number of transport mappings. By default, Syslog is generated in accordance with RFC 3164. RFC5424 相比 RFC3164 主要是数据格式的不同,RFC3164相对来说格式较为简单,能适应大部分使用场景,但是已废弃,RFC5424已作为Syslog的业界规范;下面就来分别讲讲两个协议;. The SMC Log Server can be configured to forward part or all of a received log to the syslog. For example, if a complex template is built for file output, one usually needs to finish it by a newline, which can be introduced by a constant statement. timestamp - Optional Javascript Date() object to back-date the message. Adding a named ID in this case will help in monitoring The RFC 3164 data format string is: MMM dd HH:mm:ss. $ sudo apt install THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT. Syslog の形式を規定する文書には、 RFC 3164 ( BSD Syslog Format) と RFC 5424 (Syslog Format) があり、 RFC 5424 が IETF による標準化規格となっています。. For example, <13>. 0 formats syslog messages in compliance with either RFC 3164 or RFC 5424. <35> is a priority number. The next two RFCs after RFC5424 describe UDP and TLS transport. Overview. Rsyslog can be configured to forward logging messages to Telegraf by configuringremote logging. g. We would like to show you a description here but the site won’t allow us. Most notably RFC 3339 specifies a complete representation of date and time (only fractional seconds are optional). $ go test -run=X -bench=. 0. 4 Examples, the log format should be like the following: <34>Oct 11 22:14:15 mymachine su: 'su root' failed for user1 on /dev/pts/8 Where <34> is the priority of the log message, followed by the timestamp in the format of Supports fluent interface, see AdvancedLogging example; Allows to ignore sending specified severity levels with logMask function, see AdvancedLogging example; Independent on underlying network hardware. TCP destination that sends messages to 10. The ABNF for this is shown here: TCP-DATA = *SYSLOG-FRAME SYSLOG-FRAME = SYSLOG-MSG TRAILER ; non-transparent-framing ; method TRAILER = LF / APP-DEFINED APP-DEFINED = 1*2OCTET For example, date format options in string templates start with “date-” whereas those in property statements do not (e. Syslog is a standard protocol that network devices, operating systems, and applications use to log various system events and messages. Example usage: analysing NGINX logs with Seq. Oct 5, 2018 · According to the RFC 3164, section 5. *EMERGENCY*, call log the following way: The text is used literally. If no ID is specified, Logstash will generate one. Although thought as a parser for stantard syslog messages, there are too many systems/devices out there that sends erroneous, propietary or simply malformed messages. Syslog messages can be recorded in local files or sent to Syslog servers over the Internet. *Sev:. The RFC also has some small, subtle differences. judas July 9, 2021, 3:53pm 1. A source system will log the message locally, then immediately send it to a pre-configured syslog server. How to ingest syslog messages into Seq. syslog parser detects message format by using message prefix. RFC 3164 is not a standard but rather a descriptive (“informational” in IETF terms) document. Feb 6, 2009 · Pretty much, yes - RFC 3339 is listed as a profile of ISO 8601. The protocol is enabled on most network equipment such pmrfc3164: Parse RFC3161-formatted messages. The LEEF format contains a number of predefined event attributes, which allow QRadar to categorize and display the event. rfc3164/rfc5424/auto. conf -i syslog -p path=/tmp/in_syslog -o stdout. Describes the Syslog message format for Firewall logs with an example. This is particularly useful when you have two or more plugins of the same type, for example, if you have 2 syslog_pri filters. Mar 5, 2021 · rfc3164_current_time() is a wrapper for gettimeofday() and localtime() that bundles a list of abbreviated English month names as a portable alternative to glibc's locale dance. Contribute to byteverse/syslog development by creating an account on GitHub. Using the values from the following tables, the priority of a system daemon (syslog code = 3) with a warning (severity code = 4) is calculated as follows: rfc3164 - set to false to use RFC 5424 syslog header format; default is true for the older RFC 3164 format. syslog ("10. ```. Targets. File: Rfc3164. Debugging and detecting system issues are the two most common use cases for syslog. just “year”). Mar 17, 2017 · As program name *SyslogClient* the PID of the called python interpreter. Install dependencies. 3 sched[0]: That's All Folks! This example has a lot of extraneous information throughout. An example for a property replacer sequence with a regular expression is: “%msg:R:. 14. Most system are setup with a configuration split between /etc/rsyslog. It is part of the default parser chain. For Ubuntu, Mint, or another Debian derivative, use apt. In the above example, there’s a syslog-ng daemon running. The technical reason behind this is that inside string templates, the option must include what it applies to whereas with the explicit format that is part of the parameter name. myhostname is the hostname. Accepts RFC 3164 (BSD), RFC 5424 and CEF Common Event Format formats. \ (. It is primarily used to collect various device logs from several different machines in a central location for monitoring and review. :msg,contains,"error" @server. Forwarding is via UDP. Then the administrator may want to have all kernel generated messages sent to a different syslog receiver while, at the same time, having the critically severe messages from the Jul 13, 2020 · In this example, you can choose whether to parse by line (if read_line is True) or by file (if read_line is False). The template is called “dbtemplate” in this case. Some systems say RFC3164/RFC5424 but it sends non-RFC3164/RFC5424 message, e. Method 2: (Docker) running a separate seq-input-syslog "sidecar" container. : The syslog Protocol. To provide the maximum amount of information in every Syslog in a structured format, you can enable Syslog logging specific to RFC 5424. For example to log a. These examples illustrate how you can configure Logstash to filter events, process Apache logs and syslog messages, and use conditionals to control what events are processed by a filter or output. org Locate and follow your device vendor's configuration instructions for sending logs in CEF format to a SIEM or log server. Aug 1, 2001 · Rajiullah M, Lundin R, Brunstrom A and Lindskog S (2019). contoso. This rule forwards all messages that contain the word “error” in the msg part to the server “errorServer”. RFC 5424: The syslog Protocol. The transport is handled by the respective input and output modules (such as im_udp ), this For example, in UDP the “frame”-equivalent is a packet that is being sent (this also means that no two messages can travel within a single UDP packet). RFC 3164 is a IETF document. include=*. Standard Syslog using message parsing¶. This results in TIME-SECFRAC being longer than the allowed 6 digits, which invalidates it. This parser module is for parsing messages according to the traditional/legacy syslog standard RFC 3164. Please note the colon in fron. org 10. The priority value is calculated using the following formula: Priority = Facility * 8 + Level. Syslog daemons. Input. 3. txt. Aug 12, 2019 · For example, a message in the style of [RFC3164] containing one or more LF characters may be misinterpreted as multiple messages by the receiving syslog application. 000000003-07:00 This example is nearly the same as Example 4, but it is specifying TIME-SECFRAC in nanoseconds. Performance analysis and improvement of PR-SCTP for small messages, Computer Networks: The International Journal of Computer and Telecommunications Networking, 57:18, (3967-3986), Online publication date: 1-Dec-2013. What is syslog? Syslog protocol. The hostname will be the canonical name of the appliance as defined by the System Identity Syslog stands for System Logging Protocol and is a standard protocol used to send system log or event messages to a specific server, called a syslog server. I have already writen the captured string into a label, to make sure there isn’t an issue with my regex. MSG. Syslog Parser. The Syslog that conforms to RFC 5424 has an enhanced Syslog header that helps to identify the type of ABSTRACT. For example, an event severity of 1 – Informational is mapped to Syslog severity 6, and the PRI is formatted as <14>. Jul 19, 2020 · Syslog headerの規格. 0 header to specify an alternate delimiter to the attributes. This function allows passing a list of structured data elements that will be formatted and sent to the remote receiver. If the relay receives a syslog message without a PRI, or with an. While this protocol was originally developed on the University of California Berkeley Software Distribution (BSD) TCP/IP system implementations, its value Example. The matching algorithm is the same, with the only difference in the data that is compared with regex (line or whole text). However, for. This is achieved by exporting functions and procedures usable from the NXLog language. The host name of the . A syslog message consists of the following parts: PRI. . RFC 3164. The Facility value is a way of determining which process of the machine created the message. A Visual Studio 2019 solution written in C# to demonstrate sending messages to a Syslog Server using the open source SyslogNet client library for . Jul 9, 2018 · Syslog常被用来日志等数据的传输协议,数据格式遵循规范主要有RFC3164,RFC5424;. How to Configure rsyslog to Redirect Messages to a Centralized Remote Server using TLS. It is primarily intended for text-based output, so that some constant text can be included. invalid priority, different timestamp, lack/add fields. The tag will be one of the tags described in SYSLOG Message Format . For example, an administrator may want all messages that are generated by the mail facility to be forwarded to one particular event message collector. IPv4 or UDP/IPv6. 3, port 514: destination d_tcp {. Given the strong similarity in RFC 3164's date format to the dates used in the "local" " /dev/log format", it makes a lot of sense to reuse the date-formatting function. NET. com evntslog - ID47 [exampleSDID@32473 iut="3" eventSource="Application" eventID="1011"] BOMAn application event log entry Dec 11, 2023 · Syslog Input Plugin. SSSZ. Aug 24, 2003 · Generating the Syslog specific to RFC 5424. The name of the module that should be used. It also supports structured data, and these sinks will write Serilog properties to the STRUCTURED-DATA field. By default the service will create and listen for Syslog messages on the unix socket /tmp/in_syslog. Syslog messages should be formatted according to RFC 5424 (syslog protocol) or RFC 3164 (BSD syslog protocol). This is a sample syslog message. It begins with the following sentences: Since the beginning, life has relied upon the transmission of messages. These logs are generated using the "default-log-log" (RFC 3164 compliant) format. Some existing implementations of real-world The article provides details on the log fields included in the log entries SMC forwards using the Common Event Format (CEF) as well as details how to include CEF v0 (RFC 3164) or CEF v1 (RFC 5424) header. The network hardware library has to implement methods of UDP astract class only. is the log message. wv sd jw sy jh dg dh ma hf xy