invalid syslog messages are messages in non-EMBLEM format, usually from non-cisco devices or cisco security devices were this format for syslog messages must explicitly be configured.
Having LMS on windows, dmgtd also writes his messages to the syslog.log which are not in EMBLEM format and are counted as invalid (in fact these are more log messages than syslog messages..). These are usually a lot of messages and that's why LMS on windows generally has a higher number of invalid messages as on solaris
EMBLEM format defines a specific header for the syslog messages.
Some people says, that syslog messages from a device not supported or a device not managed in LMS is also counted as invalid but I am not quite sure and I don'think so..
Syslog Performance:
Syslog
- Can validate and filter 200 syslogs per second
- Can forward and store 50 syslogs per second
- Can take one action per second
- Can validate and filter 1000 syslogs per second burst for an hour
from:
http://www.cisco.com/en/US/partner/prod/collateral/netmgtsw/ps6504/ps6528/ps2425/white_paper_c07-533663.html