-
Title
Syslog message formats -
Description
The purpose of this document is to describe briefly the standard syslog message formats. -
Resolution
Syslog formats
Currently there are two standard syslog message formats:
- BSD-syslog or legacy-syslog messages
- IETF-syslog messages
BSD-syslog format (RFC 3164)
The total message cannot be longer than 1024 bytes.
A BSD-syslog message consists of the following parts:
PRI - represents the Facility and Severity of the message. It's a calculated value: Facility * 8 + Severity
HEADER - contains a timestamp and the hostname (without the domain name) or the IP address of the device.
MSG - contains the name of the program or process that generated the message, and the text of the message itself
Example BSD-syslog message:
Feb 25 14:09:07 webserver syslogd: restart
PRI HEADER (timestamp host) MSG (application: message)
IETF-syslog format (RFC 5424)
An IETF-syslog message consists of the following three parts:
HEADER STRUCTURED-DATA MSG
HEADER:
PRI - represents the Facility and Severity of the message. It's a calculated value: Facility * 8 + Severity
VERSION - Version number of the syslog protocol standard. Currently this can only be 1.
ISOTIMESTAMP - The time when the message was generated in the ISO 8601 format (yyyy-mm-ddThh:mm:ss+-ZONE)
HOSTNAME - The machine that originally sent the message.
APPLICATION - The device or application that generated the message
PID - The process name or process ID of the application that sent the message.
MESSAGEID - The ID number of the message.
STRUCTURED-DATA:
The STRUCTURED-DATA message part may contain meta- information about the syslog message, or application-specific information such as traffic counters or IP addresses. STRUCTURED-DATA consists of data blocks enclosed in brackets ([]). Every block includes the ID of the block, and one or more name=value pairs.
Example SDATA
[exampleSDID@0 iut="3" eventSource="Application" eventID="1011"][examplePriority@0 class="high"]
MSG:
The MSG part contains the text of the message itself. The character set used in MSG SHOULD be UNICODE, encoded using UTF-8. If a syslog application encodes MSG in UTF-8, the string MUST start with the Unicode byte order mask (BOM).
Example IETF-syslog message:
1 2003-10-11T22:14:15.003Z mymachine myapplication 1234 ID47 [example@0 class="high"] BOMmyapplication is started
PRI VERSION ISOTIMESTAMP HOSTNAME APPLICATION PID MESSAGEID [STRUCTURED-DATA] MSG
Notes: APPLICATION, PID, MESSAGEID and STRUCTURED-DATA can be NULL, that is represented by the dash character "-". The MSG part can be entirely empty (eg. only SDATA is sent).
1 2003-10-11T22:14:15.003Z mymachine myapplication - - - BOMmyapplication is started
-
Additional Information