Chat now with support
Chat with Support

syslog-ng Store Box 5.0.3 - Administration Guide

Preface Introduction The concepts of SSB The Welcome Wizard and the first login Basic settings User management and access control Managing SSB Configuring message sources Storing messages on SSB Forwarding messages from SSB Log paths: routing and processing messages Configuring syslog-ng options Searching log messages Searching the internal messages of SSB Classifying messages with pattern databases The SSB RPC API Troubleshooting SSB Security checklist for configuring SSB About us Third-party contributions

IETF-syslog messages

This section describes the format of a syslog message, according to the IETF-syslog protocol (see RFC 5424-5428). A syslog message consists of the following parts:

The following is a sample syslog message:1

<34>1 2003-10-11T22:14:15.003Z mymachine.example.com su - ID47 - BOM'su root' failed for lonvick on /dev/pts/8

The message corresponds to the following format:

<priority>VERSION ISOTIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA MSG

In this example, the facility has the value of 4, severity is 2, so PRI is 34. The VERSION is 1. The message was created on 11 October 2003 at 10:14:15pm UTC, 3 milliseconds into the next second. The message originated from a host that identifies itself as mymachine.example.com. The APP-NAME is su and the PROCID is unknown as indicated by - in the PROCID field. The MSGID is ID47. The encoding of the message is defined by the BOM. There is no STRUCTURED-DATA present in the message, this is indicated by - in the STRUCTURED-DATA field. The MSG is 'su root' failed for lonvick..., encoded in UTF-8.

The HEADER part of the message must be in plain ASCII format, the parameter values of the STRUCTURED-DATA part must be in UTF-8, and the MSG part should be in UTF-8, too. The different parts of the message are explained in the following sections.

The PRI message part

The PRI part of the syslog message (known as Priority value) represents the facility and severity of the message. Facility represents the part of the system sending the message, while severity marks its importance. The Priority value is calculated by first multiplying the facility number by 8 and then adding the numerical value of the severity. The possible facility and severity values are presented below.

NOTE:

Facility codes may slightly vary between different platforms.

The following table lists the facility values.

Table 3: syslog message facilities
Numerical Code Facility
0 kernel messages
1 user-level messages
2 mail system
3 system daemons
4 security/authorization messages
5 messages generated internally by syslogd
6 line printer subsystem
7 network news subsystem
8 UUCP subsystem
9 clock daemon
10 security/authorization messages
11 FTP daemon
12 NTP subsystem
13 log audit
14 log alert
15 clock daemon
16-23 locally used facilities (local0-local7)

The following table lists the severity values.

Table 4: syslog message severities
Numerical Code Severity
0 Emergency: system is unusable
1 Alert: action must be taken immediately
2 Critical: critical conditions
3 Error: error conditions
4 Warning: warning conditions
5 Notice: normal but significant condition
6 Informational: informational messages
7 Debug: debug-level messages

The HEADER message part

The HEADER part contains the following elements:

  • VERSION: The version number of the syslog protocol standard. Currently this can only be 1.

  • ISOTIMESTAMP: The time when the message was generated in the ISO 8601 compatible standard timestamp format (yyyy-mm-ddThh:mm:ss+-ZONE), for example: 2006-06-13T15:58:00.123+01:00.

  • HOSTNAME: The machine that originally sent the message.

  • APPLICATION: The device or application that generated the message.

  • PID: The process name or process ID of the syslog application that sent the message. It is not necessarily the process ID of the application that generated the message.

  • MESSAGEID: The ID number of the message.

NOTE:

The syslog-ng application supports other timestamp formats as well, like ISO, or the PIX extended format. The timestamp used in the IETF-syslog protocol is derived from RFC 3339, which is based on ISO 8601. For details, see the ts_format() option in The syslog-ng Premium Edition 6 LTS Administrator Guide.

The STRUCTURED-DATA message part

The STRUCTURED-DATA message part may contain meta-information about the syslog message, or application-specific information such as traffic counters or IP addresses. STRUCTURED-DATA consists of data elements enclosed in brackets ([]).

In the following example, you can see two STRUCTURED-DATA elements:

[exampleSDID@0 iut="3" eventSource="Application" eventID="1011"][examplePriority@0 class="high"]

An element consists of an SD-ID (its identifier), and one or more parameters. Each parameter consists of a name and a value (for example, eventID="1011").

On SSB, the parameters (name-value pairs) parsed from these elements can be searched. From the example above, the following name-value pairs are parsed:

.sdata.exampleSDID@0.iut=3
.sdata.exampleSDID@0.eventSource=Application
.sdata.exampleSDID@0.eventID=1011
.sdata.examplePriority@0.class=high

The syslog-ng application automatically parses the STRUCTURED-DATA part of syslog messages, which can be referenced in macros (see The syslog-ng Premium Edition 6 LTS Administrator Guide for details).

Related Documents