The PRI part of the syslog message (known as Priority value) represents the facility and severity of the message. Facility represents the part of the system sending the message, while severity marks its importance. The Priority value is calculated by first multiplying the facility number by 8 and then adding the numerical value of the severity. The possible facility and severity values are presented below.
Facility codes may slightly vary between different platforms.
The following table lists the facility values.
|5||messages generated internally by syslogd|
|6||line printer subsystem|
|7||network news subsystem|
|16-23||locally used facilities (local0-local7)|
The following table lists the severity values.
|0||Emergency: system is unusable|
|1||Alert: action must be taken immediately|
|2||Critical: critical conditions|
|3||Error: error conditions|
|4||Warning: warning conditions|
|5||Notice: normal but significant condition|
|6||Informational: informational messages|
|7||Debug: debug-level messages|
The HEADER part contains a timestamp and the hostname (without the domain name) or the IP address of the device. The timestamp field is the local time in the Mmm dd hh:mm:ss format, where:
Mmm is the English abbreviation of the month: Jan, Feb, Mar, Apr, May, Jun, Jul, Aug, Sep, Oct, Nov, Dec.
dd is the day of the month in two digits. If the day of the month is less than 10, the first digit is replaced with a space. (For example Aug 7.)
hh:mm:ss is the local time. The hour (hh) is represented in a 24-hour format. Valid entries are between 00 and 23, inclusive. The minute (mm) and second (ss) entries are between 00 and 59 inclusive.
The MSG part contains the name of the program or process that generated the message, and the text of the message itself. The MSG part is usually in the following format:
program[pid]: message text
This section describes the format of a syslog message, according to the IETF-syslog protocol (see RFC 5424-5428). A syslog message consists of the following parts:
The following is a sample syslog message (source: https://tools.ietf.org/html/rfc5424):
<34>1 2003-10-11T22:14:15.003Z mymachine.example.com su - ID47 - BOM'su root' failed for lonvick on /dev/pts/8
The message corresponds to the following format:
<priority>VERSION ISOTIMESTAMP HOSTNAME APPLICATION PID MESSAGEID STRUCTURED-DATA MSG
Facility is 4, severity is 2, so PRI is 34.
The VERSION is 1.
The message was created on 11 October 2003 at 10:14:15pm UTC, 3 milliseconds into the next second.
The message originated from a host that identifies itself as "mymachine.example.com".
The APP-NAME is "su" and the PROCID is unknown.
The MSGID is "ID47".
The MSG is "'su root' failed for lonvick...", encoded in UTF-8.
In this example, the The encoding is defined by the BOM:
The byte order mark (BOM) is a Unicode character used to signal the byte-order of the message text.
There is no STRUCTURED-DATA present in the message, this is indicated by "-" in the STRUCTURED-DATA field.
The HEADER part of the message must be in plain ASCII format, the parameter values of the STRUCTURED-DATA part must be in UTF-8, while the MSG part should be in UTF-8. The different parts of the message are explained in the following sections.