Support Get Quote

Syslog basics: Formats and fields of Syslog

4 min read

What is Syslog?

Syslogs are generated by Linux/Unix and other network devices such as switches, routers, and firewalls. Syslogs contain valuable information that helps in securing networks and troubleshoot operational issues. Therefore it is essential to collect and analyze Syslogs.

This article explains the structure and format of syslogs and provides information about syslog storage.

What does a syslog contain?

The syslog standard contains three different layers:

  1. Syslog content - contains the log information.
  2. Syslog application - the applications that helps generate, interpret and store the logs in syslog servers.
  3. Syslog transport - transmits logs to different destinations like terminal line, console line, logging buffer and syslog Server.

What does a Syslog packet contain?

Every Syslog packet contains three parts and is limited to 1024 bytes (1kb) by default. This format makes it easier to parse and analyze the collected logs.

  1. PRI
  3. MSG

PRI - Priority value.

The PRI section of Syslog represents the Facility and Severity of the message. As mentioned in the RFC 3164 standard, Facility and Severity are mapped against pre-determined numerical values. Facility denotes a component or application that can generate logs.

Numerical Code Facility
0 kernel messages
1 user-level messages
2 mail system arrangement
3 system daemons
4 security/authorization messages
5 messages generated internally by syslogd
6 line printer subsystem
7 network news subsystem
8 UUCP subsystem
9 clock daemon
10 security/authorization messages
11 FTP daemon
12 NTP subsystem
13 log audit
14 log alert
15 clock daemon
16 local use 0
17 local use 1
18 local use 2
19 local use 3
20 local use 4
21 local use 5
22 local use 6
23 local use 7

The severity codes:

Numerical Code Severity
0 Emergency
1 Alert
2 Critical
3 Error
4 Warning
5 Notice
6 Informational
7 Debug
Priority value = Facility Value * 8 + Severity Value.

The value calculated using this formula will be present in the PRI section of the Syslog packet within angular brackets <>.

HEADER- header portion.

The header portion contains timestamp and IP address or hostname of the network device.The timestamp denotes the date and time of the message generated by the particular device. The time across all network devices should be in sync to avoid confusions while viewing timestamps.

MSG- message portion.

The message portion contains the TAG and CONTENT. TAG refers to the application or program which generates the message/log. CONTENT refers to the message generated.

Where are your syslogs stored?

All syslogs are stored in var/log/syslog or var/log/messages. They can be stored in different locations based on the type of events. For instance, security events are stored in either var/log/auth.log or var/log/secure, kernel events can be accessed from var/log/kern.log and MySQL events can be accessed from var/log/mysql.

How to monitor syslogs efficiently?

Syslogs helps security administrators to analyze critical events such as authorization failures and unusual configuration changes. As syslogs contain information such as who did what actions from where and when, it becomes essential to enable logging, centrally collect the syslogs, and analyze them in-depth to enhance network security.

EventLog Analyzer, an effective log management solution can collect, filter, parse and analyze syslogs and generate comprehensive reports to make syslog auditing and monitoring easy for any network. You can set up alerts for any deviance or malicious activity in syslogs to notify IT security admins in real-time via email/SMS to stop an impending attack.Click here to see how EventLog Analyzer does it.

You may also like


Interested in a
log management

Try EventLog Analyzer

Manage logs, comply with IT regulations, and mitigate security threats.

Seamlessly collect, monitor, and analyze
logs with EventLog Analyzer

Your request for a demo has been submitted successfully

Our support technicians will get back to you at the earliest.

By clicking 'Submit', you agree to processing of personal data according to the Privacy Policy.

  Zoho Corporation Pvt. Ltd. All rights reserved.

Link copied, now you can start sharing