Syslog formats and fields
Last updated on:In this page
What is Syslog?
Syslogs are generated by Linux/Unix and other network devices such as switches, routers, and firewalls. Syslogs contain valuable information that helps in securing networks and troubleshoot operational issues. Therefore it is essential to collect and analyze Syslogs. This article explains the structure and format of syslogs and provides information about syslog storage.
Read our Syslog basics explained article to know more on the functioning of syslog.
What does a syslog contain?
The syslog standard contains three different layers:
- Syslog content - contains the log information.
- Syslog application - the applications that helps generate, interpret and store the logs in syslog servers.
- Syslog transport - transmits logs to different destinations like terminal line, console line, logging buffer and syslog Server.
What does a Syslog packet contain?
Every Syslog packet contains three parts and is limited to 1024 bytes (1kb) by default. This format makes it easier to parse and analyze the collected logs.
- PRI
- HEADER
- MSG
PRI - Priority value.
The PRI section of Syslog represents the Facility and Severity of the message. As mentioned in the RFC 3164 standard, Facility and Severity are mapped against pre-determined numerical values. Facility denotes a component or application that can generate logs.
| Numerical Code | Facility |
|---|---|
| 0 | kernel messages |
| 1 | user-level messages |
| 2 | mail system arrangement |
| 3 | system daemons |
| 4 | security/authorization messages |
| 5 | messages generated internally by syslogd |
| 6 | line printer subsystem |
| 7 | network news subsystem |
| 8 | UUCP subsystem |
| 9 | clock daemon |
| 10 | security/authorization messages |
| 11 | FTP daemon |
| 12 | NTP subsystem |
| 13 | log audit |
| 14 | log alert |
| 15 | clock daemon |
| 16 | local use 0 |
| 17 | local use 1 |
| 18 | local use 2 |
| 19 | local use 3 |
| 20 | local use 4 |
| 21 | local use 5 |
| 22 | local use 6 |
| 23 | local use 7 |
The severity codes:
| Numerical Code | Severity |
|---|---|
| 0 | Emergency |
| 1 | Alert |
| 2 | Critical |
| 3 | Error |
| 4 | Warning |
| 5 | Notice |
| 6 | Informational |
| 7 | Debug |
Priority value = Facility Value * 8 + Severity Value.
The value calculated using this formula will be present in the PRI section of the Syslog packet within angular brackets <>.
HEADER- header portion.
The header portion contains timestamp and IP address or hostname of the network device.The timestamp denotes the date and time of the message generated by the particular device. The time across all network devices should be in sync to avoid confusions while viewing timestamps.
MSG- message portion.
The message portion contains the TAG and CONTENT. TAG refers to the application or program which generates the message/log. CONTENT refers to the message generated.
Learn more about syslog
Where are your syslogs stored?
All syslogs are stored in var/log/syslog or var/log/messages. They can be stored in different locations based on the type of events. For instance, security events are stored in either var/log/auth.log or var/log/secure, kernel events can be accessed from var/log/kern.log and MySQL events can be accessed from var/log/mysql.
How to monitor syslogs efficiently?
Syslogs helps security administrators to analyze critical events such as authorization failures and unusual configuration changes. As syslogs contain information such as who did what actions from where and when, it becomes essential to enable logging, centrally collect the syslogs, and analyze them in-depth to enhance network security.
EventLog Analyzer, an effective log management solution can collect, filter, parse and analyze syslogs and generate comprehensive reports to make syslog auditing and monitoring easy for any network. You can set up alerts for any deviance or malicious activity in syslogs to notify IT security admins in real-time via email/SMS to stop an impending attack. Click here to see how EventLog Analyzer does it.
