Syslogs are generated by Linux/Unix hosts and by network devices such as switches, routers, and firewalls. They contain valuable information that helps secure networks and troubleshoot operational issues. Therefore, it is essential to collect and analyze syslogs.
This article explains the structure and format of syslogs and provides information about syslog storage.
The syslog standard contains three different layers:
Every syslog packet contains three parts (PRI, HEADER, and MSG) and is limited to 1024 bytes (1 KB) by default. This fixed format makes it easier to parse and analyze the collected logs.
The PRI section of Syslog represents the Facility and Severity of the message. As mentioned in the RFC 3164 standard, Facility and Severity are mapped against pre-determined numerical values. Facility denotes a component or application that can generate logs.
| Numerical Code | Facility |
|---|---|
| 0 | kernel messages |
| 1 | user-level messages |
| 2 | mail system |
| 3 | system daemons |
| 4 | security/authorization messages |
| 5 | messages generated internally by syslogd |
| 6 | line printer subsystem |
| 7 | network news subsystem |
| 8 | UUCP subsystem |
| 9 | clock daemon |
| 10 | security/authorization messages |
| 11 | FTP daemon |
| 12 | NTP subsystem |
| 13 | log audit |
| 14 | log alert |
| 15 | clock daemon |
| 16 | local use 0 |
| 17 | local use 1 |
| 18 | local use 2 |
| 19 | local use 3 |
| 20 | local use 4 |
| 21 | local use 5 |
| 22 | local use 6 |
| 23 | local use 7 |
| Numerical Code | Severity |
|---|---|
| 0 | Emergency |
| 1 | Alert |
| 2 | Critical |
| 3 | Error |
| 4 | Warning |
| 5 | Notice |
| 6 | Informational |
| 7 | Debug |
Priority value = Facility Value * 8 + Severity Value.
The value calculated with this formula is placed in the PRI section of the syslog packet, enclosed in angle brackets (<>). The receiver reverses the formula: the facility is the priority value divided by 8, and the severity is the remainder.
The header portion contains the timestamp and the IP address or hostname of the network device. The timestamp denotes the date and time at which the particular device generated the message. The clocks of all network devices should be kept in sync to avoid confusion when correlating timestamps across devices.
The message portion contains the TAG and CONTENT. TAG refers to the application or program which generates the message/log. CONTENT refers to the message generated.
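The following is an added example (not part of the original article) that puts the three parts together: it decodes the PRI value back into the facility and severity from the tables above, then splits the HEADER (timestamp, hostname) and MSG (TAG, CONTENT) portions of an RFC 3164 message. The sample message, the hostname `fw01`, and the short facility keywords (`auth`, `local0`, and so on, which are the conventional names for the table rows) are constructed for the example.

```python
import re
from datetime import datetime

# Conventional short names for facility codes 0..23 (same order as the table above).
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["Emergency", "Alert", "Critical", "Error", "Warning", "Notice",
              "Informational", "Debug"]

# RFC 3164 layout: <PRI>TIMESTAMP HOSTNAME TAG[PID]: CONTENT
_RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<tag>[A-Za-z0-9_./-]+)(?:\[(?P<pid>\d+)\])?: ?"
    r"(?P<content>.*)$")

def decode_pri(pri):
    """Invert PRI = facility * 8 + severity; valid PRI values are 0..191."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI {pri} out of range 0..191")
    facility, severity = divmod(pri, 8)
    return FACILITIES[facility], SEVERITIES[severity]

def encode_pri(facility, severity):
    """Forward direction, as used by a sending device."""
    return FACILITIES.index(facility) * 8 + SEVERITIES.index(severity)

def parse_syslog(line, year=2024):
    """Split one RFC 3164 message into its PRI, HEADER and MSG fields.
    The BSD timestamp carries no year, so the caller supplies one."""
    m = _RFC3164.match(line)
    if m is None:
        raise ValueError("not a well-formed RFC 3164 message")
    facility, severity = decode_pri(int(m["pri"]))
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"facility": facility, "severity": severity, "timestamp": ts,
            "host": m["host"], "tag": m["tag"], "pid": m["pid"],
            "content": m["content"]}

# Constructed sample: facility 4 (auth) * 8 + severity 2 (Critical) = PRI 34.
SAMPLE = ("<34>Oct 11 22:14:15 fw01 sshd[2210]: Failed password for invalid user "
          "admin from 203.0.113.7 port 52114 ssh2")

if __name__ == "__main__":
    print(parse_syslog(SAMPLE))
```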
By default, syslogs are stored in /var/log/syslog or /var/log/messages. They can be stored in different locations based on the type of event. For instance, security events are stored in either /var/log/auth.log or /var/log/secure, kernel events can be found in /var/log/kern.log, and MySQL events can be found under /var/log/mysql.
Syslogs help security administrators analyze critical events such as authorization failures and unusual configuration changes. Because syslogs record who performed what action, from where, and when, it is essential to enable logging, collect the syslogs centrally, and analyze them in depth to strengthen network security.
EventLog Analyzer, an effective log management solution, can collect, filter, parse, and analyze syslogs and generate comprehensive reports to make syslog auditing and monitoring easy for any network. You can set up alerts for any deviation or malicious activity in syslogs to notify IT security admins in real time via email or SMS and stop an impending attack.
Zoho Corporation Pvt. Ltd. All rights reserved.