Understanding the Syslog Message Format: A Comprehensive Overview

01/06/2025

Syslog messages follow a standardized format, but the details vary with the implementation, the configuration, and the device or application sending the logs. This article walks through the common elements of a Syslog message, shows how login and other security events appear in the log formats of different systems and applications, and compares the classic BSD-style format (RFC 3164) with the structured format (RFC 5424).

Syslog Message Format

Syslog Message Format Overview

A typical Syslog message consists of several fields, each carrying specific information about the event being logged. In the classic BSD format described by RFC 3164 the message is laid out as:

<PRI>HEADER MESSAGE

  • PRI (Priority): A number in angle brackets at the very start of the message that encodes the facility and severity.
  • HEADER: The timestamp and the hostname (sometimes the IP address) of the sender.
  • MESSAGE: A TAG naming the sending program (often with its process ID) followed by the actual log text generated by the application or system.

Components of a Syslog Message

Let’s break down the major components of a Syslog message:

a. Priority (PRI)

The priority field (<PRI>) is a combination of two values:

  • Facility: Indicates the part of the system that generated the message (e.g., kernel, mail system).
  • Severity: Represents the severity of the event (e.g., warning, error).

The facility and severity are encoded into a single number, which is transmitted in angle brackets at the start of the message. This number is calculated as:

PRI = (Facility × 8) + Severity

Facility codes run from 0 (kernel messages) to 23 (local7), and severity codes from 0 (Emergency) to 7 (Debug), so a valid PRI is always between 0 and 191. For example, if the facility is 1 (user-level messages) and the severity is 3 (Error), the PRI value would be:

(1 × 8) + 3 = 11, sent as <11>

Decoding goes the other way: facility = PRI ÷ 8 (integer division) and severity = PRI mod 8. A receiver should reject a PRI above 191 rather than silently mapping it to a facility that does not exist.

b. Header

The HEADER typically consists of:

  • Timestamp: When the event occurred, in the form Mmm dd hh:mm:ss (e.g., Sep 5 10:22:33; RFC 3164 pads a single-digit day with a space, so many senders emit Sep  5). There is no year and no time zone, so the receiver has to supply both, which is a common cause of mis-ordered events around New Year and between sites in different time zones.
  • Hostname: The name or IP address of the device that generated the log message, exactly as the sender chose to write it. The field is not authenticated and should not be trusted more than the source address of the connection the message arrived on.

c. Message Content

The MESSAGE portion of a Syslog entry contains the actual log message generated by the system or application. In RFC 3164 it begins with a TAG (the program name, usually followed by the process ID in square brackets and a colon) and continues with free-form content. The content of this part varies significantly depending on the device or application, and some appliances omit the TAG altogether.

Common Syslog Log Formats

Different devices, systems, and applications might structure their Syslog messages differently. Below are some common formats based on various implementations and sources.

a. Linux Syslog (rsyslog, syslog-ng)

In a Linux system using rsyslog or syslog-ng, a typical login entry might look like this:

<134>Sep 5 10:22:33 myserver sshd[12345]: Accepted publickey for user from 192.168.1.50 port 55214 ssh2

Breaking it down:

  • <134>: The priority value (facility=16, severity=6), i.e. local0.info. (OpenSSH logs to the AUTH facility by default; local0 here reflects a SyslogFacility override in sshd_config.)
  • Sep 5 10:22:33: Timestamp indicating when the log was created.
  • myserver: The hostname of the server generating the message.
  • sshd[12345]: The TAG: the name of the application (sshd) and its process ID (12345).
  • Accepted publickey for user from 192.168.1.50 port 55214 ssh2: The actual log message, indicating that the account named user logged in via SSH with a public key from 192.168.1.50.
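As an added example (not code from the original article), here is a small Python parser for the RFC 3164 style lines shown in this section and in the Components section above. It encodes and decodes the PRI, splits HEADER, TAG and MESSAGE, accepts bodies that have no TAG, and fills in the year the timestamp lacks, stepping back a year when a message received in January carries a December timestamp. The sample lines and the receipt times are constructed; the appliance line is invented to exercise the no-TAG path.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Facility / severity code points from RFC 5424 section 6.2.1 (identical to
# the BSD syslog values that RFC 3164 describes).
FACILITIES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


def encode_pri(facility: int, severity: int) -> int:
    """PRI = facility * 8 + severity, e.g. local0 (16) + info (6) = 134."""
    if not (0 <= facility <= 23 and 0 <= severity <= 7):
        raise ValueError("facility must be 0-23 and severity 0-7")
    return facility * 8 + severity


def decode_pri(pri: int) -> tuple[str, str]:
    """Reverse the encoding; anything above 191 is not a valid PRI."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI {pri} out of range 0-191")
    return FACILITIES[pri // 8], SEVERITIES[pri % 8]


# <PRI>TIMESTAMP HOSTNAME TAG[PID]: MSG.  The TAG group is optional because
# several appliances send a bare key=value body straight after the hostname.
RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?:(?P<tag>[^\s:\[]{1,32})(?:\[(?P<pid>\d+)\])?: ?)?"
    r"(?P<msg>.*)$"
)


@dataclass
class SyslogRecord:
    pri: int
    facility: str
    severity: str
    timestamp: datetime
    hostname: str
    tag: Optional[str]
    pid: Optional[int]
    message: str


def resolve_timestamp(ts: str, received: datetime) -> datetime:
    """RFC 3164 timestamps carry no year and no time zone.  Borrow the year
    from the time of receipt, stepping back one year if that would place the
    event more than a day in the future (a December event read in January)."""
    normalised = " ".join(ts.split())          # "Sep  5 ..." -> "Sep 5 ..."
    candidate = datetime.strptime(f"{received.year} {normalised}", "%Y %b %d %H:%M:%S")
    if candidate - received > timedelta(days=1):
        candidate = datetime.strptime(f"{received.year - 1} {normalised}", "%Y %b %d %H:%M:%S")
    return candidate


def parse_rfc3164(line: str, received: Optional[datetime] = None) -> SyslogRecord:
    """Parse one RFC 3164 style line; raise ValueError on anything else."""
    m = RFC3164.match(line)
    if not m:
        raise ValueError(f"not an RFC 3164 message: {line[:40]!r}")
    pri = int(m["pri"])
    facility, severity = decode_pri(pri)
    received = received or datetime.now()
    return SyslogRecord(
        pri=pri, facility=facility, severity=severity,
        timestamp=resolve_timestamp(m["ts"], received),
        hostname=m["host"], tag=m["tag"],
        pid=int(m["pid"]) if m["pid"] else None,
        message=m["msg"],
    )


# Constructed sample lines (not captured from real systems).
SSHD_LINE = ("<134>Sep 5 10:22:33 myserver sshd[12345]: "
             "Accepted publickey for user from 192.168.1.50 port 55214 ssh2")
KV_LINE = "<133>Dec 31 23:59:58 appliance01 devname=FW1 action=login status=success"


def demo() -> dict:
    """Parse both samples with fixed receipt times so the result is reproducible."""
    ssh = parse_rfc3164(SSHD_LINE, received=datetime(2023, 9, 5, 10, 22, 40))
    # Received two seconds into 2024: the event belongs to 2023.
    kv = parse_rfc3164(KV_LINE, received=datetime(2024, 1, 1, 0, 0, 0))
    return {"ssh": ssh, "kv": kv}


if __name__ == "__main__":
    for name, rec in demo().items():
        print(name, rec)
```

The year-rollover rule is deliberately tolerant of clocks a day ahead; tighten the one-day window if the senders are known to be NTP-synchronised.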

b. Cisco IOS Syslog

Cisco network devices generate Syslog messages in a slightly different format. Here is a simplified example from a Cisco router (the exact header layout depends on the logging configuration, for instance whether sequence numbers, timestamps and an origin-id are enabled):

<190>Sep 5 10:22:33 myrouter 4145: %SEC-6-IPACCESSLOGP: list 101 denied tcp 192.168.1.50(55214) -> 10.1.1.1(80), 1 packet

Breaking it down:

  • <190>: The priority value (facility=23, severity=6), i.e. local7.info. IOS sends to local7 by default and takes the syslog severity from the message's own severity digit, so a %SEC-6 message arrives with severity 6 (Informational), not 5.
  • Sep 5 10:22:33: Timestamp of the event.
  • myrouter: The hostname of the device generating the message.
  • 4145: Sequence number of the log message (present only when "service sequence-numbers" is configured).
  • %SEC-6-IPACCESSLOGP: The IOS message identifier in the form %FACILITY-SEVERITY-MNEMONIC. "SEC" is the IOS facility (the security subsystem), "6" the severity (Informational), and IPACCESSLOGP the mnemonic for an ACL log entry about a TCP/UDP packet. This is Cisco's own classification and is carried in the message body, separate from the syslog PRI.
  • list 101 denied tcp 192.168.1.50(55214) -> 10.1.1.1(80), 1 packet: The message body, indicating that access list 101 denied TCP traffic from 192.168.1.50 port 55214 to 10.1.1.1 port 80.

c. Windows Event Log to Syslog

In Windows systems, event log entries can be forwarded as Syslog by agents such as NXLog or Snare. The exact layout depends on the agent and its configuration; a simplified example might look like this:

<86>Sep 5 10:22:33 winserver Security: [ID 12345 AUTH] Audit Success: Logon by user Sanchit at 192.168.1.50

Breaking it down:

  • <86>: The priority value (facility=10, severity=6), i.e. authpriv.info (facility 10 is "security/authorization messages").
  • Sep 5 10:22:33: The timestamp.
  • winserver: The hostname of the Windows server generating the log.
  • Security: [ID 12345 AUTH]: The TAG names the source channel ("Security", the Windows Security log), and the bracketed part carries the agent's identifier for the event (12345 here; real Windows logon events carry their own event IDs, for example 4624 for a successful logon).
  • Audit Success: Logon by user Sanchit at 192.168.1.50: The log message, indicating a successful logon by the user "Sanchit" from 192.168.1.50.

d. Firewall (e.g., FortiGate) Syslog

Firewalls often generate detailed Syslog entries with additional security-specific information, usually as key=value pairs in the message body. Here's an example in the style of a FortiGate firewall:

<134>Sep 5 10:22:33 firewall01 date=2023-09-05 time=10:22:33 devname=FGT-001 devid=FGT-001 logid=0100020000 type=event subtype=system level=notice srcip=192.168.1.50 user="admin" action=login status=success

Breaking it down:

  • <134>: The priority value (facility=16, severity=6), i.e. local0.info.
  • Sep 5 10:22:33: The timestamp.
  • firewall01: Hostname of the firewall. Note that there is no TAG: the key=value body follows the hostname directly, which breaks parsers that insist on a program: prefix.
  • date=2023-09-05 time=10:22:33: Explicit date and time fields which, unlike the RFC 3164 timestamp, include the year.
  • devname=FGT-001 devid=FGT-001: Device name and unique identifier for the firewall.
  • logid=0100020000: The vendor's identifier for this type of log event.
  • type=event subtype=system level=notice: The log type and the vendor's own severity. Here level=notice disagrees with the severity encoded in <134> (info); a parser should not assume the two agree and should record which one it uses.
  • srcip=192.168.1.50 user="admin" action=login status=success: A successful login by the user "admin" from the IP address 192.168.1.50.

e. Application Logs to Syslog

Applications such as web servers (e.g., Apache, Nginx) or databases (e.g., MySQL) can also log to Syslog; Apache, for instance, does so with an ErrorLog syslog:local0 directive. Here's an example from Apache:

<134>Sep 5 10:22:33 webserver apache: [client 192.168.1.50] user Sanchit logged in via HTTPS

Breaking it down:

  • <134>: The priority value (facility=16, severity=6), i.e. local0.info.
  • Sep 5 10:22:33: The timestamp.
  • webserver: Hostname of the web server.
  • apache: The TAG, naming the application generating the log.
  • [client 192.168.1.50]: The client IP address that initiated the request.
  • user Sanchit logged in via HTTPS: The log message, indicating that the user "Sanchit" successfully logged in over HTTPS. The wording is entirely up to the application or module that wrote it, so application messages need per-source parsing rules.
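The vendor bodies above differ enough that a collector has to handle each shape before it can correlate them. The following added example (not from the original article or from any vendor) normalizes the MSG portion of the Cisco, Windows-agent, FortiGate-style and Apache examples into common field names and checks whether a severity embedded in the body agrees with the PRI severity. The (PRI, MSG) pairs are constructed from the breakdowns above, and the regular expressions target the shapes shown here, not the vendors' full message grammars. Two of the pairs make the check fire: a <189> carrying a %SEC-6 message (local7.notice versus Informational) and the FortiGate body whose level=notice sits behind a <134> that says info.

```python
import re

SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Cisco IOS body: %FACILITY-SEVERITY-MNEMONIC: text.  The digit is the IOS
# severity of the message, independent of the syslog PRI that carried it.
CISCO = re.compile(r"^%(?P<fac>[A-Z][A-Z0-9_]*)-(?P<sev>[0-7])-(?P<mnem>[A-Z0-9_]+): (?P<text>.*)$")
CISCO_ACL = re.compile(
    r"list (?P<acl>\S+) (?P<verdict>permitted|denied) (?P<proto>\w+) "
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\) -> (?P<dst>[\d.]+)\((?P<dport>\d+)\)"
)
# Windows forwarded by an agent: [ID <eventid> <channel>] Audit Success|Failure: text
WINDOWS = re.compile(r"^\[ID (?P<eid>\d+) (?P<chan>\w+)\] Audit (?P<outcome>Success|Failure): (?P<text>.*)$")
WIN_LOGON = re.compile(r"Logon by user (?P<user>\S+) at (?P<ip>[\d.]+)")
# Apache-style prefix: [client <ip>] text
APACHE = re.compile(r"^\[client (?P<ip>[\d.]+)\] (?P<text>.*)$")
# key=value bodies (FortiGate and similar appliances); values may be double quoted
KV_PAIR = re.compile(r'(?P<key>\w+)=(?:"(?P<quoted>[^"]*)"|(?P<bare>\S+))')
KV_BODY = re.compile(r'^(?:\w+=(?:"[^"]*"|\S+)\s*)+$')
# Level names used by FortiGate logs, mapped onto syslog severity names
FORTI_LEVEL = {"emergency": "emerg", "alert": "alert", "critical": "crit", "error": "err",
               "warning": "warning", "notice": "notice", "information": "info", "debug": "debug"}


def parse_kv(msg: str) -> dict:
    """Return the key=value pairs if the whole body consists of them, else {}."""
    if not KV_BODY.match(msg):
        return {}
    return {m["key"]: m["quoted"] if m["quoted"] is not None else m["bare"]
            for m in KV_PAIR.finditer(msg)}


def normalise(pri: int, msg: str) -> dict:
    """Flatten one vendor-specific MSG into common field names and flag any
    disagreement between the PRI severity and a severity embedded in the body."""
    event = {"pri_severity": SEVERITIES[pri % 8], "vendor": "unknown", "raw": msg}
    if m := CISCO.match(msg):
        event.update(vendor="cisco-ios", ios_facility=m["fac"], mnemonic=m["mnem"],
                     body_severity=SEVERITIES[int(m["sev"])])
        if a := CISCO_ACL.search(m["text"]):
            event.update(action=a["verdict"], proto=a["proto"], acl=a["acl"],
                         src_ip=a["src"], src_port=int(a["sport"]),
                         dst_ip=a["dst"], dst_port=int(a["dport"]))
    elif m := WINDOWS.match(msg):
        event.update(vendor="windows-agent", event_id=int(m["eid"]), channel=m["chan"],
                     outcome=m["outcome"].lower())
        if w := WIN_LOGON.search(m["text"]):
            event.update(action="logon", user=w["user"], src_ip=w["ip"])
    elif m := APACHE.match(msg):
        event.update(vendor="apache", src_ip=m["ip"], text=m["text"])
    elif kv := parse_kv(msg):
        event.update(vendor="kv-appliance", fields=kv)
        for src, dst in (("srcip", "src_ip"), ("user", "user"),
                         ("action", "action"), ("status", "outcome")):
            if src in kv:
                event[dst] = kv[src]
        if kv.get("level") in FORTI_LEVEL:
            event["body_severity"] = FORTI_LEVEL[kv["level"]]
    event["severity_mismatch"] = ("body_severity" in event
                                  and event["body_severity"] != event["pri_severity"])
    return event


# Constructed (PRI, MSG) pairs matching the examples discussed in this article.
SAMPLES = [
    (190, "%SEC-6-IPACCESSLOGP: list 101 denied tcp 192.168.1.50(55214) -> 10.1.1.1(80), 1 packet"),
    (189, "%SEC-6-IPACCESSLOGP: list 101 denied tcp 192.168.1.50(55214) -> 10.1.1.1(80), 1 packet"),
    (86, "[ID 12345 AUTH] Audit Success: Logon by user Sanchit at 192.168.1.50"),
    (134, 'date=2023-09-05 time=10:22:33 devname=FGT-001 devid=FGT-001 logid=0100020000 '
          'type=event subtype=system level=notice srcip=192.168.1.50 user="admin" action=login status=success'),
    (134, "[client 192.168.1.50] user Sanchit logged in via HTTPS"),
]


def demo() -> list:
    return [normalise(pri, msg) for pri, msg in SAMPLES]


if __name__ == "__main__":
    for ev in demo():
        print(ev["vendor"], ev.get("action"), ev.get("src_ip"), "mismatch" if ev["severity_mismatch"] else "")
```

Dispatching on body shape rather than on the hostname keeps the normaliser working when a device is renamed or when one relay forwards several vendors; the mismatch flag is worth keeping as a field so an analyst can see which severity a detection rule actually matched on.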

Variations in Syslog Format

The format of Syslog messages can vary depending on several factors:

  1. Transport: Sending Syslog over UDP (RFC 5426) or TCP (RFC 6587) does not change the message format itself, but both carry messages unencrypted and unauthenticated, UDP can drop messages silently, and the source address of a UDP datagram is trivially spoofed, so neither the hostname field nor the source IP is reliable evidence of who sent a message. Syslog over TLS (RFC 5425) adds encryption and integrity protection and, with client certificates, authentication of the sender. TCP transports also need a framing rule (octet counting or newline-delimited) so the receiver can tell where one message ends and the next begins.
  2. Vendor Customization: Different hardware vendors (Cisco, Fortinet, Juniper) add their own fields, such as sequence numbers, log identifiers or device-specific details, and may depart from the standard header layout.
  3. Log Parsing Tools: Collectors such as Logstash, Splunk or rsyslog itself can be configured to parse, normalize or enrich Syslog messages, so the record stored in a SIEM may look quite different from what the device emitted.

Advantages of Structured Syslog (RFC 5424)

The original BSD Syslog format (documented in RFC 3164) has no year or time zone in its timestamp, no standard place for structured data, and leaves the application name, process ID and message ID to convention. RFC 5424 introduced several enhancements, including:

  • A version number after the PRI, a full ISO 8601 / RFC 3339 timestamp (with year, time zone and optional fractional seconds), and explicit HOSTNAME, APP-NAME, PROCID and MSGID fields, with "-" standing in for any value that is not available.
  • Structured Data: Allows applications to include key-value pairs in the log message, making logs easier to parse and analyze. For example (this is the example message from RFC 5424, section 6.5, with the optional UTF-8 byte order mark that precedes the free text omitted):

<165>1 2003-10-11T22:14:15.003Z mymachine.example.com evntslog - ID47 [exampleSDID@32473 iut="3" eventSource="Application" eventID="1011"] An application event log entry...

This format adds:

  • Version number (1).
  • ISO 8601 timestamp (2003-10-11T22:14:15.003Z) for higher precision, with the year and the time zone included.
  • Structured data in square brackets ([exampleSDID@32473 iut="3" eventSource="Application" eventID="1011"]), allowing custom data fields. The SD-ID exampleSDID@32473 is an enterprise-specific identifier (the number after @ is an IANA Private Enterprise Number), and a double quote, backslash or closing bracket inside a value must be escaped with a backslash.
  • The facility and severity are still carried in the PRI (<165> = local4.notice).
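An added example (not code from the RFC or from the original article): a Python parser for RFC 5424 messages that splits the header fields, treats "-" as the NILVALUE, parses one or more structured-data elements with the backslash escapes RFC 5424 section 6.3.3 requires for quotes, backslashes and closing brackets inside values, and strips the optional UTF-8 byte order mark from the free-text MSG. The first two sample messages are adapted from the examples in RFC 5424 section 6.5; the third is constructed to exercise the escapes.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# HEADER = <PRI>VERSION SP TIMESTAMP SP HOSTNAME SP APP-NAME SP PROCID SP MSGID,
# followed by SP STRUCTURED-DATA (at least "-") and an optional SP MSG.
HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ver>[1-9]\d{0,2}) (?P<ts>\S+) (?P<host>\S+) "
    r"(?P<app>\S+) (?P<procid>\S+) (?P<msgid>\S+) (?P<rest>.*)$",
    re.DOTALL,
)


@dataclass
class Rfc5424Record:
    pri: int
    facility: int
    severity: str
    version: int
    timestamp: Optional[datetime]
    hostname: Optional[str]
    app_name: Optional[str]
    procid: Optional[str]
    msgid: Optional[str]
    structured_data: dict
    message: str


def _nil(value: str) -> Optional[str]:
    """RFC 5424 uses "-" (NILVALUE) for a field the sender cannot fill."""
    return None if value == "-" else value


def parse_structured_data(rest: str) -> tuple[dict, str]:
    """Consume STRUCTURED-DATA from the front of `rest` and return
    ({SD-ID: {PARAM-NAME: PARAM-VALUE}}, remainder).  A double quote,
    backslash or closing bracket inside a PARAM-VALUE arrives preceded by a
    backslash; that escaping backslash is removed here."""
    if rest.startswith("-"):
        return {}, rest[1:]
    elements: dict = {}
    pos = 0
    try:
        while pos < len(rest) and rest[pos] == "[":
            pos += 1
            start = pos
            while rest[pos] not in " ]":          # SD-ID ends at SP or ']'
                pos += 1
            sd_id = rest[start:pos]
            params: dict = {}
            while rest[pos] == " ":               # one SD-PARAM per space
                pos += 1
                eq = rest.index("=", pos)
                name = rest[pos:eq]
                if rest[eq + 1] != '"':
                    raise ValueError(f"unquoted PARAM-VALUE for {name}")
                pos = eq + 2
                chars = []
                while rest[pos] != '"':
                    if rest[pos] == "\\" and rest[pos + 1] in '"\\]':
                        pos += 1                  # drop the escaping backslash
                    chars.append(rest[pos])
                    pos += 1
                pos += 1                          # closing quote
                params[name] = "".join(chars)
            if rest[pos] != "]":
                raise ValueError("malformed SD-ELEMENT")
            pos += 1
            elements[sd_id] = params
    except IndexError:
        raise ValueError("truncated STRUCTURED-DATA") from None
    if not elements:
        raise ValueError("STRUCTURED-DATA must be '-' or one or more [...] elements")
    return elements, rest[pos:]


def parse_rfc5424(line: str) -> Rfc5424Record:
    m = HEADER.match(line)
    if not m or m["ver"] != "1":
        raise ValueError(f"not an RFC 5424 version 1 message: {line[:40]!r}")
    pri = int(m["pri"])
    if pri > 191:
        raise ValueError(f"PRI {pri} out of range 0-191")
    sd, msg = parse_structured_data(m["rest"])
    if msg.startswith(" "):
        msg = msg[1:]
    if msg.startswith("\ufeff"):                  # optional BOM marks MSG as UTF-8
        msg = msg[1:]
    ts = m["ts"]
    timestamp = None if ts == "-" else datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return Rfc5424Record(
        pri=pri, facility=pri // 8, severity=SEVERITIES[pri % 8], version=1,
        timestamp=timestamp, hostname=_nil(m["host"]), app_name=_nil(m["app"]),
        procid=_nil(m["procid"]), msgid=_nil(m["msgid"]),
        structured_data=sd, message=msg,
    )


# Samples: the first two follow RFC 5424 section 6.5 examples 3 and 4 (BOM written
# as \ufeff); the third is constructed to carry escaped characters in a value.
SAMPLES = [
    '<165>1 2003-10-11T22:14:15.003Z mymachine.example.com evntslog - ID47 '
    '[exampleSDID@32473 iut="3" eventSource="Application" eventID="1011"] '
    '\ufeffAn application event log entry...',
    '<165>1 2003-10-11T22:14:15.003Z mymachine.example.com evntslog - ID47 '
    '[exampleSDID@32473 iut="3" eventSource="Application" eventID="1011"]'
    '[examplePriority@32473 class="high"]',
    '<34>1 2023-09-05T10:22:33.000+02:00 firewall01 fwd 4711 LOGIN '
    '[origin ip="192.168.1.50" note="path C:\\\\tmp, quote \\" and \\] bracket"] '
    'admin login ok',
]


def demo() -> list:
    return [parse_rfc5424(s) for s in SAMPLES]
```

The character-level loop is used instead of a single regular expression because a PARAM-VALUE may legitimately contain an escaped closing bracket, which defeats the obvious `\[[^\]]*\]` pattern and would silently truncate the element.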

Conclusion

Syslog is a flexible and widely adopted logging protocol, with different formats and fields depending on the system, device, or application sending the logs. From basic Linux system logs to advanced firewall and network device logs, Syslog provides a unified method for collecting and analyzing events across an infrastructure.

While the basic Syslog message format described by RFC 3164 is still prevalent, many systems are moving towards the structured format introduced in RFC 5424 to meet modern requirements such as unambiguous timestamps and structured data for more reliable parsing and analysis.

Understanding the different Syslog log formats and their components is essential for network and system administrators to effectively monitor, troubleshoot, and secure their environments.

https://datatracker.ietf.org/doc/html/rfc5424
