Technology Fundamentals – RFC 5424 The Syslog Protocol

SOME HISTORY

The protocol was originally defined in RFC 3164, "The BSD syslog Protocol", written by Eric Allman in August 2001. RFC 3164 is now superseded by RFC 5424,

Rainer Gerhards – RFC 5424

written by Rainer Gerhards (Twitter: @rgerhards), March 2009.

SYSLOG ARCHITECTURE

Definitions: A machine that generates a message is called a device.
A machine that can receive the message and forward it to another machine is called a relay.
A machine that receives a message and does not relay it is called a collector. A collector is what we know as the syslog server.
Any device or relay is known as a sender when it sends a message.
Any relay or collector is known as a receiver when it receives the message.

Valid Architectures:

         +------+         +---------+
         |Device|---->----|Collector|
         +------+         +---------+

         +------+         +-----+         +---------+
         |Device|---->----|Relay|---->----|Collector|
         +------+         +-----+         +---------+

         +------+     +-----+            +-----+     +---------+
         |Device|-->--|Relay|-->--..-->--|Relay|-->--|Collector|
         +------+     +-----+            +-----+     +---------+

         +------+         +-----+         +---------+
         |Device|---->----|Relay|---->----|Collector|
         |      |-\       +-----+         +---------+
         +------+  \
                    \      +-----+         +---------+
                     \-->--|Relay|---->----|Collector|
                           +-----+         +---------+

         +------+         +---------+
         |Device|---->----|Collector|
         |      |-\       +---------+
         +------+  \
                    \      +-----+         +---------+
                     \-->--|Relay|---->----|Collector|
                           +-----+         +---------+

         +------+         +-----+            +---------+
         |Device|---->----|Relay|---->-------|Collector|
         |      |-\       +-----+         /--|         |
         +------+  \                     /   +---------+
                    \      +-----+      /
                     \-->--|Relay|-->--/
                           +-----+

Syslog Message Parts:

         +------+---------+------------+
         |  PRI |  HEADER |  MESSAGE   |
         +------+---------+------------+

* The total length of the packet MUST be 1024 bytes or less.

* The PRI MUST be 3 to 5 characters long, written as "<" PRIVAL ">", where PRIVAL is the Facility code multiplied by 8 plus the Severity code (both codes are listed in the tables below).

Syslog uses UDP port 514; the packets are at most 1024 bytes and carry the following information:

Facility – A code between 0 and 24 describing
Severity – PRI = "<" PRIVAL ">"
Hostname = The order of preference for the contents of the HOSTNAME field is as follows:

   1.  FQDN

   2.  Static IP address

   3.  hostname

   4.  Dynamic IP address

   5.  the NILVALUE

Timestamp = See RFC 3339. T and Z must be uppercase, and T is required. Leap seconds must NOT be used.

  Example 1

        1985-04-12T23:20:50.52Z

   This represents 20 minutes and 50.52 seconds after the 23rd hour of
   12 April 1985 in UTC.

   Example 2

        1985-04-12T19:20:50.52-04:00

   This represents the same time as in example 1, but expressed in US
   Eastern Standard Time (observing daylight savings time).

Message 

Free-form message, UNICODE, encoded using UTF-8

Facility

        Numerical Code      Facility

           0             kernel messages
           1             user-level messages
           2             mail system
           3             system daemons
           4             security/authorization messages (note 1)
           5             messages generated internally by syslogd
           6             line printer subsystem
           7             network news subsystem
           8             UUCP subsystem
           9             clock daemon (note 2)
          10             security/authorization messages (note 1)
          11             FTP daemon
          12             NTP subsystem
          13             log audit (note 1)
          14             log alert (note 1)
          15             clock daemon (note 2)
          16             local use 0  (local0)
          17             local use 1  (local1)
          18             local use 2  (local2)
          19             local use 3  (local3)
          20             local use 4  (local4)
          21             local use 5  (local5)
          22             local use 6  (local6)
          23             local use 7  (local7)

Severity Levels - Use this to remember them: "Do I Notice When Evenings Come Around Early"

        Numerical Code      Severity

           0       Emergency: system is unusable
           1       Alert: action must be taken immediately
           2       Critical: critical conditions
           3       Error: error conditions
           4       Warning: warning conditions
           5       Notice: normal but significant condition
           6       Informational: informational messages
           7       Debug: debug-level messages
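
The PRI encoding, the timestamp rules and the facility and severity tables above, worked through as an added Python example (this is not code from the original post): it decodes PRIVAL as facility * 8 + severity, checks a timestamp against the rules quoted above (RFC 3339 form, uppercase T and Z, T required, no leap seconds) and splits the remaining header fields. The sample messages and the hostname `host.example.com` are constructed for the demonstration; structured-data elements are left unparsed.

```python
"""Decode and validate the header of an RFC 5424 syslog message.

Added example for this post, not code from the original page. PRIVAL is
decoded as facility * 8 + severity; sample messages are constructed.
"""
import re
from datetime import datetime

# Facility and severity names as listed in the tables above.
FACILITIES = {
    0: "kernel messages", 1: "user-level messages", 2: "mail system",
    3: "system daemons", 4: "security/authorization messages",
    5: "messages generated internally by syslogd", 6: "line printer subsystem",
    7: "network news subsystem", 8: "UUCP subsystem", 9: "clock daemon",
    10: "security/authorization messages", 11: "FTP daemon", 12: "NTP subsystem",
    13: "log audit", 14: "log alert", 15: "clock daemon",
}
FACILITIES.update({16 + i: f"local use {i} (local{i})" for i in range(8)})
SEVERITIES = ["Emergency", "Alert", "Critical", "Error",
              "Warning", "Notice", "Informational", "Debug"]
MAX_PACKET = 1024  # packet size limit stated in the post

# "<" PRIVAL ">": 1 to 3 digits with no leading zero, i.e. 3 to 5 characters.
PRI_RE = re.compile(r"^<(0|[1-9][0-9]{0,2})>")
# RFC 3339 date-time with the post's restrictions: literal uppercase T,
# optional fraction, then uppercase Z or a numeric UTC offset.
TS_RE = re.compile(
    r"^(\d{4})-(\d{2})-(\d{2})T(\d{2}):(\d{2}):(\d{2})(\.\d{1,6})?(Z|[+-]\d{2}:\d{2})$"
)


def decode_pri(prival):
    """Split PRIVAL into (facility, severity); PRIVAL = facility * 8 + severity."""
    if not 0 <= prival <= 191:  # 23 * 8 + 7 is the largest legal value
        raise ValueError(f"PRIVAL out of range: {prival}")
    return divmod(prival, 8)


def encode_pri(facility, severity):
    """Inverse of decode_pri: build PRIVAL from a facility and a severity code."""
    if not (0 <= facility <= 23 and 0 <= severity <= 7):
        raise ValueError("facility must be 0-23 and severity 0-7")
    return facility * 8 + severity


def check_timestamp(ts):
    """True if ts is the NILVALUE or a timestamp obeying the rules above."""
    if ts == "-":
        return True
    m = TS_RE.match(ts)
    if m is None:  # wrong shape, lowercase t/z, missing T, or a space separator
        return False
    y, mo, d, h, mi, s = (int(m.group(i)) for i in range(1, 7))
    if s > 59:  # a leap second (second == 60) must not be used
        return False
    try:
        datetime(y, mo, d, h, mi, s)  # rejects impossible dates such as 02-30
    except ValueError:
        return False
    return True


def parse_message(raw):
    """Parse one RFC 5424 message header; raises ValueError on malformed input."""
    if len(raw.encode("utf-8")) > MAX_PACKET:
        raise ValueError("message exceeds the 1024-byte limit")
    m = PRI_RE.match(raw)
    if m is None:
        raise ValueError("missing or malformed PRI")
    prival = int(m.group(1))
    facility, severity = decode_pri(prival)
    # After PRI: VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID, then
    # STRUCTURED-DATA and the free-form MSG, all separated by single spaces.
    parts = raw[m.end():].split(" ", 6)
    if len(parts) < 6:
        raise ValueError("header is missing fields")
    version, timestamp, hostname, app_name, procid, msgid = parts[:6]
    if version != "1":
        raise ValueError(f"unsupported VERSION {version!r}")
    if not check_timestamp(timestamp):
        raise ValueError(f"invalid TIMESTAMP {timestamp!r}")
    tail = parts[6] if len(parts) == 7 else "-"
    if tail == "-" or tail.startswith("- "):
        sd, msg = "-", tail[2:]  # NIL structured data, the rest is MSG
    else:
        sd, msg = tail, ""       # SD elements present; left unparsed here
    return {"prival": prival, "facility": facility,
            "facility_name": FACILITIES[facility], "severity": severity,
            "severity_name": SEVERITIES[severity], "version": version,
            "timestamp": timestamp, "hostname": hostname, "app_name": app_name,
            "procid": procid, "msgid": msgid, "structured_data": sd, "msg": msg}


def is_valid_message(raw):
    try:
        parse_message(raw)
        return True
    except ValueError:
        return False


# Constructed sample messages; the timestamp is the post's Example 1.
SAMPLE_OK = ("<165>1 1985-04-12T23:20:50.52Z host.example.com app 1234 ID1 "
             "- Free-form message text")
SAMPLE_BAD_TS = SAMPLE_OK.replace("T23", "t23")  # lowercase t is not allowed
```

`parse_message(SAMPLE_OK)` reports facility 20 (local4) and severity 5 (Notice) from PRIVAL 165, while `SAMPLE_BAD_TS` is rejected because its date/time separator is lowercase. A collector that validates the header this way before indexing avoids mis-attributing messages whose PRI or timestamp a sender got wrong.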

And that’s all I got to say about that…



4 thoughts on “Technology Fundamentals – RFC 5424 The Syslog Protocol”

  1. In first paragraph:
    “RFC 3164 is now superceded by RFC 5224”
    should probably read:
    “RFC 3164 is now superceded by RFC 5424”

  2. The description of the PRI field needs to be corrected. According to RFC 5424, the PRI is indeed a combination of the facility and severity, but it is actually encoded as 8 * the numeric value of the facility code + the numeric value of the severity, not XXY.

    • Thanks Chris! Second correction post in one day! xD

      When I was writing this, that was meant to represent the breakdown of PRI, with the facility and severity defined as numeric values further down in the post. I will update and clarify, thanks for pointing this out!
