SOME HISTORY
The protocol was originally documented in RFC 3164 “The BSD syslog Protocol” (C. Lonvick, August 2001), which described the de facto behaviour of the BSD syslog daemon written by Eric Allman. RFC 3164 is now obsoleted by RFC 5424 “The Syslog Protocol”, written by Rainer Gerhards (@rgerhards on Twitter), March 2009.
SYSLOG ARCHITECTURE
Definitions: A machine that generates a message is called a device.
A machine that can receive the message and forward it to another machine is called a relay.
A machine that receives a message and does not relay it is called a collector. A collector is what we know as the syslog server.
Any device or relay is known as a sender when it sends a message.
Any relay or collector is known as a receiver when it receives the message.
Valid Architectures:
      +------+         +---------+
      |Device|---->----|Collector|
      +------+         +---------+

      +------+         +-----+         +---------+
      |Device|---->----|Relay|---->----|Collector|
      +------+         +-----+         +---------+

      +------+     +-----+            +-----+     +---------+
      |Device|-->--|Relay|-->--..-->--|Relay|-->--|Collector|
      +------+     +-----+            +-----+     +---------+

      +------+         +-----+         +---------+
      |Device|---->----|Relay|---->----|Collector|
      |      |-\       +-----+         +---------+
      +------+  \
                 \      +-----+         +---------+
                  \-->--|Relay|---->----|Collector|
                        +-----+         +---------+

      +------+         +---------+
      |Device|---->----|Collector|
      |      |-\       +---------+
      +------+  \
                 \      +-----+         +---------+
                  \-->--|Relay|---->----|Collector|
                        +-----+         +---------+

      +------+         +-----+            +---------+
      |Device|---->----|Relay|---->-------|Collector|
      |      |-\       +-----+        /--|         |
      +------+  \                    /   +---------+
                 \      +-----+     /
                  \-->--|Relay|-->--/
                        +-----+
Syslog Message Parts:
      +------+---------+------------+
      | PRI  | HEADER  |  MESSAGE   |
      +------+---------+------------+
This is the RFC 3164 layout. RFC 5424 keeps PRI at the front but folds it into a larger HEADER (PRI, VERSION, TIMESTAMP, HOSTNAME, APP-NAME, PROCID, MSGID), followed by STRUCTURED-DATA and then the optional MSG.
* Under RFC 3164 the total length of the packet MUST be 1024 bytes or less. RFC 5424 makes the limit transport-dependent: a receiver MUST accept messages of at least 480 octets, SHOULD accept 2048, and may truncate or discard anything longer than it supports.
* The PRI part MUST be 3 to 5 characters: “<” PRIVAL “>”, where PRIVAL = Facility * 8 + Severity, so PRIVAL runs from 0 to 191. It is not the facility and severity digits written side by side: auth (4) at critical (2) is <34>, not <42>.
Syslog traditionally uses UDP port 514 (RFC 3164; RFC 5426 for RFC 5424 over UDP). RFC 5424 itself is transport-independent, and RFC 5425 carries it over TLS on TCP port 6514. Whatever the transport, a message carries the following fields:
Facility – a code between 0 and 23 identifying the part of the system that produced the message (see the facility table below).
Severity – a code between 0 and 7 (see the severity table below). Facility and severity travel together in the PRI part as “<” PRIVAL “>” with PRIVAL = Facility * 8 + Severity.
Hostname = the order of preference for the contents of the HOSTNAME field is as follows:
1. FQDN
2. Static IP address
3. hostname
4. Dynamic IP address
5. the NILVALUE (“-”)
Timestamp = see RFC 3339. T and Z must be uppercase, T is required, and leap seconds must NOT be used.
Example 1: 1985-04-12T23:20:50.52Z. This represents 20 minutes and 50.52 seconds after the 23rd hour of 12 April 1985 in UTC.
Example 2: 1985-04-12T19:20:50.52-04:00. This represents the same time as in example 1, but expressed in US Eastern Standard Time (observing daylight savings time).
Message = free-form text. RFC 5424 says it SHOULD be Unicode encoded as UTF-8, and a UTF-8 MSG MUST begin with the byte order mark so a receiver can tell it apart from legacy encodings.
Facility

   Numerical     Facility
      Code
        0        kernel messages
        1        user-level messages
        2        mail system
        3        system daemons
        4        security/authorization messages (note 1)
        5        messages generated internally by syslogd
        6        line printer subsystem
        7        network news subsystem
        8        UUCP subsystem
        9        clock daemon (note 2)
       10        security/authorization messages (note 1)
       11        FTP daemon
       12        NTP subsystem
       13        log audit (note 1)
       14        log alert (note 1)
       15        clock daemon (note 2)
       16        local use 0 (local0)
       17        local use 1 (local1)
       18        local use 2 (local2)
       19        local use 3 (local3)
       20        local use 4 (local4)
       21        local use 5 (local5)
       22        local use 6 (local6)
       23        local use 7 (local7)

Note 1 (from RFC 5424): various operating systems use facilities 4, 10, 13 and 14 for security/authorization, audit and alert messages that look much the same.
Note 2 (from RFC 5424): various operating systems use both facilities 9 and 15 for clock (cron/at) messages.

Severity Levels - Use this to remember these: "Do I Notice When Evenings Come Around Early" (Debug, Informational, Notice, Warning, Error, Critical, Alert, Emergency, read from least to most severe):

   Numerical     Severity
      Code
        0        Emergency: system is unusable
        1        Alert: action must be taken immediately
        2        Critical: critical conditions
        3        Error: error conditions
        4        Warning: warning conditions
        5        Notice: normal but significant condition
        6        Informational: informational messages
        7        Debug: debug-level messages
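The PRI arithmetic, the header fields and the facility/severity tables above, as an added worked example (this is not code from the original post or from any syslog implementation): an RFC 5424 parser in Python that decodes PRI into facility and severity, splits the header into its fields, enforces the timestamp rules (uppercase T and Z, no leap seconds) and resolves the numeric codes through the two tables. It also handles the RFC 5424 header fields the post does not list (VERSION, APP-NAME, PROCID, MSGID, STRUCTURED-DATA). The sample messages, the host name, the PID and the SD-ID in it are constructed for illustration; 203.0.113.9 is a documentation address.

```python
"""RFC 5424 syslog parsing: PRI encode/decode, header split, timestamp checks.
Added example, not code from the original post or any syslog project; the sample
messages at the bottom are constructed for illustration."""
import re
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple

FACILITIES = {0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
              6: "lpr", 7: "news", 8: "uucp", 9: "cron", 10: "authpriv", 11: "ftp",
              12: "ntp", 13: "audit", 14: "alert", 15: "clock", 16: "local0", 17: "local1",
              18: "local2", 19: "local3", 20: "local4", 21: "local5", 22: "local6", 23: "local7"}
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# PRIVAL = 1*3DIGIT in the range 0..191, so the PRI part is 3 to 5 characters.
PRI_RE = re.compile(r"<(\d{1,3})>")
# RFC 5424 HEADER and STRUCTURED-DATA, single-space separated; "-" is the NILVALUE.
HEADER_RE = re.compile(
    r"^(?P<pri><\d{1,3}>)(?P<version>[1-9]\d{0,2}) (?P<timestamp>\S+) "
    r"(?P<hostname>\S{1,255}) (?P<appname>\S{1,48}) (?P<procid>\S{1,128}) "
    r"(?P<msgid>\S{1,32}) (?P<sd>-|(?:\[(?:[^\]\\]|\\.)*\])+)(?: (?P<msg>.*))?$",
    re.DOTALL,
)
# RFC 3339 profile required by RFC 5424: uppercase T and Z, at most 6 fractional digits.
TIMESTAMP_RE = re.compile(
    r"^(\d{4})-(\d{2})-(\d{2})T(\d{2}):(\d{2}):(\d{2})(?:\.(\d{1,6}))?(Z|[+-]\d{2}:\d{2})$"
)

def encode_pri(facility: int, severity: int) -> str:
    """PRIVAL = facility * 8 + severity, e.g. auth (4) at crit (2) -> '<34>'."""
    if not (0 <= facility <= 23 and 0 <= severity <= 7):
        raise ValueError("facility must be 0..23 and severity 0..7")
    return f"<{facility * 8 + severity}>"

def decode_pri(pri: str) -> Tuple[int, int]:
    """Inverse of encode_pri: '<34>' -> (4, 2). Anything above 191 is rejected."""
    m = PRI_RE.fullmatch(pri)
    if m is None:
        raise ValueError(f"malformed PRI: {pri!r}")
    prival = int(m.group(1))
    if prival > 191:
        raise ValueError(f"PRIVAL {prival} outside 0..191")
    return divmod(prival, 8)  # (facility, severity)

def priority_name(facility: int, severity: int) -> str:
    """Facility and severity by name, e.g. (4, 2) -> 'auth.crit'."""
    return f"{FACILITIES[facility]}.{SEVERITIES[severity]}"

def parse_timestamp(ts: str) -> Optional[datetime]:
    """Aware datetime, or None for the NILVALUE; lowercase t/z and a leap second raise ValueError."""
    if ts == "-":
        return None
    m = TIMESTAMP_RE.match(ts)
    if m is None:
        raise ValueError(f"bad TIMESTAMP: {ts!r}")
    y, mo, d, hh, mm, ss, frac, tz = m.groups()
    micro = int((frac or "0").ljust(6, "0"))  # ".52" -> 520000 microseconds
    offset = timedelta(0)
    if tz != "Z":
        sign = 1 if tz[0] == "+" else -1
        offset = sign * timedelta(hours=int(tz[1:3]), minutes=int(tz[4:6]))
    return datetime(int(y), int(mo), int(d), int(hh), int(mm), int(ss), micro,
                    tzinfo=timezone(offset))  # second=60 raises here, as RFC 5424 wants

def parse(line: str) -> dict:
    """Split one RFC 5424 message into its parts; ValueError on malformed input."""
    m = HEADER_RE.match(line)
    if m is None:
        raise ValueError(f"not an RFC 5424 message: {line[:40]!r}")
    facility, severity = decode_pri(m["pri"])
    fields = {k: (None if m[k] == "-" else m[k])  # NILVALUE -> None
              for k in ("hostname", "appname", "procid", "msgid", "sd")}
    return {"facility": facility, "severity": severity,
            "priority": priority_name(facility, severity),
            "version": int(m["version"]),
            "timestamp": parse_timestamp(m["timestamp"]),
            **fields, "msg": m["msg"]}

def rejects(fn, *args) -> bool:
    """True when fn(*args) raises ValueError; used to exercise the edge cases."""
    try:
        fn(*args)
    except ValueError:
        return True
    return False

# Constructed sample messages, not real log output. The first two are the same
# event stamped in UTC and in US Eastern (-04:00), like the post's timestamp examples.
SAMPLES = [
    "<34>1 1985-04-12T23:20:50.52Z host1.example.com sshd 4711 ID47 - "
    "Failed password for invalid user admin from 203.0.113.9 port 51514",
    "<34>1 1985-04-12T19:20:50.52-04:00 host1.example.com sshd 4711 ID47 "
    '[exampleSDID@32473 iut="3"] Failed password for invalid user admin',
    "<165>1 - - - - - -",  # every optional field may be the NILVALUE
]

if __name__ == "__main__":
    for s in SAMPLES:
        r = parse(s)
        print(r["priority"], r["timestamp"], r["hostname"], r["appname"], r["msg"])
```

The parser is strict on purpose: a collector that accepts a lowercase "t", a leap second or a PRIVAL above 191 will happily store messages that a compliant relay would have refused, which makes cross-device correlation unreliable. The two UTC/-04:00 samples parse to equal datetimes, so correlating them is a plain comparison of aware timestamps rather than a string match.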
And that’s all I got to say about that…
In first paragraph:
“RFC 3164 is now superceded by RFC 5224”
should probably read:
“RFC 3164 is now superceded by RFC 5424”
Oh definitely, thanks for pointing it out.
The description of the PRI field needs to be corrected. According to RFC 5424, the PRI is indeed a combination of the facility and severity, but it is actually encoded as 8 * the numeric value of the facility code + the numeric value of the severity, not XXY.
Thanks Chris! Second correction post in one day! xD
When I was writing this, that was meant to represent the breakdown of PRI, with the facility and severity defined as numeric values further down in the post. I will update and clarify, thanks for pointing this out!