Syslog Messages

Syslog Messages

Syslog is a widely used standard for message logging. Network administrators may use syslog for system management and security auditing as well as general informational, analysis, and debugging messages. A wide variety of devices, such as routers, switches and firewalls use the syslog standard. This permits the consolidation of logging data from different types of systems in a central repository.

Syslog messages usually include information to help identify basic information about where, when, and why the log was sent: IP Address, Timestamp, and the actual log Message.

Syslog uses a concept called “Facility” to identify the source of a message on any given machine.

Facility CodeKeywordDescription
0kernkernel messages
1useruser-level messages
2mailmail system
3daemonsystem daemons
4authsecurity/authorization messages
5syslogmessages generated internally by syslogd
6lprline printer subsystem
7newsnetwork news subsystem
8uucpUUCP subsystem
9clock daemon
10authprivsecurity/authorization messages
11ftpFTP daemon
12NTP subsystem
13log audit
14 log alert
15 cronscheduling daemon
16local0local use 0 (local0)
17local1local use 1 (local1)
18local2local use 2 (local2)
19local3local use 3 (local3)
20local4local use 4 (local4)
21local5local use 5 (local5)
22local6local use 6 (local6)
23local7local use 7 (local7)


Also, Syslog messages have a severity level field. The severity level indicates the importance of the message.

 ValueSeverityKeyword DescriptionExamples
 0EmergencyemergThis level should not be used by applications. 
 1AlertalertShould be corrected immediatelyLoss of the primary ISP connection.
 2CriticalcritA failure in the system’s primary application. 
 3ErrorerrAn application has exceeded its file storage limit and attempts to write are failing. 
 4WarningwarningMay indicate that an error will occur if action is not taken.A non-root file system has only 2GB remaining.
 5NoticenoticeEvents that are unusual, but not error conditions. 
 6InformationalinfoNormal operational messages that require no action.An application has started, paused or ended successfully.
 7DebuggingdebugInformation useful to developers for debugging the application. 


Syslog packet size is limited to 1024 bytes and carries the following information Facility, Severity, Hostname/IP Address, Timestamp and Message.