Syslog Messages

Syslog is a widely used standard for message logging. Network administrators may use syslog for system management and security auditing as well as general informational, analysis, and debugging messages. A wide variety of devices, such as routers, switches and firewalls use the syslog standard. This permits the consolidation of logging data from different types of systems in a central repository.

Syslog messages usually include basic information about where, when, and why the log was sent: the source IP address, a timestamp, and the actual log message.

Syslog uses a concept called “Facility” to identify the source of a message on any given machine.

Code  Keyword   Description
----  --------  ----------------------------------------
0     kern      kernel messages
1     user      user-level messages
2     mail      mail system
3     daemon    system daemons
4     auth      security/authorization messages
5     syslog    messages generated internally by syslogd
6     lpr       line printer subsystem
7     news      network news subsystem
8     uucp      UUCP subsystem
9               clock daemon
10    authpriv  security/authorization messages
11    ftp       FTP daemon
12              NTP subsystem
13              log audit
14              log alert
15    cron      scheduling daemon
16    local0    local use 0 (local0)
17    local1    local use 1 (local1)
18    local2    local use 2 (local2)
19    local3    local use 3 (local3)
20    local4    local use 4 (local4)
21    local5    local use 5 (local5)
22    local6    local use 6 (local6)
23    local7    local use 7 (local7)

Syslog messages also carry a severity level field, which indicates the importance of the message.

Value  Severity       Keyword  Description                                                      Example
-----  -------------  -------  ---------------------------------------------------------------  ---------------------------------------------
0      Emergency      emerg    This level should not be used by applications.
1      Alert          alert    Should be corrected immediately.                                 Loss of the primary ISP connection.
2      Critical       crit                                                                      A failure in the system's primary application.
3      Error          err                                                                       An application has exceeded its file storage limit and attempts to write are failing.
4      Warning        warning  May indicate that an error will occur if action is not taken.    A non-root file system has only 2GB remaining.
5      Notice         notice   Events that are unusual, but not error conditions.
6      Informational  info     Normal operational messages that require no action.              An application has started, paused or ended successfully.
7      Debugging      debug    Information useful to developers for debugging the application.

Notes:
Syslog packet size is limited to 1024 bytes, and each packet carries the following information: Facility, Severity, Hostname/IP Address, Timestamp and Message.