
Syslog Messages
Syslog is a widely used standard for message logging. Network administrators may use syslog for system management and security auditing as well as for general informational, analysis, and debugging messages. A wide variety of devices, such as routers, switches, and firewalls, use the syslog standard, which permits the consolidation of logging data from different types of systems in a central repository.
Syslog messages usually carry enough basic information to identify where, when, and why the log was sent: the IP address, the timestamp, and the actual log message.
Syslog uses a concept called “Facility” to identify the source of a message on any given machine.
| Facility Code | Keyword | Description |
|---|---|---|
| 0 | kern | kernel messages |
| 1 | user | user-level messages |
| 2 | mail | mail system |
| 3 | daemon | system daemons |
| 4 | auth | security/authorization messages |
| 5 | syslog | messages generated internally by syslogd |
| 6 | lpr | line printer subsystem |
| 7 | news | network news subsystem |
| 8 | uucp | UUCP subsystem |
| 9 | | clock daemon |
| 10 | authpriv | security/authorization messages |
| 11 | ftp | FTP daemon |
| 12 | ntp | NTP subsystem |
| 13 | | log audit |
| 14 | | log alert |
| 15 | cron | scheduling daemon |
| 16 | local0 | local use 0 (local0) |
| 17 | local1 | local use 1 (local1) |
| 18 | local2 | local use 2 (local2) |
| 19 | local3 | local use 3 (local3) |
| 20 | local4 | local use 4 (local4) |
| 21 | local5 | local use 5 (local5) |
| 22 | local6 | local use 6 (local6) |
| 23 | local7 | local use 7 (local7) |
Syslog messages also carry a severity level field, which indicates the importance of the message.
| Value | Severity | Keyword | Description | Examples |
|---|---|---|---|---|
| 0 | Emergency | emerg | This level should not be used by applications. | |
| 1 | Alert | alert | Should be corrected immediately. | Loss of the primary ISP connection. |
| 2 | Critical | crit | A failure in the system's primary application. | |
| 3 | Error | err | An application has exceeded its file storage limit and attempts to write are failing. | |
| 4 | Warning | warning | May indicate that an error will occur if action is not taken. | A non-root file system has only 2GB remaining. |
| 5 | Notice | notice | Events that are unusual, but not error conditions. | |
| 6 | Informational | info | Normal operational messages that require no action. | An application has started, paused or ended successfully. |
| 7 | Debugging | debug | Information useful to developers for debugging the application. | |
Notes: Syslog packet size is limited to 1024 bytes, and a packet carries the following information: Facility, Severity, Hostname/IP Address, Timestamp, and Message.
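To show how the facility and severity from the tables above travel inside a message, here is an added parser for the BSD-style `<PRI>TIMESTAMP HOSTNAME MESSAGE` layout (example code written for this page, not taken from any syslog implementation). It assumes the usual PRI encoding, PRI = facility * 8 + severity, enforces the 1024-byte limit from the notes, and runs over two constructed log lines.

```python
import re
from dataclasses import dataclass

# Keywords follow the facility and severity tables above; codes 9, 13 and 14
# have no keyword in the table, so their descriptions are used as names here.
FACILITIES = {
    0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
    6: "lpr", 7: "news", 8: "uucp", 9: "clock daemon", 10: "authpriv",
    11: "ftp", 12: "ntp", 13: "log audit", 14: "log alert", 15: "cron",
    **{16 + i: f"local{i}" for i in range(8)},
}
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
MAX_PACKET = 1024  # byte limit stated in the notes above

# Assumed wire layout: <PRI>Mmm dd hh:mm:ss HOSTNAME MESSAGE (BSD style).
_LINE = re.compile(r"^<(\d{1,3})>([A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (\S+) (.*)$")


@dataclass
class SyslogMessage:
    facility: int
    severity: int
    timestamp: str
    hostname: str
    message: str

    @property
    def facility_name(self) -> str:
        return FACILITIES[self.facility]

    @property
    def severity_name(self) -> str:
        return SEVERITIES[self.severity]


def decode_pri(pri: int) -> tuple[int, int]:
    """Split the PRI field into (facility, severity): PRI = facility * 8 + severity."""
    if not 0 <= pri <= 191:  # 23 * 8 + 7 is the largest legal value
        raise ValueError(f"PRI out of range: {pri}")
    return divmod(pri, 8)


def parse_syslog(raw: str) -> SyslogMessage:
    """Parse one BSD-style syslog line; reject oversized or malformed input."""
    if len(raw.encode("utf-8")) > MAX_PACKET:
        raise ValueError("packet exceeds the 1024-byte limit")
    m = _LINE.match(raw)
    if m is None:
        raise ValueError("not a <PRI>TIMESTAMP HOSTNAME MESSAGE line")
    facility, severity = decode_pri(int(m.group(1)))
    return SyslogMessage(facility, severity, m.group(2), m.group(3), m.group(4))


if __name__ == "__main__":
    # Constructed sample lines, not captured traffic: 38 = auth.info, 180 = local6.warning.
    for line in ("<38>Oct 11 22:14:15 fw01 sshd[1234]: Failed password for admin from 203.0.113.5",
                 "<180>Oct 11 22:14:16 sw02 %LINK-4-ERROR: GigabitEthernet0/1 errdisabled"):
        msg = parse_syslog(line)
        print(f"{msg.facility_name}.{msg.severity_name} {msg.hostname}: {msg.message}")
```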