Syslog Messages
Syslog is a widely used standard for message logging. Network administrators may use syslog for system management and security auditing as well as general informational, analysis, and debugging messages. A wide variety of devices, such as routers, switches and firewalls use the syslog standard. This permits the consolidation of logging data from different types of systems in a central repository.
Syslog messages usually include information to help identify basic information about where, when, and why the log was sent: IP Address, Timestamp, and the actual log Message.
Syslog uses a concept called “Facility” to identify the source of a message on any given machine.
| Facility Code | Keyword | Description |
| 0 | kern | kernel messages |
| 1 | user | user-level messages |
| 2 | mail system | |
| 3 | daemon | system daemons |
| 4 | auth | security/authorization messages |
| 5 | syslog | messages generated internally by syslogd |
| 6 | lpr | line printer subsystem |
| 7 | news | network news subsystem |
| 8 | uucp | UUCP subsystem |
| 9 | clock daemon | |
| 10 | authpriv | security/authorization messages |
| 11 | ftp | FTP daemon |
| 12 | NTP subsystem | |
| 13 | log audit | |
| 14 | log alert | |
| 15 | cron | scheduling daemon |
| 16 | local0 | local use 0 (local0) |
| 17 | local1 | local use 1 (local1) |
| 18 | local2 | local use 2 (local2) |
| 19 | local3 | local use 3 (local3) |
| 20 | local4 | local use 4 (local4) |
| 21 | local5 | local use 5 (local5) |
| 22 | local6 | local use 6 (local6) |
| 23 | local7 | local use 7 (local7) |
Also, Syslog messages have a severity level field. The severity level indicates the importance of the message.
| Value | Severity | Keyword | Description | Examples |
| 0 | Emergency | emerg | This level should not be used by applications. | |
| 1 | Alert | alert | Should be corrected immediately | Loss of the primary ISP connection. |
| 2 | Critical | crit | A failure in the system’s primary application. | |
| 3 | Error | err | An application has exceeded its file storage limit and attempts to write are failing. | |
| 4 | Warning | warning | May indicate that an error will occur if action is not taken. | A non-root file system has only 2GB remaining. |
| 5 | Notice | notice | Events that are unusual, but not error conditions. | |
| 6 | Informational | info | Normal operational messages that require no action. | An application has started, paused or ended successfully. |
| 7 | Debugging | debug | Information useful to developers for debugging the application. |
Notes: Syslog packet size is limited to 1024 bytes and carries the following information Facility, Severity, Hostname/IP Address, Timestamp and Message.
