What are Syslog formats?

Better Stack Team
Updated on August 25, 2023

Syslog is a standard protocol for logging and sending messages between network devices, including servers, routers, switches, and other networking equipment. Syslog messages typically contain information about various events, status updates, and errors. The syslog protocol is defined in RFC 5424, and it allows for different message formats.

The syslog message format consists of several fields, including the facility, severity level, timestamp, hostname, application name, process ID, and the actual message. The message format can vary depending on the syslog implementation and the version being used. Here are some common syslog message formats:

1. Legacy Syslog Format

 
<PRI>MMM DD hh:mm:ss HOSTNAME TAG: MESSAGE
  • <PRI>: The priority field, combining the facility and severity level.
  • MMM: The three-letter abbreviation for the month.
  • DD: The day of the month.
  • hh:mm:ss: The time in hours, minutes, and seconds.
  • HOSTNAME: The hostname or IP address of the device generating the message.
  • TAG: An arbitrary identifier for the application or process generating the message.
  • MESSAGE: The actual log message.

2. RFC 3164 Syslog Format

This is a slightly updated version of the legacy format, as defined in RFC 3164.

 
<PRI>MMM DD hh:mm:ss HOSTNAME TAG: MESSAGE

3. RFC 5424 Syslog Format

This is the modern format defined in RFC 5424, providing more structured and standardized data for syslog messages.

 
<PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID [STRUCTURED-DATA] MESSAGE
  • <PRI>: The priority field, combining the facility and severity level.
  • VERSION: The version of the syslog protocol (e.g., 1 for RFC 3164, 1 or 2 for RFC 5424).
  • TIMESTAMP: The timestamp of the event in the format YYYY-MM-DDThh:mm:ss.sssZ.
  • HOSTNAME: The hostname or IP address of the device generating the message.
  • APP-NAME: The name of the application or process generating the message.
  • PROCID: The process ID associated with the application or process.
  • MSGID: The ID to identify the type of message (e.g., "ID12345" for specific events).
  • [STRUCTURED-DATA]: Optional structured data containing additional information in key-value pairs.
  • MESSAGE: The actual log message.

It's worth noting that while the above formats are common, some systems may implement variations or custom formats based on their specific needs. When configuring logging in your applications, it's essential to consider the syslog format supported by your logging library or syslog server.

To learn more about logging, visit Better Stack Community.

Got an article suggestion? Let us know
Explore more
Logging Syslog
Reading syslog output on a Mac
Questions
Where does Linux store my syslog?
Questions
How to start logging cron job output to syslog on Ubuntu 20.04?
In this quick tutorial, we will take a look at how to redirect output from cron jobs to the main system log.
Questions
How to view syslog in Ubuntu?
Questions
Licensed under CC-BY-NC-SA

This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.

We are hiring.

Software is our way of making the world a tiny bit better. We build tools for the makers of tomorrow.

Join the Better Stack team

Help us in making the internet more reliable.

Better Stack logo
Become a contributor

Help us with developer education and get paid.

Better Stack community logo
NEW
Explore all positions →