Syslog Format description

Source: Internet
Author: User
Tags syslog

The device must be configured with rules to display or transmit event information. No matter how the administrator configures the processing of event information, the process of sending the information to the syslog recipient generally consists of the following parts: determining which information is to be sent and at which level, and defining the remote recipients.
The format of the transmitted syslog information consists of three easily identifiable parts: PRI, header, and MSG. The length of a data packet is less than 1024 bytes. The PRI part must contain 3, 4, or 5 characters, starting with "<", followed by a number, and ending with ">". The number in angle brackets is called the priority, which consists of two values: facility and severity. The facilities and severities in the information are encoded as decimal values. Some background monitoring programs and processes in the operating system are assigned a facility value; processes and daemons that have not been assigned a facility value use one of the "local use" facility values or the "user-level" facility value. The following table lists the defined facility values and their corresponding numerical codes.

Numerical code   Facility

 0               kernel messages
 1               user-level messages
 2               mail system
 3               system daemons
 4               security/authorization messages
 5               messages generated internally by syslogd
 6               line printer subsystem
 7               network news subsystem
 8               UUCP subsystem
 9               clock daemon
10               security/authorization messages
11               FTP daemon
12               NTP subsystem
13               log audit
14               log alert
15               clock daemon
16               local use 0 (local0)
17               local use 1 (local1)
18               local use 2 (local2)
19               local use 3 (local3)
20               local use 4 (local4)
21               local use 5 (local5)
22               local use 6 (local6)
23               local use 7 (local7)

Each message priority also has a decimal value that represents its severity level. The following table lists the severities and their corresponding values.

Numerical code   Severity

0                emergency
1                alert
2                critical
3                error
4                warning
5                notice
6                informational
7                debug

Priority = facility * 8 + severity. For example, a kernel message (facility = 0) with an emergency severity (severity = 0) has a priority of 0. Similarly, a "local use 4" message (facility = 20) with a notice severity (severity = 5) has a priority of 165.
The header is composed of two fields, timestamp and hostname. The timestamp immediately follows the ">" at the end of PRI, and each timestamp or hostname field must be followed by a space character. The hostname field contains the host name or the IP address. If a host has multiple IP addresses, it usually uses the IP address from which the information is transmitted. The timestamp is the local time. Its format is "Mmm dd hh:mm:ss", giving the month, the day of the month, and the hour, minute, and second. The hostname field can only contain the host name, IPv4 address, or IPv6 address of the originator of the information.
The MSG part is the remaining part of the syslog data packet. It usually contains additional information about the process that generated the information, followed by the text of the information. The MSG part has two fields: the tag field and the content field. The value of the tag field is the name of the program or process that generated the information. The content field contains the details of the information. Traditionally, the format of this field is relatively free and provides specific information about the event. A tag is a string of no more than 32 alphanumeric characters. Any non-alphanumeric character terminates the tag field and is assumed to be the start of the content field. In most cases, the first character of the content field, which marks the end of the tag, is a left square bracket ([), a colon (:), or a space.
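
The following Python parser is an added example, not code from the original page. It splits a message into the PRI, header, and MSG fields described above and rejects malformed input instead of guessing; the name parse_syslog, the regular expressions, and the sample message are assumptions made for illustration.

```python
import re

# Severity names as listed in the table above (index = numerical code).
SEVERITIES = ["emergency", "alert", "critical", "error",
              "warning", "notice", "informational", "debug"]

# PRI: "<" + 1-3 digits + ">" (3, 4, or 5 characters in total).
PRI_RE = re.compile(r"<(\d{1,3})>")
# HEADER: "Mmm dd hh:mm:ss" + space + hostname + space (day may be space-padded).
HEADER_RE = re.compile(
    r"([A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) (\S+) ")
# TAG: up to 32 alphanumeric characters; the first non-alphanumeric
# character starts the content field.
TAG_RE = re.compile(r"[A-Za-z0-9]{1,32}")


def parse_syslog(line):
    """Split one syslog message into PRI, header, and MSG fields.

    Raises ValueError on a malformed PRI or header so that a collector
    can quarantine the message instead of guessing at its fields.
    """
    pri = PRI_RE.match(line)
    if not pri:
        raise ValueError("missing or malformed PRI")
    priority = int(pri.group(1))
    facility, severity = divmod(priority, 8)  # priority = facility*8 + severity
    if facility > 23:
        raise ValueError(f"facility {facility} is outside 0-23")
    header = HEADER_RE.match(line, pri.end())
    if not header:
        raise ValueError("missing or malformed timestamp/hostname")
    msg = line[header.end():]
    tag = TAG_RE.match(msg)
    tag_end = tag.end() if tag else 0
    return {
        "priority": priority, "facility": facility,
        "severity": severity, "severity_name": SEVERITIES[severity],
        "timestamp": header.group(1), "hostname": header.group(2),
        "tag": msg[:tag_end], "content": msg[tag_end:],
    }


# Constructed sample message (not from the original page).
SAMPLE = "<165>Oct 11 22:14:15 host1 sshd[4321]: session opened for user alice"

if __name__ == "__main__":
    print(parse_syslog(SAMPLE))
```

Because the facility and severity come from untrusted network input, rejecting out-of-range PRI values before indexing any lookup table keeps a forged message from crashing or misleading the collector.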
