Syslog is a standard for message logging. Syslog protocol is used for system management, system auditing, general information analysis, and debugging.
Syslog protocol basically uses three layers :
-
Syslog Content –
Syslog content is the information of the payload in the system packet. -
Syslog Application –
It analyzes and handles the generation, interpretation routing and storage of syslog messages. -
Syslog Transport –
Syslog Transport is responsible for transporting the messages.
Functions in syslog are performed at 5 layers.
-
Originator –
The originator is the local machine that generates the message. -
Collector –
The collector collects the syslog content for analysis. It is basically the syslog server. -
Relay –
A relay basically forwards messages from the originator or other relays to the collector or other relays. -
Transport Sender –
It transports the syslog messages to a transport protocol, most commonly UDP. -
Transport Receiver –
It receives the messages from the specified transport protocol.
Message Components :
In the information header, information that is added before passing to the syslog receiver :
- Originator process ID
- Timestamp of when the event was originated.
- IP address of the originator.
- Information provided by the originator includes facility code and severity level.
Facility Code :
The facility value indicates which process created the syslog message. The Syslog protocol was originally written on DSB Unix, so facility value reflects the name of the Unix processes and daemons.
| CODE | KEYWORD | DESCRIPTION |
|---|---|---|
| 0 | kern | kernel messages |
| 1 | user | user level messages |
| 2 | mail system | 3 | daemon | system daemons |
| 4 | auth | security/authorization messages |
| 5 | syslog | messages generated internally by syslog |
| 6 | lpr | line printer subsystem |
| 7 | news | network news subsystem |
| 8 | uucp | UUCP subsystem |
| 9 | clock daemon | |
| 10 | authpriv | security/authorization messages |
| 11 | ftp | FTP daemon |
| 12 | NTP subsystem | |
| 13 | log audit | |
| 14 | log alert | |
| 15 | cron | clock daemon |
| 16 | local0 | local use 0 (local0) |
| 17 | local1 | local use 1 (local1) |
| 18 | local2 | local use 2 (local2) |
| 19 | local3 | local use 3 (local3) |
| 20 | local4 | local use 4 (local4) |
| 21 | local5 | local use 5 (local5) |
| 22 | local6 | local use 6 (local6) |
| 23 | local7 | local use 7 (local7) |
Syslog Severity Levels :
The facility value indicates which process created the syslog message. The Syslog protocol was originally written on DSB Unix, so facility value reflects the name of the Unix processes and daemons.
| VALUE | SEVERITY | KEYWORD | DESCRIPTION |
|---|---|---|---|
| 0 | Emergency | emerg | System is unusable | 1 | Alert | alert | Should be corrected immediately |
| 2 | Critical | crit | Critical conditions | 3 | Error | err | Error conditions |
| 4 | Warning | warning | May indicate that an error will occur if an action is not taken. |
| 5 | Notice | notice | Events that are unusual but not error conditions |
| 6 | Information | info | Normal operational messages that require no action. |
| 7 | Debug | debug | Info useful to developers for debugging the app. |