Syslog Header Specifications

There are two main conventions for the structure and contents of syslog messages, both described in Request for Comments (RFC) documents published by the Internet Engineering Task Force. The older convention is RFC 3164; the more recent one is RFC 5424. When defining a Format, one of these two conventions must be specified in the “Header specification” parameter of the Create Format panel (with the exception of JSON, which defaults to None since there is no header, and LEEF, which has its own proprietary header specification).

See the following for header descriptions.

The RFC 3164 (“Legacy”) Header Convention

RFC 3164, also referred to as “BSD-syslog” or “legacy syslog”, is the older of the two formats.

An RFC 3164 message has the following structure:

  • PRI(ority), calculated from:
    • Severity
    • Facility
  • HEADER
    • Timestamp
    • Host name
    • Application name
  • A colon
  • MSG
EXAMPLE:
<38>Apr 16 08:31:50 V7R3M0#O SYSLOG:0|Powertech|SIEM Agent|4.4|TIP0013|IPC Reason|6| src=V7R3M0#O dst=0.0.0.0 msg=TYPE:JRN CLS:AUD JJOB:QRMCCTRMCD JUSER:QSYS JNBR:020706 PGM:QP0ZPCP2 DETAIL:N/A

The RFC 3164 standard also:

  • Is limited to a total message length of 1,024 bytes.
  • Specifies the timestamp in the format “Mmm dd hh:mm:ss”, where “Mmm” is the three-letter abbreviation of the English name of the month, e.g. “Aug” for “August”. (ISO-compatible timestamps are also used.)

RFC 3164 has a simple, relatively flat structure. Don’t select RFC 3164 as the header specification for a Format unless you need to, for example to remain compatible with a legacy SIEM solution.

The RFC 5424 (“Modern”) Header Convention

Messages following RFC 5424 (also referred to as “IETF-syslog”) have the following structure:

  • HEADER
    • PRI(ority), calculated from:
      • Severity
      • Facility
    • Version
    • Timestamp
    • Host name
    • Application name
    • Process ID [or corresponding OS construct]
    • Message ID
  • STRUCTURED DATA (optional)
    • Data Block 1
      • Block ID 1
        • Name–value pair 1-1
        • Name–value pair 1-2
        • Name–value pair 1-3
    • Data Block 2
      • Block ID 2
        • Name–value pair 2-1
        • Name–value pair 2-2
        • Name–value pair 2-3
  • MSG
EXAMPLE:
<38>1 2021-04-16T08:27:50-5:00 V7R3M0-ON-POWER8.HELPSYSTEMS.COM - - SYSLOG:0|Powertech|SIEM Agent|4.4|TIP0013|IPC Reason|6| src=V7R3M0#O dst=0.0.0.0 msg=TYPE:JRN CLS:AUD JJOB:QRMCCTRMCD JUSER:QSYS JNBR:020706 PGM:QP0ZPCP2 DETAIL:N/A
NOTE: The example uses the CEF message style in combination with the RFC 5424 header specification.

RFC 5424 is the recommended header specification.
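Both header conventions described above, parsed in code. This is an added example, not part of this page or of the product; it takes the page’s RFC 3164 example and a constructed RFC 5424 line (the application name SIEMAgent, process ID 20706, the structured-data block and the two-digit UTC offset are assumed values), splits PRI into facility and severity, detects the convention from the version digit that follows the PRI, and returns the header fields.

```python
import re
from dataclasses import dataclass, field

SEVERITIES = ("emerg", "alert", "crit", "err", "warning", "notice", "info", "debug")  # RFC 5424 PRI table

# Sample input: the RFC 3164 example from this page, and a constructed RFC 5424 line that
# carries every header field of the outline above (APP-NAME, PROCID, MSGID, STRUCTURED-DATA).
RFC3164_LINE = ("<38>Apr 16 08:31:50 V7R3M0#O SYSLOG:0|Powertech|SIEM Agent|4.4|TIP0013|IPC Reason|6| "
                "src=V7R3M0#O dst=0.0.0.0 msg=TYPE:JRN CLS:AUD JJOB:QRMCCTRMCD JUSER:QSYS")
RFC5424_LINE = ('<38>1 2021-04-16T08:27:50-05:00 V7R3M0-ON-POWER8.HELPSYSTEMS.COM SIEMAgent 20706 - '
                '[exampleSDID@32473 src="V7R3M0#O" dst="0.0.0.0"] SYSLOG:0|Powertech|SIEM Agent|4.4|TIP0013|IPC Reason|6|')

PRI_RE = re.compile(r"^<(\d{1,3})>")
# RFC 3164 HEADER: "Mmm dd hh:mm:ss" (day may be space padded), HOSTNAME, TAG[pid], a colon, MSG.
RFC3164_RE = re.compile(r"^([A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (\S+) ([\w.-]+)(?:\[\d+\])?:\s?(.*)$", re.S)
# RFC 5424 HEADER: VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID, then STRUCTURED-DATA and optional MSG.
RFC5424_RE = re.compile(r"^(\d{1,2}) (\S+) (\S+) (\S+) (\S+) (\S+) (-|(?:\[[^\]]*\])+)(?: (.*))?$", re.S)
SD_ELEMENT_RE = re.compile(r'\[([^ \]]+)((?:\s[^= ]+="(?:[^"\\]|\\.)*")*)\]')  # [SD-ID PARAM="value" ...]
SD_PARAM_RE = re.compile(r'([^= ]+)="((?:[^"\\]|\\.)*)"')

@dataclass
class SyslogMessage:
    rfc: str
    facility: int
    severity: str
    timestamp: str
    hostname: str
    app_name: str
    msg: str
    proc_id: str = "-"
    msg_id: str = "-"
    structured_data: dict = field(default_factory=dict)

def parse(line: str) -> SyslogMessage:
    """Decode PRI, detect the header convention from the byte after '>' and split the header."""
    m = PRI_RE.match(line)
    if not m or int(m.group(1)) > 191:  # facilities 0-23 x severities 0-7
        raise ValueError("missing or out-of-range PRI")
    facility, severity = divmod(int(m.group(1)), 8)  # PRI = facility * 8 + severity
    rest = line[m.end():]
    if m5 := RFC5424_RE.match(rest):  # a VERSION digit follows the PRI only in RFC 5424
        _ver, ts, host, app, procid, msgid, sd, msg = m5.groups()
        sd_dict = {sid: dict(SD_PARAM_RE.findall(p)) for sid, p in SD_ELEMENT_RE.findall(sd)}
        return SyslogMessage("5424", facility, SEVERITIES[severity], ts, host, app, msg or "", procid, msgid, sd_dict)
    if m3 := RFC3164_RE.match(rest):
        if len(line.encode()) > 1024:
            raise ValueError("RFC 3164 limits the whole message to 1024 bytes")
        ts, host, tag, msg = m3.groups()
        return SyslogMessage("3164", facility, SEVERITIES[severity], ts, host, tag, msg)
    raise ValueError("header is neither RFC 3164 nor RFC 5424")
```

For the page’s example, PRI 38 decodes to facility 4 and severity 6 (“info”) under both conventions; the RFC 3164 message yields “SYSLOG” as the application name with the CEF-style payload after the colon as MSG, while the RFC 5424 line additionally yields the process ID, message ID and the structured-data parameters as a dictionary.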