Syslog
A recap of RFC 5424:
In summary, regarding the expected Syslog header, here are the main points:
- Between two angle brackets is found a numerical value between 1 and 165. The formula is based on the Facility and the Severity (https://tools.ietf.org/html/rfc5424#section-6.2.3), as follows: Facility (0..23) * 8 + Severity (0..7).
- The version number of the Syslog protocol in use. RFC 5424 specifies version 1, which is the one to use.
- A single space
- The full timestamp (https://tools.ietf.org/html/rfc5424#section-6.2.3), following the guidelines for a compatible format, as listed in the examples. Note that hours are expressed in 24h format, not 12h.
- This includes the old format, such as: Apr 12 19:20:52
- Or the latest one, as illustrated here: 2019-04-12T19:20:50.52-04:00
- A single space
- The hostname of the machine generating the log, chosen according to the following preference list: IP address, Hostname.
- A single space
- Finally, the Payload, whose format depends on the equipment that generated the log.
As an example, here are two log headers based on the specifications described above. The first one uses the most recent format (RFC 5424), while the second shows the legacy Syslog format:
<50>1 2019-04-29T14:10:27+0200 tetpte1-dc-xxx dotxMsgTask %DOTX-1-MAX_EAP_RETRIES 1x_auth_pae.c:4155 Max EAP identity request retries (13) exceeded for client 12:xx:xx:63:xx:00
<50>Apr 29 14:10:27 tetpte1-dc-xxx dotxMsgTask %DOTX-1-MAX_EAP_RETRIES 1x_auth_pae.c:4155 Max EAP identity request retries (13) exceeded for client 12:xx:xx:63:xx:00
Please note this is not exhaustive: the 38 pages of RFC 5424 are there to specify the format of the different fields in depth, with all details. This page only aims to provide a quick guide for security event collection and therefore focuses on compatible, most commonly used formats.
Here (https://tools.ietf.org/html/rfc5424#section-6.2.3) you can find the full document. It is the reference for the Syslog format and must be used to settle any remaining question about the format.
Further information regarding the format: RFC 3164 is still widely in use despite RFC 5424 superseding it. The older one includes fewer details and fewer options, for timestamping as an example.
EXAMPLE:
<34>Oct 11 22:14:15 mymachine su: 'su root' failed for lonvick on /dev/pts/8
<165>1 2003-08-24T05:14:15.000003-07:00 192.0.2.1 myproc 8710 - - %% It's time to make the do-nuts.
2019-09-25T12:22:51.037414+02:00 tetpte1 pgpool[29951]: [41950-4] 2019-09-25 12:22:51: pid 29951: CONTEXT: while checking replication time lag
PRI
Must be 3, 4 or 5 characters long
Leading <, trailing >
Max is 192?
VERSION
<Empty> if RFC 3164
1 if RFC 5424
TIMESTAMP
1985-04-12T23:20:50.52Z
1985-04-12T19:20:50.52-04:00
2003-10-11T22:14:15.003Z
2003-08-24T05:14:15.000003-07:00
Invalid examples
2003-08-24T05:14:15.000000003-07:00
2003-08-24T05:14:15.003-0700
ATTENTION !
https://docs.oracle.com/javase/7/docs/api/java/text/SimpleDateFormat.html
http://cdsportal.u-strasbg.fr/taptuto/javadoc/uws/ISO8601Format.html
Java implements the ISO8601 time zone designator as: TZD = Z or +hh:mm or -hh:mm
Whereas ISO8601 defines the TZD as: TZD = Z or +hhmm or -hhmm
HOSTNAME
Can be one of the following:
FQDN
Static IP address
Hostname
Dynamic IP address
The NILVALUE
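To tie the header recap and the timestamp notes together, here is an added example (not code from the page or from any syslog project) that parses the two header layouts shown above, decodes PRI into facility and severity, and applies the strict RFC 5424 TIMESTAMP rules: at most six fractional digits and a time zone written as Z, +hh:mm or -hh:mm. The regexes and the 0..191 PRI bound are my own choices; note that the first Cisco-style header above carries +0200 without a colon, so it is parsed but flagged as non-compliant, consistent with the invalid examples listed.

```python
import re
from datetime import datetime

# PRI packs facility and severity as facility * 8 + severity; index 7 (debug) is the lowest severity.
SEVERITY = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# The two header layouts compared above: RFC 5424 (PRI, VERSION "1", TIMESTAMP, HOSTNAME) and
# legacy RFC 3164 (PRI, "Mmm dd hh:mm:ss", HOSTNAME), each followed by the payload.
RFC5424 = re.compile(r"^<(\d{1,3})>1 (\S+) (\S+) (.*)$", re.DOTALL)
RFC3164 = re.compile(r"^<(\d{1,3})>([A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (\S+) (.*)$", re.DOTALL)
# RFC 5424 TIMESTAMP: at most six fractional digits, TZ is "Z" or +hh:mm / -hh:mm (colon required).
TS5424 = re.compile(r"^\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d(\.\d{1,6})?(Z|[+-]\d\d:\d\d)$")

def decode_pri(pri: int) -> tuple:
    """Return (facility, severity) for a PRI value; RFC 5424 allows 0..191 (23 * 8 + 7)."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI {pri} outside 0..191")
    return divmod(pri, 8)

def valid_5424_timestamp(ts: str) -> bool:
    """Strict TIMESTAMP check: shape via the regex, then a real calendar check via strptime."""
    m = TS5424.match(ts)
    if not m:
        return False
    frac, tz = m.groups()
    # Pad the optional fraction to six digits so %f accepts it; %z takes "Z" and "+hh:mm" (Python 3.7+).
    normalised = ts[:19] + "." + (frac or ".")[1:].ljust(6, "0") + tz
    try:
        datetime.strptime(normalised, "%Y-%m-%dT%H:%M:%S.%f%z")
        return True
    except ValueError:  # e.g. month 13 passes the regex but is not a real date
        return False

def parse_header(line: str) -> dict:
    """Split a syslog line into header fields; timestamp_ok flags a non-compliant RFC 5424 TIMESTAMP."""
    m = RFC5424.match(line)
    if m:
        pri, ts, host, msg = m.groups()
        version, ts_ok = 1, valid_5424_timestamp(ts)
    else:
        m = RFC3164.match(line)
        if not m:
            raise ValueError("no recognisable syslog header (missing PRI?)")
        pri, ts, host, msg = m.groups()
        version, ts_ok = None, True  # the legacy format has no VERSION field
    facility, severity = decode_pri(int(pri))
    return {"version": version, "facility": facility, "severity": severity,
            "severity_name": SEVERITY[severity], "timestamp": ts, "timestamp_ok": ts_ok,
            "hostname": host, "msg": msg}
```

Running parse_header over the RFC examples above gives facility 4 / severity 2 (auth, crit) for the su line and facility 20 / severity 5 (local4, notice) for the do-nuts line.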