syslog protocol explained

syslog is a protocol for tracking and logging system messages in Linux. Applications use syslog to export all their error and status messages to the files in the /var/log directory.

syslog uses the client-server model; a client transmits a text message to the server (receiver). The server is commonly called syslogd, syslog daemon, or syslog server. syslog uses the User Datagram Protocol (UDP) port 514 for communication. The messages are sent in cleartext, although an SSL wrapper can be used to provide encryption.

Each message sent to the syslog server has two labels associated with it that make the message easier to handle. The first label describes the function (facility) of the application that generated it. For example, mail servers typically log using the mail facility. The second label specifies the severity level. After these two labels, the action in specified. The action is usually a filename in the /var/log directory tree, in which the messages will be stored:

facility.priority  action

Here is a list of facilities available:

Number Keyword Facility description
0 kern kernel messages
1 user user-level messages
2 mail mail system
3 daemon system daemons
4 auth security/authorization messages
5 syslog messages generated internally by syslogd
6 lpr line printer subsystem
7 news network news subsystem
8 uucp UUCP subsystem
9 clock daemon
10 authpriv security/authorization messages
11 ftp FTP daemon
12 NTP subsystem
13 log audit
14 log alert
15 cron clock daemon
16 local0 local use 0 (local0)
17 local1 local use 1 (local1)
18 local2 local use 2 (local2)
19 local3 local use 3 (local3)
20 local4 local use 4 (local4)
21 local5 local use 5 (local5)
22 local6 local use 6 (local6)
23 local7 local use 7 (local7)

 

Here is a list of severity levels:

Code Severity Keyword Description
0 Emergency emerg (panic) System is unusable.
1 Alert alert Action must be taken immediately.
2 Critical crit Critical conditions.
3 Error err (error) Error conditions.
4 Warning warning (warn) Warning conditions.
5 Notice notice Normal but significant condition.
6 Informational info Informational messages.
7 Debug debug Debug-level messages.

 

Note that, when you specify a priority, you are actually specifying everything at that priority or higher. For example, mail.info would mean all messages coming from the mail facility with the info, notice, warning, err, crit, alert or emerg priority.

Geek University 2022