The universal standard for message logging across network devices, servers, and applications — defined in RFC 5424.
SYSLOG is a standard protocol that allows network devices, operating systems, and applications to send event messages to a centralized logging server. Originally developed for BSD Unix, it is now the de facto standard for log management across routers, switches, firewalls, servers, and virtually every networked device.
The protocol operates on a client-server model: devices (originators) generate log messages and transmit them to a syslog server (collector). Syslog is defined in RFC 5424 (2009), which superseded the older RFC 3164 (BSD syslog).
📌 Key Fact: By default, syslog uses UDP port 514. For reliable delivery, TCP port 514 or TLS/TCP port 6514 may be used. UDP offers no delivery guarantee — messages can be lost silently.
The modern IETF standard provides a consistent, parseable format with clearly defined fields for priority, timestamp, hostname, application, and structured data.
Syslog messages can travel over UDP (unreliable, low overhead), TCP (reliable), or TLS-encrypted TCP for secure transmission in compliance environments.
Used for security auditing, compliance (PCI DSS, HIPAA, SOX), troubleshooting, performance monitoring, and SIEM integration across enterprise environments.
Every message carries a Priority (PRI) value, mathematically derived from a Facility code (source type) and a Severity level (urgency), giving 192 possible combinations.
Routers, switches, firewalls, Linux/Unix servers, Windows (via agents), printers, and IoT devices all speak syslog — making it the lingua franca of network logging.
Syslog messages reveal device status, interface changes, routing protocol events, authentication attempts, and system errors in near real-time.
Failed login attempts, ACL violations, port scans, and firewall rule triggers all generate syslog messages. Without syslog, these events are invisible.
PCI DSS, HIPAA, SOX, and NIST SP 800-92 all mandate centralized log management. Syslog is typically the mechanism for collecting those logs.
Network outages, routing loops, spanning tree topology changes, and hardware failures all leave traces in syslog — often before users even notice.
Traffic spikes, memory exhaustion warnings, and interface error rates surfaced in syslog data inform infrastructure planning decisions.
Security Information and Event Management (SIEM) platforms like Splunk, IBM QRadar, and Microsoft Sentinel ingest syslog as a primary data source.
Understanding the anatomy of a syslog message — from the PRI value to structured data and the message body.
A complete syslog message has three top-level components: the HEADER (PRI, VERSION, TIMESTAMP, HOSTNAME, APP-NAME, PROCID, MSGID), the STRUCTURED-DATA part (one or more bracketed elements, or - when there are none), and the optional free-text MSG body.
RFC 3164 (2001) is the original BSD syslog format. It's widely implemented but has inconsistencies and is harder to parse automatically.
RFC 5424 (2009) addresses all of these legacy limitations with a fully structured, parseable format. The table below compares the two formats:
| Feature | RFC 3164 (BSD) | RFC 5424 (IETF) |
|---|---|---|
| Year in timestamp | ❌ No | ✅ Yes |
| Timezone support | ❌ No | ✅ Yes (UTC/offset) |
| Microsecond precision | ❌ No | ✅ Up to 6 digits |
| Structured data | ❌ No | ✅ Yes |
| Message ID field | ❌ No | ✅ Yes (MSGID) |
| APP-NAME field | Partial (TAG) | ✅ Explicit |
| Max message size | 1024 bytes | No hard limit (RFC) |
| Character encoding | ASCII assumed | ✅ UTF-8 explicit |
| NILVALUE support | ❌ No | ✅ Yes ("-") |
| Status | Informational/Legacy | Standards Track |
RFC 5424 defines the exact message structure as an Augmented Backus-Naur Form (ABNF) grammar: a HEADER, followed by STRUCTURED-DATA, followed by an optional MSG.
The PRI value encodes both the message source (Facility) and urgency (Severity) into a single number: PRI = Facility × 8 + Severity.
Range: 0 (KERN/EMERG) to 191 (LOCAL7/DEBUG)
The PRI value is always enclosed in angle brackets in the message, e.g., <34>. To decode it: Facility = ⌊PRI ÷ 8⌋, Severity = PRI mod 8. For <34> this gives Facility 4 (auth) and Severity 2 (critical).
| Code | Facility | Description | Typical Source |
|---|---|---|---|
| 0 | kern | Kernel messages | Linux/Unix kernel |
| 1 | user | User-level messages | User processes |
| 2 | mail | Mail system | sendmail, postfix |
| 3 | daemon | System daemons | Various system services |
| 4 | auth | Security/authorization | SSH, sudo, login |
| 5 | syslog | Syslog internal messages | syslogd itself |
| 6 | lpr | Line printer subsystem | Print services |
| 7 | news | Network news subsystem | NNTP services |
| 8 | uucp | UUCP subsystem | UUCP protocol |
| 9 | cron | Clock daemon | cron, at |
| 10 | authpriv | Security (private) | PAM, private auth logs |
| 11 | ftp | FTP daemon | FTP servers |
| 12 | ntp | NTP subsystem | NTP synchronization |
| 13 | audit | Log audit | Security audit logs |
| 14 | alert | Log alert | Alert generation |
| 15 | clock | Clock daemon | Clock/time services |
| 16–23 | local0–local7 | Local use | Custom device/app logs (Cisco, Juniper, etc.) |
📌 Network Admin Tip: Cisco IOS and Junos devices use local6 or local7 (codes 22–23) by default for their syslog messages. Always confirm the facility your network devices are configured to use.
| Level | Name | Keyword | Description | Action Required |
|---|---|---|---|---|
| 0 | Emergency | emerg | System is unusable | 🚨 Immediate action required |
| 1 | Alert | alert | Action must be taken immediately | 🚨 Immediate action required |
| 2 | Critical | crit | Critical conditions | 🔴 Urgent response needed |
| 3 | Error | err | Error conditions | 🔴 Fix required |
| 4 | Warning | warning | Warning conditions | 🟡 Monitor and investigate |
| 5 | Notice | notice | Normal but significant condition | 🟡 Note for review |
| 6 | Informational | info | Informational messages | 🟢 Normal operations |
| 7 | Debug | debug | Debug-level messages | ⚪ Development/troubleshooting |
⚠️ Cisco Note: Cisco IOS severity numbers can look reversed at first glance, because a lower number means a more severe event, but the scale is the same as RFC 5424: in the logging trap command, level 0 = emergencies and level 7 = debugging. Setting logging trap warnings sends levels 0–4 (warnings and anything more severe) to the syslog server.
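As an added example (not the page's own calculator), the following Python implements the PRI arithmetic from the formula above, names facilities and severities with the keywords from the two tables, and models the Cisco logging trap threshold described in the note above. Facility names follow the Linux keywords in the facility table.

```python
"""PRI encode/decode helpers. Added example for this page, not code from the page
or from any syslog implementation."""
from __future__ import annotations

# Facility codes 0-23, keyword names as in the facility table above.
FACILITIES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
]

# Severity levels 0-7, keyword names as in the severity table above.
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


def encode_pri(facility: int, severity: int) -> int:
    """PRI = Facility * 8 + Severity, with range checks on both inputs."""
    if not 0 <= facility <= 23:
        raise ValueError(f"facility {facility} out of range 0-23")
    if not 0 <= severity <= 7:
        raise ValueError(f"severity {severity} out of range 0-7")
    return facility * 8 + severity


def decode_pri(pri: int) -> tuple[int, int]:
    """Inverse of encode_pri: Facility = PRI // 8, Severity = PRI % 8."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI {pri} out of range 0-191")
    return pri // 8, pri % 8


def describe_pri(pri: int) -> str:
    """'facility.severity' in the selector notation used by syslog.conf files."""
    facility, severity = decode_pri(pri)
    return f"{FACILITIES[facility]}.{SEVERITIES[severity]}"


def parse_pri_field(field: str) -> int:
    """Parse the angle-bracketed PRI field that starts a message, e.g. '<34>'.
    RFC 5424 allows 1 to 3 decimal digits inside the brackets."""
    if not (field.startswith("<") and field.endswith(">")):
        raise ValueError("PRI must be enclosed in angle brackets")
    digits = field[1:-1]
    if not (1 <= len(digits) <= 3 and all(c in "0123456789" for c in digits)):
        raise ValueError("PRIVAL must be 1-3 decimal digits")
    pri = int(digits)
    decode_pri(pri)  # raises if outside 0-191
    return pri


def forwarded_by_trap(severity: int, trap_level: int) -> bool:
    """Cisco 'logging trap <level>' semantics: forward this level and everything
    more severe (numerically lower). 'logging trap warnings' is trap_level 4."""
    return 0 <= severity <= trap_level


def levels_sent(trap_level: int) -> list[int]:
    """All severity levels a device forwards for the given trap level."""
    return [s for s in range(8) if forwarded_by_trap(s, trap_level)]


if __name__ == "__main__":
    for p in (34, 165, 191):
        f, s = decode_pri(p)
        print(f"<{p}> -> facility {f}, severity {s} ({describe_pri(p)})")
    print("logging trap warnings forwards levels:", levels_sent(4))
```

`describe_pri(165)` yields `local4.notice`, which is also the answer to Q2 in the quiz below; `levels_sent(4)` returns `[0, 1, 2, 3, 4]`, matching the Cisco note.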
A valid RFC 5424 syslog message is built by filling in each header field according to the following rules.
✅ Validation Rules: HOSTNAME max 255 chars · APP-NAME max 48 chars · PROCID max 128 chars · MSGID max 32 chars · Use - (NILVALUE) for any optional field with no data · Facility 0–23 · Severity 0–7
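The message structure described in the format section above and the validation rules just listed can be exercised together with a small parser and builder. This is an added example, not code from the original page or from any syslog daemon; the sample message, its host name and its values are constructed. It parses the header, decodes STRUCTURED-DATA including the backslash escapes RFC 5424 requires for the characters ", \ and ], enforces the field length limits, and serializes a message back so that the round trip can be checked.

```python
"""RFC 5424 message parser and builder. Added example for this page, not code from
the page or from any syslog implementation; SAMPLE below is constructed."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

NILVALUE = "-"
# Length limits from RFC 5424: HOSTNAME 255, APP-NAME 48, PROCID 128, MSGID 32.
LIMITS = {"hostname": 255, "app_name": 48, "procid": 128, "msgid": 32}

# HEADER = PRI VERSION SP TIMESTAMP SP HOSTNAME SP APP-NAME SP PROCID SP MSGID,
# then SP and STRUCTURED-DATA [SP MSG] (captured together as 'rest').
HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>[1-9]\d{0,2}) (?P<timestamp>\S+) (?P<hostname>\S+) "
    r"(?P<app_name>\S+) (?P<procid>\S+) (?P<msgid>\S+) (?P<rest>.*)$",
    re.DOTALL,
)


@dataclass
class SyslogMessage:
    pri: int
    timestamp: str
    hostname: str
    app_name: str
    procid: str
    msgid: str
    structured_data: dict[str, dict[str, str]] = field(default_factory=dict)
    msg: str | None = None
    version: int = 1

    @property
    def facility(self) -> int:
        return self.pri // 8

    @property
    def severity(self) -> int:
        return self.pri % 8


def _parse_sd(rest: str) -> tuple[dict[str, dict[str, str]], str]:
    """Consume STRUCTURED-DATA at the start of rest; return (elements, remainder)."""
    if rest.startswith(NILVALUE):
        return {}, rest[1:]
    elements: dict[str, dict[str, str]] = {}
    i = 0
    while i < len(rest) and rest[i] == "[":
        j = i + 1
        while rest[j] not in " ]":
            j += 1
        sd_id, params = rest[i + 1 : j], {}
        if not sd_id:
            raise ValueError("empty SD-ID")
        i = j
        while rest[i] == " ":  # each SD-PARAM is preceded by one SP
            eq = rest.index("=", i + 1)
            name = rest[i + 1 : eq]
            if not name or " " in name or "]" in name or rest[eq + 1] != '"':
                raise ValueError("malformed SD-PARAM")
            k, chars = eq + 2, []
            while rest[k] != '"':
                if rest[k] == "\\" and rest[k + 1] in '"\\]':
                    k += 1  # drop the backslash, keep the escaped character
                chars.append(rest[k])
                k += 1
            params[name] = "".join(chars)
            i = k + 1
        if rest[i] != "]":
            raise ValueError("expected ']' to close SD-ELEMENT")
        elements[sd_id] = params
        i += 1
    if not elements:
        raise ValueError("STRUCTURED-DATA must be '-' or one or more [..] elements")
    return elements, rest[i:]


def parse(raw: str) -> SyslogMessage:
    """Parse one message, enforcing the PRIVAL range and header field limits."""
    m = HEADER_RE.match(raw)
    if not m:
        raise ValueError("not an RFC 5424 header")
    pri = int(m["pri"])
    if pri > 191:
        raise ValueError(f"PRIVAL {pri} out of range 0-191")
    for name, limit in LIMITS.items():
        if len(m[name]) > limit:
            raise ValueError(f"{name.upper()} exceeds {limit} characters")
    try:
        sd, remainder = _parse_sd(m["rest"])
    except IndexError:
        raise ValueError("truncated STRUCTURED-DATA") from None
    if remainder == "":
        msg = None
    elif remainder.startswith(" "):
        msg = remainder[1:]
    else:
        raise ValueError("expected SP between STRUCTURED-DATA and MSG")
    return SyslogMessage(pri, m["timestamp"], m["hostname"], m["app_name"],
                         m["procid"], m["msgid"], sd, msg, int(m["version"]))


def _escape(value: str) -> str:
    return value.replace("\\", "\\\\").replace('"', '\\"').replace("]", "\\]")


def build(message: SyslogMessage) -> str:
    """Serialize, rejecting header fields that break the validation rules above."""
    if not 0 <= message.pri <= 191:
        raise ValueError("PRIVAL out of range")
    for name, limit in LIMITS.items():
        v = getattr(message, name)
        if not (1 <= len(v) <= limit and v.isascii() and v.isprintable() and " " not in v):
            raise ValueError(f"{name.upper()} must be 1-{limit} printable US-ASCII chars, no spaces")
    sd = "".join(
        "[" + sd_id + "".join(f' {k}="{_escape(v)}"' for k, v in params.items()) + "]"
        for sd_id, params in message.structured_data.items()
    ) or NILVALUE
    head = (f"<{message.pri}>{message.version} {message.timestamp} {message.hostname} "
            f"{message.app_name} {message.procid} {message.msgid} {sd}")
    return head if message.msg is None else f"{head} {message.msg}"


def is_valid(raw: str) -> bool:
    try:
        parse(raw)
        return True
    except ValueError:
        return False


# Constructed sample: auth.crit (<34>) with one SD element whose value carries escapes.
SAMPLE = (r'<34>1 2024-03-04T10:15:30.250+01:00 fw01.example.net sshd 1187 LOGIN '
          r'[meta seq="42" note="user \"admin\" [lab\]"] Too many authentication failures for admin')

if __name__ == "__main__":
    parsed = parse(SAMPLE)
    print(parsed.facility, parsed.severity, parsed.structured_data, parsed.msg)
    print("round trip ok:", build(parsed) == SAMPLE)
```

`is_valid` returns False for an out-of-range PRIVAL, an over-length header field, or a truncated SD element; a collector should reject such input rather than guess at its meaning, since lenient parsing is what makes log injection hard to spot.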
How syslog messages flow from devices through the network to collectors, and how administrators configure enterprise logging infrastructure.
Any device generating log data. Configuring an originator involves setting the syslog server IP, port, transport protocol, and the minimum severity level to transmit.
Relays receive syslog from multiple sources, optionally filter/transform messages, and forward to a central collector. Tools like rsyslog and syslog-ng act as relays.
Central repository for all syslog data. Common solutions include Splunk, Graylog, ELK Stack (Elasticsearch), IBM QRadar, and Microsoft Sentinel.
| Transport | RFC | Port | Delivery | Security | Use Case |
|---|---|---|---|---|---|
| UDP | RFC 5426 | 514 | Best-effort (unreliable) | None | LAN environments, high-volume, low-overhead logging |
| TCP | RFC 6587 | 514 | Reliable (guaranteed delivery) | None | Critical logs, WAN environments where loss is unacceptable |
| TLS/TCP | RFC 5425 | 6514 | Reliable | Encryption + Authentication | Compliance environments (PCI, HIPAA), internet transmission |
The most widely deployed syslog daemon on Linux systems (Ubuntu, CentOS, RHEL). Supports both RFC 3164 and RFC 5424, TCP/UDP/TLS, and complex filtering rules.
Advanced syslog daemon with powerful message routing, filtering, and transformation capabilities. Popular in enterprise environments requiring complex log processing pipelines.
Industry-leading platform for ingesting, indexing, and analyzing syslog and other log data. Uses the Splunk Processing Language (SPL) for searching and correlation. Widely used for security operations (SIEM).
Open-source centralized log management platform built on Elasticsearch. Natively understands RFC 5424 structured data and provides powerful search and alerting capabilities at lower cost than Splunk.
Syslog carries critical security event data, yet the protocol itself has no built-in authentication, integrity checking, or confidentiality by default.
🔴 Critical Vulnerability: Default UDP syslog has NO authentication, NO encryption, and NO delivery guarantee. Any host on the network can forge syslog messages and spoof the source address.
An attacker can send forged syslog messages to a collector, injecting false events, hiding malicious activity, or framing legitimate systems as attackers.
Mitigation: Use TLS (RFC 5425) with mutual certificate authentication, or restrict accepted source IPs on the collector.
An attacker records legitimate syslog messages and replays them later to obscure an ongoing attack or confuse timeline analysis.
Mitigation: RFC 5848 (Signed Syslog Messages) provides cryptographic signing with sequence numbers to detect replay.
An attacker generates massive volumes of syslog messages to overwhelm the collector's storage, CPU, or network bandwidth, potentially causing legitimate messages to be dropped.
Mitigation: Rate limiting, dedicated logging networks, and syslog server capacity planning.
UDP syslog messages traverse the network in cleartext. Any network device or attacker with packet capture capability can read all log entries.
Mitigation: TLS/TCP (RFC 5425) on port 6514 encrypts the syslog stream. Use a dedicated VLAN for logging traffic.
Logs stored on a compromised system can be modified to cover an attacker's tracks. Forwarding logs to an out-of-band system provides a tamper-evident record.
Mitigation: Forward logs in real-time to a write-once or immutable storage system. Use WORM (Write Once Read Many) media.
Log correlation across multiple devices requires accurate, synchronized timestamps. Unsynchronized clocks make incident timeline reconstruction impossible.
Mitigation: NTP on all devices. Configure NTP before logging. The TIMESTAMP field in RFC 5424 includes timezone, making cross-timezone correlation feasible.
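Three of the collector-side mitigations above (restricting accepted source addresses, rate limiting, and rejecting messages whose TIMESTAMP disagrees with the collector's NTP-synchronized clock) can be tried out on constructed datagrams. This is an added example, not code from the original page or from any syslog server; the address range, limits, clock value and log lines are constructed for illustration.

```python
"""Collector-side admission checks for UDP syslog: source allowlist, per-source
rate limit and timestamp skew check. Added example for this page, not code from the
page or from any syslog server; networks, limits and datagrams are constructed."""
from __future__ import annotations

import ipaddress
import re
from collections import deque
from datetime import datetime, timedelta, timezone

# Only PRI, VERSION and TIMESTAMP of the RFC 5424 header are inspected here.
_HEADER_TS = re.compile(r"^<\d{1,3}>\d{1,2} (\S+) ")


class Collector:
    def __init__(self, allowed_sources: list[str], max_per_minute: int,
                 max_skew: timedelta = timedelta(minutes=5)) -> None:
        self.allowed = [ipaddress.ip_network(n) for n in allowed_sources]
        self.max_per_minute = max_per_minute
        self.max_skew = max_skew
        self._recent: dict[str, deque] = {}           # arrival times per source
        self.accepted: list[tuple[str, str]] = []      # (source, raw)
        self.dropped: list[tuple[str, str, str]] = []  # (source, reason, raw)

    def _source_allowed(self, src: str) -> bool:
        ip = ipaddress.ip_address(src)
        return any(ip in net for net in self.allowed)

    def _within_rate(self, src: str, now: datetime) -> bool:
        window = self._recent.setdefault(src, deque())
        while window and now - window[0] > timedelta(minutes=1):
            window.popleft()  # slide the one-minute window
        if len(window) >= self.max_per_minute:
            return False
        window.append(now)
        return True

    def _skew(self, raw: str, now: datetime) -> timedelta | None:
        """Absolute difference between the message TIMESTAMP and the collector
        clock, or None when the timestamp is NILVALUE or not RFC 3339."""
        m = _HEADER_TS.match(raw)
        if not m or m.group(1) == "-":
            return None
        try:
            ts = datetime.fromisoformat(m.group(1).replace("Z", "+00:00"))
            return abs(now - ts)
        except (ValueError, TypeError):  # bad format, or no UTC offset
            return None

    def receive(self, src: str, raw: str, now: datetime) -> bool:
        if not self._source_allowed(src):
            reason = "source not in allowlist (possible spoofed originator)"
        elif not self._within_rate(src, now):
            reason = "per-source rate limit exceeded (flood)"
        else:
            skew = self._skew(raw, now)
            if skew is None:
                reason = "unparseable or missing timestamp"
            elif skew > self.max_skew:
                reason = f"clock skew {skew} exceeds limit (check NTP; possible replay)"
            else:
                self.accepted.append((src, raw))
                return True
        self.dropped.append((src, reason, raw))
        return False


# Constructed datagrams. The collector clock is 09:15:30 UTC (= 10:15:30+01:00).
NOW = datetime(2024, 3, 4, 9, 15, 30, tzinfo=timezone.utc)
DATAGRAMS = [
    ("10.0.0.5", "<38>1 2024-03-04T10:15:30+01:00 fw01 sshd 1187 - - Accepted publickey for ops"),
    ("198.51.100.9", "<38>1 2024-03-04T10:15:31+01:00 fw01 sshd 1187 - - Accepted publickey for ops"),
    ("10.0.0.5", "<38>1 2024-03-04T06:00:00+01:00 fw01 sshd 1187 - - Accepted publickey for ops"),
    ("10.0.0.5", "<38>1 - fw01 sshd 1187 - - message without a timestamp"),
] + [("10.0.0.7", f"<14>1 2024-03-04T10:15:30+01:00 app01 job {i} - - heartbeat") for i in range(25)]


def run_demo() -> Collector:
    """Feed the constructed datagrams through a collector that accepts 10.0.0.0/24
    and at most 20 messages per source per minute."""
    c = Collector(allowed_sources=["10.0.0.0/24"], max_per_minute=20)
    for src, raw in DATAGRAMS:
        c.receive(src, raw, NOW)
    return c


if __name__ == "__main__":
    c = run_demo()
    print(f"accepted={len(c.accepted)} dropped={len(c.dropped)}")
    for src, reason, _ in c.dropped[:4]:
        print(src, "->", reason)
```

The allowlist only helps against forgery from outside the permitted range: a UDP datagram whose source address is spoofed to lie inside 10.0.0.0/24 still passes, which is why the mutual-certificate TLS transport of RFC 5425 remains the stronger control against injection, and why the skew check depends on every originator being NTP-synchronized first.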
| Framework/Regulation | Log Retention | Key Requirement |
|---|---|---|
| PCI DSS | 12 months (3 months online) | Centralized logging of all system components; daily log review |
| HIPAA | 6 years | Audit controls, information activity review, access logs |
| SOX (Sarbanes-Oxley) | 7 years | Financial system logs to prevent tampering and ensure accountability |
| NIST SP 800-92 | Varies (90 days minimum typical) | Guide for computer security log management; defines log management infrastructure |
| ISO 27001 | Defined by risk assessment | Event logging, monitoring system use, protecting log information |
| FISMA / FedRAMP | 90+ days online, 3 years total | Centralized logging, automated log analysis, incident response integration |
Test your understanding of syslog concepts. Select the best answer for each question.
Q1 What is the default transport protocol and port number used by syslog?
Q2 A syslog message has a PRI value of <165>. What is the Facility code and Severity level?
Q3 Which RFC defines the modern, structured syslog protocol standard currently in use?
Q4 What does a Severity level of 0 indicate in the syslog priority system?
Q5 Which field in an RFC 5424 syslog header provides key-value structured metadata about the event?
Q6 A Cisco router is configured with logging trap warnings. Which severity levels will be sent to the syslog server?
Q7 What is the primary security concern with using default UDP syslog for transmitting sensitive network events?