
The syslog protocol is supported by the majority of network equipment (switches, routers, firewalls, storage systems, modems, wireless devices, Unix hosts, etc.) from all major vendors (Cisco, Nortel, Juniper, 3Com, HP, etc.).


Syslog Protocol

The syslog protocol has been used for the transmission of event notification messages across networks for many years. Its value to operations and management has led it to be ported to many other operating systems, as well as being embedded into many other networked devices.

Syslog uses the User Datagram Protocol (UDP) as its underlying transport layer mechanism. The UDP port assigned to syslog is 514.

The total length of the packet carrying a message must be 1024 bytes or less. There is no minimum length for a syslog message.

Each syslog message has a Severity level indicator:

  • 0 = Emergency: system is unusable
  • 1 = Alert: action must be taken immediately
  • 2 = Critical: critical conditions
  • 3 = Error: error conditions
  • 4 = Warning: warning conditions
  • 5 = Notice: normal but significant condition
  • 6 = Informational: informational messages
  • 7 = Debug: debug-level messages

One of the fundamental tenets of the syslog protocol and process is its simplicity. No stringent coordination is required between the transmitters and the receivers. Indeed, the transmission of syslog messages may be started on a device without a receiver being configured, or even actually physically present. Conversely, many devices will most likely be able to receive messages without explicit configuration or definitions. This simplicity has greatly aided the acceptance and deployment of syslog.

Example (from RFC 3164):

<34>Oct 11 22:14:15 mymachine su: 'su root' failed for lonvick on /dev/pts/8
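The following parser is an added example, not code from Syslog Watcher or from the RFC. It applies the rules above to a received UDP datagram: it enforces the 1024-byte limit, splits the PRI value into facility and severity (PRI = facility * 8 + severity, so the <34> in the example is facility 4, auth, at severity 2, Critical), and separates the TAG from the message content. The facility names beyond those discussed on this page are taken from RFC 3164.

```python
import re
from dataclasses import dataclass
from typing import Optional

MAX_PACKET_LEN = 1024  # the whole packet must be 1024 bytes or less
# Severity names; the list index is the numeric code from the table above (0 = Emergency .. 7 = Debug).
SEVERITIES = ["Emergency", "Alert", "Critical", "Error",
              "Warning", "Notice", "Informational", "Debug"]
# Facility names for codes 0-23 as listed in RFC 3164 (16-23 are local0-local7).
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock"]
FACILITIES += [f"local{i}" for i in range(8)]
# Header: PRI "<0..191>", TIMESTAMP "Mmm dd hh:mm:ss", HOSTNAME, then the free-form MSG part.
_HEADER = re.compile(r"^<(?P<pri>\d{1,3})>"
                     r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
                     r"(?P<host>\S+) (?P<msg>.*)$", re.DOTALL)
# MSG usually begins with a TAG (process name, optional [pid]) followed by ':'.
_TAG = re.compile(r"^(?P<tag>[A-Za-z0-9_./-]{1,32})(\[\d+\])?:\s?")

@dataclass
class SyslogMessage:
    facility: str
    severity: str
    severity_code: int
    timestamp: str
    hostname: str
    tag: Optional[str]
    content: str

def parse_syslog(packet: bytes) -> SyslogMessage:
    # Decode one datagram as an RFC 3164 message; raise ValueError when it is malformed.
    if len(packet) > MAX_PACKET_LEN:
        raise ValueError(f"packet is {len(packet)} bytes, limit is {MAX_PACKET_LEN}")
    m = _HEADER.match(packet.decode("ascii", errors="replace"))
    if not m:
        raise ValueError("not a valid RFC 3164 header")
    pri = int(m.group("pri"))
    if pri > 191:  # 23 * 8 + 7 is the largest legal PRI value
        raise ValueError(f"PRI {pri} out of range")
    facility_code, severity_code = divmod(pri, 8)  # PRI = facility * 8 + severity
    msg = m.group("msg")
    t = _TAG.match(msg)
    tag, content = (t.group("tag"), msg[t.end():]) if t else (None, msg)
    return SyslogMessage(FACILITIES[facility_code], SEVERITIES[severity_code],
                         severity_code, m.group("ts"), m.group("host"), tag, content)

# The RFC example quoted above, as the bytes a receiver on UDP port 514 would get.
EXAMPLE = b"<34>Oct 11 22:14:15 mymachine su: 'su root' failed for lonvick on /dev/pts/8"
```

A receiver would call parse_syslog() on each datagram and can then filter or alert on severity_code, e.g. forwarding everything at Error (3) or more urgent.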


For a detailed description of the syslog protocol, see RFC3164.txt.