Syslog Standards: A simple Comparison between RFC3164 (old format) & RFC5424 (new format)
Though the syslog standards have been around for a long time, many people still do not understand the formats in detail. The original standard documents are lengthy to read, and the purpose of this article is to explain the two formats with examples.

Some things you need to understand first:
- The two RFC formats are independent of the daemon: syslog-ng, rsyslog and most appliances can both emit and parse either of them.
- Always try to capture data in one of these standard formats. Log aggregators such as Splunk or Elastic ship with built-in parsers for them, which saves you writing and maintaining custom field extractions.
- Syslog can be carried over both UDP and TCP. RFC 3164 only describes UDP port 514; RFC 5424 defines the message format and leaves transport to companion documents (RFC 5426 for UDP, RFC 5425 for TLS, RFC 6587 for plain TCP). UDP gives no delivery guarantee, no ordering and no sender authentication, so for security-relevant logs prefer TCP, ideally with TLS.
Links to the documents: RFC 3164 (https://www.rfc-editor.org/rfc/rfc3164) and RFC 5424 (https://www.rfc-editor.org/rfc/rfc5424).
RFC3164 (the old format)
RFC 3164 (published in 2001) is an informational document that describes the BSD syslog behaviour observed across existing implementations rather than defining a new protocol, so real-world messages vary slightly from one sender to another. It also caps the whole packet at 1024 bytes. The canonical message format looks like this:
<35>Oct 12 22:14:15 client_machine su: 'su root' failed for joe on /dev/pts/2
- <35> is the PRI (priority) field, enclosed in angle brackets. It is computed as facility * 8 + severity, so 35 = 4 * 8 + 3: facility 4 (auth / security) and severity 3 (error). Valid values run from 0 to 191.
- Oct 12 22:14:15 is the syslog TIMESTAMP in "Mmm dd hh:mm:ss" form, with no year and no timezone. Some daemons emit an ISO 8601 / RFC 3339 timestamp here instead; that is common but strictly outside RFC 3164, so your parser should accept both.
- client_machine is the HOSTNAME of the sender (the %hostname% property in rsyslog templates). Note that it is whatever the sender wrote into the message, not the source address of the packet, so it cannot be trusted on its own.
- su: is the TAG, usually the process name, optionally followed by the PID in square brackets (su[1234]:).
- The rest of the line is the CONTENT, the free-form message text. The RFC calls TAG plus CONTENT together the MSG part.
RFC5424 (the new format)
RFC 5424 was published in 2009 as a proposed standard and is the better-defined format. The timestamp is RFC 3339 (ISO 8601 style) with optional fractional seconds and an explicit timezone, and the single TAG is replaced by separate APP-NAME, PROCID and MSGID fields. It also drops the 1024-byte cap of RFC 3164: a transport must accept at least 480 octets and should accept 2048, and daemons let you raise the limit further, so messages larger than 1 KB are fine.
<35>1 2013-10-11T22:14:15.003Z client_machine su - - - 'su root' failed for joe on /dev/pts/2
Reading it left to right:
- <35> is the same PRI as before (auth, error), immediately followed by the VERSION, which is 1.
- 2013-10-11T22:14:15.003Z is the RFC 3339 TIMESTAMP, here with millisecond precision in UTC.
- client_machine is the HOSTNAME.
- su is the APP-NAME. The three dashes after it are the NILVALUE for PROCID, MSGID and STRUCTURED-DATA respectively, meaning "not provided".
- Everything after that is the free-form MSG.
RFC 5424 also adds STRUCTURED-DATA. It is its own header field between MSGID and MSG, not part of MSG, and carries one or more bracketed elements of name="value" pairs, for example [exampleSDID@32473 iut="3" eventSource="Application"]. Because the fields are delimited and the values are quoted (with ", \ and ] escaped by a backslash), a receiver can extract them reliably instead of guessing at the message text.
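To make the two layouts concrete, here is a small parser that handles both formats and normalises them into one record, decoding PRI into facility and severity, splitting TAG[PID] in RFC 3164, and parsing STRUCTURED-DATA (including escaped values) in RFC 5424. It is an added example written for this article, not code from the article or from any syslog daemon. The sample lines are constructed for the example: two are the messages shown above, one is the structured-data example from RFC 5424, and one is a made-up sshd line; the facility and severity names are shortened labels for the RFC 5424 tables.

```python
"""Parse RFC 3164 and RFC 5424 syslog lines into one normalised record.
Added example for this article; not code from any syslog daemon."""
import re
from dataclasses import dataclass, field
from typing import Optional

# Facility (PRI // 8) and severity (PRI % 8) labels, from the RFC 5424 tables.
FACILITIES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# RFC 3164: <PRI>TIMESTAMP SP HOSTNAME SP TAG[PID]: CONTENT
RFC3164_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<rest>.*)$", re.DOTALL)
TAG_RE = re.compile(r"^(?P<tag>[\w./-]{1,32})(?:\[(?P<pid>\d+)\])?: ?(?P<msg>.*)$", re.DOTALL)
# RFC 5424: <PRI>VERSION SP TIMESTAMP SP HOSTNAME SP APP-NAME SP PROCID SP MSGID
#           SP STRUCTURED-DATA [SP MSG]
RFC5424_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ver>\d{1,2}) (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) "
    r"(?P<procid>\S+) (?P<msgid>\S+) (?P<rest>.*)$", re.DOTALL)
# SD-ELEMENT = "[" SD-ID *(SP PARAM-NAME "=" DQUOTE PARAM-VALUE DQUOTE) "]"
# A PARAM-VALUE escapes '"', '\' and ']' with a backslash.
SD_ELEMENT_RE = re.compile(r'\[(?P<id>[^\s\]="]+)(?P<params>(?: [^\s=\]"]+="(?:[^"\\\]]|\\.)*")*)\]')
SD_PARAM_RE = re.compile(r'(?P<name>[^\s=\]"]+)="(?P<value>(?:[^"\\\]]|\\.)*)"')


@dataclass
class SyslogMessage:
    format: str                 # "rfc3164" or "rfc5424"
    facility: int
    severity: int
    timestamp: str              # kept as the sender wrote it
    hostname: str               # sender-claimed, not the packet source address
    app_name: Optional[str]     # RFC 3164 TAG / RFC 5424 APP-NAME
    procid: Optional[str]
    msgid: Optional[str]
    structured_data: dict = field(default_factory=dict)
    msg: str = ""

    @property
    def facility_name(self) -> str:
        return FACILITIES[self.facility]

    @property
    def severity_name(self) -> str:
        return SEVERITIES[self.severity]


def decode_pri(pri: str) -> tuple:
    """PRI = facility * 8 + severity; anything outside 0..191 is malformed."""
    value = int(pri)
    if not 0 <= value <= 191:
        raise ValueError("PRI out of range: %d" % value)
    return divmod(value, 8)


def parse_rfc3164(line: str) -> SyslogMessage:
    m = RFC3164_RE.match(line)
    if not m:
        raise ValueError("not an RFC 3164 message: %r" % line)
    facility, severity = decode_pri(m["pri"])
    tag = TAG_RE.match(m["rest"])
    if tag:
        app, pid, msg = tag["tag"], tag["pid"], tag["msg"]
    else:  # no TAG present: the whole remainder is CONTENT
        app, pid, msg = None, None, m["rest"]
    return SyslogMessage("rfc3164", facility, severity, m["ts"], m["host"], app, pid, None, {}, msg)


def parse_structured_data(rest: str) -> tuple:
    """Split 'STRUCTURED-DATA [SP MSG]' into ({sd_id: {name: value}}, msg)."""
    if rest == "-" or rest.startswith("- "):
        return {}, rest[2:]
    sd, pos = {}, 0
    while pos < len(rest) and rest[pos] == "[":
        m = SD_ELEMENT_RE.match(rest, pos)
        if not m:
            raise ValueError("malformed SD-ELEMENT at offset %d" % pos)
        # Undo the backslash escaping of '"', '\' and ']' inside values.
        sd[m["id"]] = {p["name"]: re.sub(r"\\(.)", r"\1", p["value"])
                       for p in SD_PARAM_RE.finditer(m["params"])}
        pos = m.end()
    if not sd:
        raise ValueError("STRUCTURED-DATA must be '-' or one or more SD-ELEMENTs")
    msg = rest[pos:]
    msg = msg[1:] if msg.startswith(" ") else msg
    return sd, (msg[1:] if msg.startswith("\ufeff") else msg)  # MSG may start with a BOM


def parse_rfc5424(line: str) -> SyslogMessage:
    m = RFC5424_RE.match(line)
    if not m or m["ver"] != "1":
        raise ValueError("not an RFC 5424 version 1 message: %r" % line)
    facility, severity = decode_pri(m["pri"])
    nil = lambda v: None if v == "-" else v  # "-" is the NILVALUE
    sd, msg = parse_structured_data(m["rest"])
    return SyslogMessage("rfc5424", facility, severity, m["ts"], m["host"],
                         nil(m["app"]), nil(m["procid"]), nil(m["msgid"]), sd, msg)


def parse(line: str) -> SyslogMessage:
    """Only RFC 5424 puts a VERSION digit and a space right after PRI."""
    if re.match(r"^<\d{1,3}>\d{1,2} ", line):
        return parse_rfc5424(line)
    return parse_rfc3164(line)


SAMPLE_LINES = [  # constructed for this example
    "<35>Oct 12 22:14:15 client_machine su: 'su root' failed for joe on /dev/pts/2",
    "<35>1 2013-10-11T22:14:15.003Z client_machine su - - - 'su root' failed for joe on /dev/pts/2",
    "<13>Feb  5 17:32:18 10.0.0.99 sshd[1234]: Failed password for invalid user admin from 203.0.113.5 port 4242 ssh2",
    '<165>1 2003-10-11T22:14:15.003Z mymachine.example.com evntslog - ID47 '
    '[exampleSDID@32473 iut="3" eventSource="Application" eventID="1011"] An application event log entry',
]

if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        r = parse(sample)
        print(f"{r.format} {r.facility_name}.{r.severity_name} host={r.hostname} "
              f"app={r.app_name} pid={r.procid} msgid={r.msgid} sd={r.structured_data} msg={r.msg!r}")
```

Two points worth noticing when you run it: the PRI is validated before anything else, because an out-of-range value is the first sign of a sender that is not speaking syslog at all, and the hostname is taken from the message as-is, so anything that keys alerts on it should also record the transport-level source address.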