Professional Documents
Culture Documents
RFC 5424 Syslog
RFC 5424 Syslog
Gerhards
Request for Comments: 5424 Adiscon GmbH
Obsoletes: 3164 March 2009
Category: Standards Track
Copyright Notice
Copyright (c) 2009 IETF Trust and the persons identified as the
document authors. All rights reserved.
Abstract
This document has been written with the original design goals for
traditional syslog in mind. The need for a new layered specification
has arisen because standardization efforts for reliable and secure
syslog extensions suffer from the lack of a Standards-Track and
transport-independent RFC. Without this document, each other
standard needs to define its own syslog packet format and transport
mechanism, which over time will introduce subtle compatibility
issues. This document tries to provide a foundation that syslog
extensions can build on. This layered architecture approach also
provides a solid basis that allows code to be written once for each
syslog feature rather than once for each transport.
Table of Contents
1. Introduction ....................................................4
2. Conventions Used in This Document ...............................4
3. Definitions .....................................................4
4. Basic Principles ................................................5
4.1. Example Deployment Scenarios ...............................6
5. Transport Layer Protocol ........................................7
5.1. Minimum Required Transport Mapping .........................7
6. Syslog Message Format ...........................................8
6.1. Message Length .............................................9
6.2. HEADER .....................................................9
6.2.1. PRI .................................................9
6.2.2. VERSION ............................................11
6.2.3. TIMESTAMP ..........................................11
6.2.4. HOSTNAME ...........................................13
6.2.5. APP-NAME ...........................................14
6.2.6. PROCID .............................................14
6.2.7. MSGID ..............................................14
6.3. STRUCTURED-DATA ...........................................15
6.3.1. SD-ELEMENT .........................................15
6.3.2. SD-ID ..............................................15
6.3.3. SD-PARAM ...........................................16
6.3.4. Change Control .....................................17
6.3.5. Examples ...........................................17
1. Introduction
This document describes the standard format for syslog messages and
outlines the concept of transport mappings. It also describes
structured data elements, which can be used to transmit easily
parseable, structured information, and allows for vendor extensions.
This document does not describe any storage format for syslog
messages. It is beyond of the scope of the syslog protocol and is
unnecessary for system interoperability.
This document has been written with the original design goals for
traditional syslog in mind. The need for a new layered specification
has arisen because standardization efforts for reliable and secure
syslog extensions suffer from the lack of a Standards-Track and
transport-independent RFC. Without this document, each other
standard would need to define its own syslog packet format and
transport mechanism, which over time will introduce subtle
compatibility issues. This document tries to provide a foundation
that syslog extensions can build on. This layered architecture
approach also provides a solid basis that allows code to be written
once for each syslog feature instead of once for each transport.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC 2119 [RFC2119].
3. Definitions
o The "syslog transport" layer puts messages on the wire and takes
them off the wire.
+---------------------+ +---------------------+
| content | | content |
|---------------------| |---------------------|
| syslog application | | syslog application | (originator,
| | | | collector, relay)
|---------------------| |---------------------|
| syslog transport | | syslog transport | (transport sender,
| | | | (transport receiver)
+---------------------+ +---------------------+
^ ^
| |
--------------------------
4. Basic Principles
+----------+ +---------+
|Originator|---->----|Collector|
+----------+ +---------+
+----------+ +---------+
|Originator|---->----|Collector|
| |-+ +---------+
+----------+ \
\ +-----+ +---------+
+->--|Relay|---->----|Collector|
+-----+ +---------+
Any syslog transport protocol MUST NOT deliberately alter the syslog
message. If the transport protocol needs to perform temporary
transformations at the transport sender, these transformations MUST
be reversed by the transport protocol at the transport receiver so
that the relay or collector will see an exact copy of the message
generated by the originator or relay. Otherwise, end-to-end
cryptographic verifiers (such as signatures) will be broken. Of
course, message alteration might occur due to transmission errors or
other problems. Guarding against such alterations is not within the
scope of this document.
OCTET = %d00-255
SP = %d32
PRINTUSASCII = %d33-126
NONZERO-DIGIT = %d49-57
DIGIT = %d48 / NONZERO-DIGIT
NILVALUE = "-"
6.2. HEADER
6.2.1. PRI
The PRI part MUST have three, four, or five characters and will be
bound with angle brackets as the first and last characters. The PRI
part starts with a leading "<" (’less-than’ character, %d60),
followed by a number, which is followed by a ">" (’greater-than’
Facility and Severity values are not normative but often used. They
are described in the following tables for purely informational
purposes. Facility values MUST be in the range of 0 to 23 inclusive.
Numerical Facility
Code
0 kernel messages
1 user-level messages
2 mail system
3 system daemons
4 security/authorization messages
5 messages generated internally by syslogd
6 line printer subsystem
7 network news subsystem
8 UUCP subsystem
9 clock daemon
10 security/authorization messages
11 FTP daemon
12 NTP subsystem
13 log audit
14 log alert
15 clock daemon (note 2)
16 local use 0 (local0)
17 local use 1 (local1)
18 local use 2 (local2)
19 local use 3 (local3)
20 local use 4 (local4)
21 local use 5 (local5)
22 local use 6 (local6)
23 local use 7 (local7)
Numerical Severity
Code
6.2.2. VERSION
6.2.3. TIMESTAMP
o The "T" and "Z" characters in this syntax MUST be upper case.
6.2.3.1. Examples
Example 1
1985-04-12T23:20:50.52Z
This represents 20 minutes and 50.52 seconds after the 23rd hour of
12 April 1985 in UTC.
Example 2
1985-04-12T19:20:50.52-04:00
Example 3
2003-10-11T22:14:15.003Z
Example 4
2003-08-24T05:14:15.000003-07:00
2003-08-24T05:14:15.000000003-07:00
6.2.4. HOSTNAME
The HOSTNAME field identifies the machine that originally sent the
syslog message.
The HOSTNAME field SHOULD contain the hostname and the domain name of
the originator in the format specified in STD 13 [RFC1034]. This
format is called a Fully Qualified Domain Name (FQDN) in this
document.
1. FQDN
2. Static IP address
3. hostname
4. Dynamic IP address
5. the NILVALUE
The NILVALUE SHOULD only be used when the syslog application has no
way to obtain its real hostname. This situation is considered highly
unlikely.
6.2.5. APP-NAME
The NILVALUE MAY be used when the syslog application has no idea of
its APP-NAME or cannot provide that information. It may be that a
device is unable to provide that information either because of a
local policy decision, or because the information is not available,
or not applicable, on the device.
6.2.6. PROCID
The PROCID field is often used to provide the process name or process
ID associated with a syslog system. The NILVALUE might be used when
a process ID is not available. On an embedded system without any
operating system process ID, PROCID might be a reboot ID.
6.2.7. MSGID
The NILVALUE SHOULD be used when the syslog application does not, or
cannot, provide any value.
6.3. STRUCTURED-DATA
6.3.1. SD-ELEMENT
6.3.2. SD-ID
SD-IDs are case-sensitive and uniquely identify the type and purpose
of the SD-ELEMENT. The same SD-ID MUST NOT exist more than once in a
message.
o Names that do not contain an at-sign ("@", ABNF %d64) are reserved
to be assigned by IETF Review as described in BCP26 [RFC5226].
Currently, these are the names defined in Section 7. Names of
this format are only valid if they are first registered with the
IANA. Registered names MUST NOT contain an at-sign (’@’, ABNF
6.3.3. SD-PARAM
Inside PARAM-VALUE, the characters ’"’ (ABNF %d34), ’\’ (ABNF %d92),
and ’]’ (ABNF %d93) MUST be escaped. This is necessary to avoid
parsing errors. Escaping ’]’ would not strictly be necessary but is
REQUIRED by this specification to avoid syslog application
implementation errors. Each of these three characters MUST be
escaped as ’\"’, ’\\’, and ’\]’ respectively. The backslash is used
for control character escaping for consistency with its use for
escaping in other parts of the syslog message as well as in
traditional syslog.
6.3.5. Examples
All examples in this section show only the structured data part of
the message. Examples should be considered to be on one line. They
are wrapped on multiple lines in this document for readability
purposes. A description is given after each example.
Example 1 - Valid
Example 2 - Valid
Example 3 - Invalid
Example 4 - Invalid
Example 5 - Valid
6.4. MSG
The character set used in MSG SHOULD be UNICODE, encoded using UTF-8
as specified in [RFC3629]. If the syslog application cannot encode
the MSG in Unicode, it MAY use any other encoding.
6.5. Examples
In this example, the VERSION is 1 and the Facility has the value of
4. The Severity is 2. The message was created on 11 October 2003 at
10:14:15pm UTC, 3 milliseconds into the next second. The message
originated from a host that identifies itself as
"mymachine.example.com". The APP-NAME is "su" and the PROCID is
unknown. The MSGID is "ID47". The MSG is "’su root’ failed for
lonvick...", encoded in UTF-8. The encoding is defined by the BOM.
There is no STRUCTURED-DATA present in the message; this is indicated
by "-" in the STRUCTURED-DATA field.
The message is "%% It’s time to make the do-nuts.". As the Unicode
BOM is missing, the syslog application does not know the encoding of
the MSG part.
7.1. timeQuality
7.1.1. tzKnown
7.1.2. isSynced
7.1.3. syncAccuracy
If the value "0" is used for "isSynced", this parameter MUST NOT be
specified. If the value "1" is used for "isSynced" but the
"syncAccuracy" parameter is absent, a collector or relay can assume
that the time information provided is accurate enough to be
considered correct. The "syncAccuracy" parameter MUST be written
only if the originator actually has knowledge of the reliability of
the external time source. In most cases, it will gain this in-depth
knowledge through operator configuration.
7.1.4. Examples
The difference between this and the previous example is that the
originator expects that its clock will be kept within 60 seconds of
the official time. Thus, if the originator reports it is 9:00:00, it
is no earlier than 8:59:00 and no later then 9:01:00.
7.2. origin
7.2.1. ip
7.2.2. enterpriseId
7.2.3. software
7.2.4. swVersion
7.2.5. Example
7.3. meta
7.3.1. sequenceId
7.3.2. sysUpTime
As syslog does not support the SNMP "INTEGER" syntax directly, the
value MUST be represented as a decimal integer (no decimal point)
using only the characters "0", "1", "2", "3", "4", "5", "6", "7",
"8", and "9".
Note that the semantics in RFC 3418 are "The time (in hundredths of a
second) since the network management portion of the system was last
re-initialized." This of course relates to the SNMP-related
management portion of the system, which MAY be different than the
syslog-related management portion of the system.
7.3.3. language
8. Security Considerations
8.1. UNICODE
This document uses UTF-8 encoding for the PARAM-VALUE and MSG fields.
There are a number of security issues with UNICODE. Any implementer
and operator is advised to review UNICODE TR36 [UNICODE-TR36] (UTR36)
to learn about these issues. This document guards against the
This document does not impose any mandatory restrictions on the MSG
or PARAM-VALUE content. As such, they MAY contain control
characters, including the NUL character.
Many popular text editors are also written in languages with this
restriction. Encoding NUL characters when writing to text files is
advisable. If they are stored without encoding, the file can become
unreadable.
8.4. Replay
The only environments where the syslog UDP transport MAY be used as
an alternative to the TLS transport are managed networks, where the
network path has been explicitly provisioned for UDP syslog traffic
through traffic engineering mechanisms, such as rate limiting or
capacity reservations. In all other environments, the TLS transport
SHOULD be used.
9. IANA Considerations
9.1. VERSION
VERSION FORMAT
1 Defined in [RFC5424]
9.2. SD-IDs
New SD-ID and new PARAM-NAME values must be registered through the
IETF Review method as described in [RFC5226].
Once SD-IDs and SD-PARAMs are defined, syntax and semantics of these
objects MUST NOT be altered. Should a change to an existing object
be desired, a new SD-ID or SD-PARAM MUST be created and the old one
remain unchanged.
A provision is made here for locally extensible names. The IANA will
not register, and will not control names with the at-sign (ABNF %d64)
in them.
SD-ID PARAM-NAME
timeQuality OPTIONAL
tzKnown OPTIONAL
isSynced OPTIONAL
syncAccuracy OPTIONAL
origin OPTIONAL
ip OPTIONAL
enterpriseId OPTIONAL
software OPTIONAL
swVersion OPTIONAL
meta OPTIONAL
sequenceId OPTIONAL
sysUpTime OPTIONAL
language OPTIONAL
syslog@ietf.org
Chris Lonvick
Cisco Systems
EMail: clonvick@cisco.com
David Harrington
Huawei Technologies USA
EMail: dbharrington@comcast.net
11. Acknowledgments
The authors wish to thank Chris Lonvick, Jon Callas, Andrew Ross,
Albert Mietus, Anton Okmianski, Tina Bird, Devin Kowatch, David
Harrington, Sharon Chisholm, Richard Graveman, Tom Petch, Dado
Colussi, Clement Mathieu, Didier Dalmasso, and all the other people
who commented on various versions of this proposal.
12. References
[RFC3339] Klyne, G., Ed. and C. Newman, "Date and Time on the
Internet: Timestamps", RFC 3339, July 2002.
While BSD syslog is in widespread use, its format has never been
formally standardized. [RFC3164] describes observed formats. It is
an Informational RFC, and practice shows that there are many
different implementations. Research during creation of this document
showed that there is very little in common between different syslog
implementations on different platforms. The only thing that all of
them agree upon is that messages start with "<" PRIVAL ">". Other
than that, legacy syslog messages are not formatted in a consistent
way. Consequently, RFC 3164 describes no specific elements inside a
syslog message. It states that any message destined to the syslog
UDP port must be treated as a syslog message, no matter what its
format or content is.
This document retains the PRI value syntax and semantics. This will
allow legacy syslog implementations to put messages generated by
syslog applications compliant to this specification into the right
bins.
RFC 3164 describes relay behavior. This document does not specify
relay behavior. This might be done in a separate document.
The TIMESTAMP described in RFC 3164 offers less precision than the
timestamp specified in this document. It also lacks the year and
time zone information. If a message formatted according to this
document needs to be reformatted to be in RFC 3164 format, it is
suggested that the originator’s local time zone be used, and the time
zone information and the year be dropped. If an RFC 3164 formatted
message is received and must be transformed to be compliant to this
document, the current year should be added and the time zone of the
relay or collector MAY be used.
The HOSTNAME in RFC 3164 is less specific, but this format is still
supported in this document as one of the alternate HOSTNAME
representations.
The MSG part of the message is described as TAG and CONTENT in RFC
3164. In this document, MSG is what was called CONTENT in RFC 3164.
The TAG is now part of the header, but not as a single field. The
TAG has been split into APP-NAME, PROCID, and MSGID. This does not
totally resemble the usage of TAG, but provides the same
functionality for most of the cases.
There are other use cases where syslog messages are used to transmit
inherently lengthy information, e.g., audit data. By not enforcing
any upper limit on the message size, syslog applications can be
implemented with any size needed and still be compliant with this
document. In such cases, it is the operator’s responsibility to
It must be noted that the IPv6 MTU is about 2.5 times 480. An
implementation targeted towards an IPv6-only environment might thus
assume this as a larger minimum size.
Names are used at various places in this document, for example for
SD-IDs and PARAM-NAMEs. This document uses "lower camel case"
consistently. With that, each name begins with a lower case letter
and each new embedded word starts with an upper case letter, with no
hyphen or other delimiter. An example of this is "timeQuality".
Author’s Address
Rainer Gerhards
Adiscon GmbH
Mozartstrasse 21
Grossrinderfeld, BW 97950
Germany
EMail: rgerhards@adiscon.com