What is a Unix SYSLOG?

SYSLOG is the standard Unix logging mechanism. SYSLOGs are not only on full-blown Unix servers; most mid-range to high-end network devices also implement this logging mechanism.

SYSLOG consists of a client and a server that communicate over the UDP protocol.

The default UDP port is 514.

Each UDP packet contains one line of SYSLOG message.

The message format is as follows:

    <150>demo[1604]: syslog client at 10.0.0.6 started.
     (1)  (2)  (3)    (4)

  1. This is the message priority (LOG_EMERG to LOG_DEBUG) and the facility value (LOG_KERN to LOG_LOCAL7) OR'ed together. This field cannot be suppressed. The priority is in the lower 4 bits and the facility value in the rest. Use the LOG_PRI() macro to extract the priority and the LOG_FAC() macro to extract the facility.
  2. This is the log-tag or identifier from openlog() or setlogtag().
  3. This is the process-id (pid) of the running process. It will be shown only if LOG_PID was given in openlog().
  4. This is the actual message.

    The constants of message priority are listed as follows:

        #define LOG_EMERG    0   /* system is unusable                  */
        #define LOG_ALERT    1   /* action must be taken immediately    */
        #define LOG_CRIT     2   /* critical conditions                 */
        #define LOG_ERR      3   /* error conditions                    */
        #define LOG_WARNING  4   /* warning conditions                  */
        #define LOG_NOTICE   5   /* normal but significant condition    */
        #define LOG_INFO     6   /* informational                       */
        #define LOG_DEBUG    7   /* debug-level messages                */


    The constants of message facility are listed as follows:

        #define LOG_KERN      (0<<3)   /* kernel messages                           */
        #define LOG_USER      (1<<3)   /* random user-level messages                */
        #define LOG_MAIL      (2<<3)   /* mail system                               */
        #define LOG_DAEMON    (3<<3)   /* system daemons                            */
        #define LOG_AUTH      (4<<3)   /* security/authorization messages           */
        #define LOG_SYSLOG    (5<<3)   /* internally by syslog                      */
        #define LOG_LPR       (6<<3)   /* line printer subsystem                    */
        #define LOG_NEWS      (7<<3)   /* network news subsystem                    */
        #define LOG_UUCP      (8<<3)   /* UUCP subsystem                            */
        #define LOG_CRON      (9<<3)   /* clock daemon                              */
        #define LOG_AUTHPRIV  (10<<3)  /* security/authorization messages (private) */
                                       /* Facility #10 clashes in DEC UNIX, where   */
                                       /* it's defined as LOG_MEGASAFE for AdvFS    */
                                       /* event logging.                            */
        #define LOG_FTP       (11<<3)  /* ftp daemon                                */
        #define LOG_NTP       (12<<3)  /* NTP subsystem                             */
                                       /* other codes through 15 reserved for system use */
        #define LOG_LOCAL0    (16<<3)  /* reserved for local use                    */
        #define LOG_LOCAL1    (17<<3)  /* reserved for local use                    */
        #define LOG_LOCAL2    (18<<3)  /* reserved for local use                    */
        #define LOG_LOCAL3    (19<<3)  /* reserved for local use                    */
        #define LOG_LOCAL4    (20<<3)  /* reserved for local use                    */
        #define LOG_LOCAL5    (21<<3)  /* reserved for local use                    */
        #define LOG_LOCAL6    (22<<3)  /* reserved for local use                    */
        #define LOG_LOCAL7    (23<<3)  /* reserved for local use                    */
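The following is an added example, not code from the original page, showing how a receiver would take the payload of one UDP datagram in the format described above (fields 1 to 4) and decode the <PRI> value back into a priority and facility with the LOG_PRI() and LOG_FAC() macros from <syslog.h>, against the constant tables listed above. The struct name syslog_msg, the function parse_syslog(), and the sample datagrams are assumptions made for this example; the field limits (32-byte tag, 1023-byte message) are choices of the example, not a standard. Because anything on UDP/514 can be sent by an arbitrary host, every field is bounds-checked and a malformed datagram is rejected rather than trusted.

```c
/* Added example (not from the original page): parse one BSD-style syslog
 * datagram payload and decode its <PRI> with the LOG_PRI()/LOG_FAC() macros.
 * The payload must be NUL-terminated by the caller (e.g. after recvfrom()). */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <syslog.h>

struct syslog_msg {            /* hypothetical type for this example */
    int  pri;                  /* raw value between '<' and '>'      */
    int  severity;             /* LOG_EMERG .. LOG_DEBUG             */
    int  facility;             /* facility number, e.g. 18 = LOG_LOCAL2 >> 3 */
    char tag[33];              /* identifier given to openlog()      */
    long pid;                  /* -1 when no [pid] is present        */
    char text[1024];           /* the actual message                 */
};

static const char *severity_name(int sev)
{
    static const char *names[] = { "emerg", "alert", "crit", "err",
                                   "warning", "notice", "info", "debug" };
    return (sev >= 0 && sev <= 7) ? names[sev] : "?";
}

/* Returns 0 on success, -1 if the payload is not a well-formed message. */
int parse_syslog(const char *payload, struct syslog_msg *out)
{
    const char *p = payload, *end;
    char *numend;
    long pri;
    size_t n;

    memset(out, 0, sizeof *out);
    out->pid = -1;

    /* Field 1: "<PRI>", 1 to 3 decimal digits, at most 23<<3 | 7 = 191. */
    if (*p != '<' || !isdigit((unsigned char)p[1])) return -1;
    pri = strtol(p + 1, &numend, 10);
    if (numend - (p + 1) > 3 || *numend != '>' || pri > 191) return -1;
    out->pri      = (int)pri;
    out->severity = LOG_PRI((int)pri);   /* low bits: the priority constants   */
    out->facility = LOG_FAC((int)pri);   /* facility constants are stored <<3, */
    p = numend + 1;                      /* LOG_FAC() shifts them back down    */

    /* Field 2: the tag, up to '[' (pid follows), ':' or a space. */
    end = p;
    while (*end && *end != '[' && *end != ':' && *end != ' ') end++;
    n = (size_t)(end - p);
    if (n == 0 || n >= sizeof out->tag) return -1;
    memcpy(out->tag, p, n);
    out->tag[n] = '\0';
    p = end;

    /* Field 3: optional "[pid]", only present if LOG_PID was used. */
    if (*p == '[') {
        long pid;
        if (!isdigit((unsigned char)p[1])) return -1;
        pid = strtol(p + 1, &numend, 10);
        if (*numend != ']') return -1;
        out->pid = pid;
        p = numend + 1;
    }

    /* Field 4: ": " followed by the free-form message, truncated if oversized. */
    if (*p != ':') return -1;
    p++;
    if (*p == ' ') p++;
    n = strlen(p);
    if (n >= sizeof out->text) n = sizeof out->text - 1;
    memcpy(out->text, p, n);
    out->text[n] = '\0';
    return 0;
}

int main(void)
{
    /* Constructed sample datagram, matching the format shown on the page. */
    const char *sample = "<150>demo[1604]: syslog client at 10.0.0.6 started.";
    struct syslog_msg m;

    if (parse_syslog(sample, &m) != 0) {
        fprintf(stderr, "malformed syslog datagram\n");
        return 1;
    }
    printf("pri=%d facility=%d severity=%s tag=%s pid=%ld msg=%s\n",
           m.pri, m.facility, severity_name(m.severity), m.tag, m.pid, m.text);
    return 0;
}
```

For the sample line the decoder yields facility 18 (LOG_LOCAL2) and severity 6 (LOG_INFO), because 150 = (18 << 3) | 6. A collector should treat the facility and severity as hints chosen by the sender, not as a trust decision: a remote host can put LOG_AUTH or LOG_EMERG on anything it sends.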