--- title: Syslog audit event handler properties description: Configuration properties for the Syslog audit event handler in PingIDM, including protocol, host, port, facility, and severity field mappings component: pingidm version: 8.1 page_id: pingidm:audit-guide:audit-config-prop-syslog canonical_url: https://docs.pingidentity.com/pingidm/8.1/audit-guide/audit-config-prop-syslog.html keywords: ["Audit", "Logs", "Configuration", "Syslog", "Event", "Handlers", "Properties"] --- # Syslog audit event handler properties | | | | - | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | | The [JMS](configuring-topic-handlers.html#audit-jms-handler), [Repository](configuring-topic-handlers.html#audit-repo-handler), [Router](configuring-topic-handlers.html#audit-router-handler), and [Syslog](configuring-topic-handlers.html#audit-syslog-handler) audit event handlers are [deprecated](../release-notes/deprecated-functionality.html#deprecation-audit-event-handlers) and will be removed in a future release of IDM. Use the [JSON audit event handler](configuring-topic-handlers.html#audit-json-handler) or similar to export your data to a third-party audit framework, such as [Elastic Stack](https://www.elastic.co/elastic-stack). | | UI Label / Text | audit.json File Label | Description | | --------------------- | ----------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | | protocol | `protocol` | Transport protocol for Syslog messages; may be `TCP` or `UDP`. | | host | `host` | Host name or IP address of the receiving Syslog server. | | port | `port` | The TCP/IP port number of the receiving Syslog server. | | connectTimeout | `connectTimeout` | Timeout for connecting to the Syslog server (seconds). | | facility | `facility` | Options shown in the admin UI, `KERN`, `USER`, `MAIL`, `DAEMON`, `AUTH`, `SYSLOG`, `LPR`, `NEWS`, `UUCP`, `CRON`, `AUTPRIV`, `FTP`, `NTP`, `LOGAUDIT`, `LOGALERT`, `CLOCKD`, `LOCAL0`, `LOCAL1`, `LOCAL2`, `LOCAL3`, `LOCAL4`, `LOCAL5`, `LOCAL6`, `LOCAL7` correspond directly to facility values shown in [RFC 5424 - The Syslog Protocol](https://www.rfc-editor.org/rfc/rfc5424.html). | | SeverityFieldMappings | `severityFieldMappings` | Sets the correspondence between audit event fields and Syslog severity values. | | topic | `topic` | Severity Field Mappings: the audit event topic to which the mapping applies. | | field | `field` | Severity Field Mappings: the audit event field to which the mapping applies; taken from the JSON schema for the audit event content. | | Value Mappings | `valueMappings` | Severity Field Mappings: The map of audit event values to Syslog severities. Syslog severities may be: EMERGENCY, ALERT, CRITICAL, ERROR, WARNING, NOTICE, INFORMATIONAL, or DEBUG, in descending order of importance. | | Buffering | `buffering` | Disabled by default; all messages written immediately to the log. |