Syslog provides a flexible, simple means to generate, store, and transfer log messages that's supported on most UNIX and Linux operating systems.

The quasi-standard syslog message format cannot exceed 1 KB and has three important parts:

Specifies the message priority based on its facility and severity. The message facility is a numeric identifier that specifies the type of log messages, such as kernel messages and mail system messages. The severity is a numeric identifier that specifies the severity level of the operation that is being reported. Together, the facility and the severity determine the priority of the log message indicated by angled brackets and 1-3 digit priority number. For example, <0>, <13>, and <103> are valid representations of the PRI.
Timestamp and host name
The timestamp displays the current date and time of the log. The host name or IP address displays the source of the log.
Displays the actual log message.

You can configure syslog to handle log messages using log priorities that are based on the message’s facility and severity. This feature allows users to configure the logging system so that messages with high severities are sent to a centralized repository while lower severity messages are stored locally on a server.


Because the numeric values of the severity and facility are operating system-dependent, the central repository must only include syslog messages from compatible OS types. Otherwise, the meaning of the PRI field is ambiguous.