Syslog uses the User Datagram Protocol (UDP), port 514, for communication. Being a
connectionless protocol, UDP does not provide acknowledgments. Additionally, at the
application layer, syslog servers do not send acknowledgments back to the sender for
receipt of syslog messages. Consequently, the sending device generates syslog messages
without knowing whether the syslog server has received the messages. In fact, the sending
devices send messages even if the syslog server does not exist.
The syslog packet size is limited to 1024 bytes and carries the following information:
Facility
Severity
Hostname
Timestamp
Message
A clear understanding of each of the syslog packet parameters can help you easily deploy
syslog systems across your network. Note that the first two parameters, facility and severity,
are often misunderstood.
Facility
Syslog messages are broadly categorized on the basis of the sources that generate them.
These sources can be the operating system, a process, or an application. These categories,
called facilities, are represented by integers, as shown in Table 4-1. The local use facilities
are not reserved and are available for general use. Hence, processes and applications
that do not have pre-assigned facility values can choose any of the eight local use facilities.
Accordingly, Cisco devices use one of the local use facilities for sending syslog messages.
Table 4-1  Facility Values

Integer   Facility
0         Kernel messages
1         User-level messages
2         Mail system
3         System daemons
4         Security/authorization messages
5         Messages generated internally by syslogd
6         Line printer subsystem
7         Network news subsystem
8         UUCP subsystem
9         Clock daemon
10        Security/authorization messages
11        FTP daemon
12        NTP subsystem
13        Log audit
14        Log alert
15        Clock daemon
16        Local use 0 (local0)
17        Local use 1 (local1)
18        Local use 2 (local2)
19        Local use 3 (local3)
20        Local use 4 (local4)
21        Local use 5 (local5)
22        Local use 6 (local6)
23        Local use 7 (local7)
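The following decoder, added here as an illustration and not taken from the book or from any Cisco software, pulls the five fields listed above out of a single UDP syslog datagram and maps the facility integer to its Table 4-1 name. It assumes the BSD syslog layout from RFC 3164 (a <PRI> header where PRI = facility * 8 + severity, then timestamp, hostname and message), which the text does not spell out; the sample datagram and the hostname edge-rtr1 are constructed.

```python
import re
from dataclasses import dataclass

# Facility integers exactly as listed in Table 4-1 (RFC 3164 numbering).
FACILITIES = {
    0: "kernel messages", 1: "user-level messages", 2: "mail system",
    3: "system daemons", 4: "security/authorization messages",
    5: "messages generated internally by syslogd", 6: "line printer subsystem",
    7: "network news subsystem", 8: "UUCP subsystem", 9: "clock daemon",
    10: "security/authorization messages", 11: "FTP daemon", 12: "NTP subsystem",
    13: "log audit", 14: "log alert", 15: "clock daemon",
}
FACILITIES.update({16 + i: f"local use {i} (local{i})" for i in range(8)})

MAX_PACKET = 1024  # size limit stated in the text

# Assumed BSD layout: <PRI>TIMESTAMP HOSTNAME MESSAGE, with PRI = facility * 8 + severity.
_SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<msg>.*)$", re.DOTALL)


@dataclass
class SyslogMessage:
    facility: int
    severity: int
    hostname: str
    timestamp: str
    message: str
    facility_name: str


def parse_syslog(packet: bytes) -> SyslogMessage:
    """Decode one syslog datagram into the five fields the text lists."""
    if len(packet) > MAX_PACKET:
        raise ValueError(f"packet exceeds {MAX_PACKET} bytes")
    m = _SYSLOG_RE.match(packet.decode("ascii", errors="replace"))
    if not m:
        raise ValueError("not a BSD-format syslog message")
    pri = int(m["pri"])
    if pri > 191:  # 23 * 8 + 7 is the largest PRI that Table 4-1 allows
        raise ValueError(f"PRI {pri} out of range")
    facility, severity = divmod(pri, 8)
    return SyslogMessage(facility, severity, m["host"], m["ts"], m["msg"],
                         FACILITIES[facility])


# Constructed sample: a Cisco-style message sent on local7 (facility 23) at severity 5.
SAMPLE = b"<189>Mar 12 14:05:33 edge-rtr1 %SYS-5-CONFIG_I: Configured from console by vty0"
```

Because the transport gives no acknowledgment, a collector running this decoder only ever learns about the datagrams that actually arrived; a gap in the stream is invisible to the sender.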