syslog 协议及格式

官方文档：http://tools.ietf.org/html/rfc5424

 

6.  Syslog Message Format

 

6.2.  HEADER

6.2.1.  PRI

PRI=<Facility(0-23)*8+Severity(0-7)>

6.2.2.  VERSION

6.2.3.  TIMESTAMP

Example 1

        1985-04-12T23:20:50.52Z

Example 2

        1985-04-12T19:20:50.52-04:00

Example 3

        2003-10-11T22:14:15.003Z

Example 4

         2003-08-24T05:14:15.000003-07:00

6.2.4.  HOSTNAME

6.2.5.  APP-NAME

6.2.6.  PROCID

6.2.7.  MSGID

 

6.3.  STRUCTURED-DATA

6.3.1.  SD-ELEMENT

6.3.2.  SD-ID

6.3.3.  SD-PARAM

6.3.4.  Change Control

6.3.5.  Examples

Example 1 - Valid

       [exampleSDID@32473 iut="3" eventSource="Application" eventID="1011"]

This example is a structured data element with a non-IANA controlled

SD-ID of type "exampleSDID@32473", which has three parameters.

 

Example 2 - Valid

       [exampleSDID@32473 iut="3" eventSource="Application" eventID="1011"][examplePriority@32473 class="high"]

This is the same example as in 1, but with a second structured data

element.  Please note that the structured data element immediately

follows the first one (there is no SP between them).

 

Example 3 - Invalid

       [exampleSDID@32473 iut="3" eventSource="Application" eventID="1011"] [examplePriority@32473 class="high"]

       error : 两个SD之间，多一个空格SP character 

Example 4 - Invalid

       [ exampleSDID@32473 iut="3" eventSource="Application" eventID="1011"][examplePriority@32473 class="high"]

        error : 第一个SD内部，多一个空格SP character 

 

Example 5 - Valid

       [sigSig ver="1" rsID="1234" ... signature="..."]

Example 5 is a valid example.  It shows a hypothetical IANA-assigned

SD-ID.  The ellipses denote missing content, which has been left out

of this example for brevity.

 

 

6.4.  MSG

 

6.5.  Examples

Example 1 - with no STRUCTURED-DATA

    <34>1 2003-10-11T22:14:15.003Z mymachine.example.com su - ID47 - BOM'su root' failed for lonvick on /dev/pts/8

#header的8个部分用空格SP,分割，<34>1除外，因为不需要SP就可以分割，

#header与STRUCTURED-DATA，MSG也是用SP分割。

Facility : 4

Severity : 2

VERSION : 1

TIMESTAMP : 2003-10-11T22:14:15.003Z

HOSTNAME : mymachine.example.com

APP-NAME : su

PROCID : unknown indicated by "-" in the STRUCTURED-DATA field

MSGID : ID47

 

STRUCTURED-DATA : no this is indicated by "-" in the STRUCTURED-DATA field

形如[exampleSDID@32473 iut="3" eventSource="Application" eventID="1011"][examplePriority@32473 class="high"]

  BOM 是控制字符，以后再搞。

MSG : 'su root' failed for lonvick on /dev/pts/8

最后的是MSG，可以包含任意空格

 

Example 2 - with no STRUCTURED-DATA

     <165>1 2003-08-24T05:14:15.000003-07:00 192.0.2.1 myproc 8710 - - %% It's time to make the do-nuts.

 

Example 3 - with STRUCTURED-DATA

       <165>1 2003-10-11T22:14:15.003Z mymachine.example.com

       evntslog - ID47 [exampleSDID@32473 iut="3" eventSource=

       "Application" eventID="1011"] BOMAn application

       event log entry...

 

Example 4 - STRUCTURED-DATA Only, (no MSG)

 

       <165>1 2003-10-11T22:14:15.003Z mymachine.example.com

       evntslog - ID47 [exampleSDID@32473 iut="3" eventSource=

       "Application" eventID="1011"][examplePriority@32473

       class="high"]

This example shows a message with only STRUCTURED-DATA and no MSG

part.  This is a valid message.