What is Syslog, including Linux and Windows Servers, Ports and more.

What is Syslog and port number

Syslog, is a standardized way (or Protocol) of producing and sending Log and Event information from Unix/Linux and Windows systems (which produces Event Logs) and Devices (Routers, Firewalls, Switches, Servers, etc) over UDP Port 514 to a centralized Log/Event Message collector which is known as a Syslog Server.

One of the main reasons Syslog was so widely accepted throughout the industry was because of its simplicity – There is little to no uniformity or standardization when it comes to the content that a Device, Server or Operating system is written and sends log information.

It simply sends and transports messages over Syslog protocol with no acknowledgement of receipt (hence the use of UDP). Furthermore, there is no complex requirements between the Sending device and Receiving/Collecting Server, as Syslog messages are simply just sent regardless if there is a Receiver configured on the other end or not.

Kiwi Syslog Free

The Basics

Definition and Overview

Syslog stands for System Logging Protocol, and is used on Devices such as routers, switches, firewalls, wifi access points, Unix/Linux Servers (Windows servers use Event Logs, which can be used in conjunction with a Syslog server) and other network devices to store events or log messages locally within the device and send the Event/Log Information to a Collector (otherwise known as a Syslog Server) to collect, organize and filter all the logs and data. Simply, a Server or other Network device on your network can be Configured to generate Syslog/Event Messages and forward them to a Syslog Server (or Daemon), which then allows network administrators to track and monitor those networked devices of any issues or problems that need to be attended to immediately.

A message/event is sent from the Device to a collector (or Server) using UDP, which is a connectionless protocol. Messages are usually text and usually no larger than 1024 bytes. Since they are sent using UDP, no receipt of transmission or arrival is sent to the originator, which means that if a packet gets lost during transmission, its gone!

A Server/Daemon allows you to collect, filter, organize, setup alerts for certain events from one location within your network. Having all the log information data in one place also gives you the ability to create elaborate reports, diagrams and charts to visualize certain aspects of your systems and infrastructure.

Port and OSI Layer

Syslog is part of the Transport layer in the OSI Model, using User Datagram Protocol (UDP) to transport/transfer information across the network.

Syslog Port Number: UDP 514

Syslog Server/Daemon or Collector

The Server/Daemon listens for Syslog messages being sent to it, but unlike other monitoring protocols, such as SNMP, the server cannot Request information to be sent from a Device, as the protocol does not support that type of behavior. Simpy, its like watching Live Television, what they show you on Live TV is what you get, you cannot request for them to show you anything else, its a one-way broadcast.

Its recommended that Syslog Servers be heavily equipped with large amounts of Disk space, CPU and Memory for running larger reports and having a lengthy history of logs from multile devices, as well as keeping older events/logs for historical purposes.

Collecting, compiling and calculating large amounts of data, along with configuring alerts and monitors is a very important part of making sure you know the status of your network and the components that make it up.

What Makes a Syslog Message/Packet

A Syslog Packet is made up of 3 parts and cannot exceed 1,204 bytes (or 1 Kb):

  1. PRI – Priority Value
  2. HEADER – Header
  3. MSG – Message

PRI – Priority Value

The Priority Value is the first part of the Syslog Message, spanning exactly either 3, 4 or 5 characters and bound by Angle Brackets (“<” and “>”), and represents the Facility and theSeverity of the message.

Priority Values are calculated as follows: Facility Value * 8 + Severity Value = Priority Value

For example: if you get a “Mail System” Facility, the value is 2, and a Severity Value of 1 (Alert: action must be taken immediately), then the Priority Value = <17> (priority values are enclosed in Angle brackets, or inbetween less-than and greater-than brackets).

Facility and Severity values are coded Numerically with Decimal Values and have the following values assigned to them.

Facility Codes

Facility Codes is a component of either an application or operating system that generates a Log/Event Message from the table below:

Numerical CodeFacility
0kernel messages
1user-level messages
2mail system
3system daemons
4security/authorization messages
5messages generated internally by syslogd
6line printer subsystem
7network news subsystem
8UUCP subsystem
9clock daemon
10security/authorization messages
11FTP daemon
12NTP subsystem
13log audit
14log alert
15clock daemon
16local use 0
17local use 1
18local use 2
19local use 3
20local use 4
21local use 5
22local use 6
23local use 7


Severity Codes

Severity Codes is a numerical code or number that tranlates into a Severity Level or message. A list of Numerical Codes and its corresponding message are highlighted in the table below:

Numerical CodeSeverity
0Emergency: System is Unusable
1Alert: Action must be taken immediately
2Critical: Critical Conditions
3Error: Error Conditions
4Warning: Warning Conditions
5Notice: Normal but Significant Condition
6Informational: Informational messages
7Debug: Debug-Level messages



The header portion of a Syslog packet contains the following informatin:

  1. Timestamp – the Combination of the DATE and TIME that the message was initially generated (based on each individuals systems’ time). Be sure that each system’s time is in sync in order to maintain proper timestamps.
  2. Hostname or IP Addresss of the Network Device

MSG – (Message portion of the Packet)

The last part of the Syslog packet is the MSG, which will use the remainder of the available space of a packet. The MSG will contain information generated by the device with information regarding the log or event. The MSG contains 2 fields as well:

  1. TAG – indicates the Process or Program that has triggered or generated the message.
  2. CONTENT – contains details of the message.


Kiwi Syslog Download