# Syslog Formats

The forwarder supports three output formats. The format is selected in the GUI drop-down or via `--format` on the command line.
## RFC 5424 (IETF Syslog)

The modern syslog standard. Recommended for most deployments.

### Message Structure

### Example

```text
<134>1 2024-01-15T10:30:01.123456-05:00 MYHOST.corp.local aaEngine 6844 60381 [aaLog@50459 component="aaEngine" sessionID="a1b2c3d4" threadID="7890" logFlag="Warning"] \xEF\xBB\xBFPlatform connection lost to galaxy node
```
### Field Details

| Field | Source | Format |
|---|---|---|
| PRI | (facility * 8) + severity | Integer in angle brackets |
| VERSION | Always 1 | |
| TIMESTAMP | EventDateTime | `yyyy-MM-ddTHH:mm:ss.ffffffzzz` |
| HOSTNAME | HostFQDN | FQDN; `-` if empty |
| APP-NAME | ProcessName | Max 48 chars, spaces → underscores |
| PROCID | ProcessID | Integer; `-` if zero |
| MSGID | MessageNumber | Integer; `-` if zero |
| STRUCTURED-DATA | Metadata block | See below |
| BOM | UTF-8 BOM | `\xEF\xBB\xBF` per RFC 5424 section 6.4 |
| MSG | Message | Flattened/truncated as configured |
### Structured Data

The forwarder emits one structured data element, `aaLog@50459`, using private enterprise number 50459 (see the example above).

Parameter values are escaped per RFC 5424 (section 6.3.3): backslash (`\`), double-quote (`"`), and right-bracket (`]`) are each prefixed with `\`.
### TCP Framing

RFC 5424 over TCP uses RFC 6587 octet-counting: each message is prefixed with its length in octets followed by a single space.

Example:

```text
185 <134>1 2024-01-15T10:30:01...
```

Because the receiver reads exactly the announced number of octets, messages can safely contain newlines.
## RFC 3164 (BSD Syslog)

The legacy syslog format. Use when your receiver does not support RFC 5424.

### Message Structure

### Example

### Field Details
| Field | Source | Format |
|---|---|---|
| PRI | (facility * 8) + severity | Integer in angle brackets |
| TIMESTAMP | EventDateTime | `Mmm dd HH:mm:ss` (space-padded day) |
| HOSTNAME | HostFQDN | FQDN; `localhost` if empty |
| TAG | ProcessName | Max 32 chars; `aaLog` if empty |
| PID | ProcessID | Integer in brackets |
| MSG | Message | Flattened/truncated as configured |
### TCP Framing

Same as RFC 5424: RFC 6587 octet-counting.
## KVP (Key-Value Pairs)

A flat, human-readable format. Useful for receivers that parse structured key-value data (e.g., Splunk).

### Message Structure

```text
Timestamp="...", LogFlag="...", Message="...", HostFQDN="...", MessageNumber="...", ProcessID="...", ThreadID="...", Component="...", ProcessName="...", SessionID="...", EventFileTime="..."
```

### Example

```text
Timestamp="2024-01-15 10:30:01.123", LogFlag="Warning", Message="Platform connection lost to galaxy node", HostFQDN="MYHOST.corp.local", MessageNumber="60381", ProcessID="6844", ThreadID="7890", Component="aaEngine", ProcessName="aaEngine", SessionID="a1b2c3d4", EventFileTime="133500000000000000"
```

### TCP Framing

KVP messages are newline-delimited (no octet-counting). Each message ends with `\n`.
## Severity Mapping

The LogFlag field from each log record is mapped to a syslog severity value:

| LogFlag | Severity | Value | Description |
|---|---|---|---|
| critical | Critical | 2 | System is unusable |
| error | Error | 3 | Error conditions |
| failure | Error | 3 | Error conditions |
| warning | Warning | 4 | Warning conditions |
| success | Informational | 6 | Normal operation |
| info | Informational | 6 | Normal operation |
| debug | Debug | 7 | Debug-level messages |
| (other) | Informational | 6 | Default fallback |
The mapping is case-insensitive.
## Priority Calculation

The PRI value in syslog messages is calculated as:

```text
PRI = (facility * 8) + severity
```

For example, with facility=16 (local0) and severity=4 (warning):

```text
PRI = (16 * 8) + 4 = 132
```

This appears in the message as `<132>`.
## Message Sanitization

Before formatting, messages pass through two optional transformations:

### Flatten Messages

When enabled, multi-line messages are collapsed to a single line:

- Split on `\r\n`, `\n`, or `\r`
- Trim whitespace from each line
- Remove empty lines
- Join with ` | ` (a pipe with a space on each side, as in the example)

```text
Before: "Error in module\r\n at Method()\r\n at Main()"
After:  "Error in module | at Method() | at Main()"
```
### Truncate to Max Length

When a positive max-length is set and the message exceeds it:

- Truncate to the configured character count
- Append `...`

```text
Before (150 chars): "Very long message content that goes on and on..."
After (max 100):    "Very long message content that goes on and on and on and on and on and on and on and on and on an..."
```
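The formatting rules on this page (severity mapping, PRI, structured-data escaping, the BOM, RFC 6587 framing, flatten and truncate) pulled together in an added Python example; this is not the forwarder's own code. The record layout as a dict keyed by the page's source field names, the default facility local0 (16) and the constructed sample record are assumptions.

```python
import re
# Severity mapping from the page; lookup is case-insensitive, unknown -> 6.
SEVERITY = {"critical": 2, "error": 3, "failure": 3, "warning": 4,
            "success": 6, "info": 6, "debug": 7}
BOM = b"\xef\xbb\xbf"  # UTF-8 byte order mark that prefixes MSG

def severity_of(log_flag: str) -> int:
    return SEVERITY.get(log_flag.strip().lower(), 6)

def pri(facility: int, severity: int) -> int:
    return facility * 8 + severity  # e.g. local0 (16) + warning (4) = 132

def sd_escape(value: str) -> str:
    # RFC 5424 PARAM-VALUE escaping: '\', '"' and ']' get a backslash prefix.
    return re.sub(r'([\\"\]])', r'\\\1', value)

def flatten(msg: str) -> str:
    # Split on CRLF, LF or CR, trim each line, drop empties, join with " | ".
    parts = [p.strip() for p in re.split(r"\r\n|\n|\r", msg)]
    return " | ".join(p for p in parts if p)

def truncate(msg: str, max_len: int) -> str:
    # Only a positive max-length truncates; "..." is appended after the cut.
    return msg[:max_len] + "..." if 0 < max_len < len(msg) else msg

def nil(value) -> str:
    return str(value) if value else "-"  # RFC 5424 NILVALUE for empty/zero

def rfc5424(rec: dict, facility: int = 16, max_len: int = 0) -> bytes:
    # rec is a dict keyed by the page's source field names (assumption).
    msg = truncate(flatten(rec["Message"]), max_len)
    app = nil(rec["ProcessName"].replace(" ", "_")[:48])
    params = " ".join(f'{key}="{sd_escape(str(rec[src]))}"' for key, src in (
        ("component", "Component"), ("sessionID", "SessionID"),
        ("threadID", "ThreadID"), ("logFlag", "LogFlag")))
    header = (f"<{pri(facility, severity_of(rec['LogFlag']))}>1 "
              f"{rec['EventDateTime']} {nil(rec['HostFQDN'])} {app} "
              f"{nil(rec['ProcessID'])} {nil(rec['MessageNumber'])} "
              f"[aaLog@50459 {params}] ")
    return header.encode() + BOM + msg.encode("utf-8")

def frame(line: bytes) -> bytes:
    # RFC 6587 octet-counting: decimal byte length, one space, the message.
    return b"%d %s" % (len(line), line)

# Constructed sample record, modelled on the page's example line (hypothetical).
RECORD = {"EventDateTime": "2024-01-15T10:30:01.123456-05:00", "HostFQDN": "MYHOST.corp.local",
          "ProcessName": "aaEngine", "ProcessID": 6844, "MessageNumber": 60381, "ThreadID": 7890,
          "Component": "aaEngine", "SessionID": "a1b2c3d4", "LogFlag": "Warning",
          "Message": "Platform connection lost to galaxy node"}
```

`frame(rfc5424(RECORD))` yields the octet-counted TCP payload; note the sample produces `<132>` for a Warning on local0, so a receiver-side check that recomputes PRI from the logFlag SD-PARAM is a cheap way to catch misconfigured facilities.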