Linux Syslog
General system messages and application logs
Quick Facts
Default Path (Linux): /var/log/syslog
Default Format: RFC 3164 / RFC 5424
JSON Native: No
Rotation: logrotate
Log Example
Default format: RFC 3164 (BSD Syslog)
Example Log Entry:
Dec 20 14:32:18 webserver01 sshd[1234]: Accepted publickey for admin from 192.168.1.100 port 54321 ssh2
Structure:
<priority>timestamp hostname program[pid]: message
Paths by Platform
Debian / Ubuntu: /var/log/syslog
RHEL / CentOS: /var/log/messages
Arch: /var/log/syslog
Available Formats
RFC 3164 (BSD Syslog)
Default
Example:
Dec 20 14:32:18 webserver01 sshd[1234]: Accepted publickey for admin from 192.168.1.100 port 54321 ssh2
Structure:
<priority>timestamp hostname program[pid]: message
RFC 5424 (IETF Syslog)
Example:
<165>1 2025-12-20T14:32:18.123456+01:00 webserver01 sshd 1234 - - Accepted publickey for admin
Structure:
<priority>version timestamp hostname app-name procid msgid structured-data msg
Fields Reference
| Field | Type | Description | Example |
|---|---|---|---|
| priority | integer | Facility * 8 + Severity | 165 |
| timestamp | datetime | When the message was generated | Dec 20 14:32:18 |
| hostname | string | Originating host | webserver01 |
| program | string | Program or service name | sshd |
| pid | integer | Process ID | 1234 |
| message | string | Log message content | Accepted publickey for admin from 192.168.1.100 port 54321 ssh2 |
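The table above, and the grok and regex patterns in the next section, describe the fields in prose; the following Python parser is an added example (not code from the original page or from rsyslog) that extracts those fields from both RFC 3164 and RFC 5424 lines and decodes the PRI value into facility and severity using Facility * 8 + Severity. The facility and severity names are the standard ones from RFC 5424; the first two sample lines are the page's own examples, the remaining lines are constructed for this example, and the `at_least` helper shows the severity filtering a "system warnings and errors" use case relies on.

```python
"""Parse RFC 3164 and RFC 5424 syslog lines and decode the PRI field."""
import re
from typing import List, Optional

# RFC 3164 (BSD): optional <PRI>, then "timestamp hostname program[pid]: message".
# Lines already written to /var/log/syslog usually lack the <PRI> prefix;
# lines received over the network carry it.
RFC3164_RE = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?"
    r"(?P<timestamp>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+"
    r"(?P<hostname>\S+)\s+"
    r"(?P<program>[^\[\s:]+)(?:\[(?P<pid>\d+)\])?:\s+"
    r"(?P<message>.*)$"
)

# RFC 5424 (IETF): <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD [MSG].
# Structured data is "-" when absent, otherwise one or more [...] elements
# (escaped "]" inside SD params is not handled by this simplified pattern).
RFC5424_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>\d+)\s+"
    r"(?P<timestamp>\S+)\s+(?P<hostname>\S+)\s+(?P<program>\S+)\s+"
    r"(?P<pid>\S+)\s+(?P<msgid>\S+)\s+"
    r"(?P<sd>-|(?:\[[^\]]*\])+)"
    r"(?:\s+(?P<message>.*))?$"
)

# Facility codes 0-23 and severity codes 0-7 as defined in RFC 5424 section 6.2.1.
FACILITIES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


def decode_pri(pri: int) -> tuple:
    """Split a PRI value into (facility_name, severity_name); PRI = facility * 8 + severity."""
    if not 0 <= pri <= 191:  # 23 * 8 + 7 is the largest legal PRI
        raise ValueError(f"PRI out of range: {pri}")
    return FACILITIES[pri // 8], SEVERITIES[pri % 8]


def parse_syslog(line: str) -> Optional[dict]:
    """Return the fields of an RFC 5424 or RFC 3164 line, or None if neither format matches."""
    m, fmt = RFC5424_RE.match(line), "rfc5424"
    if m is None:
        m, fmt = RFC3164_RE.match(line), "rfc3164"
    if m is None:
        return None
    fields = m.groupdict()
    fields["format"] = fmt
    # RFC 5424 uses "-" as the nil value for procid, msgid and structured-data.
    for key in ("pid", "msgid", "sd"):
        if fields.get(key) == "-":
            fields[key] = None
    if isinstance(fields.get("pid"), str) and fields["pid"].isdigit():
        fields["pid"] = int(fields["pid"])
    fields["facility"] = fields["severity"] = None
    if fields.get("pri") is not None:
        fields["pri"] = int(fields["pri"])
        try:
            fields["facility"], fields["severity"] = decode_pri(fields["pri"])
        except ValueError:
            pass  # keep the raw PRI but leave facility/severity undecoded
    return fields


def at_least(entries: List[dict], severity: str = "warning") -> List[dict]:
    """Keep entries at the given severity or worse (lower severity code = more severe)."""
    threshold = SEVERITIES.index(severity)
    return [e for e in entries
            if e.get("severity") is not None and SEVERITIES.index(e["severity"]) <= threshold]


# The first two lines are the page's examples; the rest are constructed for this example.
SAMPLE_LINES = [
    "Dec 20 14:32:18 webserver01 sshd[1234]: Accepted publickey for admin from 192.168.1.100 port 54321 ssh2",
    "<165>1 2025-12-20T14:32:18.123456+01:00 webserver01 sshd 1234 - - Accepted publickey for admin",
    "<30>Dec 20 14:35:02 webserver01 systemd[1]: Started OpenBSD Secure Shell server.",  # daemon.info
    "<27>Dec 20 14:36:40 webserver01 nginx: worker process exited on signal 11",       # daemon.err, no pid
    "this line is not syslog at all",
]

if __name__ == "__main__":
    parsed = [parse_syslog(line) for line in SAMPLE_LINES]
    for raw, entry in zip(SAMPLE_LINES, parsed):
        label = f"{entry['format']} {entry['facility']}.{entry['severity']}" if entry else "unparsed"
        print(f"{label:28} {raw[:60]}")
    errors = at_least([e for e in parsed if e], "err")
    print(f"{len(errors)} entry/entries at severity err or worse")
```

Note that entries read back from /var/log/syslog in RFC 3164 form carry no PRI, so their facility and severity come back as None; to filter by severity at the collector, either consume RFC 5424 output or keep the PRI when receiving over the network.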
Parsing Patterns
Grok Patterns
rfc3164:
%{SYSLOGTIMESTAMP:timestamp} %{SYSLOGHOST:hostname} %{DATA:program}(?:\[%{POSINT:pid}\])?: %{GREEDYDATA:message}
Regular Expressions
rfc3164:
^(?P<timestamp>\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+(?P<hostname>\S+)\s+(?P<program>[^\[\s]+)(?:\[(?P<pid>\d+)\])?:\s+(?P<message>.*)$
Collector Configurations
Logstash
filter {
  grok {
    match => { "message" => "%{SYSLOGTIMESTAMP:timestamp} %{SYSLOGHOST:hostname} %{DATA:program}(?:\[%{POSINT:pid}\])?: %{GREEDYDATA:syslog_message}" }
  }
}
Configuration
Enable Logging
Directive (rsyslog selector: every facility at severity info or more severe, written to the file):
*.info /var/log/syslog
Log Rotation
Tool: logrotate | Config: /etc/logrotate.d/rsyslog
/etc/logrotate.d/rsyslog
/var/log/syslog {
rotate 7
daily
missingok
notifempty
delaycompress
compress
postrotate
/usr/lib/rsyslog/rsyslog-rotate
endscript
}
Use Cases
Service status
Monitor service start/stop events
Fields: program, message
System health
Track system warnings and errors
Fields: message
Troubleshooting
Tested On
rsyslog 8.2312 on Ubuntu 24.04
linux_expert - 2025-12-10
Last updated: 2025-12-10 by linux_expert