SYSLOG Output Format Message Structure

The SYSLOG output format generates messages formatted according to the Syslog specifications described in RFC 3164.
Syslog messages consist of six parts, and the SYSLOG output format provides parameters that allow users to assign constants or output record fields to the different parts of a message.

A sample Syslog message is formatted as follows:

<14>Nov 11 16:05:33 MYSERVER-M LogParser:The service was started.

This message consists of the following parts:

PRI: <14>
The PRI part is bound with angle brackets and contains a decimal Priority value, which in turn is built as follows:
- The first 7 bits contain the facility value, describing the origin of the message;
- The last 3 bits contain the severity value, describing the importance of the message.
HEADER: Nov 11 16:05:33 MYSERVER-M
The HEADER part consists of the following two elements:
- A timestamp value, indicating the local time at which the message was generated;
- A hostname value, indicating the host on which the message originated.
MSG: LogParser:The service was started.
The MSG part consists of the following two elements:
- A tag value, indicating the name of the program or process that generated the message, followed by a colon character (":");
- A content value, containing the details of the message.

Facility

The facility value is represented by the upper 7 bits of the priority value in the PRI part of the message, and it describes the application or operating system component that originated the message. For a detailed list of the numeric values designated for well-known operating system components, refer to RFC 3164.
The following table shows the names assigned to the most common facility values:

Numerical Value	Facility Name
0	kern
1	user
2	mail
3	daemon
4	auth
5	mark
6	lpr
7	news
8	uucp
9	cron
10	auth2
11	ftp
12	ntp
13	logaudit
14	logalert
15	clock
16	local0
17	local1
18	local2
19	local3
20	local4
21	local5
22	local6
23	local7

In the previous example message, the priority value "14" indicates a facility value of 1 ("user").

The facility parameter of the SYSLOG output format allows users to control the value of the facility field in the output messages.
This parameter can be set to any of the following values:

A numeric value, such as "1" or "23";
The name of a facility value, such as "user" or "local7";
The name or the 1-based index of an output record field prepended with a dollar character ("$"), such as "$MyFacility" or "$2". The specified output record field must be of either the INTEGER data type - in which case its values are assumed to be numerical facility values, or of the STRING data type - in which case its values are assumed to be facility names among those described in the previous table.
When an output record field value does not contain a recognized facility name or it contains a facility value greater than 23, the SYSLOG output format uses a default facility value of 1 ("user").

The following example query returns event messages from the System event log together with a "MyFacility" field that maps each event source to a Syslog facility name:

SELECT CASE SourceName
		 WHEN 'EventLog' THEN 'mark'
		 WHEN 'Service Control Manager' THEN 'daemon'
		 WHEN 'Print' THEN 'lpr'
		 WHEN 'Kerberos' THEN 'auth'
		 WHEN 'NETLOGON' THEN 'logaudit'
		 WHEN 'Application Popup' THEN 'local7'
		 ELSE 'local0'
	 END AS MyFacility,
	 Message
INTO SYSLOG
FROM System

This query can be executed with the following command, which specifies that the facility value of each output message is to be retrieved from the "MyFacility" output record field:

LogParser file:MyQuery.sql -o:SYSLOG -conf:Myconfig.conf -facility:$MyFacility

The Syslog messages generated by this command will look like the following examples:

<134>Nov 13 18:17:25 MYSERVER-M LogParser:The service was started. 
<46>Nov 13 18:17:46 MYSERVER-M LogParser:The Event log service was started. 
<30>Nov 13 18:17:46 MYSERVER-M LogParser:The Telephony service entered the running state. 
<46>Nov 13 18:17:46 MYSERVER-M LogParser:The Event log service was stopped. 
<134>Nov 13 18:17:46 MYSERVER-M LogParser:The service was started. 
<46>Nov 13 18:17:46 MYSERVER-M LogParser:The Event log service was started. 
<30>Nov 13 18:17:46 MYSERVER-M LogParser:The Telephony service entered the running state. 
<46>Nov 13 18:17:46 MYSERVER-M LogParser:The Event log service was stopped. 
<134>Nov 13 18:17:46 MYSERVER-M LogParser:The service was started. 
<46>Nov 13 18:17:46 MYSERVER-M LogParser:The Event log service was started. 
<30>Nov 13 18:17:46 MYSERVER-M LogParser:The Telephony service entered the running state.

The upper 7 bits of the priority field of each of these messages contain the facility value provided by the "MyFacility" output record field.

Severity

The severity value is represented by the lower 3 bits of the priority value in the PRI part of the message, and it describes the importance of the message. For a detailed description of the different values of the severity field, refer to RFC 3164.
The following table shows the names commonly assigned to the different severity values:

Numerical Value	Severity Name
0	emerg
1	alert
2	crit
3	err
4	warning
5	notice
6	info
7	debug

For example, a priority value of "14" indicates a severity value of 6 ("info").

The severity parameter of the SYSLOG output format allows users to control the value of the severity field in the output messages.
This parameter can be set to any of the following values:

A numeric value, such as "1" or "7";
The name of a severity value, such as "alert" or "debug";
The name or the 1-based index of an output record field prepended with a dollar character ("$"), such as "$MySeverity" or "$2". The specified output record field must be of either the INTEGER data type - in which case its values are assumed to be numerical severity values, or of the STRING data type - in which case its values are assumed to be severity names among those described in the previous table.
When an output record field value does not contain a recognized severity name or it contains a severity value greater than 7, the SYSLOG output format uses a default severity value of 6 ("info").

The following example query returns event messages from the System event log together with a "MySeverity" field that maps each event type to a Syslog severity name:

SELECT CASE EventTypeName
		 WHEN 'Error event' THEN 'err'
		 WHEN 'Warning event' THEN 'warning'
		 WHEN 'Information event' THEN 'info'
		 ELSE 'info'
	 END AS MySeverity,
	 Message
INTO SYSLOG
FROM System

This query can be executed with the following command, which specifies that the severity value of each output message is to be retrieved from the "MySeverity" output record field:

LogParser file:MyQuery.sql -o:SYSLOG -conf:Myconfig.conf -severity:$MySeverity

The Syslog messages generated by this command will look like the following examples:

<14>Nov 13 21:42:15 MYSERVER-M LogParser:The Event log service was started. 
<11>Nov 13 21:42:15 MYSERVER-M LogParser:The Computer Browser service terminated with service-specific error 2550 (0x9F6). 
<14>Nov 13 21:42:15 MYSERVER-M LogParser:The Terminal Services service was successfully sent a start control. 
<12>Nov 13 21:42:15 MYSERVER-M LogParser:A request to suspend power was denied by winlogon.exe. 
<14>Nov 13 21:42:15 MYSERVER-M LogParser:The Event log service was stopped.

The lower 3 bits of the priority field of each of these messages contain the severity value provided by the "MySeverity" output record field.

Timestamp

The timestamp field indicates the local time at which the message was originated, and it is usually formatted as follows:

Nov 11 16:05:33

If the first field in the query output records is of the TIMESTAMP data type, the SYSLOG output format will use the field values to populate the timestamp field in the output messages.
On the other hand, if the first field is not of the TIMESTAMP data type, the SYSLOG output format will use the current local time.

The following example query returns event messages from the System event log together with the date and time at which the events have been generated:

SELECT TimeGenerated,
	 Message
INTO SYSLOG
FROM System
WHERE SourceName = 'EventLog'

The Syslog messages generated by this query will look like the following examples:

<14>Apr 18 18:48:04 MYSERVER-M LogParser:The Event log service was started. 
<14>Apr 18 18:51:37 MYSERVER-M LogParser:The Event log service was stopped. 
<14>Apr 18 19:20:07 MYSERVER-M LogParser:Microsoft (R) Windows (R) 5.01. 2600 Service Pack 1 Uniprocessor Free. 
<14>Apr 18 19:20:07 MYSERVER-M LogParser:The Event log service was started. 
<14>Apr 18 19:33:17 MYSERVER-M LogParser:The Event log service was stopped. 
<14>Apr 19 07:01:41 MYSERVER-M LogParser:Microsoft (R) Windows (R) 5.01. 2600 Service Pack 1 Uniprocessor Free. 
<14>Apr 19 07:01:41 MYSERVER-M LogParser:The Event log service was started. 
<14>Apr 19 07:29:19 MYSERVER-M LogParser:The Event log service was stopped.

Hostname

The hostname field indicates the server on which the message originated.

The hostName parameter of the SYSLOG output format allows users to control the value of the hostname field in the output messages.
This parameter can be set to any of the following values:

The "localhost" keyword, specifying that the field should be populated with the local computer name;
A generic string indicating the desired host name, such as "MYCOMPUTER";
The name or the 1-based index of an output record field prepended with a dollar character ("$"), such as "$MyHostname" or "$2". The specified output record field must be of the STRING data type, and its values will be used to populate the hostname field in the output messages.

When no value is specified for the "hostName" parameter, the hostname field is automatically populated with the local computer name.

The following example query returns event messages from the System event log of different computers, together with the computer name on which the event originated:

SELECT Message,
	 ComputerName
INTO SYSLOG
FROM \\MYSERVER01\System,\\MYSERVER02\System,\\MYSERVER03\System

This query can be executed with the following command, which specifies that the hostname field of each output message is to be retrieved from the second output record field:

LogParser file:MyQuery.sql -o:SYSLOG -conf:Myconfig.conf -hostName:$2

The Syslog messages generated by this command will look like the following examples:

<14>Nov 13 22:07:11 MYSERVER03 LogParser:Microsoft (R) Windows (R) 5.01. 2600 Service Pack 1 Uniprocessor Free. 
<14>Nov 13 22:07:11 MYSERVER03 LogParser:The Event log service was started. 
<14>Nov 13 22:07:11 MYSERVER01 LogParser:The Terminal Services service was successfully sent a start control. 
<14>Nov 13 22:07:11 MYSERVER02 LogParser:The Network Connections service was successfully sent a start control. 
<14>Nov 13 22:07:11 MYSERVER01 LogParser:The Terminal Services service entered the running state. 
<14>Nov 13 22:07:11 MYSERVER02 LogParser:The Network Connections service entered the running state. 
<14>Nov 13 22:07:11 MYSERVER02 LogParser:The SSDP Discovery Service service was successfully sent a start control. 
<14>Nov 13 22:07:11 MYSERVER03 LogParser:The SSDP Discovery Service service was successfully sent a start control.

Content

The content field contains the details of the message, and its value is built by the SYSLOG output format by concatenating the values of all the output record fields, excluding those fields that are used for the values of the facility, severity, timestamp, hostname, and tag message fields.

The following example query returns information from the System event log:

SELECT SourceName,
	 EventTypeName,
	 EventCategoryName,
	 Message
INTO SYSLOG
FROM System

The Syslog messages generated by this query will look like the following examples:

<14>Nov 13 22:27:17 MYSERVER-M LogParser:EventLog Information event None Microsoft (R) Windows (R) 5.01. 2600 Service Pack 1 Uniprocessor Free. 
<14>Nov 13 22:27:17 MYSERVER-M LogParser:EventLog Information event None The Event log service was started. 
<14>Nov 13 22:27:17 MYSERVER-M LogParser:Service Control Manager Error event None The Computer Browser service terminated with service-specific error 2550 (0x9F6). 
<14>Nov 13 22:27:17 MYSERVER-M LogParser:EventLog Information event None The Event log service was stopped. 
<14>Nov 13 22:27:17 MYSERVER-M LogParser:Ati HotKey Poller Information event None The service was started. 
<14>Nov 13 22:27:17 MYSERVER-M LogParser:EventLog Information event None Microsoft (R) Windows (R) 5.01. 2600 Service Pack 1 Uniprocessor Free. 
<14>Nov 13 22:27:17 MYSERVER-M LogParser:EventLog Information event None The Event log service was started. 
<14>Nov 13 22:27:17 MYSERVER-M LogParser:EventLog Information event None The Event log service was stopped.

SYSLOG Output Format Message Structure

Facility

Severity

Timestamp

Hostname

Tag

Content