What is this?

This knowledgebase contains questions and answers about PRTG Network Monitor and network monitoring in general.

Learn more

PRTG Network Monitor

Intuitive to Use. Easy to manage.
More than 500,000 users rely on Paessler PRTG every day. Find out how you can reduce cost, increase QoS and ease planning, as well.

Free Download

Top Tags

View all Tags

Which format for syslog messages?



I was doing some tests with the newly introduced PRTG Syslog-Receiver Sensor. Now I have the problem that I don’t know how the syslog message has to be sent that PRTG will be able to interpret the message correct for recognizing the additional fields like “Name of the App”, “Process ID”, “Msg ID” and “Data”. Right now our devices (Paloalto Firewall) are sending the messages in a format that the whole message will be displayed in the “Message” field.

format message syslog

Created on Feb 27, 2014 1:26:09 PM

6 Replies



PRTG supports the "original" BSD Syslog Protocol ( RFC3164 http://www.ietf.org/rfc/rfc3164.txt ) and the "new" RFC5424 ( http://tools.ietf.org/html/rfc5424 )

Not all fields are included in both formats.

If the whole message is in the message field there is usually a problem with parsing the timestamp at the beginning of the message (there are a lot of different formats).

You can activate the "Log Data to Disk" option at the very end of the syslog sensor settings and send us the the generated logfile to check the message format. The file is located in the "'Logs (Debug)\" folder and has the name "UDP Debug Port x.log" (with X the port number used for the syslogs).

Created on Feb 27, 2014 3:00:06 PM by  Jens Rupp [Paessler Support]



In my case there is not the whole message in the message field. The field identifier (the one between Facility and Severity) seems to work. There it looks like that any other sign than an alphanumeric character is identified as an separator (for example: identier,message........). Are there some other separators to use that after the message the other field will be recognized?

Created on Feb 28, 2014 2:08:07 PM



If you are using BSD style syslog messages and the timestamp is read correctly please read section 4.1.3 of the RFC:

   The MSG part has two fields known as the TAG field and the CONTENT
   field.  The value in the TAG field will be the name of the program or
   process that generated the message.  The CONTENT contains the details
   of the message.  This has traditionally been a freeform message that
   gives some detailed information of the event.  The TAG is a string of
   ABNF alphanumeric characters that MUST NOT exceed 32 characters.  Any
   non-alphanumeric character will terminate the TAG field and will be
   assumed to be the starting character of the CONTENT field.  Most
   commonly, the first character of the CONTENT field that signifies the
   conclusion of the TAG field has been seen to be the left square
   bracket character ("["), a colon character (":"), or a space
   character.  This is explained in more detail in Section 5.3.

The other fields (beyond severity, facility, timestamp) are only available in the new syslog format.

Created on Mar 3, 2014 8:17:43 AM by  Jens Rupp [Paessler Support]

Last change on Mar 3, 2014 8:19:08 AM by  Jens Rupp [Paessler Support]



Hello Paessler,

I also recently fired up the new syslog sensor and was able to recieve messages, although some fields are missing.

I send the log data via the rfc5424 format, example: <30>1 2014-07-31T13:47:30.957146+02:00 host1 snmpd 23611 - - Connection from UDP: []:58374->[] and the sensor puts facility, severity, hostname and msg into the according fields.

However timestamp misses the microseconds, and the app-name + procid is completely missing.

Am I missing something or is the sensor parser not yet complete/robust?

Regards, Andreas John

Created on Jul 31, 2014 1:51:50 PM



This sensor is still in Beta so it's not yet "complete" in the sense that there are still a few bugs that we are working out. The app-name + procid not showing is a bug that is going to be fixed in one of the next versions (it should be in the preview version soon) but the milliseconds is something that we ignore from the messages.

Created on Aug 4, 2014 9:39:51 AM by  Greg Campion [Paessler Support]



Thanks for your reply,

I'm glad to see that the bugs are known and handled, so I happily wait for the next version.

Regards Andreas John

Created on Aug 5, 2014 7:27:47 AM

Disclaimer: The information in the Paessler Knowledge Base comes without warranty of any kind. Use at your own risk. Before applying any instructions please exercise proper system administrator housekeeping. You must make sure that a proper backup of all your data is available.