AppName (string)

This field contains APP-NAME, which identifies the device or application that originated the message.

Facility (int)

This field contains the numerical code of the facility in the Priority value (PRIVAL).

HostName (string)

This field contains HOSTNAME and identifies the machine that originally sent the Syslog message.

Msg (string)

This field contains MSG, a free-form message that provides information about the event.

MsgId (string)

This field contains MSGID and is used to identify the message type. For example, a firewall might use the MSGID "TCPIN" for incoming TCP traffic and "TCPOUT" for outgoing TCP traffic.

ProcId (string)

This field contains PROCID. The PROCID field is often used to provide the process name or process ID associated with a Syslog system.

Severity (int)

This field contains the numerical code of the severity in the Priority value (PRIVAL). It is used to specify the type of program that is logging the message.

StructuredData (map<string,map<string,map>>)

This field contains STRUCTURED-DATA.

This field is stored in a map that in itself contains maps of SD-ELEMENT. An SD-ELEMENT consists of a key and parameter key-value pairs. The key is referred to as SD-ID. The key-value pairs are referred to as SD-PARAM.

SD-ID is case-sensitive and uniquely identify the type and purpose of the SD-ELEMENT.

Each SD-PARAM consists of a key, referred to as PARAM-NAME, and a value, referred to as PARAM-VALUE.

Open

STRUCTURED-DATA

Timestamp (string)

 This field contains TIMESTAMP.

Version (int)

This field indicates the compliance level of the incoming messages.

0 - Compliant with RFC3164

1 - Compliant with RFC5424

If the message contains PRI followed by VERSION, the agent will interpret it as compliant with RFC5424. If the message does not contain PRI or VERSION, it will be interpreted as compliant with RFC3164.

RFC5424 is more restrictive compared to RFC3164, and deviations from the specification in any of the subsequent message fields will cause decoding errors.