Syslog Payload Format

Examination of the payload shows that several standard data fields are present in every message. Messages also contain event-specific (non-standard) data fields that provide more information about the particular event. Here, we discuss the standard data fields.

site

The hostname of the site for which the BeyondTrust software was built, i.e. the site that generated the event.

who

The username associated with this event.

who_ip

The IP address of the system from which the event originated.

event

The name of the event that occurred.

Each of these fields is present somewhere within the payload, but their order is not fixed, so a consumer should look fields up by name rather than by position. Of the four, the most significant is the event field: its value indicates what actually occurred.

Oct 12 14:58:35 example_host BG: 1234:01:01:site=access.example.com;who=John Smith(jsmith);who_ip=192.168.1.1;event=login;target=web/login;status=success

From the example, it can be determined that this particular message was generated by a login attempt. The remaining payload provides information about that event. In this case, the login attempt was against the /login administrative interface (target=web/login), and it succeeded (status=success).

Syslog messages stack in order of occurrence. In the example below, a user attempts to log in but is required to change their password. The user first tries an invalid new password, then sets one that matches the site's security policy, and then logs in successfully. Where the string …<data truncated>… occurs, extraneous data was removed to make the example messages more readable; the marker is not part of the real message.

Oct 12 14:53:24 example_host BG: 1234:01:01:site=access.example.com;…<data truncated>…event=login;status=failure;reason=change_password
Oct 12 14:53:43 example_host BG: 1234:01:01:site=access.example.com;…<data truncated>…event=change_password;status=failure;reason=invalid password
Oct 12 14:54:02 example_host BG: 1234:01:01:site=access.example.com;…<data truncated>…event=change_password;status=success
Oct 12 14:54:03 example_host BG: 1234:01:01:site=access.example.com;…<data truncated>…event=login;status=success
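The following is an added example, not BeyondTrust code, of how a consumer would handle this format: it parses the header and the `key=value;` payload into a dictionary keyed by field name (so field order does not matter), reconstructs a user's event timeline like the sequence above, and runs a simple detection that counts failed logins per source address while excluding `reason=change_password`, which is a forced password change rather than a bad credential. It assumes that the `BG:` tag and the `1234:01:01:` prefix can be treated as an opaque header, and that a `who` value of the form `Display Name(login)` yields the login name in parentheses; the sample log lines are constructed to mirror the page's examples, and the fourth line deliberately shuffles the field order.

```python
"""Parse BeyondTrust-style syslog lines and run a small detection over them.

Added example, not BeyondTrust code. Assumptions not stated on the page:
  * the "BG:" tag and the "1234:01:01:" prefix are treated as an opaque header;
  * a "who" value "Display Name(login)" yields the login inside the parentheses;
  * SAMPLE_LOG is constructed to mirror the page's examples (not real data).
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

STANDARD_FIELDS = ("site", "who", "who_ip", "event")

HEADER_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "  # BSD syslog timestamp (no year)
    r"(?P<host>\S+) BG: "                                  # originating host and tag
    r"(?P<msgid>\d+:\d{2}:\d{2}):"                         # assumed opaque message prefix
    r"(?P<payload>.*)$"
)
WHO_RE = re.compile(r"\(([^()]+)\)\s*$")

# Constructed sample: the page's forced-password-change sequence for jsmith,
# followed by a burst of failed logins from a second address.
SAMPLE_LOG = """\
Oct 12 14:53:24 example_host BG: 1234:01:01:site=access.example.com;who=John Smith(jsmith);who_ip=192.168.1.1;event=login;target=web/login;status=failure;reason=change_password
Oct 12 14:53:43 example_host BG: 1234:01:01:site=access.example.com;who=John Smith(jsmith);who_ip=192.168.1.1;event=change_password;status=failure;reason=invalid password
Oct 12 14:54:02 example_host BG: 1234:01:01:site=access.example.com;who=John Smith(jsmith);who_ip=192.168.1.1;event=change_password;status=success
Oct 12 14:54:03 example_host BG: 1234:01:01:who=John Smith(jsmith);event=login;target=web/login;status=success;site=access.example.com;who_ip=192.168.1.1
Oct 12 14:58:10 example_host BG: 1234:01:01:site=access.example.com;who=Jane Doe(jdoe);who_ip=203.0.113.7;event=login;target=web/login;status=failure;reason=invalid password
Oct 12 14:58:15 example_host BG: 1234:01:01:site=access.example.com;who=Jane Doe(jdoe);who_ip=203.0.113.7;event=login;target=web/login;status=failure;reason=invalid password
Oct 12 14:58:21 example_host BG: 1234:01:01:site=access.example.com;who=Jane Doe(jdoe);who_ip=203.0.113.7;event=login;target=web/login;status=failure;reason=invalid password
Oct 12 14:58:40 example_host BG: 1234:01:01:site=access.example.com;who=Jane Doe(jdoe);who_ip=203.0.113.7;event=login;target=web/login;status=success
"""


def parse_payload(payload):
    """Split 'key=value;key=value' into a dict. Order is not fixed, so key on names.
    Only the first '=' splits a pair, so values such as target=web/login or
    who=John Smith(jsmith) survive intact; tokens without '=' are ignored."""
    fields = {}
    for token in payload.split(";"):
        if "=" not in token:
            continue
        key, value = token.split("=", 1)
        fields[key.strip()] = value.strip()
    return fields


def parse_line(line):
    """Return {'ts', 'host', 'msgid', 'fields'} or None if the line is malformed
    or lacks one of the standard fields."""
    m = HEADER_RE.match(line)
    if m is None:
        return None
    fields = parse_payload(m["payload"])
    if any(f not in fields for f in STANDARD_FIELDS):
        return None
    # The BSD timestamp carries no year; strptime yields 1900, fine for deltas.
    ts = datetime.strptime(" ".join(m["ts"].split()), "%b %d %H:%M:%S")
    return {"ts": ts, "host": m["host"], "msgid": m["msgid"], "fields": fields}


def parse_log(text):
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def login_name(who):
    """'John Smith(jsmith)' -> 'jsmith' (assumed format; falls back to the raw value)."""
    m = WHO_RE.search(who)
    return m.group(1) if m else who


def timeline(records, login):
    """Events for one login, in order of occurrence, as (event, status, reason)."""
    mine = [r for r in records if login_name(r["fields"]["who"]) == login]
    return [(r["fields"]["event"], r["fields"].get("status"), r["fields"].get("reason"))
            for r in sorted(mine, key=lambda r: r["ts"])]


def failed_login_bursts(records, threshold=3, window=timedelta(seconds=60)):
    """Flag (who_ip, login) pairs with >= threshold failed logins inside `window`.
    reason=change_password is a forced password change, not a bad credential,
    so it is not counted."""
    by_actor = defaultdict(list)
    for r in records:
        f = r["fields"]
        if f["event"] == "login" and f.get("status") == "failure" \
                and f.get("reason") != "change_password":
            by_actor[(f["who_ip"], login_name(f["who"]))].append(r["ts"])
    alerts = []
    for actor, times in by_actor.items():
        times.sort()
        if any(times[i + threshold - 1] - times[i] <= window
               for i in range(len(times) - threshold + 1)):
            alerts.append(actor)
    return alerts


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for step in timeline(recs, "jsmith"):
        print(step)
    print("bursts:", failed_login_bursts(recs))
```

Two practical points: the parser rejects any message missing a standard field rather than guessing, and the detection keys on the source address plus the login name extracted from `who`, so a burst against one account from one address is caught while a single `reason=change_password` failure, which the page explains is expected during a forced password change, produces no alert.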