Data Fields

A formatted text can include any number of fields enclosed in braces ({…}). A field name can be followed by one or more modifiers, separated by vertical bars (|).

Common Message Fields

RECEIVED

The timestamp the message was received by the Syslog Watcher server. There are 6 options available.

  • RECEIVED - timestamp in microseconds, the storage timezone

  • RECEIVED_UTC - timestamp in microseconds, UTC

  • RECEIVED_MS - timestamp rounded to milliseconds, the storage timezone

  • RECEIVED_MS_UTC - timestamp rounded to milliseconds, UTC

  • RECEIVED_S - timestamp rounded to seconds, the storage timezone

  • RECEIVED_S_UTC - timestamp rounded to seconds, UTC

ORIGINATOR

There are two fields associated with the message originator.

  • ORIGINATOR_ID - the originator’s identification (ID). Example: 123

  • ORIGINATOR_NAME - the originator’s name

SEVERITY

  • SEVERITY - the message severity level in text form, e.g., Emergency

  • SEVERITY_NUM - the message severity level in numeric form (0-7)

FACILITY

  • FACILITY - the facility level in text form, e.g., Kernel

  • FACILITY_NUM - the facility level in numeric form (0-23)

PRIORITY

The priority prefix is a number equal to FACILITY_NUM * 8 + SEVERITY_NUM. It is usually needed to form a correct syslog message for forwarding.

RAW_MESSAGE

The entire message, as received, except for the priority prefix.

Example 1.

To forward a syslog message in the same form as it was received without modification, use <{PRIORITY}>{RAW_MESSAGE}.
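The following is an added example, not part of Syslog Watcher or this page: it splits a received line into the fields listed above (PRIORITY decomposed into FACILITY_NUM and SEVERITY_NUM, RAW_MESSAGE as everything after the prefix, the RECEIVED_*_UTC timestamps) and renders the forwarding template. The severity and facility name tables beyond "Emergency" and "Kernel", the sample line and the receipt time are assumptions; field modifiers (|) are not implemented.

```python
import re
from datetime import datetime, timezone

# Standard syslog code tables (RFC 5424 numbering). The page itself names only
# "Emergency" (severity 0) and "Kernel" (facility 0); the other names are conventional.
SEVERITIES = ["Emergency", "Alert", "Critical", "Error", "Warning", "Notice",
              "Informational", "Debug"]
FACILITIES = ["Kernel", "User", "Mail", "Daemon", "Auth", "Syslog", "Lpr", "News",
              "Uucp", "Cron", "Authpriv", "Ftp", "Ntp", "Audit", "Alert", "Clock",
              "Local0", "Local1", "Local2", "Local3", "Local4", "Local5", "Local6", "Local7"]
PRI_RE = re.compile(r"^<(\d{1,3})>(.*)\Z", re.DOTALL)
FIELD_RE = re.compile(r"\{([A-Z_]+)\}")  # plain {FIELD}; the "|modifier" syntax is not handled

# Constructed sample input: the RFC 5424 example line, received at a fixed UTC instant.
SAMPLE_LINE = "<34>Oct 11 22:14:15 mymachine su: 'su root' failed for lonvick on /dev/pts/8"
SAMPLE_RECEIVED = datetime(2024, 1, 2, 3, 4, 5, 678901, tzinfo=timezone.utc)

def extract_fields(raw, received_utc):
    """Split one received line into the page's fields; received_utc is an aware datetime."""
    m = PRI_RE.match(raw)
    if not m:
        raise ValueError("no <PRI> prefix")
    pri = int(m.group(1))
    if pri > 191:  # facility would exceed 23: reject rather than store a bogus value
        raise ValueError(f"PRI {pri} out of range 0..191")
    facility, severity = divmod(pri, 8)  # inverse of FACILITY_NUM * 8 + SEVERITY_NUM
    us = int(received_utc.timestamp()) * 1_000_000 + received_utc.microsecond
    return {
        "RECEIVED_UTC": us,                   # microseconds since the epoch
        "RECEIVED_MS_UTC": us // 1_000,       # rounded down to milliseconds
        "RECEIVED_S_UTC": us // 1_000_000,    # rounded down to seconds
        "FACILITY_NUM": facility, "FACILITY": FACILITIES[facility],
        "SEVERITY_NUM": severity, "SEVERITY": SEVERITIES[severity],
        "PRIORITY": facility * 8 + severity,  # recomputed exactly as the page defines it
        "RAW_MESSAGE": m.group(2),            # everything after the priority prefix
    }

def render(template, fields):
    """Substitute each {FIELD}; an unknown field name is an error, not a silent blank."""
    def sub(match):
        name = match.group(1)
        if name not in fields:
            raise KeyError(f"unknown field {name}")
        return str(fields[name])
    return FIELD_RE.sub(sub, template)

if __name__ == "__main__":
    f = extract_fields(SAMPLE_LINE, SAMPLE_RECEIVED)
    print(f["FACILITY"], f["SEVERITY"], f["PRIORITY"])            # Auth Critical 34
    print(render("<{PRIORITY}>{RAW_MESSAGE}", f) == SAMPLE_LINE)  # True
```

Rendering `<{PRIORITY}>{RAW_MESSAGE}` reproduces the received line byte for byte, which is the check to run when verifying a forwarding template.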

MESSAGE

The message body without any headers extracted by a parser.