Official document: http://tools.ietf.org/html/rfc5424
6. Syslog Message Format
6.2. HEADER
6.2.1. PRI
PRI=<Facility(0-23)*8+Severity(0-7)>
6.2.2. VERSION
6.2.3. TIMESTAMP
Example 1
1985-04-12T23:20:50.52Z
Example 2
1985-04-12T19:20:50.52-04:00
Example 3
2003-10-11T22:14:15.003Z
Example 4
2003-08-24T05:14:15.000003-07:00
6.2.4. HOSTNAME
6.2.5. APP-NAME
6.2.6. PROCID
6.2.7. MSGID
6.3. STRUCTURED-DATA
6.3.1. SD-ELEMENT
6.3.2. SD-ID
6.3.3. SD-PARAM
6.3.4. Change Control
6.3.5. Examples
Example 1 - Valid
[exampleSDID@32473 iut="3" eventSource="Application" eventID="1011"]
This example is a structured data element with a non-IANA controlled
SD-ID of type "exampleSDID@32473", which has three parameters.
Example 2 - Valid
[exampleSDID@32473 iut="3" eventSource="Application" eventID="1011"][examplePriority@32473 class="high"]
This is the same example as in 1, but with a second structured data
element. Please note that the structured data element immediately
follows the first one (there is no SP between them).
Example 3 - Invalid
[exampleSDID@32473 iut="3" eventSource="Application" eventID="1011"] [examplePriority@32473 class="high"]
error: one extra space (SP character) between the two SD-ELEMENTs
Example 4 - Invalid
[ exampleSDID@32473 iut="3" eventSource="Application" eventID="1011"][examplePriority@32473 class="high"]
error: one extra space (SP character) inside the first SD-ELEMENT
Example 5 - Valid
[sigSig ver="1" rsID="1234" ... signature="..."]
Example 5 is a valid example. It shows a hypothetical IANA-assigned
SD-ID. The ellipses denote missing content, which has been left out
of this example for brevity.
6.4. MSG
6.5. Examples
Example 1 - with no STRUCTURED-DATA
<34>1 2003-10-11T22:14:15.003Z mymachine.example.com su - ID47 - BOM'su root' failed for lonvick on /dev/pts/8
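# The 8 parts of the header are separated by a space (SP), except for <34>1, which can be split without an SP,
# and the HEADER, STRUCTURED-DATA and MSG are likewise separated by SP.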
Facility : 4
Severity : 2
VERSION : 1
TIMESTAMP : 2003-10-11T22:14:15.003Z
HOSTNAME : mymachine.example.com
APP-NAME : su
PROCID : unknown, indicated by "-" in the PROCID field
MSGID : ID47
STRUCTURED-DATA : none; this is indicated by "-" in the STRUCTURED-DATA field
When present, it has a form like [exampleSDID@32473 iut="3" eventSource="Application" eventID="1011"][examplePriority@32473 class="high"]
BOM is a control character; to be dealt with later.
MSG : 'su root' failed for lonvick on /dev/pts/8
MSG comes last and may contain any number of spaces.
Example 2 - with no STRUCTURED-DATA
<165>1 2003-08-24T05:14:15.000003-07:00 192.0.2.1 myproc 8710 - - %% It's time to make the do-nuts.
Example 3 - with STRUCTURED-DATA
<165>1 2003-10-11T22:14:15.003Z mymachine.example.com evntslog - ID47 [exampleSDID@32473 iut="3" eventSource="Application" eventID="1011"] BOMAn application event log entry...
Example 4 - STRUCTURED-DATA Only, (no MSG)
<165>1 2003-10-11T22:14:15.003Z mymachine.example.com evntslog - ID47 [exampleSDID@32473 iut="3" eventSource="Application" eventID="1011"][examplePriority@32473 class="high"]
This example shows a message with only STRUCTURED-DATA and no MSG
part. This is a valid message.
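As an added example (not code from the RFC or from these notes), a minimal Python parser for the format walked through above: it decodes PRI, splits the HEADER on SP, and validates STRUCTURED-DATA strictly enough to reject the two invalid cases in 6.3.5. The function names are hypothetical, field length limits and TIMESTAMP syntax are not checked, and the sample lines are constructed from Examples 1 and 4 of 6.5 with "BOM" written as U+FEFF.

```python
import re

NAME = r'(?:(?![=\]"])[!-~]){1,32}'      # SD-NAME: printable ASCII except '=', ']', '"', SP
VALUE = r'(?:[^"\\\]]|\\.)*'             # PARAM-VALUE: '"', '\' and ']' must be escaped
ELEMENT = re.compile(rf'\[({NAME})((?: {NAME}="{VALUE}")*)\]')
PARAM = re.compile(rf' ({NAME})="({VALUE})"')
HEADER = re.compile(r'<(\d{1,3})>([1-9]\d{0,2}) (\S+) (\S+) (\S+) (\S+) (\S+) ')
FIELDS = ("timestamp", "hostname", "app_name", "procid", "msgid")

def scan_sd(text, pos=0):
    """Read STRUCTURED-DATA at text[pos]; return ({sd_id: [(name, value)]}, end)."""
    if text.startswith("-", pos):            # NILVALUE: no structured data
        return {}, pos + 1
    elements = {}
    while (m := ELEMENT.match(text, pos)):   # elements are adjacent, no SP between
        if m.group(1) in elements:
            raise ValueError("duplicate SD-ID")
        elements[m.group(1)] = PARAM.findall(m.group(2))   # values kept escaped
        pos = m.end()
    if not elements:
        raise ValueError(f"malformed STRUCTURED-DATA at offset {pos}")
    return elements, pos

def parse_sd(text):
    """Validate a stand-alone STRUCTURED-DATA string such as the 6.3.5 examples."""
    elements, end = scan_sd(text)
    if end != len(text):
        raise ValueError(f"unexpected data at offset {end}")
    return elements

def parse(line):
    """Split one decoded syslog message into its HEADER fields, SD and MSG."""
    h = HEADER.match(line)
    if not h or int(h.group(1)) > 191:       # PRI = Facility*8 + Severity, max 23*8+7
        raise ValueError("malformed HEADER")
    pri = int(h.group(1))
    sd, end = scan_sd(line, h.end())
    if end < len(line) and line[end] != " ":
        raise ValueError("STRUCTURED-DATA must be followed by SP or end of message")
    msg = line[end + 1:].removeprefix("\ufeff")   # drop the BOM that marks a UTF-8 MSG
    return {"facility": pri >> 3, "severity": pri & 7, "version": int(h.group(2)),
            **dict(zip(FIELDS, h.groups()[2:])), "sd": sd, "msg": msg}

# Constructed inputs: Examples 1 and 4 from 6.5 on one line, "BOM" as U+FEFF.
EX1 = ("<34>1 2003-10-11T22:14:15.003Z mymachine.example.com su - ID47 - "
       "\ufeff'su root' failed for lonvick on /dev/pts/8")
EX4 = ('<165>1 2003-10-11T22:14:15.003Z mymachine.example.com evntslog - ID47 '
       '[exampleSDID@32473 iut="3" eventSource="Application" eventID="1011"]'
       '[examplePriority@32473 class="high"]')
```

In a full message the stray SP of 6.3.5 Example 3 is not a parse error: the second element falls into MSG, so `parse` returns only the first SD-ELEMENT under `sd`. A collector that relies on structured fields should flag a MSG that begins with `[`.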