Log Formats#
Reference of common log formats an operator parses, ingests, or generates: syslog, JSON, NCSA Combined, journald, OpenTelemetry, Windows Event Log, and the structured-logging conventions in common languages.
For protocols context, see Network Protocols. For SIEM detection, see Sigma.
Syslog#
Standard |
Notes |
|---|---|
RFC 3164 (BSD) |
legacy free-form; one line per message. |
RFC 5424 |
modern; structured-data sections. |
RFC 5425 (TLS) |
syslog over TLS; port 6514. |
RFC 5426 (UDP) |
port 514 default. |
RFC 6587 (TCP) |
stream framing. |
RELP |
Reliable Event Logging Protocol; rsyslog extension. |
PRI = facility × 8 + severity:
Severity |
Numeric |
|---|---|
Emergency |
0 |
Alert |
1 |
Critical |
2 |
Error |
3 |
Warning |
4 |
Notice |
5 |
Informational |
6 |
Debug |
7 |
Facility |
Numeric |
|---|---|
kern |
0 |
user |
1 |
2 |
|
daemon |
3 |
auth |
4 |
syslog |
5 |
lpr |
6 |
news |
7 |
uucp |
8 |
cron |
9 |
authpriv |
10 |
ftp |
11 |
local0..7 |
16..23 |
Common log lines#
Source |
Sample |
|---|---|
NCSA Common Log |
|
NCSA Combined Log |
adds |
nginx access (def.) |
|
nginx error |
|
Apache access |
similar to NCSA. |
HAProxy |
|
Squid |
|
Postfix |
|
JSON / structured#
Convention |
Notes |
|---|---|
JSON Lines (NDJSON) |
one JSON object per line; the modern default. |
ECS (Elastic |
opinionated field schema; used by Beats / Logstash / |
Common Schema) |
OpenSearch. |
OTel logs |
OpenTelemetry log data model; SDK + Collector. |
GCP Cloud Logging |
structured payload; severity, labels, traces. |
AWS CloudWatch Logs |
lines or structured (JSON) per stream. |
Azure Monitor Log |
KQL-queryable structured tables. |
Windows ETW |
binary; high-throughput; Event Tracing for Windows. |
Honeycomb / Datadog |
/ Splunk / Sumo vendor JSON variants. |
Recommended JSON log fields:
Field |
Notes |
|---|---|
|
RFC 3339; UTC with timezone offset. |
|
|
|
human-readable description. |
|
emitting service name. |
|
service version / build. |
|
environment (prod / staging / dev). |
|
host or pod name. |
|
/ |
|
caller identifier (PII-class, mind retention). |
|
|
|
|
|
|
journald (systemd)#
Field |
Notes |
|---|---|
__REALTIME_TIMESTAMP |
microseconds since epoch. |
__MONOTONIC_TIMESTAMP |
host monotonic clock. |
__BOOT_ID |
unique-per-boot UUID. |
PRIORITY |
syslog priority (above). |
SYSLOG_FACILITY |
per-syslog facility. |
_PID, _UID, _GID |
caller process / user / group. |
_COMM, _EXE |
process name / executable path. |
_CMDLINE |
full command-line. |
_SYSTEMD_UNIT |
|
_HOSTNAME |
host. |
MESSAGE |
free-form text. |
MESSAGE_ID |
RFC 5424 STRUCTURED-DATA-style message-class UUID. |
Query: journalctl -u nginx -p err --since "1h ago" -o json.
Windows Event Log#
Channel |
Notes |
|---|---|
Application |
per-app events. |
Security |
audit; cred + login + privilege use. |
System |
kernel + driver + OS. |
Setup |
install events. |
Forwarded Events |
WEC subscriber-collected. |
Microsoft-Windows-* |
hundreds of subscribed channels (PowerShell, Sysmon, Defender, etc.). |
ETL files |
Event Tracing binary; .etl. |
EVTX |
XML serialised event log; .evtx. |
Sysmon |
configurable detailed process / file / network / registry events. |
Important Event IDs (Security):
ID |
Meaning |
|---|---|
4624 |
successful logon. |
4625 |
failed logon. |
4634 |
logoff. |
4647 |
user-initiated logoff. |
4648 |
explicit-cred logon (RunAs). |
4663 |
object access (audit). |
4672 |
special privileges assigned. |
4688 |
process creation. |
4697 |
service install. |
4720 |
user account created. |
4724 |
password reset. |
4732 |
added to local group. |
4756 |
added to universal group. |
4768 |
Kerberos AS-REQ (TGT). |
4769 |
Kerberos TGS-REQ. |
4776 |
NTLM credential validation. |
Sysmon Event IDs:
ID |
Meaning |
|---|---|
1 |
Process create. |
3 |
Network connection. |
5 |
Process terminated. |
7 |
Image loaded. |
10 |
Process accessed (LSASS read alarm). |
11 |
File created. |
12-14 |
Registry events. |
15 |
FileCreateStreamHash. |
22 |
DNS query. |
23 |
File delete. |
Linux audit (auditd)#
Concept |
Notes |
|---|---|
|
rule definitions. |
ausearch / aureport |
|
Syscall auditing |
per-syscall match (open, execve, …). |
Watch rules |
file / dir-based audits. |
SELinux / AppArmor |
separately log AVC denials. |
auditd rules per benchmark |
CIS / DISA STIG benchmarks ship rule-sets. |
Tooling#
Tool |
Notes |
|---|---|
rsyslog |
Linux syslog daemon; default on most distros. |
syslog-ng |
alternative; more programmable. |
journald |
systemd-bundled; binary log store. |
Vector (Datadog) |
fast Rust log shipper; aggregator. |
Fluent Bit / Fluent |
d CNCF; container-friendly. |
Logstash |
Elastic; JVM-heavy. |
Filebeat / Winlogbe |
at Elastic shippers. |
Promtail (Loki) |
Grafana log shipper. |
OpenTelemetry Collector |
Collector for logs / metrics / traces. |
auditd-monitor |
SOC integrations. |
Wazuh |
OSS XDR; ingests + correlates. |
Kafka / Pulsar / Redpanda |
The durable transport bus for logs at scale. |
Operator notes#
Always log in UTC (or RFC 3339 with offset); the parsing pipeline normalises.
Structure beats text, emit JSON Lines; SIEM parsing, field extraction, and search are an order of magnitude cheaper.
PII / PHI, mind retention regulations; redact at the edge if possible (Vector / Fluent Bit can do this in flight).
Field naming, pick ECS or OTel semantic conventions; do not invent custom names (
user_idvsuseridvsuidfragments queries forever).Correlate with trace IDs (W3C TraceContext) so logs and traces line up in OTel-aware backends.
Retention vs cost, hot tier (≤90 days, full search), warm (≤1y, restricted), cold (compliance-only). Compliance regimes (HIPAA 6y, SOX 7y, GDPR shorter) drive minimums.