Syslog RFC 3164 header format


The HEADER part contains a timestamp and an indication of the hostname or IP address of the device.

The HEADER contains two fields called the TIMESTAMP and the HOSTNAME.

The TIMESTAMP will immediately follow the trailing ">" from the PRI part and single space characters MUST follow each of the TIMESTAMP and HOSTNAME fields.

HOSTNAME will contain the hostname, as it knows itself. If it does not have a hostname, then it will contain its own IP address.

The TIMESTAMP field is the local time and is in the format of:

"Mmm dd hh:mm:ss" (without the quote marks).


The MSG part has two fields known as the TAG field and the CONTENT field. The value in the TAG field will be the name of the program or process that generated the message. The CONTENT contains the details of the message. This has traditionally been a freeform message that gives some detailed information of the event.

The TAG is a string of ABNF alphanumeric characters that MUST NOT exceed 32 characters. Any non-alphanumeric character will terminate the TAG field and will be assumed to be the starting character of the CONTENT field. Most commonly, the first character of the CONTENT field that signifies the conclusion of the TAG field has been seen to be the left square bracket character ("["), a colon character (":"), or a space character.

Kiwi SyslogGen uses the following format for its messages:

<PRI>Jul 10 12:00:00 192.168.1.1 SyslogGen MESSAGE TEXT
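The following parser is an added example (not Kiwi's code and not part of the original page) that applies the HEADER rules above (TIMESTAMP immediately after the PRI's ">", single spaces after TIMESTAMP and HOSTNAME, "Mmm dd hh:mm:ss" with a space-padded day) and the MSG rules (TAG is the leading run of alphanumerics, at most 32 characters, terminated by the first non-alphanumeric character, which belongs to CONTENT). The sample lines are constructed; the first follows the Kiwi SyslogGen format shown above. A message whose HEADER does not parse is kept rather than dropped, with everything after PRI treated as CONTENT, which is what RFC 3164 section 4.3 prescribes for a receiver.

```python
"""Minimal RFC 3164 (BSD syslog) parser for the PRI, HEADER (TIMESTAMP,
HOSTNAME) and MSG (TAG, CONTENT) parts. Added example; not Kiwi's code."""
import re
from dataclasses import dataclass
from typing import Optional

MONTHS = ("Jan", "Feb", "Mar", "Apr", "May", "Jun",
          "Jul", "Aug", "Sep", "Oct", "Nov", "Dec")

# PRI: one to three digits between "<" and ">" at the very start of the line.
_PRI_RE = re.compile(r"^<(\d{1,3})>")
# TIMESTAMP "Mmm dd hh:mm:ss" (day space-padded, e.g. "Oct  7"), one space,
# HOSTNAME (no spaces), one space, then the MSG part.
_HEADER_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ 0-3]\d \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<msg>.*)$",
    re.DOTALL,
)
TAG_MAX = 32


@dataclass
class SyslogMessage:
    facility: int
    severity: int
    timestamp: Optional[str]   # None when the HEADER could not be parsed
    hostname: Optional[str]
    tag: Optional[str]         # None when no legal TAG is present
    content: str
    header_valid: bool


def split_tag(msg: str):
    """Split MSG into (TAG, CONTENT). TAG is the leading run of ASCII
    alphanumerics; the first non-alphanumeric character starts CONTENT.
    A run longer than 32 characters is not a legal TAG, so the whole MSG
    is treated as CONTENT."""
    i = 0
    while i < len(msg) and msg[i].isascii() and msg[i].isalnum():
        i += 1
    if i == 0 or i > TAG_MAX:
        return None, msg
    return msg[:i], msg[i:]


def parse_rfc3164(line: str) -> SyslogMessage:
    m = _PRI_RE.match(line)
    if not m:
        raise ValueError("missing PRI part")
    pri = int(m.group(1))
    if pri > 191:  # facility 0..23 times 8 plus severity 0..7
        raise ValueError(f"PRI out of range: {pri}")
    rest = line[m.end():]
    h = _HEADER_RE.match(rest)
    if not h or h.group("ts")[:3] not in MONTHS:
        # RFC 3164 section 4.3: no valid HEADER, so everything after PRI is
        # CONTENT (a relay would then prepend its own TIMESTAMP and HOSTNAME).
        return SyslogMessage(pri // 8, pri % 8, None, None, None, rest, False)
    tag, content = split_tag(h.group("msg"))
    return SyslogMessage(pri // 8, pri % 8, h.group("ts"), h.group("host"),
                         tag, content, True)


# Constructed sample lines; the first is in the shape Kiwi SyslogGen emits.
SAMPLES = [
    "<34>Jul 10 12:00:00 192.168.1.1 SyslogGen MESSAGE TEXT",
    "<13>Oct  7 03:14:15 host01 sshd[2042]: Accepted publickey for alice",
    "<30>Dec 31 23:59:59 fw-edge kernel: DROP IN=eth0 SRC=203.0.113.5",
    "<14>no header here at all",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(parse_rfc3164(s))
```

Note that CONTENT keeps its first character (the space, "[" or ":" that ended the TAG), exactly as the text above describes; a collector that wants the bare message text strips it afterwards. Because the HOSTNAME field is whatever the sender claims, the parsed hostname should never be trusted as an identity on its own; correlate it with the UDP/TCP source address when it matters.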


The BSD Syslog protocol is discussed in RFC 3164.

http://community.roxen.com/developers/idocs/rfc/rfc3164.html


For a comprehensive description of the syslog protocol, see:

http://www.sans.org/infosecFAQ/unix/syslog.htm