The MSG part consists of a TAG and the CONTENT, separated by a ":" after the TAG.
The TAG is made up of the task_name and pid of the process that sent the Syslog message. The pid is written inside square brackets []; the pid part may also be omitted.
Because the protocol stipulates that a single Syslog line cannot exceed 1024 bytes, Syslog, like log4j, can end up sending one event split across several lines. In that case line-by-line analysis is usually inconvenient, as in the following Syslog excerpt.
Nov 26 15:42:54 LOCALHOST kernel: [ 4.235784] cciss0: <0x3230> at PCI 0000:03:00.0 IRQ 1272 using DAC
Nov 26 15:42:54 LOCALHOST kernel: [ 4.251582] blocks= 286677120 block_size= 512
Nov 26 15:42:54 LOCALHOST kernel: [ 4.255582] heads=255, sectors=32, cylinders=35132
Nov 26 15:42:54 LOCALHOST kernel: [ 4.255583]
Nov 26 15:42:54 LOCALHOST kernel: [ 4.263574] blocks= 286677120 block_size= 512
Nov 26 15:42:54 LOCALHOST kernel: [ 4.263574] heads=255, sectors=32, cylinders=35132
Nov 26 15:42:54 LOCALHOST kernel: [ 4.263574]
Nov 26 15:42:54 LOCALHOST kernel: [ 4.263574] cciss/c0d0: p1 p2 < p5 p6 >
To address packet loss with UDP, RFC3195 defines how to transport Syslog over TCP, and RFC5425 (http://tools.ietf.org/html/rfc5425) goes further and defines the HEADER format and related details for transporting Syslog over TLS.
In addition, RFC5424 also defines a Syslog format, whose fields are explained as follows.
SYSLOG-MSG      = HEADER SP STRUCTURED-DATA [SP MSG]

HEADER          = PRI VERSION SP TIMESTAMP SP HOSTNAME
                  SP APP-NAME SP PROCID SP MSGID
PRI             = "<" PRIVAL ">"
PRIVAL          = 1*3DIGIT ; range 0 .. 191
VERSION         = NONZERO-DIGIT 0*2DIGIT
HOSTNAME        = NILVALUE / 1*255PRINTUSASCII

APP-NAME        = NILVALUE / 1*48PRINTUSASCII
PROCID          = NILVALUE / 1*128PRINTUSASCII
MSGID           = NILVALUE / 1*32PRINTUSASCII

TIMESTAMP       = NILVALUE / FULL-DATE "T" FULL-TIME
FULL-DATE       = DATE-FULLYEAR "-" DATE-MONTH "-" DATE-MDAY
DATE-FULLYEAR   = 4DIGIT
DATE-MONTH      = 2DIGIT  ; 01-12
DATE-MDAY       = 2DIGIT  ; 01-28, 01-29, 01-30, 01-31 based on
                          ; month/year
FULL-TIME       = PARTIAL-TIME TIME-OFFSET
PARTIAL-TIME    = TIME-HOUR ":" TIME-MINUTE ":" TIME-SECOND
                  [TIME-SECFRAC]
TIME-HOUR       = 2DIGIT  ; 00-23
TIME-MINUTE     = 2DIGIT  ; 00-59
TIME-SECOND     = 2DIGIT  ; 00-59
TIME-SECFRAC    = "." 1*6DIGIT
TIME-OFFSET     = "Z" / TIME-NUMOFFSET
TIME-NUMOFFSET  = ("+" / "-") TIME-HOUR ":" TIME-MINUTE

STRUCTURED-DATA = NILVALUE / 1*SD-ELEMENT
SD-ELEMENT      = "[" SD-ID *(SP SD-PARAM) "]"
SD-PARAM        = PARAM-NAME "=" %d34 PARAM-VALUE %d34
SD-ID           = SD-NAME
PARAM-NAME      = SD-NAME
PARAM-VALUE     = UTF-8-STRING ; characters '"', '\' and
                               ; ']' MUST be escaped.
SD-NAME         = 1*32PRINTUSASCII
                  ; except '=', SP, ']', %d34 (")

MSG             = MSG-ANY / MSG-UTF8
MSG-ANY         = *OCTET ; not starting with BOM
MSG-UTF8        = BOM UTF-8-STRING
BOM             = %xEF.BB.BF

UTF-8-STRING    = *OCTET ; UTF-8 string as specified
                         ; in RFC 3629

OCTET           = %d00-255
SP              = %d32
PRINTUSASCII    = %d33-126
NONZERO-DIGIT   = %d49-57
DIGIT           = %d48 / NONZERO-DIGIT
NILVALUE        = "-"
This format is much more complex and specific than the one in RFC3164, but the most important part, the way PRI is calculated, is the same. So once you have mastered the PRI calculation, the rest can be left to tools.
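As an added example (not code from the original text), here is a small Python parser for the RFC5424 grammar above: it decodes PRI into facility and severity (PRIVAL = facility * 8 + severity), splits the HEADER fields, unescapes STRUCTURED-DATA parameter values and strips the BOM that marks MSG-UTF8. The sample message and its SD-ID are constructed for the demonstration.

```python
import re
# Constructed sample message, not taken from the original text.
SAMPLE = ('<165>1 2003-10-11T22:14:15.003Z mymachine.example.com evntslog - ID47 '
          '[exampleSDID@32473 iut="3" eventSource="App \\"x\\" \\] \\\\" eventID="1011"]'
          ' \ufeffAn application event log entry')

SD_NAME = r'[\x21\x23-\x3c\x3e-\x5c\x5e-\x7e]{1,32}'  # PRINTUSASCII minus '=', SP, ']', '"'
HEADER_RE = re.compile(
    r'<(?P<prival>\d{1,3})>(?P<version>[1-9]\d{0,2}) (?P<timestamp>\S+) '
    r'(?P<hostname>\S+) (?P<appname>\S+) (?P<procid>\S+) (?P<msgid>\S+) ')
SD_ID_RE = re.compile(r'\[(' + SD_NAME + ')')
SD_PARAM_RE = re.compile(' (' + SD_NAME + r')="((?:[^"\\]|\\.)*)"')  # value ends at unescaped '"'

def decode_pri(prival):
    """PRIVAL = facility * 8 + severity; RFC 5424 limits it to 0..191."""
    if not 0 <= prival <= 191:
        raise ValueError('PRIVAL out of range: %d' % prival)
    return divmod(prival, 8)  # (facility, severity)

def parse_structured_data(s, i):
    """Parse STRUCTURED-DATA at s[i] into {SD-ID: {PARAM-NAME: PARAM-VALUE}}."""
    if s.startswith('-', i):
        return {}, i + 1
    elements = {}
    m = SD_ID_RE.match(s, i)
    while m:
        params, i = {}, m.end()
        p = SD_PARAM_RE.match(s, i)
        while p:
            params[p.group(1)] = re.sub(r'\\([\\"\]])', r'\1', p.group(2))  # undo \" \\ \]
            i, p = p.end(), SD_PARAM_RE.match(s, p.end())
        if not s.startswith(']', i):
            raise ValueError('malformed SD-ELEMENT at offset %d' % i)
        elements[m.group(1)], i = params, i + 1
        m = SD_ID_RE.match(s, i)
    if not elements:
        raise ValueError('STRUCTURED-DATA must be "-" or 1*SD-ELEMENT')
    return elements, i

def parse_syslog(line):
    """Split one RFC 5424 SYSLOG-MSG into HEADER fields, STRUCTURED-DATA and MSG."""
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError('bad HEADER')
    rec = m.groupdict()
    rec['facility'], rec['severity'] = decode_pri(int(rec.pop('prival')))
    rec['structured_data'], i = parse_structured_data(line, m.end())
    msg = line[i + 1:] if line.startswith(' ', i) else ''
    rec['msg'] = msg[1:] if msg.startswith('\ufeff') else msg  # strip MSG-UTF8 BOM
    return rec
```

Calling parse_syslog(SAMPLE) yields facility 20 and severity 5 from PRI 165, the unescaped eventSource value, and the message text without its BOM.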