System Logging

One of the most challenging sources of event data that you will want to collect comes from the wonderful world of system logging, or syslog. Syslog information is particularly useful in environments where much of the application traffic is encrypted and cannot be analyzed by traditional packet inspection. In fact, syslog may be the only visibility you have in many cases.

Beyond being an operational and security best practice, the collection of system log events is core to several security standards and government regulations, including the Federal Information Security Management Act of 2002 (FISMA), the Sarbanes-Oxley Act of 2002 (SOX), the Gramm-Leach-Bliley Act (GLBA), the Payment Card Industry (PCI) standard, the Health Insurance Portability and Accountability Act of 1996 (HIPAA), and others.

In the Unix world, syslog is a standard for forwarding log messages in an IP network. Syslog messages are records of events occurring on a system. These events can take several forms, such as a record of a user logging in, a service starting, and even custom messages sent from applications running on the system.

According to the latest version of the IETF working group discussion,[47] the format for a syslog message is suggested to be:

{PRI} {VERSION} {TIMESTAMP} {HOSTNAME} {PROCID} {MSGID} {STRUCTURED DATA}

That is, the priority of the message, version of the syslog protocol, timestamp (as specified by RFC 3339), hostname, process identifier, message identifier (used only for filtering ...
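As an added illustration of the header layout just described (this is example code written for this page, not from the book or from any syslog implementation), the parser below decodes a message into its fields. It follows the published RFC 5424 layout, which also carries an APP-NAME field between HOSTNAME and PROCID and a free-text MSG after the structured data, and it splits the PRI value into the facility and severity that collectors typically filter on (PRI = facility * 8 + severity). Because log collectors receive these records from hosts that may be compromised or misconfigured, the parser rejects malformed input with an exception rather than guessing. The sample records, hostnames and addresses are constructed.

```python
"""Decode RFC 5424-style syslog records into their fields (constructed example)."""
import re
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, Optional, Tuple

# PRI packs facility * 8 + severity into one number; names per RFC 5424 Table 1 and 2.
FACILITY_NAMES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
                  "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock"
                  ] + [f"local{i}" for i in range(8)]
SEVERITY_NAMES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Header fields are single-space separated and never contain spaces; "-" is the nil value.
HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>[1-9]\d?) (?P<timestamp>\S+) (?P<hostname>\S+) "
    r"(?P<appname>\S+) (?P<procid>\S+) (?P<msgid>\S+) (?P<rest>.*)$",
    re.DOTALL,
)


@dataclass
class SyslogMessage:
    facility: int
    severity: int
    version: int
    timestamp: Optional[datetime]
    hostname: Optional[str]
    app_name: Optional[str]
    procid: Optional[str]
    msgid: Optional[str]
    structured_data: Dict[str, Dict[str, str]] = field(default_factory=dict)
    msg: str = ""

    @property
    def facility_name(self) -> str:
        return FACILITY_NAMES[self.facility]

    @property
    def severity_name(self) -> str:
        return SEVERITY_NAMES[self.severity]


def _nil(value: str) -> Optional[str]:
    return None if value == "-" else value


def _parse_timestamp(value: str) -> Optional[datetime]:
    """RFC 3339 timestamp; fromisoformat() only accepts a trailing 'Z' from Python 3.11 on."""
    if value == "-":
        return None
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    return datetime.fromisoformat(value)


def _parse_structured_data(text: str) -> Tuple[Dict[str, Dict[str, str]], str]:
    """Parse one or more [SD-ID NAME="value" ...] elements; return (elements, remainder)."""
    elements: Dict[str, Dict[str, str]] = {}
    pos = 0
    while pos < len(text) and text[pos] == "[":
        end_id = pos + 1
        while end_id < len(text) and text[end_id] not in " ]":
            end_id += 1
        sd_id = text[pos + 1:end_id]
        if not sd_id:
            raise ValueError("empty SD-ID")
        params: Dict[str, str] = {}
        pos = end_id
        while pos < len(text) and text[pos] == " ":
            pos += 1
            eq = text.find("=", pos)
            if eq == -1 or text[eq + 1:eq + 2] != '"':
                raise ValueError("malformed SD-PARAM")
            name = text[pos:eq]
            pos = eq + 2
            chars = []
            while True:
                if pos >= len(text):
                    raise ValueError("unterminated PARAM-VALUE")
                ch = text[pos]
                # Only '"', '\' and ']' may be backslash-escaped inside a value.
                if ch == "\\" and text[pos + 1:pos + 2] in ('"', "\\", "]"):
                    chars.append(text[pos + 1])
                    pos += 2
                    continue
                pos += 1
                if ch == '"':
                    break
                chars.append(ch)
            params[name] = "".join(chars)
        if text[pos:pos + 1] != "]":
            raise ValueError("unterminated SD-ELEMENT")
        pos += 1
        elements[sd_id] = params
    if not elements:
        raise ValueError("STRUCTURED-DATA must be '-' or start with '['")
    return elements, text[pos:]


def parse_syslog(line: str) -> SyslogMessage:
    """Parse one record; raise ValueError on anything that does not fit the layout."""
    m = HEADER_RE.match(line.rstrip("\r\n"))
    if not m:
        raise ValueError("not a well-formed RFC 5424 header")
    pri = int(m["pri"])
    if pri > 191:  # 23 facilities * 8 + 7 is the largest legal PRI
        raise ValueError("PRI out of range")
    rest = m["rest"]
    if rest.startswith("-"):
        sd, remainder = {}, rest[1:]
    else:
        sd, remainder = _parse_structured_data(rest)
    if remainder and not remainder.startswith(" "):
        raise ValueError("MSG must be separated from STRUCTURED-DATA by a space")
    return SyslogMessage(
        facility=pri // 8, severity=pri % 8, version=int(m["version"]),
        timestamp=_parse_timestamp(m["timestamp"]), hostname=_nil(m["hostname"]),
        app_name=_nil(m["appname"]), procid=_nil(m["procid"]), msgid=_nil(m["msgid"]),
        structured_data=sd, msg=remainder[1:],
    )


# Constructed sample records (documentation hostnames and addresses, not real log data).
SAMPLES = [
    '<34>1 2024-03-01T22:14:15.003Z bastion.example.com sshd 4132 - - '
    'Failed password for invalid user admin from 198.51.100.7 port 52114 ssh2',
    "<165>1 2024-03-01T05:14:15.000003-07:00 192.0.2.1 myproc 8710 - - %% It's time to make the do-nuts.",
    '<86>1 2024-03-01T22:14:16Z bastion.example.com audit - ID47 '
    '[exampleSDID@32473 iut="3" eventSource="Application" eventID="1011"]'
    '[meta@32473 note="quote \\" bracket \\] slash \\\\"] An application event log entry',
]

if __name__ == "__main__":
    for line in SAMPLES:
        rec = parse_syslog(line)
        print(f"{rec.facility_name}.{rec.severity_name} {rec.hostname} {rec.app_name}: {rec.msg}")
```

The first sample decodes to facility `auth`, severity `crit`, which is the kind of record a collector would route to its authentication monitoring; the third shows how quotes, brackets and backslashes are escaped inside structured-data values, the part of the format most often mishandled by ad hoc regular-expression parsers.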
