
syslog.tools

Read, decode, and ship <syslog> without leaving the browser.

A small set of focused utilities for the format every router, firewall, and Linux box speaks. Paste a line and see its fields. Work out a priority value. Convert to JSON or CEF. Generate a forwarding config. No accounts, no uploads.

raw syslog:
<34>1 2003-10-11T22:14:15.003Z mymachine.example.com su - ID47 - 'su root' failed for lonvick

parses to:
PRI: <34>
timestamp: 2003-10-11T22:14:15.003Z
host: mymachine.example.com
app: su
message: 'su root' failed for lonvick

<34> decodes to facility 4 (auth), severity 2 (crit)

Reference

A quick primer on syslog

Syslog is the lingua franca of operational logging. It began life on BSD Unix in the 1980s, was documented after the fact as RFC 3164, and was later modernised into RFC 5424. Despite its age it is still how the vast majority of network gear and servers report what they are doing — a Cisco switch, a pfSense firewall, an Ubuntu host, and a Java application can all ship to the same collector because they all speak syslog.

Anatomy of a message

Every syslog message starts with a priority value in angle brackets, such as <34>. That number packs two pieces of information: the facility, which says which subsystem produced the message, and the severity, which says how urgent it is. After the priority comes a header. In RFC 3164 that is a timestamp, the hostname, and a TAG (the program name, optionally followed by its PID in square brackets). In RFC 5424 it is a version number (currently 1), a timestamp, the hostname, an app-name, a process ID, and a message ID, with a bare '-' standing in for any field that is absent. RFC 5424 then carries structured data (one or more [id key="value" ...] elements, or '-' when there is none) before the free-form message text. The syslog parser breaks any line into exactly these parts.

Facility and severity

The priority is computed as facility * 8 + severity, so it ranges from 0 to 191. There are 24 facilities (0–23), including kern, auth, daemon, and the eight slots local0 through local7 reserved for your own use. There are 8 severities, from emerg (0, the system is unusable) down to debug (7). Going back from a priority is integer division and remainder: facility = PRI div 8, severity = PRI mod 8. If you ever need to go from a priority number to its parts, or the other way around, the PRI calculator does it both ways.
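The anatomy and facility/severity sections above describe what a parser has to do; the block below is an added example of doing it, written for this page and not the site's own parser code. It decodes and encodes PRI with range checks, splits RFC 5424 and RFC 3164 lines into the fields named above, and handles the awkward part of RFC 5424 structured data: a ']' or '"' inside a quoted value is escaped with a backslash and must not end the element. The function names, the short labels for facilities 12–15, and the sample lines (the page's demo line plus two constructed ones) are assumptions of this example.

```javascript
'use strict';

// Facility 0-23 and severity 0-7 names. RFC 5424 labels facilities 12-15 as
// NTP, log audit, log alert and clock daemon; the short names used here for
// those four are an assumption, not the site's own table.
const FACILITIES = [
  'kern', 'user', 'mail', 'daemon', 'auth', 'syslog', 'lpr', 'news',
  'uucp', 'cron', 'authpriv', 'ftp', 'ntp', 'audit', 'alert', 'clock',
  'local0', 'local1', 'local2', 'local3', 'local4', 'local5', 'local6', 'local7',
];
const SEVERITIES = ['emerg', 'alert', 'crit', 'err', 'warning', 'notice', 'info', 'debug'];

// PRI = facility * 8 + severity, so the valid range is 0..191.
function encodePri(facility, severity) {
  if (!Number.isInteger(facility) || facility < 0 || facility > 23) throw new RangeError(`facility out of range: ${facility}`);
  if (!Number.isInteger(severity) || severity < 0 || severity > 7) throw new RangeError(`severity out of range: ${severity}`);
  return facility * 8 + severity;
}

function decodePri(pri) {
  if (!Number.isInteger(pri) || pri < 0 || pri > 191) throw new RangeError(`PRI out of range: ${pri}`);
  const facility = pri >> 3; // floor(pri / 8): the high bits
  const severity = pri & 7;  // pri % 8: the low three bits
  return { facility, facilityName: FACILITIES[facility], severity, severityName: SEVERITIES[severity] };
}

const nil = (v) => (v === '-' ? null : v);                       // RFC 5424 NILVALUE
const stripBom = (s) => (s.startsWith('\uFEFF') ? s.slice(1) : s); // optional UTF-8 BOM before MSG

// RFC 5424: <PRI>VERSION SP TIMESTAMP SP HOSTNAME SP APP-NAME SP PROCID SP MSGID SP STRUCTURED-DATA [SP MSG]
const RFC5424_RE = /^<(\d{1,3})>(\d{1,2}) (\S+) (\S+) (\S+) (\S+) (\S+) (.*)$/;
// RFC 3164: <PRI>Mmm dd hh:mm:ss HOSTNAME TAG[pid]: content  (day may be space-padded)
const RFC3164_RE = /^<(\d{1,3})>([A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) (\S+) (.*)$/;
const TAG_RE = /^([^\s:\[]+)(?:\[([^\]]+)\])?: ?(.*)$/;

// Splits '-' or '[id k="v" ...][...] message' into an object plus the message.
function splitStructuredData(rest) {
  if (rest.startsWith('-')) {
    return { structuredData: null, message: stripBom(rest.slice(1).replace(/^ /, '')) };
  }
  const structuredData = {};
  let i = 0;
  while (rest[i] === '[') {
    let j = i + 1;
    let inQuotes = false;
    for (; j < rest.length; j++) {
      const c = rest[j];
      if (inQuotes) {
        if (c === '\\') j++;               // backslash escapes ", \ and ] inside a value
        else if (c === '"') inQuotes = false;
      } else if (c === '"') {
        inQuotes = true;
      } else if (c === ']') {
        break;                             // a ] outside quotes closes the element
      }
    }
    if (j >= rest.length) throw new Error('unterminated SD-ELEMENT');
    const element = rest.slice(i + 1, j);
    const id = element.split(' ', 1)[0];
    const params = {};
    const paramRe = /(\S+?)="((?:[^"\\]|\\.)*)"/g;
    for (const p of element.slice(id.length).matchAll(paramRe)) {
      params[p[1]] = p[2].replace(/\\(["\\\]])/g, '$1'); // undo the three escapes
    }
    structuredData[id] = params;
    i = j + 1;
  }
  if (i === 0) throw new Error('STRUCTURED-DATA must be "-" or [...] elements');
  return { structuredData, message: stripBom(rest.slice(i).replace(/^ /, '')) };
}

function parseSyslog(line) {
  let m = RFC5424_RE.exec(line);
  if (m) {
    const pri = Number(m[1]);
    const { structuredData, message } = splitStructuredData(m[8]);
    return {
      format: 'rfc5424', pri, ...decodePri(pri), version: Number(m[2]),
      timestamp: nil(m[3]), hostname: nil(m[4]), appName: nil(m[5]),
      procId: nil(m[6]), msgId: nil(m[7]), structuredData, message,
    };
  }
  m = RFC3164_RE.exec(line);
  if (m) {
    const pri = Number(m[1]);
    const tag = TAG_RE.exec(m[4]);
    return {
      format: 'rfc3164', pri, ...decodePri(pri), timestamp: m[2], hostname: m[3],
      appName: tag ? tag[1] : null, procId: tag && tag[2] ? tag[2] : null,
      msgId: null, structuredData: null, message: tag ? tag[3] : m[4],
    };
  }
  m = /^<(\d{1,3})>(.*)$/.exec(line); // RFC 3164 tolerates a bare <PRI>content with no header
  if (m) {
    const pri = Number(m[1]);
    return { format: 'rfc3164-bare', pri, ...decodePri(pri), timestamp: null, hostname: null,
      appName: null, procId: null, msgId: null, structuredData: null, message: m[2] };
  }
  throw new Error(`not a syslog line: ${line}`);
}

// Constructed sample lines: the page's RFC 5424 demo line, an RFC 5424 line
// with two structured-data elements, and an RFC 3164 line with a TAG[pid].
const SAMPLES = [
  "<34>1 2003-10-11T22:14:15.003Z mymachine.example.com su - ID47 - 'su root' failed for lonvick",
  '<165>1 2003-10-11T22:14:15.003Z mymachine.example.com evntslog - ID47 [exampleSDID@32473 iut="3" eventSource="Application" eventID="1011"][examplePriority@32473 class="high"] An application event log entry',
  "<34>Oct 11 22:14:15 mymachine su[1234]: 'su root' failed for lonvick on /dev/pts/8",
];
for (const line of SAMPLES) console.log(parseSyslog(line));
```

Two details worth noting when you write your own: a PRI above 191 (or a facility above 23) is not a valid message and should be rejected rather than silently mapped, and the RFC 3164 timestamp carries neither a year nor a time zone, so the collector has to supply both.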

Getting logs where they need to go

Reading a message is half the job; the other half is shipping it. On Linux that usually means rsyslog or syslog-ng forwarding selected facilities and severities to a central host over UDP or TCP. Plain UDP on port 514 is unauthenticated and silently lossy, so prefer TCP, and TLS (RFC 5425) where the collector supports it. On network hardware it is a few logging lines. The config generator writes a starting configuration for all three. And when your destination is a SIEM rather than a plain collector, the JSON and CEF converter reshapes a message into something a pipeline can index.
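The conversion step is where most hand-rolled pipelines go wrong, because CEF has its own escaping rules: in the pipe-delimited header only '|' and '\' are special, in the key=value extension '=' and '\' are, and a log line containing any of those will corrupt the SIEM's parse if it is copied through unescaped. The block below is an added example, not the site's converter: it takes an already-parsed event (constructed here in the shape of the fields shown above), emits a CEF line with both escapers applied, and emits an ECS-style JSON document. The vendor/product strings, the linear syslog-to-CEF severity mapping, and the ECS field names are assumptions of this example.

```javascript
'use strict';

// CEF header: only "|" and "\" are special. Extension values: "=" and "\"
// are special and line breaks are written as \n. Backslashes go first so
// the escape character itself is not double-processed.
const escHeader = (v) => String(v).replace(/\\/g, '\\\\').replace(/\|/g, '\\|');
const escExt = (v) => String(v).replace(/\\/g, '\\\\').replace(/=/g, '\\=').replace(/\r?\n/g, '\\n');

// CEF severity is 0-10 with 10 most severe; syslog is 0-7 with 0 most severe.
// Linear mapping (emerg->10, crit->7, info->1, debug->0); assumed, SIEMs differ.
const cefSeverity = (severity) => Math.round((7 - severity) * 10 / 7);

// rt accepts epoch milliseconds. Only ISO 8601 (RFC 5424) stamps are converted;
// an RFC 3164 stamp has no year or zone, so it is passed through untouched.
function receiptTime(ts) {
  if (!/^\d{4}-\d{2}-\d{2}T/.test(ts)) return ts;
  const ms = Date.parse(ts);
  return Number.isNaN(ms) ? ts : String(ms);
}

function toCef(ev, { vendor = 'syslog', product = 'parser', version = '1' } = {}) {
  const signature = ev.msgId || `${ev.facilityName}.${ev.severityName}`;
  const name = ev.message.slice(0, 60);          // Name is a short human-readable label
  const header = ['CEF:0', vendor, product, version, signature, name, cefSeverity(ev.severity)]
    .map(escHeader).join('|');
  const ext = [];
  const add = (key, value) => { if (value !== null && value !== undefined) ext.push(`${key}=${escExt(value)}`); };
  add('rt', ev.timestamp === null ? null : receiptTime(ev.timestamp));
  add('dvchost', ev.hostname);
  add('deviceProcessName', ev.appName);
  add('dvcpid', ev.procId);
  add('cat', `${ev.facilityName}.${ev.severityName}`);
  add('msg', ev.message);
  // Structured-data params go into the custom string slots cs1..cs6, each
  // with a label so the SIEM can name the column; extras beyond six are dropped.
  let slot = 1;
  for (const [id, params] of Object.entries(ev.structuredData || {})) {
    for (const [k, v] of Object.entries(params)) {
      if (slot > 6) break;
      add(`cs${slot}Label`, `${id}.${k}`);
      add(`cs${slot}`, v);
      slot++;
    }
  }
  return `${header}|${ext.join(' ')}`;
}

// ECS-style document (field names assumed from Elastic Common Schema's
// log.syslog.* group). JSON needs no escaping beyond what JSON.stringify does.
function toJson(ev) {
  return JSON.stringify({
    '@timestamp': ev.timestamp,
    message: ev.message,
    host: { hostname: ev.hostname },
    process: { name: ev.appName, pid: /^\d+$/.test(ev.procId || '') ? Number(ev.procId) : null },
    log: {
      syslog: {
        priority: ev.facility * 8 + ev.severity,
        facility: { code: ev.facility, name: ev.facilityName },
        severity: { code: ev.severity, name: ev.severityName },
        appname: ev.appName, procid: ev.procId, msgid: ev.msgId,
        structured_data: ev.structuredData,
      },
    },
  });
}

// Constructed input in the shape a parser produces for the page's demo line.
const SAMPLE_EVENT = {
  pri: 34, facility: 4, facilityName: 'auth', severity: 2, severityName: 'crit',
  timestamp: '2003-10-11T22:14:15.003Z', hostname: 'mymachine.example.com',
  appName: 'su', procId: null, msgId: 'ID47', structuredData: null,
  message: "'su root' failed for lonvick",
};
console.log(toCef(SAMPLE_EVENT));
console.log(toJson(SAMPLE_EVENT));
```

Before trusting a converter, feed it a message containing '|', '=' and '\' and check that the SIEM still parses every field; that one test catches most of the escaping bugs that otherwise surface as garbled extension columns weeks later.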

Frequently asked questions

What is syslog?
Syslog is a long-standing standard for sending event messages across a network to a central collector. Routers, firewalls, Linux servers, and applications all emit syslog. Each message carries a priority value, usually a timestamp and hostname, and a free-form text body. The modern format is defined by RFC 5424; the older BSD format is RFC 3164.
Do these tools send my log data anywhere?
No. Every tool here runs entirely in your browser using client-side JavaScript. The syslog lines you paste are parsed locally and never uploaded, which makes the tools safe to use with production logs that may contain sensitive data.
What is the difference between RFC 5424 and RFC 3164?
RFC 3164 is the original BSD syslog format: loosely structured, with a timestamp such as 'Oct 11 22:14:15' that carries neither a year nor a time zone. RFC 5424 replaced it with a strict, ordered header, ISO 8601 timestamps, an explicit '-' for absent fields, and optional structured data. New deployments should prefer RFC 5424.
How is the syslog priority (PRI) calculated?
PRI = facility × 8 + severity. The facility (0–23) says where the message came from and the severity (0–7) says how urgent it is. For example, facility 4 (auth) with severity 2 (critical) gives PRI 34, written as <34> at the start of the message.