Syslog Message Parser
Parse syslog messages in RFC 5424 and RFC 3164 format, decode the PRI into facility and severity, read every header field and structured data. No signup.
Syslog message parser
One message per line. Supports RFC 5424 and RFC 3164 (BSD) syslog. Parsing runs in your browser; nothing is uploaded.
Read the PRI, then choose RFC 5424 when a version digit follows it, or RFC 3164 otherwise.
| Total lines | Parsed | Parse errors | Format mix (RFC 5424 / RFC 3164) |
|---|---|---|---|
| 5 | 5 | 0 | 5 / 0 |
Severity breakdown
| Severity | Count |
|---|---|
| 5 Notice | 2 |
| 2 Critical | 1 |
| 3 Error | 1 |
| 6 Informational | 1 |
Facility breakdown
| Facility | Count |
|---|---|
| user | 2 |
| auth | 1 |
| local4 | 1 |
| syslog | 1 |
Parsed messages (showing 5 of 5)
- Line 1: RFC 5424, Critical (2)
  - Priority (PRI): 34
  - Facility: 4 auth (security / authorization)
  - Severity: 2 Critical (crit)
  - Version: 1
  - Timestamp: 2026-06-23T22:14:15.003Z
  - Hostname: mymachine.example.com
  - App name: su
  - Process ID: (none)
  - Message ID: ID47
  - Structured data:
    - exampleSDID@32473: iut = 3, eventSource = Application, eventID = 1011
  - Message: BOM'su root' failed for lonvick on /dev/pts/8
- Line 2: RFC 5424, Notice (5)
  - Priority (PRI): 165
  - Facility: 20 local4
  - Severity: 5 Notice (notice)
  - Version: 1
  - Timestamp: 2026-06-23T12:14:15.000Z (raw: 2026-06-23T05:14:15.000003-07:00)
  - Hostname: 192.0.2.1
  - App name: evntslog
  - Process ID: 8710
  - Message ID: ID47
  - Structured data:
    - origin: ip = 192.0.2.1
    - meta: sequenceId = 1
  - Message: An application event log entry
- Line 3: RFC 5424, Notice (5)
  - Priority (PRI): 13
  - Facility: 1 user (user-level messages)
  - Severity: 5 Notice (notice)
  - Version: 1
  - Timestamp: 2026-06-23T09:30:00.123Z (raw: 2026-06-23T09:30:00.123456Z)
  - Hostname: web01
  - App name: nginx
  - Process ID: 4821
  - Message ID: (none)
  - Message: GET /api/health 200 in 4ms
- Line 4: RFC 5424, Error (3)
  - Priority (PRI): 11
  - Facility: 1 user (user-level messages)
  - Severity: 3 Error (err)
  - Version: 1
  - Timestamp: 2026-06-23T09:31:02.000Z (raw: 2026-06-23T09:31:02Z)
  - Hostname: db01
  - App name: postgres
  - Process ID: 1290
  - Message ID: (none)
  - Message: connection to database failed
- Line 5: RFC 5424, Informational (6)
  - Priority (PRI): 46
  - Facility: 5 syslog (messages from syslogd)
  - Severity: 6 Informational (info)
  - Version: 1
  - Timestamp: 2026-06-23T09:32:00.000Z (raw: 2026-06-23T09:32:00Z)
  - Hostname: gateway
  - App name: sshd
  - Process ID: 8022
  - Message ID: (none)
  - Structured data:
    - timeQuality: tzKnown = 1, isSynced = 1
  - Message: Accepted publickey for deploy from 203.0.113.7
Severities (0 to 7)
| Code | Severity | Meaning |
|---|---|---|
| 0 | Emergency (emerg) | System is unusable |
| 1 | Alert (alert) | Action must be taken immediately |
| 2 | Critical (crit) | Critical conditions |
| 3 | Error (err) | Error conditions |
| 4 | Warning (warning) | Warning conditions |
| 5 | Notice (notice) | Normal but significant condition |
| 6 | Informational (info) | Informational messages |
| 7 | Debug (debug) | Debug-level messages |
How PRI decodes
The number in angle brackets is the priority. Split it apart with two operations:
- facility = floor(PRI / 8) gives a value from 0 (kern) to 23 (local7).
- severity = PRI % 8 gives a value from 0 (emergency) to 7 (debug).
- Example: PRI 34 is facility 4 (auth) and severity 2 (critical), because 34 = 4 times 8 plus 2.
- The largest valid PRI is 191, which is facility 23 with severity 7.
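The PRI decode and the format choice described above, as an added JavaScript example (not the tool's own code). The function names, error strings, and the keywords chosen for facilities 12 to 15 are assumptions, and the sample lines are constructed.

```javascript
// Facility keywords 0-11 and 16-23 are the common ones; 12-15 vary by implementation (assumed here).
const FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
  "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
  "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"];
const SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"];
// RFC 3164 timestamp: "Mmm dd hh:mm:ss", day of month space-padded, no year, no zone.
const BSD_TIME = /^(Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec) [ \d]\d \d\d:\d\d:\d\d /;

// Constructed sample input: one RFC 5424 line and one RFC 3164 line.
const SAMPLE_LINES = [
  "<34>1 2026-06-23T22:14:15.003Z mymachine.example.com su - ID47 - 'su root' failed",
  "<13>Jun 23 09:30:00 web01 nginx[4821]: GET /api/health 200 in 4ms",
];

// Decode "<PRI>" at the start of a line. Returns the split fields or { error }.
function decodePri(line) {
  const end = line.indexOf(">");
  // "<191>" is the longest valid PRI, so ">" must sit at index 4 or earlier.
  if (end === -1 || end > 4) return { error: "PRI has no closing bracket" };
  const digits = line.slice(1, end);
  if (!/^\d{1,3}$/.test(digits)) return { error: "PRI is not a number" };
  const pri = Number(digits);
  if (pri > 191) return { error: "PRI above 191" };
  const facility = Math.floor(pri / 8);
  const severity = pri % 8;
  return {
    pri,
    facility: `${facility} ${FACILITIES[facility]}`,
    severity: `${severity} ${SEVERITIES[severity]}`,
    rest: line.slice(end + 1),
  };
}

// Read the PRI first, then pick the format from what follows it.
function classify(line) {
  const head = line.startsWith("<") ? decodePri(line) : { pri: null, rest: line };
  if (head.error) return head;
  // RFC 5424: a version number and a space directly after the PRI.
  if (head.pri !== null && /^[1-9]\d? /.test(head.rest)) return { format: "RFC 5424", ...head };
  // RFC 3164: a month-name timestamp; the PRI is optional.
  if (BSD_TIME.test(head.rest)) return { format: "RFC 3164", ...head };
  return { error: head.pri === null ? "no recognizable structure" : "missing version or timestamp after PRI" };
}
```
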
How to use
- Paste one or more syslog messages into the box, one per line, or load the RFC 5424 or RFC 3164 sample.
- Leave the format on Auto-detect to sort each line by its shape, or pin it to RFC 5424 or RFC 3164 if you know the source.
- Read each message card: the decoded priority with its facility and severity, the timestamp normalized to ISO where possible, the hostname, app name or tag, process ID, and message.
- For RFC 5424 lines, inspect the structured-data block, where each SD-ID and its quoted parameters are listed with escapes resolved.
- Check the severity and facility breakdown tables to see the spread of levels across the batch, and the notes on each card for soft warnings.
- Review the parse errors panel for any line that fails, then use Copy JSON to export every parsed message as structured data.
About this tool
Syslog Message Parser takes the raw syslog lines that Linux hosts, routers, firewalls, and network appliances emit, and breaks each one into the fields you actually need to read. It handles both wire formats. RFC 5424, the modern IETF format from 2009, has a strict shape: an angle-bracketed priority, a version number, an RFC 3339 timestamp, a hostname, an app name, a process ID, a message ID, a structured-data block, and the free-text message. RFC 3164, the original BSD format that is still the default on a lot of equipment, is looser: an optional priority, a Mmm dd hh:mm:ss timestamp with no year and no timezone, a hostname, a tag that often carries a process ID in square brackets, and then the message.

Auto-detect reads the priority first and then picks the format by looking at what follows it, a version digit for RFC 5424 or a month name for RFC 3164, so a mixed paste from several sources is sorted out line by line.

The centerpiece is the priority decode. The number in angle brackets, the PRI, is not arbitrary: it equals the facility times eight plus the severity. The tool splits it back apart, so a PRI of 34 is shown as facility 4 (auth) and severity 2 (critical), and it labels all 24 facilities (kern through local7) and all 8 severities (emergency through debug) with both the short keyword and the standard meaning.

Each parsed message is laid out as a labelled card with a colored severity chip, every header field, and the decoded facility and severity side by side. For RFC 5424 the structured-data block is fully parsed: each SD-ID and its quoted parameters are pulled out, with the defined backslash escapes for quote, backslash, and closing bracket resolved correctly, so a value that contains spaces or brackets survives intact.
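A structured-data parser that resolves the three defined escapes, as an added JavaScript example (not the tool's own code). The function name, the error strings, and the sample input are assumptions constructed for illustration.

```javascript
// Constructed sample: one SD element whose values contain quotes, a bracket and a backslash.
const SAMPLE_SD = String.raw`[demo@32473 note="say \"hi\" [x\] ok" path="C:\\tmp"] tail text`;

// Parse the STRUCTURED-DATA field at the start of s; returns { data, rest }.
// Objects have no prototype, so an SD-ID such as "__proto__" is stored as a plain key.
function parseStructuredData(s) {
  if (s === "-" || s.startsWith("- ")) return { data: {}, rest: s.slice(2) }; // NILVALUE
  if (s[0] !== "[") throw new Error("missing or malformed structured-data block");
  const data = Object.create(null);
  let i = 0;
  while (s[i] === "[") {
    const idStart = ++i;
    while (i < s.length && s[i] !== " " && s[i] !== "]") i++;
    const id = s.slice(idStart, i);
    if (!id || i >= s.length) throw new Error("malformed structured-data block");
    const params = (data[id] = Object.create(null));
    while (s[i] === " ") {
      // Each parameter is NAME="VALUE".
      const eq = s.indexOf('="', ++i);
      const name = eq === -1 ? "" : s.slice(i, eq);
      if (!/^[^ =\]"]+$/.test(name)) throw new Error("malformed structured-data block");
      i = eq + 2;
      let value = "";
      while (s[i] !== '"') {
        if (i >= s.length) throw new Error("unterminated quoted value");
        // Only \" \\ and \] are escapes; any other backslash is kept literally.
        if (s[i] === "\\" && '"\\]'.includes(s[i + 1])) i++;
        value += s[i++];
      }
      i++; // step over the closing quote
      params[name] = value;
    }
    if (s[i] !== "]") throw new Error("malformed structured-data block");
    i++;
  }
  // Whatever follows the last "]" (after one space) is the free-text message.
  return { data, rest: s.slice(i).replace(/^ /, "") };
}
```
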
Timestamps are normalized to ISO 8601 where possible; RFC 5424 times carry their own timezone, while RFC 3164 times have neither a year nor a zone, so the tool attaches the current year and reads the wall time as UTC and says so rather than guessing a locale.

It is a linter as well as a reader. It flags the mistakes that trip up collectors: a PRI above 191, a PRI with no closing bracket, a missing version on an RFC 5424 line, a malformed timestamp, a missing or malformed structured-data block, an unterminated quoted value, and a line with no recognizable structure.

When the parse is clean, every message exports as a structured JSON array carrying the priority, the numeric and named facility and severity, the version, both the raw and ISO timestamps, the hostname, app name, process ID, message ID, structured data as nested objects, and the message text, ready for a script, a test fixture, or a spreadsheet.

One honest limit: this reads the syslog text you paste, it is not a syslog server. It does not listen on UDP 514, receive from rsyslog or journald, or store anything. Everything runs locally in your browser, so the messages you paste are never uploaded or logged.
Free to use. Works in your browser. No signup, no login.