
Syslog Message Format Reference

RhythmX exports two types of syslog feeds — Alert Syslog for RhythmX detections and Incident/Case Syslog for incident lifecycle events. Both use RFC 5424 format over TCP or UDP.


Overview

| Feed | Service | Facility | App Name | Health Port | What It Sends |
|---|---|---|---|---|---|
| Alert Syslog | sigma-syslog-sender | local0 (16) | SigmaAlert | 8888 | Deduplicated sigma_alerts with raw logs |
| Incident/Case Syslog | sigma-incident-syslog | local1 (17) | SigmaIncident | 8889 | Incident & case lifecycle events with enriched data |

RFC 5424 Message Structure

Both feeds follow the RFC 5424 format:

<PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID [STRUCTURED-DATA] MSG

Example:

<134>1 2026-03-13T04:30:00Z RhythmX SigmaAlert 12345 FIRST [sigma@32473 hash="a1b2c3d4" count="47" risk="85" ml_cluster="3" first_seen="2026-03-12T08:00:00Z" last_seen="2026-03-13T04:30:00Z"] {"raw": "...original log..."}


Alert Syslog Format

The alert syslog sender exports deduplicated RhythmX rule detections. Each unique alert is sent once on first detection, then hourly with delta counts.

Event Types

| Message ID | When Sent | Content |
|---|---|---|
| FIRST | New alert detected | Full raw log + metadata |
| HOURLY | Every 60 minutes | Raw log + new occurrence count since last send |

Structured Data Fields

Enterprise number: 32473 (SD-ID: sigma@32473)

| Field | Type | Description | Example |
|---|---|---|---|
| hash | string | Unique alert hash (first 16 chars) | a1b2c3d4e5f67890 |
| count | integer | Total occurrence count | 47 |
| risk | integer | Alert risk score | 85 |
| ml_cluster | integer | ML anomaly cluster (-1 if none) | 3 |
| first_seen | ISO 8601 | First occurrence timestamp | 2026-03-12T08:00:00Z |
| last_seen | ISO 8601 | Most recent occurrence | 2026-03-13T04:30:00Z |
| hourly_delta | integer | New occurrences since last send (hourly only) | 5 |
| burst | boolean | Burst/spike detected (hourly only) | true |

Message Body

The message body contains the raw log from the original detection — the full Windows Event Log, Sysmon event, or Linux Auditd record.

Complete Alert Syslog Example

First detection:

<134>1 2026-03-13T04:30:00Z RhythmX SigmaAlert 12345 FIRST [sigma@32473 hash="a1b2c3d4e5f6" count="1" risk="85" ml_cluster="3" first_seen="2026-03-13T04:30:00Z" last_seen="2026-03-13T04:30:00Z"] {"EventTime":"2026-03-13 04:29:55","Computer":"WS-101","Channel":"Security","EventID":"4624","UserName":"jsmith","LogonType":"10",...}

Hourly update with burst:

<134>1 2026-03-13T05:30:00Z RhythmX SigmaAlert 12345 HOURLY [sigma@32473 hash="a1b2c3d4e5f6" count="147" risk="85" ml_cluster="3" first_seen="2026-03-13T04:30:00Z" last_seen="2026-03-13T05:28:00Z" hourly_delta="146" burst="true"] {"EventTime":"2026-03-13 05:28:00","Computer":"WS-101",...}
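To show how the header, the SD-PARAMs and the JSON body of these messages come apart, here is an added Python parser written for this page; it is not code from RhythmX or from its sender services. It assumes only the layout shown above (PRI decoded as facility * 8 + severity, backslash-escaped `"`, `\` and `]` inside SD values, PROCID/MSGID possibly the nil value `-`). The two sample messages are constructed from the examples on this page with the truncated bodies completed to valid JSON.

```python
import json
import re
from dataclasses import dataclass, field

# RFC 5424 header as used by both RhythmX feeds:
#   <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID [SD-ID SD-PARAM...] MSG
# PROCID and MSGID may be the NILVALUE "-" (the incident feed sends "-" as MSGID),
# so both are matched as any non-space token. Inside an SD-ELEMENT the characters
# ", \ and ] are backslash-escaped, which the SD pattern has to respect.
HEADER_RE = re.compile(
    r'^<(?P<pri>\d{1,3})>(?P<version>\d+) (?P<timestamp>\S+) (?P<hostname>\S+) '
    r'(?P<app_name>\S+) (?P<procid>\S+) (?P<msgid>\S+) '
    r'\[(?P<sd>(?:[^\]\\]|\\.)*)\](?: (?P<msg>.*))?$'
)
PARAM_RE = re.compile(r'(?P<name>[^\s=]+)="(?P<value>(?:[^"\\]|\\.)*)"')

# SD-PARAM names that the field tables on this page declare as integer / boolean.
INT_FIELDS = {"count", "risk", "ml_cluster", "hourly_delta", "risk_score",
              "alarm_count", "sigma_alert_count", "threat_case_count", "alert_count"}
BOOL_FIELDS = {"burst"}


@dataclass
class SyslogMessage:
    facility: int
    severity: int
    timestamp: str
    hostname: str
    app_name: str
    procid: str
    msgid: str
    sd_id: str
    params: dict = field(default_factory=dict)
    body: object = None  # parsed JSON when the MSG part is JSON, else the raw string


def parse_message(line: str) -> SyslogMessage:
    """Split one RFC 5424 line into header fields, SD-PARAMs and body."""
    m = HEADER_RE.match(line.rstrip("\r\n"))
    if not m:
        raise ValueError("not an RFC 5424 message with structured data: %r" % line[:60])
    pri = int(m.group("pri"))
    sd_id, _, sd_params = m.group("sd").partition(" ")
    # Unescape \" \\ \] inside each value after extracting it.
    params = {p.group("name"): re.sub(r"\\(.)", r"\1", p.group("value"))
              for p in PARAM_RE.finditer(sd_params)}
    raw = m.group("msg") or ""
    try:
        body = json.loads(raw)
    except ValueError:
        body = raw  # keep a non-JSON body (e.g. a truncated raw log) as text
    return SyslogMessage(
        facility=pri >> 3, severity=pri & 7,  # PRI = facility * 8 + severity
        timestamp=m.group("timestamp"), hostname=m.group("hostname"),
        app_name=m.group("app_name"), procid=m.group("procid"), msgid=m.group("msgid"),
        sd_id=sd_id, params=params, body=body,
    )


def typed_params(msg: SyslogMessage) -> dict:
    """Convert SD-PARAM strings to the types the field tables declare."""
    out = {}
    for name, value in msg.params.items():
        if name in INT_FIELDS:
            out[name] = int(value)
        elif name in BOOL_FIELDS:
            out[name] = value.lower() == "true"
        else:
            out[name] = value
    return out


# Constructed samples based on this page's examples (bodies completed to valid JSON).
ALERT_FIRST = (
    '<134>1 2026-03-13T04:30:00Z RhythmX SigmaAlert 12345 FIRST '
    '[sigma@32473 hash="a1b2c3d4e5f6" count="1" risk="85" ml_cluster="3" '
    'first_seen="2026-03-13T04:30:00Z" last_seen="2026-03-13T04:30:00Z"] '
    '{"EventTime":"2026-03-13 04:29:55","Computer":"WS-101","Channel":"Security",'
    '"EventID":"4624","UserName":"jsmith","LogonType":"10"}'
)
INCIDENT_CREATED = (
    '<137>1 2026-03-13T04:35:00Z RhythmX SigmaIncident 67890 - '
    '[sigma-incident@32473 id="INC-7601d999" event="created" actor="jsmith" actor_type="user" '
    'entity="Primary Site" status="OPEN" risk_score="82" risk_level="critical" '
    'related_case_ids="CASE-abc123,CASE-def456" assigned_analyst="" external_ticket=""] '
    '{"incident_id":"INC-7601d999","event":"created","group_key":"jsmith",'
    '"related_cases":[{"case_id":"CASE-abc123"},{"case_id":"CASE-def456"}]}'
)

if __name__ == "__main__":
    for line in (ALERT_FIRST, INCIDENT_CREATED):
        m = parse_message(line)
        print(m.app_name, m.msgid, "facility=%d severity=%d" % (m.facility, m.severity),
              typed_params(m))
```

Note that the SD-PARAM values arrive as strings; `typed_params` is where a consumer should apply the integer and boolean types from the field tables before comparing counts or risk scores.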

Burst Detection

An alert is flagged as burst=true when:

  • Hourly delta exceeds 100 occurrences, or
  • Hourly delta exceeds 5x the average hourly rate for that alert
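An added Python sketch of the burst rule just described, written for this page rather than taken from the RhythmX sender: it keeps a per-alert history of hourly deltas and flags a burst when either condition holds. How the sender forms the average is not stated on the page; the example assumes the average of that alert's earlier hourly deltas, so the first HOURLY update can only trip the absolute threshold.

```python
from collections import defaultdict, deque

BURST_ABSOLUTE = 100   # hourly delta above this is a burst on its own
BURST_RATIO = 5.0      # or above 5x the alert's average hourly rate


class BurstTracker:
    """Per-alert hourly history plus the two-condition burst rule."""

    def __init__(self, window_hours: int = 24 * 7):
        # alert hash -> recent hourly deltas (bounded so memory stays flat per alert)
        self.history = defaultdict(lambda: deque(maxlen=window_hours))

    def observe(self, alert_hash: str, hourly_delta: int) -> bool:
        """Record one HOURLY update and return True if it qualifies as a burst."""
        past = self.history[alert_hash]
        # Assumption: the average covers the earlier hourly deltas of this alert only.
        # A baseline of all zeros makes any positive delta exceed 5x the average,
        # which is the literal reading of the rule above.
        average = sum(past) / len(past) if past else None
        burst = hourly_delta > BURST_ABSOLUTE or (
            average is not None and hourly_delta > BURST_RATIO * average)
        past.append(hourly_delta)
        return burst


def replay(tracker: BurstTracker, alert_hash: str, deltas) -> list:
    """Feed a sequence of hourly deltas for one alert; return the burst flag per hour."""
    return [tracker.observe(alert_hash, d) for d in deltas]


if __name__ == "__main__":
    # Constructed sequence: quiet alert, then a 6x jump in the third hour.
    print(replay(BurstTracker(), "a1b2c3d4e5f6", [10, 10, 60, 30]))
```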

Incident/Case Syslog Format

The incident/case syslog sender exports lifecycle events — when incidents or cases are created and when they change status. Each message includes enriched data from the risk scoring engine, MITRE ATT&CK mapping, and cross-references between incidents and cases.

Event Types

| Event | Source | When Sent |
|---|---|---|
| incident_created | Incident table | New incident auto-created or promoted |
| incident_updated | Incident table | Status, analyst, notes, or ticket changed |
| case_created | Threat cases table | New correlation case detected |
| case_updated | Threat cases table | Case status changed |

Syslog Severity Mapping

Syslog severity is set based on risk level (incidents) or case severity (cases):

| Risk Level / Severity | Syslog Severity | Syslog Code |
|---|---|---|
| Critical (score >= 85) | Critical | 2 |
| High (score >= 70) | Error | 3 |
| Medium (score >= 40) | Warning | 4 |
| Low | Informational | 6 |

Incident Structured Data

SD-ID: sigma-incident@32473

| Field | Type | Description | Example |
|---|---|---|---|
| id | string | Incident ID | INC-7601d999 |
| event | string | Event type | created or updated |
| actor | string | Actor identifier (user/host/IP) | jsmith |
| actor_type | string | Actor type | user, host, ip |
| entity | string | Entity/tenant name | Primary Site |
| status | string | Incident status | OPEN, IN_PROGRESS, CLOSED, FALSE_POSITIVE |
| risk_score | integer | Composite risk score (0-100) | 82 |
| risk_level | string | Risk tier | critical, high, medium, low |
| alarm_count | integer | Total LogRhythm alarms | 156 |
| sigma_alert_count | integer | Total RhythmX detections | 47 |
| threat_case_count | integer | Active threat cases | 3 |
| related_case_ids | string | Comma-separated case IDs | CASE-abc,CASE-def |
| related_case_types | string | Comma-separated case types | lateral_movement,credential_theft |
| assigned_analyst | string | Assigned analyst | analyst1 |
| external_ticket | string | External ticket ID | SEC-1234 |

Incident JSON Body

The message body is a full JSON payload with all enriched data:

{
  "incident_id": "INC-7601d999",
  "event": "created",
  "group_key": "jsmith",
  "actor_type": "user",
  "entity_name": "Primary Site",
  "status": "OPEN",
  "assigned_analyst": null,
  "investigation_notes": null,
  "resolution_notes": null,
  "external_ticket_id": null,
  "external_ticket_url": null,
  "external_system": null,
  "risk": {
    "score": 82,
    "level": "critical",
    "alarm_count": 156,
    "alarm_count_7d": 89,
    "alarm_count_24h": 23,
    "sigma_alert_count": 47,
    "sigma_unique_rules": 12,
    "sigma_high_sev_count": 8,
    "threat_case_count": 3,
    "max_rbp": 95,
    "avg_rbp": 67.5
  },
  "mitre": {
    "unique_tactics": 6,
    "unique_techniques": 14
  },
  "related_cases": [
    {
      "case_id": "CASE-abc123",
      "case_type": "lateral_movement",
      "severity": "CRITICAL",
      "status": "OPEN",
      "alert_count": 28,
      "max_risk_score": 85,
      "first_alert": "2026-03-12T14:00:00Z",
      "last_alert": "2026-03-13T02:30:00Z"
    },
    {
      "case_id": "CASE-def456",
      "case_type": "credential_theft",
      "severity": "HIGH",
      "status": "OPEN",
      "alert_count": 12,
      "max_risk_score": 78,
      "first_alert": "2026-03-12T16:00:00Z",
      "last_alert": "2026-03-13T01:15:00Z"
    }
  ],
  "timeline": {
    "first_alarm": "2026-03-12T18:26:28Z",
    "last_alarm": "2026-03-13T03:49:20Z",
    "risk_first_seen": "2026-03-12T08:00:00Z",
    "risk_last_seen": "2026-03-13T04:00:00Z",
    "created_at": "2026-03-12T18:26:28Z",
    "updated_at": "2026-03-13T03:49:20Z",
    "closed_at": null
  }
}

Complete Incident Syslog Example

<137>1 2026-03-13T04:35:00Z RhythmX SigmaIncident 67890 - [sigma-incident@32473 id="INC-7601d999" event="created" actor="jsmith" actor_type="user" entity="Primary Site" status="OPEN" risk_score="82" risk_level="critical" alarm_count="156" sigma_alert_count="47" threat_case_count="3" related_case_ids="CASE-abc123,CASE-def456" related_case_types="lateral_movement,credential_theft" assigned_analyst="" external_ticket=""] {"incident_id":"INC-7601d999","event":"created","group_key":"jsmith",...}

Case Structured Data

SD-ID: sigma-case@32473

| Field | Type | Description | Example |
|---|---|---|---|
| id | string | Case ID | CASE-abc123 |
| event | string | Event type | created or updated |
| entity | string | Entity/tenant name | Primary Site |
| type | string | Correlation type | lateral_movement |
| status | string | Case status | OPEN, IN_PROGRESS, CLOSED |
| severity | string | Case severity | CRITICAL, HIGH, MEDIUM, LOW |
| alert_count | integer | Alerts in this case | 28 |
| risk_score | integer | Max risk score | 85 |
| primary_user | string | Primary actor | jsmith |
| affected_hosts | string | Comma-separated hostnames | WS-101,WS-102,DC-01 |
| assigned_analyst | string | Assigned analyst | analyst1 |
| related_incident_id | string | Linked incident ID | INC-7601d999 |

Case JSON Body

{
  "case_id": "CASE-abc123",
  "event": "created",
  "entity_name": "Primary Site",
  "case_type": "lateral_movement",
  "status": "OPEN",
  "severity": "CRITICAL",
  "primary_user": "jsmith",
  "assigned_analyst": null,
  "investigation_notes": null,
  "alert_count": 28,
  "max_risk_score": 85,
  "affected_computers": ["WS-101", "WS-102", "DC-01"],
  "related_incident": {
    "incident_id": "INC-7601d999",
    "group_key": "jsmith",
    "status": "OPEN",
    "assigned_analyst": null
  },
  "timeline": {
    "first_alert": "2026-03-12T14:00:00Z",
    "last_alert": "2026-03-13T02:30:00Z",
    "created_at": "2026-03-12T14:05:00Z",
    "updated_at": "2026-03-13T02:35:00Z"
  }
}

Cross-Referencing Incidents and Cases

Incidents and cases are linked through the actor identity:

  • Incident → Cases: The incident's group_key (actor) maps to threat_cases.primary_user. Each incident syslog message includes related_case_ids and the full related_cases[] array.

  • Case → Incident: Each case's primary_user maps back to incidents.group_key. Each case syslog message includes related_incident_id and the full related_incident{} object.

flowchart LR
    A["Incident<br>INC-7601d999<br>actor: jsmith"] -->|"group_key = primary_user"| B["Case: Lateral Movement<br>CASE-abc123"]
    A -->|"group_key = primary_user"| C["Case: Credential Theft<br>CASE-def456"]

    style A fill:#b71c1c,stroke:#f05545,color:#fff
    style B fill:#0d47a1,stroke:#42a5f5,color:#fff
    style C fill:#0d47a1,stroke:#42a5f5,color:#fff

This enables SIEM correlation rules like: "When an incident is created, automatically pull all related case details from the same syslog stream."
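The correlation just described, as an added Python example written for this page (not RhythmX code): it consumes the JSON bodies of incident and case messages from one stream, joins them both ways on `group_key == primary_user`, reports which cases an incident's `related_cases[]` names that have not arrived yet, and lets a later `case_updated` replace the stored copy. The payloads are constructed from the JSON examples above, trimmed to the fields the join needs.

```python
from collections import defaultdict


class Correlator:
    """Joins incident and case payloads on actor identity:
    incident.group_key == case.primary_user, in both directions."""

    def __init__(self):
        self.incidents = {}                      # incident_id -> latest payload
        self.cases = {}                          # case_id -> latest payload
        self.incidents_by_actor = defaultdict(set)
        self.cases_by_actor = defaultdict(set)

    def ingest(self, body: dict) -> str:
        """Store one JSON body; created and updated events both replace the stored copy."""
        if "case_id" in body:                    # case bodies carry case_id at top level
            self.cases[body["case_id"]] = body
            self.cases_by_actor[body["primary_user"]].add(body["case_id"])
            return "case"
        if "incident_id" in body:                # incident bodies carry incident_id at top level
            self.incidents[body["incident_id"]] = body
            self.incidents_by_actor[body["group_key"]].add(body["incident_id"])
            return "incident"
        raise ValueError("payload is neither an incident nor a case body")

    def cases_for_incident(self, incident_id: str) -> list:
        actor = self.incidents[incident_id]["group_key"]
        return [self.cases[c] for c in sorted(self.cases_by_actor[actor])]

    def incidents_for_case(self, case_id: str) -> list:
        actor = self.cases[case_id]["primary_user"]
        return [self.incidents[i] for i in sorted(self.incidents_by_actor[actor])]

    def missing_cases(self, incident_id: str) -> list:
        """Case IDs the incident's related_cases[] lists but that have not been received."""
        claimed = {c["case_id"] for c in self.incidents[incident_id].get("related_cases", [])}
        return sorted(claimed - set(self.cases))

    def affected_hosts_for_incident(self, incident_id: str) -> list:
        """Union of affected_computers across the cases joined to this incident."""
        hosts = set()
        for case in self.cases_for_incident(incident_id):
            hosts.update(case.get("affected_computers", []))
        return sorted(hosts)


# Constructed payloads, trimmed from the incident and case JSON examples on this page.
INCIDENT = {
    "incident_id": "INC-7601d999", "event": "created", "group_key": "jsmith",
    "actor_type": "user", "status": "OPEN", "risk": {"score": 82, "level": "critical"},
    "related_cases": [{"case_id": "CASE-abc123", "case_type": "lateral_movement"},
                      {"case_id": "CASE-def456", "case_type": "credential_theft"}],
}
CASE_ABC = {
    "case_id": "CASE-abc123", "event": "created", "case_type": "lateral_movement",
    "status": "OPEN", "severity": "CRITICAL", "primary_user": "jsmith",
    "affected_computers": ["WS-101", "WS-102", "DC-01"],
    "related_incident": {"incident_id": "INC-7601d999", "group_key": "jsmith"},
}
CASE_DEF = {
    "case_id": "CASE-def456", "event": "created", "case_type": "credential_theft",
    "status": "OPEN", "severity": "HIGH", "primary_user": "jsmith",
    "affected_computers": ["WS-101"],
    "related_incident": {"incident_id": "INC-7601d999", "group_key": "jsmith"},
}
CASE_ABC_CLOSED = dict(CASE_ABC, event="updated", status="CLOSED")

if __name__ == "__main__":
    c = Correlator()
    c.ingest(INCIDENT)
    print("cases still to arrive:", c.missing_cases("INC-7601d999"))
    for body in (CASE_ABC, CASE_DEF, CASE_ABC_CLOSED):
        c.ingest(body)
    print([(x["case_id"], x["status"]) for x in c.cases_for_incident("INC-7601d999")])
    print("hosts:", c.affected_hosts_for_incident("INC-7601d999"))
```

Because an incident message can arrive before the cases it references, `missing_cases` is the check to run at `incident_created` time; the embedded `related_cases[]` gives the analyst a summary immediately, and the join fills in the full case payloads as they land on the same feed.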


Parsing in Your SIEM

Splunk

Extract structured data fields using props.conf:

[source::sigma_incidents]
SHOULD_LINEMERGE = false
# Anchor timestamp recognition to the RFC 5424 TIMESTAMP that follows "<PRI>1 ",
# so the EventTime values inside the JSON body are never picked up instead.
TIME_PREFIX = ^<\d{1,3}>\d+\s
TIME_FORMAT = %Y-%m-%dT%H:%M:%SZ
MAX_TIMESTAMP_LOOKAHEAD = 25
EXTRACT-incident_id = sigma-incident@32473\s+id="(?<incident_id>[^"]+)"
EXTRACT-risk_score = risk_score="(?<risk_score>\d+)"
EXTRACT-actor = actor="(?<actor>[^"]+)"
EXTRACT-status = status="(?<incident_status>[^"]+)"
EXTRACT-case_ids = related_case_ids="(?<related_case_ids>[^"]+)"

QRadar

Create a custom log source type with DSM parsing:

  • Log Source Type: Syslog
  • Protocol: TCP/514
  • Facility: local0 (alerts) or local1 (incidents)
  • App Name: SigmaAlert or SigmaIncident

Use regex property extraction on structured data fields.

Elastic / OpenSearch

Use a Logstash pipeline with the syslog_pri and kv filters:

filter {
  grok {
    # PROCID and MSGID are matched as NOTSPACE because either may be the nil value "-"
    # (the incident feed sends "-" as MSGID).
    match => { "message" => "<%{POSINT:syslog_pri}>%{NONNEGINT:syslog_version} %{TIMESTAMP_ISO8601:timestamp} %{HOSTNAME:hostname} %{WORD:app_name} %{NOTSPACE:procid} %{NOTSPACE:msg_id} \[%{DATA:structured_data}\] %{GREEDYDATA:json_body}" }
  }
  # Split the PRI number into syslog_facility / syslog_severity fields
  syslog_pri { }
  # Turn the SD-PARAMs (key="value" pairs after the SD-ID) into fields
  kv {
    source => "structured_data"
    field_split => " "
    value_split => "="
  }
  json {
    source => "json_body"
    target => "incident"
  }
}

Configuration

Alert Syslog

Config file: /opt/Sigma_ML_MSSP/siem_sender/config.json

{
  "syslog": {
    "protocol": "tcp",
    "host": "192.168.1.50",
    "port": 514,
    "app_name": "SigmaAlert"
  },
  "daemon": {
    "poll_interval_seconds": 30,
    "hourly_interval_minutes": 60,
    "batch_size": 100,
    "health_port": 8888
  }
}

Incident/Case Syslog

Config file: /opt/Sigma_ML_MSSP/siem_sender/incident_syslog_config.json

{
  "syslog": {
    "protocol": "tcp",
    "host": "192.168.1.50",
    "port": 514,
    "facility": 17,
    "app_name": "SigmaIncident",
    "hostname": "RhythmX"
  },
  "daemon": {
    "poll_interval_seconds": 60,
    "batch_size": 50,
    "health_port": 8889
  }
}

Both can be configured through System Settings > Integrations in the web UI.


Health Checks

# Alert syslog health
curl http://localhost:8888/health

# Incident syslog health
curl http://localhost:8889/health

Response:

{
  "status": "running",
  "uptime_seconds": 86400,
  "incidents_sent": 45,
  "cases_sent": 128,
  "errors": 0,
  "last_poll": "2026-03-13T04:30:00Z"
}