| protocol | protocol | Transport protocol for Syslog messages; may be TCP or UDP |
| host | host | Host name or IP address of the receiving Syslog server |
| port | port | The TCP/IP port number of the receiving Syslog server |
| connectTimeout | connectTimeout | Timeout for connecting to the Syslog server (seconds) |
| facility | facility | Options shown in the Admin UI, KERN, USER, MAIL, DAEMON, AUTH, SYSLOG, LPR, NEWS, UUCP, CRON, AUTPRIV, FTP, NTP, LOGAUDIT, LOGALERT, CLOCKD, LOCAL0, LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7 correspond directly to facility values shown in RFC 5424, The Syslog Protocol. |
| SeverityFieldMappings | severityFieldMappings | Sets the correspondence between audit event fields and Syslog severity values |
| topic | topic | Severity Field Mappings: the audit event topic to which the mapping applies |
| field | field | Severity Field Mappings: the audit event field to which the mapping applies; taken from the JSON schema for the audit event content |
| Value Mappings | valueMappings | Severity Field Mappings: The map of audit event values to Syslog severities. Syslog severities may be: EMERGENCY, ALERT, CRITICAL, ERROR, WARNING, NOTICE, INFORMATIONAL, or DEBUG, in descending order of importance |
| Buffering | buffering | Disabled by default; all messages written immediately to the log |