Man, that's a really complicated method for something that has a very simple solution (if you're using syslog-ng). Just use a template to write out your logs. I've included strategic bits from our syslog-ng.conf; it may not work as-is, but you get the basic idea.

# Syslog inputs
source s_external_syslog {
    udp(port(514));
};

# Local syslog
source s_internal_syslog {
    unix-dgram("/dev/log");
    file("/proc/kmsg" log_prefix("kernel:"));
};

# Syslog-ng's internal log
source s_syslog-ng {
    internal();
};

# This template reformats incoming messages for use in human-readable logfiles
template t_human_readable {
    template("$R_FULLDATE $HOST $FACILITY.$PRIORITY $MESSAGE\n");
    template-escape(no);
};

# The big monolithic syslog file
destination d_big_messages {
    file (
        "/var/log/logs/messages.log"
        template(t_human_readable)
        owner(root) group(root) perm(0644)
    );
};

# log syslog messages to the host-messages tree and to the big monolithic messages file
log {
    source(s_external_syslog);
    source(s_internal_syslog);
    destination(d_big_messages);
};

Paul Krizak                         5900 E. Ben White Blvd. MS 625
Advanced Micro Devices              Austin, TX 78741
Linux/Unix Systems Engineering      Phone: (512) 602-8775
Silicon Design Division             Cell: (512) 791-0686

G.W. Haywood wrote:
Hi there,
On Tue, 5 Dec 2006, "Justin Shore" wrote:
Does anyone know of a tool to read the facility and severity info from inbound syslog packets? I have a number of devices that are sending me syslog info and I can't determine what facility they're using.
From your description I'm not sure exactly what your problems are, but _if_ you're using syslog-ng (if not, why not?!:) and _if_ I understand what you need then I think I would simply create two sets of temporary logfiles: one set would log everything at every severity and the other would log everything at every facility. Then I'd look in the logs to see if I recognized any of the output.
A lot simpler and, er, more deterministic than hacking C and/or Perl.
--
73, Ged.
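
Added example, not part of the original thread: the $FACILITY.$PRIORITY fields in the template above are derived from the PRI number at the start of each syslog datagram, and this Python code decodes that number directly as RFC 3164 describes. The function names, sender addresses and payloads are constructed for illustration.

```python
import re

# Facility codes 0-23 and severity codes 0-7 in numeric order (RFC 3164).
# The keyword names used for facility codes 12-15 vary between implementations.
FACILITIES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# PRI is "<", one to three digits, ">" at the very start of the datagram.
PRI_RE = re.compile(rb"^<(\d{1,3})>")

def decode_pri(packet: bytes):
    """Return (facility, severity, rest_of_message) for one raw datagram.

    PRI = facility * 8 + severity, so the maximum valid value is 191.
    A missing or out-of-range PRI is treated as 13 (user.notice), the
    value RFC 3164 tells relays to assume, and the payload is left intact.
    """
    m = PRI_RE.match(packet)
    if m is None or int(m.group(1)) > 191:
        return "user", "notice", packet
    pri = int(m.group(1))
    return FACILITIES[pri >> 3], SEVERITIES[pri & 7], packet[m.end():]

def summarize(packets):
    """Count facility.severity pairs per sender: {(sender, "fac.sev"): n}."""
    counts = {}
    for sender, data in packets:
        fac, sev, _ = decode_pri(data)
        key = (sender, f"{fac}.{sev}")
        counts[key] = counts.get(key, 0) + 1
    return counts

# Constructed sample datagrams as (sender address, payload) pairs.
SAMPLE = [
    ("192.0.2.10", b"<189>Dec  5 10:00:00 router1 interface state changed"),
    ("192.0.2.10", b"<190>Dec  5 10:00:01 router1 configuration saved"),
    ("192.0.2.20", b"<38>Dec  5 10:00:02 host2 sshd[411]: session opened"),
    ("192.0.2.30", b"message sent without any PRI field"),
]

if __name__ == "__main__":
    for (sender, pair), n in sorted(summarize(SAMPLE).items()):
        print(f"{sender:<12} {pair:<16} {n}")
```
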