Isn't that good for you, if you write a syslog-ng template using these macros?

FACILITY
    The name of the facility from where the message originates.

PRIORITY or LEVEL
    The priority of the message.

TAG
    The priority and facility encoded as a 2 digit hexadecimal number.

PRI
    The priority and facility encoded as a 2 or 3 digit decimal number as it is present in syslog messages.

So if you log everything into one file with the facility/priority placed in the message this way (using a template), then you can determine the facility of your devices. (I'm sure you can recognize the messages sent by the devices, so you can distinguish them from each other.)

Balazs

-----Original Message-----
From: syslog-ng-bounces@lists.balabit.hu [mailto:syslog-ng-bounces@lists.balabit.hu] On Behalf Of Justin Shore
Sent: Tuesday, December 05, 2006 4:55 AM
To: syslog-ng@lists.balabit.hu
Subject: [syslog-ng] Tool to determine facility and severity from syslogpackets

Does anyone know of a tool to read the facility and severity info from inbound syslog packets? I have a number of devices that are sending me syslog info and I can't determine what facility they're using. These devices can't be set to use specific facilities unfortunately. It would be ideal if I could read the data out of a raw dump from tcpdump or at least be able to bind it to 514/udp and prepend facility/severity info on each log line.

Along the same lines it would be sweet if there was a way to rewrite the facility information in inbound syslog packets (based on source IP) before passing them to your favorite syslog server. This would be ideal for occasions such as this.

Any info would be greatly appreciated.

Thanks
Justin
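Added example, not part of the original thread and not syslog-ng code: a small Python decoder for the `<PRI>` header discussed above, which splits the decimal PRI value into facility and severity (PRI = facility * 8 + severity), prepends them to each line, and tallies facilities per source. The function names, the short facility labels, and the sample packets and addresses are constructed for illustration.

```python
import re
from collections import defaultdict

# Short labels (an assumption of this example) for the RFC 3164 numeric codes.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3",
              "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err",
              "warning", "notice", "info", "debug"]
PRI_RE = re.compile(rb"^<(\d{1,3})>")  # PRI is 1 to 3 decimal digits

def decode_pri(payload: bytes):
    """Return (facility, severity, rest_of_message), or None without a valid PRI."""
    m = PRI_RE.match(payload)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:  # highest valid value: facility 23 * 8 + severity 7
        return None
    facility, severity = divmod(pri, 8)
    return FACILITIES[facility], SEVERITIES[severity], payload[m.end():]

def annotate(payload: bytes) -> str:
    """Prepend 'facility.severity' to a raw syslog payload."""
    decoded = decode_pri(payload)
    if decoded is None:
        return "unknown.unknown " + payload.decode("utf-8", "replace")
    fac, sev, rest = decoded
    return f"{fac}.{sev} {rest.decode('utf-8', 'replace')}"

def facilities_by_source(packets):
    """Map each source address to the sorted set of facilities it used."""
    seen = defaultdict(set)
    for src, payload in packets:
        decoded = decode_pri(payload)
        seen[src].add(decoded[0] if decoded else "unknown")
    return {src: sorted(facs) for src, facs in seen.items()}

# Constructed sample: (source IP, UDP payload) pairs as a capture might yield.
SAMPLE = [
    ("192.0.2.10", b"<189>Dec  5 04:55:01 sw1 link up on port 3"),
    ("192.0.2.11", b"<34>Dec  5 04:55:02 fw1 su: auth failure"),
    ("192.0.2.12", b"no PRI header here"),
]

if __name__ == "__main__":
    for src, payload in SAMPLE:
        print(src, annotate(payload))
    print(facilities_by_source(SAMPLE))
```
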