Re: [syslog-ng] Questions about Facility, Priority and Level

Anyone that can comment on this? On Wed, Jul 22, 2009 at 10:59 PM, Clayton Dukes<cdukes@gmail.com> wrote:

Hey Guys,

According to the documentation: $LEVEL     = Importance level of the message represented as a number: 6 - Success, 5 - Informational, 4- Warning, or 3 - Error). $FACILITY = The facility sending the message. $PRI          = Priority header of the message, storing the facility and the level of the message.

Questions: What is the difference between LEVEL and PRI in syslog-ng? it doesn't seem to be storing anything but the level? When I look in the database, it shows identical information about the two:

mysql> select distinct priority from logs; +----------+ | priority | +----------+ | alert    | | crit     | | debug    | | emerg    | | err      | | info     | | notice   | | warning  | +----------+

mysql> select distinct level from logs; +---------+ | level   | +---------+ | err     | | info    | | notice  | | debug   | | warning | | crit    | | emerg   | | alert   | +---------+

According to the RFC: The Priority value is calculated by first multiplying the Facility   number by 8 and then adding the numerical value of the Severity. For   example, a kernel message (Facility=0) with a Severity of Emergency   (Severity=0) would have a Priority value of 0.  Also, a "local use 4"   message (Facility=20) with a Severity of Notice (Severity=5) would   have a Priority value of 165.  In the PRI part of a syslog message,   these values would be placed between the angle brackets as <0> and   <165> respectively.  The only time a value of "0" will follow the "<"   is for the Priority value of "0". Otherwise, leading "0"s MUST NOT be   used.

So, if that's the case, couldn't I just grab the PRI from the message and store only that in the table and use the code on my end to derive the FAC and SEV (I assume severity = level in syslog-ng)?

Also, is there a way to store these as integers from syslog-ng? There's a finite number of all of these, it seems that it would be better/faster to store them as an integer in the table and reference that in my code. Or I could use enum - not sure which is faster. Can I safely drop LEVEL or PRI and only keep one? it seems odd to have two columns for the same thing :-)

Thanks! ______________________________________________________________

Clayton Dukes ______________________________________________________________

-- ______________________________________________________________ Clayton Dukes ______________________________________________________________