Hi,

I think you're confused a little bit. The "informational" level is known by the Windows agent of syslog-ng, not by the Unix syslog-ng daemon. If you're using the agent then you should ask BalaBit support; it's non-free and I guess it is supported officially. I've never used the agent myself, sorry.

The priority should be stored as an integer. Where is your SQL schema originating from, and what is your SQL destination definition?

Regards,
Sandor

On Mon, Jul 27, 2009 at 11:41 PM, Clayton Dukes <cdukes@gmail.com> wrote:
Anyone that can comment on this?
On Wed, Jul 22, 2009 at 10:59 PM, Clayton Dukes<cdukes@gmail.com> wrote:
Hey Guys,
According to the documentation:
$LEVEL = Importance level of the message represented as a number: 6 - Success, 5 - Informational, 4 - Warning, or 3 - Error.
$FACILITY = The facility sending the message.
$PRI = Priority header of the message, storing the facility and the level of the message.

Questions:
What is the difference between LEVEL and PRI in syslog-ng? It doesn't seem to be storing anything but the level? When I look in the database, it shows identical information about the two:

mysql> select distinct priority from logs;
+----------+
| priority |
+----------+
| alert    |
| crit     |
| debug    |
| emerg    |
| err      |
| info     |
| notice   |
| warning  |
+----------+

mysql> select distinct level from logs;
+---------+
| level   |
+---------+
| err     |
| info    |
| notice  |
| debug   |
| warning |
| crit    |
| emerg   |
| alert   |
+---------+

According to the RFC: The Priority value is calculated by first multiplying the Facility number by 8 and then adding the numerical value of the Severity. For example, a kernel message (Facility=0) with a Severity of Emergency (Severity=0) would have a Priority value of 0. Also, a "local use 4" message (Facility=20) with a Severity of Notice (Severity=5) would have a Priority value of 165. In the PRI part of a syslog message, these values would be placed between the angle brackets as <0> and <165> respectively. The only time a value of "0" will follow the "<" is for the Priority value of "0". Otherwise, leading "0"s MUST NOT be used.
So, if that's the case, couldn't I just grab the PRI from the message and store only that in the table and use the code on my end to derive the FAC and SEV (I assume severity = level in syslog-ng)?
Also, is there a way to store these as integers from syslog-ng? There's a finite number of all of these; it seems that it would be better/faster to store them as an integer in the table and reference that in my code. Or I could use enum - not sure which is faster. Can I safely drop LEVEL or PRI and only keep one? It seems odd to have two columns for the same thing :-)
Thanks!
Clayton Dukes
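Added example, not part of the original thread and not syslog-ng code: a strict parser for the RFC PRI header quoted above, which splits the stored integer back into facility and severity and rejects leading zeros and out-of-range values. The function names, the short facility labels for 12-15, and the sample lines are assumptions made for this illustration.

```python
import re
from typing import NamedTuple

# Severity keywords in numeric order 0..7 (the same names appear in the tables above).
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
# Facility codes 0..23 from RFC 3164; the short labels for 12-15 are this example's own.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock"] \
             + [f"local{i}" for i in range(8)]
MAX_PRI = 23 * 8 + 7  # 191, the highest facility combined with the highest severity

# "<", a decimal with no leading zeros (a lone "0" is the only exception), then ">".
PRI_RE = re.compile(r"<(0|[1-9][0-9]{0,2})>")


class Pri(NamedTuple):
    pri: int
    facility: int
    severity: int
    facility_name: str
    severity_name: str


def encode_pri(facility: int, severity: int) -> int:
    """Priority = Facility * 8 + Severity, as the RFC text quoted above states."""
    if not (0 <= facility <= 23 and 0 <= severity <= 7):
        raise ValueError("facility must be 0-23 and severity 0-7")
    return facility * 8 + severity


def parse_pri(message: str) -> Pri:
    """Validate the PRI header at the start of a raw message and decode it."""
    m = PRI_RE.match(message)
    if m is None:
        raise ValueError("missing or malformed PRI header")
    pri = int(m.group(1))
    if pri > MAX_PRI:
        raise ValueError(f"PRI {pri} is outside 0-{MAX_PRI}")
    facility, severity = divmod(pri, 8)  # inverse of facility * 8 + severity
    return Pri(pri, facility, severity, FACILITIES[facility], SEVERITIES[severity])


if __name__ == "__main__":
    # Constructed sample lines; the last three are malformed on purpose.
    for line in ["<0>kernel: panic", "<165>app: started", "<00>x", "<0165>x", "<192>x"]:
        try:
            print(line, "->", parse_pri(line))
        except ValueError as exc:
            print(line, "-> rejected:", exc)
```

Storing only the integer PRI column and decoding it this way gives both LEVEL and FACILITY; rejecting malformed headers at ingest keeps a crafted prefix from being filed under a facility it never came from.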