[syslog-ng] Tool to determine facility and severity from syslog packets
Paul Krizak
paul.krizak at amd.com
Tue Dec 5 17:10:25 CET 2006
Man, that's a really complicated method for something that has a very
simple solution (if you're using syslog-ng). Just use a template to
write out your logs. I've included strategic bits from our
syslog-ng.conf; it may not work as-is, but you get the basic idea.
# Syslog inputs
source s_external_syslog {
    udp(port(514));
};

# Local syslog
source s_internal_syslog {
    unix-dgram("/dev/log");
    file("/proc/kmsg" log_prefix("kernel:"));
};

# Syslog-ng's internal log
source s_syslog-ng {
    internal();
};

# This template reformats incoming messages for use in human-readable
# logfiles. $FACILITY.$PRIORITY expands to the facility and severity
# decoded from each message's PRI, e.g. "local4.notice".
template t_human_readable {
    template("$R_FULLDATE $HOST $FACILITY.$PRIORITY $MESSAGE\n");
    template-escape(no);
};

# The big monolithic syslog file
destination d_big_messages {
    file(
        "/var/log/logs/messages.log"
        template(t_human_readable)
        owner(root)
        group(root)
        perm(0644)
    );
};

# log syslog messages to the host-messages tree and to the big
# monolithic messages file
log {
    source(s_external_syslog);
    source(s_internal_syslog);
    destination(d_big_messages);
};
Paul Krizak                       5900 E. Ben White Blvd. MS 625
Advanced Micro Devices            Austin, TX 78741
Linux/Unix Systems Engineering    Phone: (512) 602-8775
Silicon Design Division           Cell: (512) 791-0686
G.W. Haywood wrote:
> Hi there,
>
> On Tue, 5 Dec 2006, "Justin Shore" wrote:
>
>> Does anyone know of a tool to read the facility and severity info from
>> inbound syslog packets? I have a number of devices that are sending me
>> syslog info and I can't determine what facility they're using.
>
> From your description I'm not sure exactly what your problems are, but
> _if_ you're using syslog-ng (if not, why not?!:) and _if_ I understand
> what you need then I think I would simply create two sets of temporary
> logfiles: one set would log everything at every severity and the other
> would log everything at every facility. Then I'd look in the logs to
> see if I recognized any of the output.
>
> A lot simpler and, er, more deterministic than hacking C and/or Perl.
>
> --
>
> 73,
> Ged.
> _______________________________________________
> syslog-ng maillist - syslog-ng at lists.balabit.hu
> https://lists.balabit.hu/mailman/listinfo/syslog-ng
> Frequently asked questions at http://www.campin.net/syslog-ng/faq.html
>
>
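For the original question (reading the facility and severity straight off inbound packets, without putting syslog-ng in the path), here is an added example that is not from this thread and not syslog-ng code: a stand-alone Python decoder for the PRI field of BSD-syslog datagrams. The PRI is the "<N>" at the very start of the packet, with N = facility * 8 + severity, so one divmod recovers both numbers. The facility names follow syslog-ng's $FACILITY macro (codes 12-15 are named differently elsewhere); the sample datagrams are constructed, not captured traffic, except the first, which is the example message from RFC 3164 section 5.4. A packet with no valid PRI is treated the way RFC 3164 4.3.3 tells a relay to treat it, as <13> (user.notice), and flagged so you can tell the default from a real value.

```python
"""Decode facility and severity from raw syslog datagrams (added example)."""
import re
import socket
from collections import Counter

# Facility names as syslog-ng's $FACILITY macro prints them. Codes 0-11 and
# 16-23 are universal; 12-15 are named differently by other implementations
# (RFC 3164 calls them NTP, log audit, log alert and clock daemon).
FACILITIES = (
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console",
    "solaris-cron", "local0", "local1", "local2", "local3", "local4",
    "local5", "local6", "local7",
)
SEVERITIES = ("emerg", "alert", "crit", "err", "warning", "notice",
              "info", "debug")

# PRI = "<" followed by 1 to 3 digits and ">", at the start of the datagram.
_PRI_RE = re.compile(rb"^<(\d{1,3})>")
DEFAULT_PRI = 13   # user.notice: what RFC 3164 4.3.3 says to assume when PRI is missing
MAX_PRI = 23 * 8 + 7  # 191, the largest legal value


def split_pri(packet):
    """Return (pri, rest). pri is the integer PRI, or None if absent/invalid."""
    m = _PRI_RE.match(packet)
    if m:
        pri = int(m.group(1))
        if pri <= MAX_PRI:
            return pri, packet[m.end():]
    return None, packet  # no PRI, a leading space, 4+ digits, or a value > 191


def parse_pri(packet):
    """Return (facility, severity) as integers, or None if the PRI is unusable."""
    pri, _ = split_pri(packet)
    return None if pri is None else divmod(pri, 8)


def decode(packet):
    """Decode one datagram into facility/severity names plus the remaining text."""
    pri, rest = split_pri(packet)
    pri_present = pri is not None
    fac, sev = divmod(pri if pri_present else DEFAULT_PRI, 8)
    return {
        "facility": FACILITIES[fac],
        "severity": SEVERITIES[sev],
        "pri_present": pri_present,
        "message": rest.decode("utf-8", errors="replace"),
    }


def tally(packets):
    """Count facility.severity pairs, the same text $FACILITY.$PRIORITY prints."""
    return Counter(f"{d['facility']}.{d['severity']}" for d in map(decode, packets))


def listen(port=514, bind="0.0.0.0"):
    """Print the decoded PRI of every UDP datagram received (port 514 needs root)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((bind, port))
        while True:
            data, (host, _) = sock.recvfrom(65535)
            d = decode(data)
            flag = "" if d["pri_present"] else " (no PRI, assumed)"
            print(f"{host} {d['facility']}.{d['severity']}{flag} {d['message'].rstrip()}")


# Constructed sample datagrams; the first is the RFC 3164 section 5.4 example.
SAMPLE_PACKETS = [
    b"<34>Oct 11 22:14:15 mymachine su: 'su root' failed for lonvick on /dev/pts/8",
    b"<13>Dec  5 17:10:25 router1 cli: user admin logged in",
    b"<165>1 2006-12-05T17:10:25Z switch2 - - - link down",
    b"no PRI at all, sent by a badly behaved device",
    b"<999>out-of-range PRI, also treated as missing",
]

if __name__ == "__main__":
    for p in SAMPLE_PACKETS:
        d = decode(p)
        print(f"{d['facility']}.{d['severity']:<8} pri_present={d['pri_present']}")
    print(dict(tally(SAMPLE_PACKETS)))
```

Run it as-is to see the sample decode, or call `listen()` (as root, or with a port above 1024 and the devices repointed) to watch live traffic; the tally output is directly comparable with what the $FACILITY.$PRIORITY template above writes to messages.log.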