[syslog-ng] Questions about Facility, Priority and Level

Clayton Dukes cdukes at gmail.com
Thu Jul 23 04:59:55 CEST 2009 

Hey Guys,

According to the documentation:
$LEVEL     = Importance level of the message represented as a number:
6 - Success, 5 - Informational, 4- Warning, or 3 - Error).
$FACILITY = The facility sending the message.
$PRI          = Priority header of the message, storing the facility
and the level of the message.


Questions:
What is the difference between LEVEL and PRI in syslog-ng? it doesn't
seem to be storing anything but the level?
When I look in the database, it shows identical information about the two:

mysql> select distinct priority from logs;
+----------+
| priority |
+----------+
| alert    |
| crit     |
| debug    |
| emerg    |
| err      |
| info     |
| notice   |
| warning  |
+----------+

mysql> select distinct level from logs;
+---------+
| level   |
+---------+
| err     |
| info    |
| notice  |
| debug   |
| warning |
| crit    |
| emerg   |
| alert   |
+---------+

According to the RFC:
The Priority value is calculated by first multiplying the Facility
   number by 8 and then adding the numerical value of the Severity. For
   example, a kernel message (Facility=0) with a Severity of Emergency
   (Severity=0) would have a Priority value of 0.  Also, a "local use 4"
   message (Facility=20) with a Severity of Notice (Severity=5) would
   have a Priority value of 165.  In the PRI part of a syslog message,
   these values would be placed between the angle brackets as <0> and
   <165> respectively.  The only time a value of "0" will follow the "<"
   is for the Priority value of "0". Otherwise, leading "0"s MUST NOT be
   used.

So, if that's the case, couldn't I just grab the PRI from the message
and store only that in the table and use the code on my end to derive
the FAC and SEV (I assume severity = level in syslog-ng)?

Also, is there a way to store these as integers from syslog-ng?
There's a finite number of all of these, it seems that it would be
better/faster to store them as an integer in the table and reference
that in my code.
Or I could use enum - not sure which is faster.
Can I safely drop LEVEL or PRI and only keep one? it seems odd to have
two columns for the same thing :-)

Thanks!
______________________________________________________________

Clayton Dukes
______________________________________________________________

More information about the syslog-ng mailing list