[syslog-ng] Questions about Facility, Priority and Level

Clayton Dukes cdukes at gmail.com
Mon Jul 27 23:41:25 CEST 2009


Anyone that can comment on this?



On Wed, Jul 22, 2009 at 10:59 PM, Clayton Dukes<cdukes at gmail.com> wrote:
> Hey Guys,
>
> According to the documentation:
> $LEVEL     = Importance level of the message represented as a number:
> 6 - Success, 5 - Informational, 4 - Warning, or 3 - Error).
> $FACILITY = The facility sending the message.
> $PRI          = Priority header of the message, storing the facility
> and the level of the message.
>
>
> Questions:
> What is the difference between LEVEL and PRI in syslog-ng? It doesn't
> seem to be storing anything but the level?
> When I look in the database, it shows identical information about the two:
>
> mysql> select distinct priority from logs;
> +----------+
> | priority |
> +----------+
> | alert    |
> | crit     |
> | debug    |
> | emerg    |
> | err      |
> | info     |
> | notice   |
> | warning  |
> +----------+
>
> mysql> select distinct level from logs;
> +---------+
> | level   |
> +---------+
> | err     |
> | info    |
> | notice  |
> | debug   |
> | warning |
> | crit    |
> | emerg   |
> | alert   |
> +---------+
>
> According to the RFC:
> The Priority value is calculated by first multiplying the Facility
>   number by 8 and then adding the numerical value of the Severity. For
>   example, a kernel message (Facility=0) with a Severity of Emergency
>   (Severity=0) would have a Priority value of 0.  Also, a "local use 4"
>   message (Facility=20) with a Severity of Notice (Severity=5) would
>   have a Priority value of 165.  In the PRI part of a syslog message,
>   these values would be placed between the angle brackets as <0> and
>   <165> respectively.  The only time a value of "0" will follow the "<"
>   is for the Priority value of "0". Otherwise, leading "0"s MUST NOT be
>   used.
>
> So, if that's the case, couldn't I just grab the PRI from the message
> and store only that in the table and use the code on my end to derive
> the FAC and SEV (I assume severity = level in syslog-ng)?
>
> Also, is there a way to store these as integers from syslog-ng?
> There's a finite number of all of these, it seems that it would be
> better/faster to store them as an integer in the table and reference
> that in my code.
> Or I could use enum - not sure which is faster.
> Can I safely drop LEVEL or PRI and only keep one? It seems odd to have
> two columns for the same thing :-)
>
> Thanks!
> ______________________________________________________________
>
> Clayton Dukes
> ______________________________________________________________
>



-- 
______________________________________________________________

Clayton Dukes
______________________________________________________________
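
Added example, not part of the original message and not syslog-ng code: a Python decoder for the `<PRI>` header using the RFC rule quoted above (PRI = Facility * 8 + Severity), rejecting leading zeros and out-of-range values, which matters when the header arrives from untrusted senders. The function names and the short facility labels are assumptions made for this example.

```python
import re

# Severity keywords as they appear in the table output above (index = number).
SEVERITIES = ("emerg", "alert", "crit", "err",
              "warning", "notice", "info", "debug")
# Facility labels are shorthand chosen for this example (index = number).
FACILITIES = ("kern", "user", "mail", "daemon", "auth", "syslog", "lpr",
              "news", "uucp", "cron", "authpriv", "ftp", "ntp", "audit",
              "alert", "clock") + tuple(f"local{i}" for i in range(8))

# "<" digits ">" at the start of the line. A leading zero is only valid
# for the value 0 itself, so "<007>" must not match.
PRI_RE = re.compile(r"<(0|[1-9][0-9]{0,2})>")


def encode_pri(facility, severity):
    """PRI = facility * 8 + severity, with both inputs range-checked."""
    if not (0 <= facility < len(FACILITIES) and 0 <= severity < 8):
        raise ValueError("facility or severity out of range")
    return facility * 8 + severity


def decode_pri(pri):
    """Split a numeric PRI back into (facility, severity)."""
    if not 0 <= pri <= 191:  # 23 * 8 + 7 is the largest valid value
        raise ValueError(f"PRI out of range: {pri}")
    return divmod(pri, 8)


def parse_line(line):
    """Return decoded header fields, or None if the PRI is malformed."""
    m = PRI_RE.match(line)
    if m is None:
        return None
    try:
        facility, severity = decode_pri(int(m.group(1)))
    except ValueError:
        return None
    return {"pri": int(m.group(1)),
            "facility": facility, "facility_name": FACILITIES[facility],
            "severity": severity, "severity_name": SEVERITIES[severity],
            "rest": line[m.end():]}


if __name__ == "__main__":
    # Constructed sample lines, not taken from the thread.
    for sample in ("<165>Jul 27 23:41:25 host app: test", "<007>bad", "<999>bad"):
        print(repr(sample), "->", parse_line(sample))
```
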

