[syslog-ng] Questions about Facility, Priority and Level

Sandor Geller Sandor.Geller at morganstanley.com
Tue Jul 28 09:31:06 CEST 2009


Hi,

I think you're confused a little bit. The "informational" level is known
by the Windows agent of syslog-ng, not by the Unix syslog-ng daemon.
If you're using the agent then you should ask BalaBit support; it's
non-free and I guess it is supported officially. I've never used the
agent myself, sorry.

The priority should be stored as an integer. Where is your SQL schema
originating from, and what is your SQL destination definition?

Regards,

Sandor

On Mon, Jul 27, 2009 at 11:41 PM, Clayton Dukes<cdukes at gmail.com> wrote:
> Anyone that can comment on this?
>
>
>
> On Wed, Jul 22, 2009 at 10:59 PM, Clayton Dukes<cdukes at gmail.com> wrote:
>> Hey Guys,
>>
>> According to the documentation:
>> $LEVEL     = Importance level of the message represented as a number:
>> 6 - Success, 5 - Informational, 4- Warning, or 3 - Error).
>> $FACILITY = The facility sending the message.
>> $PRI          = Priority header of the message, storing the facility
>> and the level of the message.
>>
>>
>> Questions:
>> What is the difference between LEVEL and PRI in syslog-ng? It doesn't
>> seem to be storing anything but the level.
>> When I look in the database, it shows identical information about the two:
>>
>> mysql> select distinct priority from logs;
>> +----------+
>> | priority |
>> +----------+
>> | alert    |
>> | crit     |
>> | debug    |
>> | emerg    |
>> | err      |
>> | info     |
>> | notice   |
>> | warning  |
>> +----------+
>>
>> mysql> select distinct level from logs;
>> +---------+
>> | level   |
>> +---------+
>> | err     |
>> | info    |
>> | notice  |
>> | debug   |
>> | warning |
>> | crit    |
>> | emerg   |
>> | alert   |
>> +---------+
>>
>> According to the RFC:
>> The Priority value is calculated by first multiplying the Facility
>>   number by 8 and then adding the numerical value of the Severity. For
>>   example, a kernel message (Facility=0) with a Severity of Emergency
>>   (Severity=0) would have a Priority value of 0.  Also, a "local use 4"
>>   message (Facility=20) with a Severity of Notice (Severity=5) would
>>   have a Priority value of 165.  In the PRI part of a syslog message,
>>   these values would be placed between the angle brackets as <0> and
>>   <165> respectively.  The only time a value of "0" will follow the "<"
>>   is for the Priority value of "0". Otherwise, leading "0"s MUST NOT be
>>   used.
>>
>> So, if that's the case, couldn't I just grab the PRI from the message
>> and store only that in the table and use the code on my end to derive
>> the FAC and SEV (I assume severity = level in syslog-ng)?
>>
>> Also, is there a way to store these as integers from syslog-ng?
>> There's a finite number of all of these, it seems that it would be
>> better/faster to store them as an integer in the table and reference
>> that in my code.
>> Or I could use enum - not sure which is faster.
>> Can I safely drop LEVEL or PRI and only keep one? It seems odd to have
>> two columns for the same thing :-)
>>
>> Thanks!
>> ______________________________________________________________
>>
>> Clayton Dukes
>> ______________________________________________________________
>>
>
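
The RFC rule quoted in the thread (PRI = Facility * 8 + Severity, no leading zeros except for "0"), as an added example that is not part of the original messages or of syslog-ng: a strict parser that takes the `<PRI>` header off a raw line and derives facility and severity, rejecting malformed or out-of-range values instead of storing them. The function names, the sample lines in the test, and the keyword labels for facilities 12-15 are assumptions made for this example.

```python
import re

# Severity keywords, index = numeric severity 0..7. These are the same
# keywords that appear in the "level" column shown in the thread.
SEVERITIES = ["emerg", "alert", "crit", "err",
              "warning", "notice", "info", "debug"]

# Facility keywords, index = numeric facility 0..23. Keywords for 12..15
# differ between implementations; the labels here are chosen for this example.
FACILITIES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
] + [f"local{i}" for i in range(8)]

# "<", one to three digits, ">". A leading zero is legal only for "<0>".
_PRI_RE = re.compile(r"^<(0|[1-9][0-9]{0,2})>")


def decode_pri(pri):
    """Split a numeric PRI into (facility, severity) integers."""
    if not 0 <= pri <= 191:  # 23 * 8 + 7 is the largest valid value
        raise ValueError(f"PRI out of range: {pri}")
    return divmod(pri, 8)    # inverse of PRI = facility * 8 + severity


def parse_line(line):
    """Parse the PRI header of one raw syslog line into integer fields."""
    m = _PRI_RE.match(line)
    if m is None:
        raise ValueError("missing or malformed PRI header")
    pri = int(m.group(1))
    facility, severity = decode_pri(pri)
    return {
        "pri": pri,
        "facility": facility,
        "severity": severity,
        "facility_name": FACILITIES[facility],
        "severity_name": SEVERITIES[severity],
        "rest": line[m.end():],  # everything after the closing ">"
    }
```

Storing only the integer `pri` and deriving the other two on read, as the question proposes, loses nothing: `divmod(pri, 8)` recovers both values exactly.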

