[syslog-ng] Questions about Facility, Priority and Level

Fegan, Joe Joe.Fegan at hp.com
Tue Jul 28 13:30:13 CEST 2009 

The syslog wire protocol provides only one 8-bit integer field called "priority" to represent both facility and severity together. Severity is stored in the bottom three bits of the field (and therefore is an integer between 0 and 7) and facility is stored in the top 5 bits (and therefore is an integer between 0 and 31). Syslog-ng makes the priority value available to you as the macro $PRI and for your convenience it also derives the facility and severity values automatically and makes those available as $FACILITY and $LEVEL. So at all times PRI = (($FACILITY << 3) + $LEVEL) or looking at it the other way FACILITY = ($PRI >> 3) and LEVEL = ($PRI & 7)

>> couldn't I just grab the PRI from the message and store only that
> in the table and use the code on my end to derive the FAC and SEV

Yes, absolutely.

Joe.

-----Original Message-----
From: syslog-ng-bounces at lists.balabit.hu [mailto:syslog-ng-bounces at lists.balabit.hu] On Behalf Of Sandor Geller
Sent: 28 July 2009 08:31
To: cdukes at cdukes.com; Syslog-ng users' and developers' mailing list
Subject: Re: [syslog-ng] Questions about Facility, Priority and Level

Hi,

I think you're confused a little bit. "informational" level is known
by the windows agent of syslog-ng, not buy the unix syslog-ng daemon.
If you're using the agent then you should ask BalaBit support it's
non-free and I guess it is supported officially. I've never used the
agent myself, sorry.

The priority should be stored as an integer. Where is your SQL schema
originating from, and what is your sql destination definition?

Regards,

Sandor

On Mon, Jul 27, 2009 at 11:41 PM, Clayton Dukes<cdukes at gmail.com> wrote:
> Anyone that can comment on this?
>
>
>
> On Wed, Jul 22, 2009 at 10:59 PM, Clayton Dukes<cdukes at gmail.com> wrote:
>> Hey Guys,
>>
>> According to the documentation:
>> $LEVEL     = Importance level of the message represented as a number:
>> 6 - Success, 5 - Informational, 4- Warning, or 3 - Error).
>> $FACILITY = The facility sending the message.
>> $PRI          = Priority header of the message, storing the facility
>> and the level of the message.
>>
>>
>> Questions:
>> What is the difference between LEVEL and PRI in syslog-ng? it doesn't
>> seem to be storing anything but the level?
>> When I look in the database, it shows identical information about the two:
>>
>> mysql> select distinct priority from logs;
>> +----------+
>> | priority |
>> +----------+
>> | alert    |
>> | crit     |
>> | debug    |
>> | emerg    |
>> | err      |
>> | info     |
>> | notice   |
>> | warning  |
>> +----------+
>>
>> mysql> select distinct level from logs;
>> +---------+
>> | level   |
>> +---------+
>> | err     |
>> | info    |
>> | notice  |
>> | debug   |
>> | warning |
>> | crit    |
>> | emerg   |
>> | alert   |
>> +---------+
>>
>> According to the RFC:
>> The Priority value is calculated by first multiplying the Facility
>>   number by 8 and then adding the numerical value of the Severity. For
>>   example, a kernel message (Facility=0) with a Severity of Emergency
>>   (Severity=0) would have a Priority value of 0.  Also, a "local use 4"
>>   message (Facility=20) with a Severity of Notice (Severity=5) would
>>   have a Priority value of 165.  In the PRI part of a syslog message,
>>   these values would be placed between the angle brackets as <0> and
>>   <165> respectively.  The only time a value of "0" will follow the "<"
>>   is for the Priority value of "0". Otherwise, leading "0"s MUST NOT be
>>   used.
>>
>> So, if that's the case, couldn't I just grab the PRI from the message
>> and store only that in the table and use the code on my end to derive
>> the FAC and SEV (I assume severity = level in syslog-ng)?
>>
>> Also, is there a way to store these as integers from syslog-ng?
>> There's a finite number of all of these, it seems that it would be
>> better/faster to store them as an integer in the table and reference
>> that in my code.
>> Or I could use enum - not sure which is faster.
>> Can I safely drop LEVEL or PRI and only keep one? it seems odd to have
>> two columns for the same thing :-)
>>
>> Thanks!
>> ______________________________________________________________
>>
>> Clayton Dukes
>> ______________________________________________________________
>>
>
>
>
> --
> ______________________________________________________________
>
> Clayton Dukes
> ______________________________________________________________
> ______________________________________________________________________________
> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
> Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
> FAQ: http://www.campin.net/syslog-ng/faq.html
>
>
______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.campin.net/syslog-ng/faq.html

More information about the syslog-ng mailing list