[syslog-ng] Questions about Facility, Priority and Level
Clayton Dukes
cdukes at gmail.com
Tue Jul 28 16:26:41 CEST 2009
On Tue, Jul 28, 2009 at 7:30 AM, Fegan, Joe <Joe.Fegan at hp.com> wrote:
> The syslog wire protocol provides only one 8-bit integer field called "priority" to represent both facility and severity together. Severity is stored in the bottom three bits of the field (and therefore is an integer between 0 and 7) and facility is stored in the top 5 bits (and therefore is an integer between 0 and 31). Syslog-ng makes the priority value available to you as the macro $PRI and for your convenience it also derives the facility and severity values automatically and makes those available as $FACILITY and $LEVEL. So at all times PRI = (($FACILITY << 3) + $LEVEL) or, looking at it the other way, FACILITY = ($PRI >> 3) and LEVEL = ($PRI & 7).
>
Understood - and that's what I would have thought it was doing...but
I'm still trying to figure out where/why it's inserting these levels
as a string, not an int?
>> couldn't I just grab the PRI from the message and store only that
>> in the table and use the code on my end to derive the FAC and SEV
>
> Yes, absolutely.
>
> Joe.
>
> -----Original Message-----
> From: syslog-ng-bounces at lists.balabit.hu [mailto:syslog-ng-bounces at lists.balabit.hu] On Behalf Of Sandor Geller
> Sent: 28 July 2009 08:31
> To: cdukes at cdukes.com; Syslog-ng users' and developers' mailing list
> Subject: Re: [syslog-ng] Questions about Facility, Priority and Level
>
> Hi,
>
> I think you're confused a little bit. "informational" level is known
> by the Windows agent of syslog-ng, not by the Unix syslog-ng daemon.
> If you're using the agent then you should ask BalaBit support; it's
> non-free and I guess it is supported officially. I've never used the
> agent myself, sorry.
>
> The priority should be stored as an integer. Where is your SQL schema
> originating from, and what is your sql destination definition?
>
> Regards,
>
> Sandor
>
> On Mon, Jul 27, 2009 at 11:41 PM, Clayton Dukes <cdukes at gmail.com> wrote:
>> Anyone that can comment on this?
>>
>> On Wed, Jul 22, 2009 at 10:59 PM, Clayton Dukes <cdukes at gmail.com> wrote:
>>> Hey Guys,
>>>
>>> According to the documentation:
>>> $LEVEL = Importance level of the message represented as a number
>>> (6 - Success, 5 - Informational, 4 - Warning, or 3 - Error).
>>> $FACILITY = The facility sending the message.
>>> $PRI = Priority header of the message, storing the facility
>>> and the level of the message.
>>>
>>>
>>> Questions:
>>> What is the difference between LEVEL and PRI in syslog-ng? It doesn't
>>> seem to be storing anything but the level?
>>> When I look in the database, it shows identical information about the two:
>>>
>>> mysql> select distinct priority from logs;
>>> +----------+
>>> | priority |
>>> +----------+
>>> | alert    |
>>> | crit     |
>>> | debug    |
>>> | emerg    |
>>> | err      |
>>> | info     |
>>> | notice   |
>>> | warning  |
>>> +----------+
>>>
>>> mysql> select distinct level from logs;
>>> +---------+
>>> | level   |
>>> +---------+
>>> | err     |
>>> | info    |
>>> | notice  |
>>> | debug   |
>>> | warning |
>>> | crit    |
>>> | emerg   |
>>> | alert   |
>>> +---------+
>>>
>>> According to the RFC:
>>> The Priority value is calculated by first multiplying the Facility
>>> number by 8 and then adding the numerical value of the Severity. For
>>> example, a kernel message (Facility=0) with a Severity of Emergency
>>> (Severity=0) would have a Priority value of 0. Also, a "local use 4"
>>> message (Facility=20) with a Severity of Notice (Severity=5) would
>>> have a Priority value of 165. In the PRI part of a syslog message,
>>> these values would be placed between the angle brackets as <0> and
>>> <165> respectively. The only time a value of "0" will follow the "<"
>>> is for the Priority value of "0". Otherwise, leading "0"s MUST NOT be
>>> used.
>>>
>>> So, if that's the case, couldn't I just grab the PRI from the message
>>> and store only that in the table and use the code on my end to derive
>>> the FAC and SEV (I assume severity = level in syslog-ng)?
>>>
>>> Also, is there a way to store these as integers from syslog-ng?
>>> There's a finite number of all of these, it seems that it would be
>>> better/faster to store them as an integer in the table and reference
>>> that in my code.
>>> Or I could use enum - not sure which is faster.
>>> Can I safely drop LEVEL or PRI and only keep one? It seems odd to have
>>> two columns for the same thing :-)
>>>
>>> Thanks!
>>> ______________________________________________________________
>>>
>>> Clayton Dukes
>>> ______________________________________________________________
>>>
>> ______________________________________________________________________________
>> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
>> Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
>> FAQ: http://www.campin.net/syslog-ng/faq.html
--
______________________________________________________________
Clayton Dukes
______________________________________________________________
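The PRI arithmetic Joe spells out (FACILITY = PRI >> 3, LEVEL = PRI & 7) and the RFC's leading-zero rule, as an added Python example that is not code from this thread or from syslog-ng; the sample lines, the db_row() helper and the abbreviated labels for facilities 12-15 are constructed here, everything else follows RFC 3164 numbering.

```python
import re

# Facility/severity names as numbered in RFC 3164; syslog-ng exposes the same
# numbers as $FACILITY and $LEVEL. Entries 12-15 abbreviate the RFC's
# "NTP subsystem", "log audit", "log alert" and "clock daemon" (labels are ours).
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "logaudit", "logalert",
              "clock", "local0", "local1", "local2", "local3", "local4",
              "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
PRI_RE = re.compile(r"^<(\d{1,3})>")

def split_pri(pri):
    """FACILITY = PRI >> 3, LEVEL = PRI & 7. The 5-bit field allows 0..31 but
    only facilities 0..23 are assigned, so a valid PRI is 0..191."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI out of range: {pri}")
    return pri >> 3, pri & 7

def join_pri(facility, severity):
    """PRI = (FACILITY << 3) + LEVEL, the inverse of split_pri."""
    if not (0 <= facility <= 23 and 0 <= severity <= 7):
        raise ValueError("facility or severity out of range")
    return (facility << 3) | severity

def parse_pri_header(line):
    """Return (pri, facility_name, severity_name) for a raw syslog line.
    Per RFC 3164 only "<0>" may start with a 0, so "<05>" is rejected as
    malformed rather than silently read as severity 5."""
    m = PRI_RE.match(line)
    if not m:
        raise ValueError("no <PRI> header at start of line")
    digits = m.group(1)
    if len(digits) > 1 and digits[0] == "0":
        raise ValueError(f"leading zero in PRI: <{digits}>")
    fac, sev = split_pri(int(digits))
    return int(digits), FACILITIES[fac], SEVERITIES[sev]

def db_row(line):
    """Integer columns as the thread proposes: only PRI comes off the wire,
    facility and level are derived. None for a line failing the checks."""
    try:
        pri, _, _ = parse_pri_header(line)
    except ValueError:
        return None
    return {"priority": pri, "facility": pri >> 3, "level": pri & 7}

# Constructed sample lines (not from the thread): 165 = local4/notice,
# 0 = kern/emerg, and one malformed header with a leading zero.
SAMPLES = ["<165>Jul 28 16:26:41 host sshd[1]: Accepted publickey for user",
           "<0>Jul 28 16:26:42 host kernel: panic",
           "<05>Jul 28 16:26:43 host cron[2]: malformed"]
```

Storing the three integer columns from db_row() and rebuilding the names at query time is the scheme Clayton asks about; the enum-versus-integer trade-off from the thread does not change the arithmetic.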