[syslog-ng] Questions about Facility, Priority and Level

Fegan, Joe Joe.Fegan at hp.com
Tue Jul 28 16:42:17 CEST 2009


Ah I see now. The full numeric syslog priority field you're looking for is called $PRI in syslog-ng. The other macro $PRIORITY is just an alias for $LEVEL i.e. only the bottom 3 bits of $PRI, translated into text.


-----Original Message-----
From: Clayton Dukes [mailto:cdukes at gmail.com] 
Sent: 28 July 2009 15:27
To: Fegan, Joe
Cc: Syslog-ng users' and developers' mailing list
Subject: Re: [syslog-ng] Questions about Facility, Priority and Level

On Tue, Jul 28, 2009 at 7:30 AM, Fegan, Joe<Joe.Fegan at hp.com> wrote:
> The syslog wire protocol provides only one 8-bit integer field called "priority" to represent both facility and severity together. Severity is stored in the bottom three bits of the field (and therefore is an integer between 0 and 7) and facility is stored in the top 5 bits (and therefore is an integer between 0 and 31). Syslog-ng makes the priority value available to you as the macro $PRI and for your convenience it also derives the facility and severity values automatically and makes those available as $FACILITY and $LEVEL. So at all times PRI = (($FACILITY << 3) + $LEVEL) or looking at it the other way FACILITY = ($PRI >> 3) and LEVEL = ($PRI & 7)
>
Understood - and that's what I would have thought it was doing...but
I'm still trying to figure out where/why it's inserting these levels
as a string, not an int?


>>> couldn't I just grab the PRI from the message and store only that
>>> in the table and use the code on my end to derive the FAC and SEV
>
> Yes, absolutely.
>
> Joe.
>
> -----Original Message-----
> From: syslog-ng-bounces at lists.balabit.hu [mailto:syslog-ng-bounces at lists.balabit.hu] On Behalf Of Sandor Geller
> Sent: 28 July 2009 08:31
> To: cdukes at cdukes.com; Syslog-ng users' and developers' mailing list
> Subject: Re: [syslog-ng] Questions about Facility, Priority and Level
>
> Hi,
>
> I think you're confused a little bit. "informational" level is known
> by the windows agent of syslog-ng, not by the unix syslog-ng daemon.
> If you're using the agent then you should ask BalaBit support it's
> non-free and I guess it is supported officially. I've never used the
> agent myself, sorry.
>
> The priority should be stored as an integer. Where is your SQL schema
> originating from, and what is your sql destination definition?
>
> Regards,
>
> Sandor
>
> On Mon, Jul 27, 2009 at 11:41 PM, Clayton Dukes<cdukes at gmail.com> wrote:
>> Anyone that can comment on this?
>>
>>
>>
>> On Wed, Jul 22, 2009 at 10:59 PM, Clayton Dukes<cdukes at gmail.com> wrote:
>>> Hey Guys,
>>>
>>> According to the documentation:
>>> $LEVEL = Importance level of the message represented as a number:
>>> 6 - Success, 5 - Informational, 4 - Warning, or 3 - Error).
>>> $FACILITY = The facility sending the message.
>>> $PRI = Priority header of the message, storing the facility
>>> and the level of the message.
>>>
>>>
>>> Questions:
>>> What is the difference between LEVEL and PRI in syslog-ng? it doesn't
>>> seem to be storing anything but the level?
>>> When I look in the database, it shows identical information about the two:
>>>
>>> mysql> select distinct priority from logs;
>>> +----------+
>>> | priority |
>>> +----------+
>>> | alert    |
>>> | crit     |
>>> | debug    |
>>> | emerg    |
>>> | err      |
>>> | info     |
>>> | notice   |
>>> | warning  |
>>> +----------+
>>>
>>> mysql> select distinct level from logs;
>>> +---------+
>>> | level   |
>>> +---------+
>>> | err     |
>>> | info    |
>>> | notice  |
>>> | debug   |
>>> | warning |
>>> | crit    |
>>> | emerg   |
>>> | alert   |
>>> +---------+
>>>
>>> According to the RFC:
>>> The Priority value is calculated by first multiplying the Facility
>>>   number by 8 and then adding the numerical value of the Severity. For
>>>   example, a kernel message (Facility=0) with a Severity of Emergency
>>>   (Severity=0) would have a Priority value of 0.  Also, a "local use 4"
>>>   message (Facility=20) with a Severity of Notice (Severity=5) would
>>>   have a Priority value of 165.  In the PRI part of a syslog message,
>>>   these values would be placed between the angle brackets as <0> and
>>>   <165> respectively.  The only time a value of "0" will follow the "<"
>>>   is for the Priority value of "0". Otherwise, leading "0"s MUST NOT be
>>>   used.
>>>
>>> So, if that's the case, couldn't I just grab the PRI from the message
>>> and store only that in the table and use the code on my end to derive
>>> the FAC and SEV (I assume severity = level in syslog-ng)?
>>>
>>> Also, is there a way to store these as integers from syslog-ng?
>>> There's a finite number of all of these, it seems that it would be
>>> better/faster to store them as an integer in the table and reference
>>> that in my code.
>>> Or I could use enum - not sure which is faster.
>>> Can I safely drop LEVEL or PRI and only keep one? it seems odd to have
>>> two columns for the same thing :-)
>>>
>>> Thanks!
>>> ______________________________________________________________
>>>
>>> Clayton Dukes
>>> ______________________________________________________________
>>>
>> ______________________________________________________________________________
>> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
>> Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
>> FAQ: http://www.campin.net/syslog-ng/faq.html
>>



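The PRI arithmetic Joe describes above (FACILITY = PRI >> 3, LEVEL = PRI & 7, and PRI = (FACILITY << 3) + LEVEL), applied to the RFC examples from the thread, as an added illustration that is not part of the original posts. The facility and level names are the standard syslog ones; the `parse_pri_header` function and the sample log line are my own constructions, and the regex enforces the RFC's "no leading zeros" rule so a malformed header is rejected rather than silently misdecoded.

```python
import re
from typing import NamedTuple, Optional

# Severity names in numeric order; index == numeric level (0..7). These are the
# strings syslog-ng's $LEVEL macro produces (and that ended up in the DB in the thread).
LEVEL_NAMES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
# Standard facility names; 12-15 and 24-31 have no universal name, so fall back to a number.
FACILITY_NAMES = {0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
                  6: "lpr", 7: "news", 8: "uucp", 9: "cron", 10: "authpriv", 11: "ftp",
                  **{16 + i: f"local{i}" for i in range(8)}}

# "<" + 1..3 digits + ">" with no leading zero except for "0" itself (RFC 3164 / 5424).
PRI_RE = re.compile(r"^<(0|[1-9][0-9]{0,2})>")


class Pri(NamedTuple):
    pri: int
    facility: int
    level: int
    facility_name: str
    level_name: str


def split_pri(pri: int) -> Pri:
    """Decode the 8-bit PRI: top 5 bits are the facility, bottom 3 the level."""
    if not 0 <= pri <= 255:
        raise ValueError(f"PRI does not fit in 8 bits: {pri}")
    facility, level = pri >> 3, pri & 7
    return Pri(pri, facility, level,
               FACILITY_NAMES.get(facility, f"facility{facility}"), LEVEL_NAMES[level])


def join_pri(facility: int, level: int) -> int:
    """Inverse of split_pri: PRI = (FACILITY << 3) + LEVEL."""
    if not (0 <= facility <= 31 and 0 <= level <= 7):
        raise ValueError(f"facility {facility} / level {level} out of range")
    return (facility << 3) + level


def level_from_name(name: str) -> int:
    """Map a textual $LEVEL value (as stored in the thread's DB) back to its integer."""
    return LEVEL_NAMES.index(name)


def parse_pri_header(line: str) -> Optional[Pri]:
    """Decode the <PRI> header of a raw syslog line; None if absent or malformed."""
    m = PRI_RE.match(line)
    if not m:
        return None
    value = int(m.group(1))
    return split_pri(value) if value <= 255 else None


# Constructed sample line: facility 20 (local4), severity 5 (notice) -> <165>.
SAMPLE_LINE = "<165>Jul 28 16:42:17 host app[123]: constructed sample message"
```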

