[syslog-ng] Questions about Facility, Priority and Level

Clayton Dukes cdukes at gmail.com
Tue Jul 28 16:52:07 CEST 2009


Aha! Thank you!


On Tue, Jul 28, 2009 at 10:42 AM, Fegan, Joe<Joe.Fegan at hp.com> wrote:
> Ah I see now. The full numeric syslog priority field you're looking for is called $PRI in syslog-ng. The other macro $PRIORITY is just an alias for $LEVEL i.e. only the bottom 3 bits of $PRI, translated into text.
>
>
> -----Original Message-----
> From: Clayton Dukes [mailto:cdukes at gmail.com]
> Sent: 28 July 2009 15:27
> To: Fegan, Joe
> Cc: Syslog-ng users' and developers' mailing list
> Subject: Re: [syslog-ng] Questions about Facility, Priority and Level
>
> On Tue, Jul 28, 2009 at 7:30 AM, Fegan, Joe<Joe.Fegan at hp.com> wrote:
>> The syslog wire protocol provides only one 8-bit integer field called "priority" to represent both facility and severity together. Severity is stored in the bottom three bits of the field (and therefore is an integer between 0 and 7) and facility is stored in the top 5 bits (and therefore is an integer between 0 and 31). Syslog-ng makes the priority value available to you as the macro $PRI and for your convenience it also derives the facility and severity values automatically and makes those available as $FACILITY and $LEVEL. So at all times PRI = (($FACILITY << 3) + $LEVEL) or looking at it the other way FACILITY = ($PRI >> 3) and LEVEL = ($PRI & 7)
>>
> Understood - and that's what I would have thought it was doing...but
> I'm still trying to figure out where/why it's inserting these levels
> as a string, not an int?
>
>
>>>> couldn't I just grab the PRI from the message and store only that
>>> in the table and use the code on my end to derive the FAC and SEV
>>
>> Yes, absolutely.
>>
>> Joe.
>>
>> -----Original Message-----
>> From: syslog-ng-bounces at lists.balabit.hu [mailto:syslog-ng-bounces at lists.balabit.hu] On Behalf Of Sandor Geller
>> Sent: 28 July 2009 08:31
>> To: cdukes at cdukes.com; Syslog-ng users' and developers' mailing list
>> Subject: Re: [syslog-ng] Questions about Facility, Priority and Level
>>
>> Hi,
>>
>> I think you're confused a little bit. "informational" level is known
>> by the windows agent of syslog-ng, not by the unix syslog-ng daemon.
>> If you're using the agent then you should ask BalaBit support; it's
>> non-free and I guess it is supported officially. I've never used the
>> agent myself, sorry.
>>
>> The priority should be stored as an integer. Where is your SQL schema
>> originating from, and what is your sql destination definition?
>>
>> Regards,
>>
>> Sandor
>>
>> On Mon, Jul 27, 2009 at 11:41 PM, Clayton Dukes<cdukes at gmail.com> wrote:
>>> Anyone that can comment on this?
>>>
>>>
>>>
>>> On Wed, Jul 22, 2009 at 10:59 PM, Clayton Dukes<cdukes at gmail.com> wrote:
>>>> Hey Guys,
>>>>
>>>> According to the documentation:
>>>> $LEVEL     = Importance level of the message represented as a number:
>>>> 6 - Success, 5 - Informational, 4- Warning, or 3 - Error).
>>>> $FACILITY = The facility sending the message.
>>>> $PRI          = Priority header of the message, storing the facility
>>>> and the level of the message.
>>>>
>>>>
>>>> Questions:
>>>> What is the difference between LEVEL and PRI in syslog-ng? it doesn't
>>>> seem to be storing anything but the level?
>>>> When I look in the database, it shows identical information about the two:
>>>>
>>>> mysql> select distinct priority from logs;
>>>> +----------+
>>>> | priority |
>>>> +----------+
>>>> | alert    |
>>>> | crit     |
>>>> | debug    |
>>>> | emerg    |
>>>> | err      |
>>>> | info     |
>>>> | notice   |
>>>> | warning  |
>>>> +----------+
>>>>
>>>> mysql> select distinct level from logs;
>>>> +---------+
>>>> | level   |
>>>> +---------+
>>>> | err     |
>>>> | info    |
>>>> | notice  |
>>>> | debug   |
>>>> | warning |
>>>> | crit    |
>>>> | emerg   |
>>>> | alert   |
>>>> +---------+
>>>>
>>>> According to the RFC:
>>>> The Priority value is calculated by first multiplying the Facility
>>>>   number by 8 and then adding the numerical value of the Severity. For
>>>>   example, a kernel message (Facility=0) with a Severity of Emergency
>>>>   (Severity=0) would have a Priority value of 0.  Also, a "local use 4"
>>>>   message (Facility=20) with a Severity of Notice (Severity=5) would
>>>>   have a Priority value of 165.  In the PRI part of a syslog message,
>>>>   these values would be placed between the angle brackets as <0> and
>>>>   <165> respectively.  The only time a value of "0" will follow the "<"
>>>>   is for the Priority value of "0". Otherwise, leading "0"s MUST NOT be
>>>>   used.
>>>>
>>>> So, if that's the case, couldn't I just grab the PRI from the message
>>>> and store only that in the table and use the code on my end to derive
>>>> the FAC and SEV (I assume severity = level in syslog-ng)?
>>>>
>>>> Also, is there a way to store these as integers from syslog-ng?
>>>> There's a finite number of all of these, it seems that it would be
>>>> better/faster to store them as an integer in the table and reference
>>>> that in my code.
>>>> Or I could use enum - not sure which is faster.
>>>> Can I safely drop LEVEL or PRI and only keep one? it seems odd to have
>>>> two columns for the same thing :-)
>>>>
>>>> Thanks!
>>>> ______________________________________________________________
>>>>
>>>> Clayton Dukes
>>>> ______________________________________________________________
>>>>
>>>
>>>
>>>
>>> ______________________________________________________________________________
>>> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
>>> Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
>>> FAQ: http://www.campin.net/syslog-ng/faq.html
>>>
>>>
>>
>>
>
>
>
>
>



-- 
______________________________________________________________

Clayton Dukes
______________________________________________________________
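Joe's explanation of the PRI field (facility in the top 5 bits, severity in the bottom 3) and the RFC's rule on leading zeros, as an added Python example that is not part of the thread: it parses the `<PRI>` header from a raw syslog line, derives facility and level the way syslog-ng's `$FACILITY` and `$LEVEL` macros do, and rebuilds the integer for storage. The sample line and the helper names are my own; the name tables follow RFC 3164 and syslog-ng's level names.

```python
import re

# Severity names in the order syslog-ng's $LEVEL reports them (values 0..7).
SEVERITY_NAMES = ["emerg", "alert", "crit", "err",
                  "warning", "notice", "info", "debug"]
# Facility names for codes 0..23 as listed in RFC 3164; 24..31 are unassigned.
FACILITY_NAMES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr",
                  "news", "uucp", "cron", "authpriv", "ftp", "ntp", "audit",
                  "alert", "clock"] + [f"local{i}" for i in range(8)]

# RFC 3164: 1 to 3 digits between angle brackets, no leading zeros except "<0>".
_PRI_RE = re.compile(r"^<(0|[1-9][0-9]{0,2})>")


def split_pri(pri):
    """Return (facility, severity): top 5 bits and bottom 3 bits of PRI."""
    if not 0 <= pri <= 191:           # 191 = facility 23 * 8 + severity 7
        raise ValueError(f"PRI out of range: {pri}")
    return pri >> 3, pri & 7


def make_pri(facility, severity):
    """Inverse of split_pri: PRI = facility * 8 + severity."""
    if not (0 <= facility <= 23 and 0 <= severity <= 7):
        raise ValueError("facility must be 0..23 and severity 0..7")
    return (facility << 3) | severity


def valid_pri_header(line):
    """True if the line starts with a well-formed, in-range <PRI> header."""
    m = _PRI_RE.match(line)
    return m is not None and int(m.group(1)) <= 191


def parse_pri_header(line):
    """Extract the numeric PRI from a raw syslog line; returns (pri, remainder)."""
    if not valid_pri_header(line):
        raise ValueError(f"no valid PRI header in: {line!r}")
    m = _PRI_RE.match(line)
    return int(m.group(1)), line[m.end():]


def describe(line):
    """Decode a line into the integer PRI plus the names syslog-ng would emit."""
    pri, rest = parse_pri_header(line)
    facility, severity = split_pri(pri)
    return {"pri": pri, "facility": facility, "level": severity,
            "facility_name": FACILITY_NAMES[facility],
            "level_name": SEVERITY_NAMES[severity], "message": rest}


if __name__ == "__main__":
    # Constructed sample line, not taken from the thread.
    print(describe("<165>Jul 28 10:42:00 host1 sshd[123]: example message"))
```

Storing only the integer `pri` column and deriving the names with `split_pri` on read is the approach the thread settles on.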

