
2014-06-16

Retrieve Severity and Facility From Raw Syslog Messages

Sometimes you'll get raw syslog messages that begin with a number in angle brackets, like this:
<191> logtext
and you may wonder how on earth you're supposed to figure out where to log these based on facility and severity.

That leading number is the PRI (priority) value, and there's actually a mathematical calculation to derive the facility and severity components from it. Stolen from: https://gist.github.com/marvin/1017480

PRI = 191
 
To get the Facility
Divide the PRI number by 8.
191/8 = 23.875
The whole number part (23) is the facility.
 
To get the Severity
Take the whole number part 23, multiply it by 8, and subtract the product from 191:
191 - (23 * 8) = 7
The remainder is the severity.
 
PRI 191 = Facility 23 (local7) and Severity 7 (debug)
 
Work backward to check our work:
23 * 8 = 184, and 184 + 7 = 191

In other words PRI = facility * 8 + severity. Since 8 is a power of two, a program can do this with integer division and remainder (divmod in Python), or with bit operations: facility = PRI >> 3 and severity = PRI & 7.

syslog severity overview
 
Code  Severity
0 Emergency: system is unusable
1 Alert: action must be taken immediately
2 Critical: critical conditions
3 Error: error conditions
4 Warning: warning conditions
5 Notice: normal but significant condition
6 Informational: informational messages
7 Debug: debug-level messages

Code  Facility
 
0 kernel messages
1 user-level messages
2 mail system
3 system daemons
4 security/authorization messages (note 1)
5 messages generated internally by syslogd
6 line printer subsystem
7 network news subsystem
8 UUCP subsystem
9 clock daemon (note 2)
10 security/authorization messages (note 1)
11 FTP daemon
12 NTP subsystem
13 log audit (note 1)
14 log alert (note 1)
15 clock daemon (note 2)
16 local use 0 (local0)
17 local use 1 (local1)
18 local use 2 (local2)
19 local use 3 (local3)
20 local use 4 (local4)
21 local use 5 (local5)
22 local use 6 (local6)
23 local use 7 (local7)

The two notes come from the facility table in RFC 3164 (section 4.1.1), which this list reproduces. Note 1: various operating systems have been found to use facilities 4, 10, 13 and 14 for security/authorization, audit and alert messages which seem to be similar. Note 2: various operating systems have been found to use both facilities 9 and 15 for clock (cron, at) messages. So the facility number alone doesn't tell you which daemon actually wrote a message; that depends on the sending system's conventions.


Alternatively, if you hate math you can just use this handy dandy table, which works the same way as a multiplication table from elementary school: find the facility row and the severity column, and the cell where they meet is the PRI value.
           emergency     alert  critical     error   warning    notice      info     debug
kernel             0         1         2         3         4         5         6         7
user               8         9        10        11        12        13        14        15
mail              16        17        18        19        20        21        22        23
system            24        25        26        27        28        29        30        31
security          32        33        34        35        36        37        38        39
syslog            40        41        42        43        44        45        46        47
lpd               48        49        50        51        52        53        54        55
nntp              56        57        58        59        60        61        62        63
uucp              64        65        66        67        68        69        70        71
time              72        73        74        75        76        77        78        79
security          80        81        82        83        84        85        86        87
ftpd              88        89        90        91        92        93        94        95
ntpd              96        97        98        99       100       101       102       103
logaudit         104       105       106       107       108       109       110       111
logalert         112       113       114       115       116       117       118       119
clock            120       121       122       123       124       125       126       127
local0           128       129       130       131       132       133       134       135
local1           136       137       138       139       140       141       142       143
local2           144       145       146       147       148       149       150       151
local3           152       153       154       155       156       157       158       159
local4           160       161       162       163       164       165       166       167
local5           168       169       170       171       172       173       174       175
local6           176       177       178       179       180       181       182       183
local7           184       185       186       187       188       189       190       191
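Here is the same arithmetic (both the divide-by-8 method and the lookup table) in Python, as an added example that is not code from the original post or from the gist it cites. It wraps the calculation in a small parser that pulls the PRI off a raw line, and it generates the lookup table above rather than hard-coding it. The facility and severity names follow the tables on this page. One thing the post doesn't say but a collector has to deal with: the PRI is asserted by the sender, so it is untrusted input. A line with no PRI, an out-of-range value like <999>, or a zero-padded value like <07> must not crash the pipeline; this parser falls back to <13> (user.notice), which is what RFC 3164 section 4.3.3 tells relays to apply to a message with no valid PRI. Treating a zero-padded PRI as invalid is this example's own strictness, not something the post requires. The sample lines at the bottom are constructed, not captured traffic.

```python
import re
from dataclasses import dataclass

# Names follow the severity and facility tables above (facility 4 and 10 both
# appear as "security", 9 as "time" and 15 as "clock", exactly as in the post).
SEVERITY_NAMES = ["emergency", "alert", "critical", "error",
                  "warning", "notice", "info", "debug"]
FACILITY_NAMES = ["kernel", "user", "mail", "system", "security", "syslog",
                  "lpd", "nntp", "uucp", "time", "security", "ftpd", "ntpd",
                  "logaudit", "logalert", "clock",
                  "local0", "local1", "local2", "local3",
                  "local4", "local5", "local6", "local7"]

MAX_PRI = len(FACILITY_NAMES) * 8 - 1   # 23 * 8 + 7 == 191
DEFAULT_PRI = 13                        # user.notice, per RFC 3164 section 4.3.3
PRI_RE = re.compile(r"^<(\d{1,3})>")    # 1 to 3 decimal digits in angle brackets


def split_pri(pri: int) -> tuple[int, int]:
    """PRI = facility * 8 + severity, so the facility is the quotient and the
    severity the remainder (equivalently pri >> 3 and pri & 7)."""
    if not 0 <= pri <= MAX_PRI:
        raise ValueError(f"PRI {pri} outside 0..{MAX_PRI}")
    return divmod(pri, 8)


def make_pri(facility: int, severity: int) -> int:
    """The reverse check from the post: make_pri(23, 7) == 191."""
    if not 0 <= facility < len(FACILITY_NAMES) or not 0 <= severity < 8:
        raise ValueError("facility must be 0..23 and severity 0..7")
    return facility * 8 + severity


def build_pri_table() -> list[list[int]]:
    """The lookup table above, generated: table[facility][severity] == PRI."""
    return [[make_pri(f, s) for s in range(8)] for f in range(len(FACILITY_NAMES))]


@dataclass(frozen=True)
class SyslogHeader:
    pri: int
    facility: int
    severity: int
    facility_name: str
    severity_name: str
    message: str
    pri_was_valid: bool


def parse_pri(line: str) -> SyslogHeader:
    """Pull the PRI off a raw syslog line. The PRI comes from the sender, so it is
    untrusted input: an absent, out-of-range or zero-padded PRI never raises; it is
    replaced by <13> and the whole line is kept as the message."""
    m = PRI_RE.match(line)
    pri, message, valid = DEFAULT_PRI, line, False
    if m:
        digits = m.group(1)
        value = int(digits)
        # Reject values above 191 and zero-padded digits such as "07" (only "0"
        # itself may start with a zero). The padding rule is this example's choice.
        if value <= MAX_PRI and digits == str(value):
            pri, message, valid = value, line[m.end():], True
    facility, severity = split_pri(pri)
    return SyslogHeader(pri, facility, severity,
                        FACILITY_NAMES[facility], SEVERITY_NAMES[severity],
                        message.strip(), valid)


if __name__ == "__main__":
    # Constructed sample lines, not captured traffic.
    samples = ["<191> logtext",
               "<34>Oct 11 22:14:15 host su: 'su root' failed for lonvick",
               "no pri at all",
               "<999> out of range",
               "<07> zero padded"]
    for raw in samples:
        h = parse_pri(raw)
        print(f"{h.pri:>3} -> {h.facility_name}.{h.severity_name:<9} "
              f"valid={h.pri_was_valid!s:<5} | {h.message}")
```

Running the block prints one line per sample; "<191> logtext" comes out as local7.debug, while the three malformed lines all land on user.notice with pri_was_valid set to False so a downstream rule can count or alert on senders that emit garbage headers.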

References:
http://answers.splunk.com/answers/31036/syslog-facility-and-severity-loglevel
https://gist.github.com/marvin/1017480
https://www.youtube.com/watch?v=DEReadkHf2Y&list=LLCinOQV6KbeaR_YujUzARRg&index=2
