[logs] Re: Syslog analisys - where is the severity?

From: Jeff Saxton (jeff.saxton@private)
Date: Wed Sep 28 2005 - 11:19:25 PDT

4.1.1 PRI Part

    The PRI part MUST have three, four, or five characters and will be
    bound with angle brackets as the first and last characters.  The PRI
    part starts with a leading "<" ('less-than' character), followed by a
    number, which is followed by a ">" ('greater-than' character). The
    code set used in this part MUST be seven-bit ASCII in an eight-bit
    field as described in RFC 2234 [2].  These are the ASCII codes as
    defined in "USA Standard Code for Information Interchange" [3].  In
    this, the "<" character is defined as the Augmented Backus-Naur Form
    (ABNF) %d60, and the ">" character has ABNF value %d62.  The number
    contained within these angle brackets is known as the Priority value
    and represents both the Facility and Severity as described below.
    The Priority value consists of one, two, or three decimal integers
    (ABNF DIGITS) using values of %d48 (for "0") through %d57 (for "9").

    The Facilities and Severities of the messages are numerically coded
    with decimal values.  Some of the operating system daemons and
    processes have been assigned Facility values.  Processes and daemons
    that have not been explicitly assigned a Facility may use any of the
    "local use" facilities or they may use the "user-level" Facility.
    Those Facilities that have been designated are shown in the following
    table along with their numerical code values.

        Numerical             Facility

            0             kernel messages
            1             user-level messages
            2             mail system
            3             system daemons
            4             security/authorization messages (note 1)

            5             messages generated internally by syslogd
            6             line printer subsystem
            7             network news subsystem
            8             UUCP subsystem
            9             clock daemon (note 2)
           10             security/authorization messages (note 1)
           11             FTP daemon
           12             NTP subsystem
           13             log audit (note 1)
           14             log alert (note 1)
           15             clock daemon (note 2)
           16             local use 0  (local0)
           17             local use 1  (local1)
           18             local use 2  (local2)
           19             local use 3  (local3)
           20             local use 4  (local4)
           21             local use 5  (local5)
           22             local use 6  (local6)
           23             local use 7  (local7)

            Table 1.  syslog Message Facilities

         Note 1 - Various operating systems have been found to utilize
            Facilities 4, 10, 13 and 14 for security/authorization,
            audit, and alert messages which seem to be similar.
         Note 2 - Various operating systems have been found to utilize
            both Facilities 9 and 15 for clock (cron/at) messages.

    Each message Priority also has a decimal Severity level indicator.
    These are described in the following table along with their numerical

         Numerical         Severity

            0       Emergency: system is unusable
            1       Alert: action must be taken immediately
            2       Critical: critical conditions
            3       Error: error conditions
            4       Warning: warning conditions
            5       Notice: normal but significant condition
            6       Informational: informational messages
            7       Debug: debug-level messages

            Table 2. syslog Message Severities

    The Priority value is calculated by first multiplying the Facility
    number by 8 and then adding the numerical value of the Severity. For
    example, a kernel message (Facility=0) with a Severity of Emergency
    (Severity=0) would have a Priority value of 0.  Also, a "local use 4"
    message (Facility=20) with a Severity of Notice (Severity=5) would
    have a Priority value of 165.  In the PRI part of a syslog message,
    these values would be placed between the angle brackets as <0> and
    <165> respectively.  The only time a value of "0" will follow the "<"
    is for the Priority value of "0". Otherwise, leading "0"s MUST NOT be

Gerardo Amaya wrote:
> Hello all. I've been trying to analize syslog messages from Watchguard 
> and NetScreen Boxes I'm trying to parse the content, I can get a lot of 
> values from the messages but the value that I can't find anywhere is the 
> severity(not even the facility). the content of the message is very rich 
> but I have not figure out how to get the severity. I see that syslog 
> messages from both boxes starts with <digit>, is that the severity and 
> the facilty. Where can I find this values?
> Thanks in advance
> Gerardo Amaya
> _______________________________________________
> LogAnalysis mailing list
> LogAnalysis@private
> http://lists.shmoo.com/mailman/listinfo/loganalysis

Jeff Saxton
SenSage, Inc.
55 Hawthorne Lane Suite 700
San Francisco, CA 94105
Phone:  415.808.5900
Fax:    415.371.1385
Direct: 415-808-5921
Cell:   415-640-6392

Enterprise Security Analytics

SenSage, the leading provider of enterprise security analytics, offers
unparalleled performance and a scalable means for organizations to centrally
aggregate, efficiently analyze, dynamically monitor and cost-effectively
store massive volumes of event log data.

LogAnalysis mailing list

This archive was generated by hypermail 2.1.3 : Wed Sep 28 2005 - 11:21:55 PDT