[logs] Re: Syslog analysis - where is the severity?

From: Jeremy Mates (jmates@private)
Date: Wed Sep 28 2005 - 11:25:39 PDT


* Gerardo Amaya <joseg@private>
> Hello all. I've been trying to analyze syslog messages from Watchguard
> and NetScreen boxes. I'm trying to parse the content; I can get a lot
> of values from the messages, but the value that I can't find anywhere
> is the severity (not even the facility). The content of the message is
> very rich, but I have not figured out how to get the severity. I see
> that syslog messages from both boxes start with <digit>; is that the
> severity and the facility? Where can I find these values?

To tear apart the syslog protocol, have a look at this script:

http://sial.org/code/perl/scripts/syslog_snarf.pl

Most syslogds strip the facility and priority information. Some syslogds
offer options to add these flags to the logfiles (-v -v on FreeBSD?) and
others, such as syslog-ng, let you template the output:

destination messages {
  file("/var/log/archive/messages/$R_YEAR/$R_MONTH/$R_YEAR-$R_MONTH-$R_DAY"
    template("$ISODATE <$FACILITY.$PRIORITY> $HOST $MSG\n")
    template_escape(no)
  );
};

For more information on syslog-ng, see:

http://sial.org/howto/logging/syslog-ng/
_______________________________________________
LogAnalysis mailing list
LogAnalysis@private
http://lists.shmoo.com/mailman/listinfo/loganalysis
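The `<digit>` prefix Gerardo asks about is the syslog PRI field, and it carries both values he is looking for: PRI = facility * 8 + severity, so the facility is PRI >> 3 and the severity is PRI & 7. The following is an added example, not code from the original post or from the Perl script linked above; it decodes the PRI from raw lines of the kind a Watchguard or NetScreen box sends, and reports, rather than guesses, when a relaying syslogd has already stripped the prefix (the situation the reply describes). The sample lines are constructed, and the names for facilities 12-15 follow syslog-ng's convention, since those codes vary between implementations.

```python
"""Decode the <PRI> prefix of a raw syslog line.

Added example: not from the original post. Numeric encoding is from
RFC 3164 / RFC 5424 (PRI = facility * 8 + severity); the sample lines
below are constructed.
"""
import re

# Severity codes 0..7 (RFC 3164 section 4.1.1).
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Facility codes 0..23. Codes 12-15 have no universal names; the names used
# here are syslog-ng's (assumption, noted in the lead-in).
FACILITIES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console", "solaris-cron",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
]

# PRI is 1 to 3 decimal digits inside angle brackets at the very start of the line.
PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)


def decode_pri(pri: int) -> tuple[str, str]:
    """Split a numeric PRI into (facility_name, severity_name)."""
    if not 0 <= pri <= 191:  # 23 * 8 + 7 is the largest legal value
        raise ValueError(f"PRI {pri} outside 0..191")
    return FACILITIES[pri >> 3], SEVERITIES[pri & 7]


def parse_line(line: str) -> dict:
    """Return pri/facility/severity/message for one raw syslog line.

    Lines without a prefix (already stripped by an intermediate syslogd)
    and lines with an out-of-range PRI are returned with pri=None and a
    note, so the caller can tell 'unknown' from 'parsed'.
    """
    m = PRI_RE.match(line)
    if m is None:
        return {"pri": None, "facility": None, "severity": None, "message": line,
                "note": "no <PRI> prefix; probably stripped by the relaying syslogd"}
    pri = int(m.group(1))
    try:
        facility, severity = decode_pri(pri)
    except ValueError as exc:
        return {"pri": None, "facility": None, "severity": None, "message": m.group(2),
                "note": f"malformed PRI: {exc}"}
    return {"pri": pri, "facility": facility, "severity": severity,
            "message": m.group(2), "note": ""}


def syslog_ng_prefix(parsed: dict) -> str:
    """Render the same '<facility.severity>' text the syslog-ng template above emits."""
    if parsed["pri"] is None:
        return "<?.?>"
    return f"<{parsed['facility']}.{parsed['severity']}>"


# Constructed sample input: two firewall-style lines, one line whose PRI was
# stripped upstream, and one with an impossible PRI value.
SAMPLE_LINES = [
    "<134>Sep 28 11:25:39 fw1 NetScreen device_id=ns5 [Root]system-notification-00257(traffic)",
    "<27>Sep 28 11:25:40 wg1 firewall: deny in eth0 1500 tcp 20 64 10.0.0.5 10.0.0.9",
    "Sep 28 11:25:41 fw1 message whose prefix was removed by the relay",
    "<999>Sep 28 11:25:42 fw1 bogus priority value",
]


def summarize(lines=SAMPLE_LINES) -> list[tuple[str, str]]:
    """Pair each line's syslog-ng style prefix with its message text."""
    return [(syslog_ng_prefix(p), p["message"]) for p in map(parse_line, lines)]


if __name__ == "__main__":
    for prefix, message in summarize():
        print(prefix, message)
```

Run it as a script and the first two lines come out as `<local0.info>` and `<daemon.err>`, which are the facility and severity the boxes put on the wire; the third line prints `<?.?>` because there is nothing left to decode once a syslogd has dropped the prefix, which is why the reply points to logging the raw message or re-adding the fields with a template.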
This archive was generated by hypermail 2.1.3 : Wed Sep 28 2005 - 11:41:11 PDT