[logs] Capturing facility and level information
Tina Bird
tbird at precision-guesswork.com
Thu Jun 14 11:18:24 PDT 2007
Since I sent out my request for failed login data, I've had a couple of
queries about how to capture facility and level data for syslog data. It's
an annoying problem, because although it seems like it ought to be
straightforward, it's anything but.
For Linux and FreeBSD (the servers I am currently testing with), there's no
obvious way to make the system record that information, although it's
included in the syslog datagram. For these servers, the two choices I've
come up with are to either replace the stock syslog with syslog-ng or some
other replacement that lets you define the structure of stored messages; or
to take advantage of the '=' operator within the stock /etc/syslog.conf.
----
If you're using syslog-ng, you can use templates to explicitly record
facility and level. My syslog-ng.conf includes the template in the
"messages" destination:
destination messages {
file("/var/log/repository/$YEAR/$MONTH/$DAY/$HOST"
template("<$FACILITY.$PRIORITY> $MSG\n")
template_escape(no));
};
which creates messages like this:
<syslog.info> syslog-ng[4402]: Log statistics; processed='center(queued)=5856',
processed='center(received)=5856', processed='destination(messages)=5856',
processed='source(s_sys)=5856'
----
If you want a quick hack to stock syslog, verify that your syslog server
supports the use of the '=' operator in the selector portion of syslog.conf.
If it does, adding the following lines to syslog.conf will split messages
into separate buckets based on their priority/level/severity:
*.=emerg /var/log/emerg
*.=alert /var/log/alert
*.=crit /var/log/crit
*.=err /var/log/err
*.=warn /var/log/warn
*.=notice /var/log/notice
*.=info /var/log/info
*.=debug /var/log/debug
----
Hope this helps -- sorry for asking for such irritating data -- tbird
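The two approaches in the post rely on the same fact: the facility and level are already in the datagram as the `<PRI>` prefix, where PRI = facility * 8 + level, and the stock daemon simply drops them when it writes the file. The following script is an added example and is not code from the post or from syslog-ng. It decodes the PRI field of a few constructed sample datagrams (not captures from a real host), reproduces what the `"<$FACILITY.$PRIORITY> $MSG"` template writes, and evaluates syslog.conf selectors such as `*.=warn` so you can see which of the eight buckets a message would land in. The function names, the sample lines, and the treatment of the `warn`/`error`/`panic` aliases are my assumptions; the facility and level code tables follow RFC 3164.

```python
"""Decode syslog PRI values and evaluate syslog.conf selectors.

Added example, not part of the original post or of syslog-ng. The
facility/level tables are the RFC 3164 code assignments; the rest is
illustrative and assumed.
"""
import re

# RFC 3164 facility codes 0..23 (12-15 are rarely seen; names here are descriptive).
FACILITIES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "logaudit", "logalert", "clock",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
]
# RFC 3164 severity codes 0..7, most severe first.
LEVELS = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
# Spellings accepted by common syslog.conf parsers (assumed here).
LEVEL_ALIASES = {"panic": "emerg", "error": "err", "warn": "warning"}

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)


def decode_pri(pri):
    """Split a PRI value into (facility, level) names: PRI = facility*8 + level."""
    if not 0 <= pri <= 191:
        raise ValueError("PRI out of range: %d" % pri)
    return FACILITIES[pri >> 3], LEVELS[pri & 7]


def parse_datagram(raw):
    """Return {'facility', 'level', 'msg'} for a raw BSD-syslog datagram."""
    m = PRI_RE.match(raw)
    if not m:
        raise ValueError("no <PRI> prefix: %r" % raw[:20])
    facility, level = decode_pri(int(m.group(1)))
    return {"facility": facility, "level": level, "msg": m.group(2)}


def format_like_syslog_ng(raw):
    """Mimic the template("<$FACILITY.$PRIORITY> $MSG") from the post."""
    d = parse_datagram(raw)
    return "<%s.%s> %s" % (d["facility"], d["level"], d["msg"])


def selector_matches(selector, facility, level):
    """Evaluate a syslog.conf selector: 'fac.level', 'fac.=level', '*.level'.

    A plain level matches that level and anything more severe; '=' matches
    the exact level only; 'none' matches nothing; facilities may be a
    comma-separated list or '*'.
    """
    fac_part, _, lvl_part = selector.partition(".")
    if not lvl_part:
        raise ValueError("selector needs a level: %r" % selector)
    exact = lvl_part.startswith("=")
    lvl_name = lvl_part.lstrip("=")
    lvl_name = LEVEL_ALIASES.get(lvl_name, lvl_name)
    if fac_part != "*" and facility not in fac_part.split(","):
        return False
    if lvl_name == "*":
        return True
    if lvl_name == "none":
        return False
    want = LEVELS.index(lvl_name)
    have = LEVELS.index(level)
    return have == want if exact else have <= want


def route(raw, config):
    """List the destinations a datagram would be written to under `config`."""
    d = parse_datagram(raw)
    return [dest for sel, dest in config
            if selector_matches(sel, d["facility"], d["level"])]


# Constructed sample datagrams (illustrative, not captured from a real host).
SAMPLES = [
    "<46>Jun 14 11:18:24 loghost syslog-ng[4402]: Log statistics; processed='center(queued)=5856'",
    "<38>Jun 14 11:19:02 loghost sshd[2000]: Failed password for invalid user test from 192.0.2.10 port 5555 ssh2",
    "<12>Jun 14 11:19:10 loghost app[77]: disk almost full",
    "<0>Jun 14 11:19:30 loghost kernel: panic",
]
# The eight '=' selectors from the post, as (selector, destination) pairs.
STOCK_BUCKETS = [("*.=%s" % lvl, "/var/log/%s" % lvl) for lvl in
                 ("emerg", "alert", "crit", "err", "warn", "notice", "info", "debug")]

if __name__ == "__main__":
    for raw in SAMPLES:
        print(format_like_syslog_ng(raw), "->", route(raw, STOCK_BUCKETS))
```

Running it shows the trade-off between the two approaches: the template keeps both halves of the PRI in every line, whereas the eight `*.=level` buckets preserve the level only as the file name and lose the facility entirely, so a `user.warning` and an `auth.warning` message end up indistinguishable in /var/log/warn.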
More information about the LogAnalysis mailing list