[logs] Capturing facility and level information
Rainer Gerhards
rgerhards at hq.adiscon.com
Mon Jun 18 03:50:09 PDT 2007
[speaking as maintainer of rsyslog package]
Hi all,
inspired by Tina's thoughts, I have created a tutorial on how to capture
syslog priority with rsyslog (http://www.rsyslog.com). This tutorial
also includes instructions on how to run rsyslog just for
priority-gathering purposes, so there is no need to permanently replace
your existing syslogd.
Find the tutorial at:
http://www.rsyslog.com/module-Static_Docs-view-f-/rsyslog_recording_pri.html.phtml
As a side-note, I've also improved rsyslog so that it now supports a new
message property containing the friendly priority name (e.g.
"syslog.info").
Many thanks to Tina for pointing out the obvious!
A universal installer package for the improved version will most
probably appear soon at
http://bent.latency.net/bent/i386/
(search for "rsyslog-"). The existing rsyslog-1.13.2.cpio.bz2 will work
perfectly, except that it does not yet know the friendly priority names
(it just tells you numbers).
As always, feedback is highly appreciated.
Rainer
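The facility and level Tina notes are "included in the syslog datagram" travel as a single PRI number (facility * 8 + severity), which is what rsyslog's friendly priority name and syslog-ng's $FACILITY.$PRIORITY template both decode. The following is an added example, not code from rsyslog, syslog-ng or either post: it decodes PRI from raw datagrams into names like "syslog.info", renders lines in the shape of Tina's template, and sorts them into per-severity buckets like her '=' selectors. Facility names for codes 12-15 follow RFC 3164's descriptions (implementations vary), a missing PRI is treated as 13 (user.notice) as RFC 3164 directs for relays, and the sample datagrams are constructed for the demo.

```python
"""Decode the syslog PRI field into facility and severity names.

Added example; not rsyslog, syslog-ng or mailing-list code. The sample
datagrams below are constructed for this demo.
"""
import re
from typing import Dict, List, NamedTuple, Optional, Tuple

# Facility codes per RFC 3164 section 4.1.1. Names for 12-15 differ between
# implementations; these follow the RFC's descriptions.
FACILITIES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "logaudit", "logalert", "clock",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
]
# Severity codes 0-7; "warning" is what syslog.conf's "warn" abbreviates.
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# RFC 3164 section 4.3.3: a datagram with no PRI part is treated as PRI 13.
DEFAULT_PRI = 13

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)
# BSD-style header: timestamp, hostname, then the MSG part (tag + content).
HEADER_RE = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d (\S+) (.*)$", re.DOTALL)


class Record(NamedTuple):
    pri: int
    facility: str
    severity: str
    host: Optional[str]
    msg: str
    pri_assumed: bool  # True when the datagram carried no PRI field

    @property
    def friendly(self) -> str:
        """Friendly priority name, e.g. "syslog.info"."""
        return f"{self.facility}.{self.severity}"


def decode_pri(pri: int) -> Tuple[str, str]:
    """Split a PRI value into (facility, severity); PRI = facility * 8 + severity."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI {pri} out of range 0..191")
    return FACILITIES[pri >> 3], SEVERITIES[pri & 7]


def parse_syslog_line(line: str) -> Optional[Record]:
    """Parse one raw datagram; returns None when the PRI value is invalid."""
    m = PRI_RE.match(line)
    if m:
        pri, rest, assumed = int(m.group(1)), m.group(2), False
    else:
        pri, rest, assumed = DEFAULT_PRI, line, True
    try:
        facility, severity = decode_pri(pri)
    except ValueError:
        return None
    h = HEADER_RE.match(rest)
    host, msg = (h.group(1), h.group(2)) if h else (None, rest)
    return Record(pri, facility, severity, host, msg, assumed)


def render(rec: Record) -> str:
    """Same shape as the syslog-ng template "<$FACILITY.$PRIORITY> $MSG"."""
    return f"<{rec.friendly}> {rec.msg}"


def split_by_severity(lines: List[str]) -> Dict[str, List[str]]:
    """Equivalent of the *.=level selectors: one bucket per severity."""
    buckets: Dict[str, List[str]] = {s: [] for s in SEVERITIES}
    for line in lines:
        rec = parse_syslog_line(line)
        if rec is not None:
            buckets[rec.severity].append(render(rec))
    return buckets


SAMPLE_DATAGRAMS = [  # constructed for this example
    "<46>Jun 18 03:50:09 loghost syslog-ng[4402]: Log statistics; processed='center(queued)=5856'",
    "<38>Jun 18 03:51:12 loghost sshd[2211]: Failed password for invalid user admin from 192.0.2.10 port 4022 ssh2",
    "<13>Jun 18 03:52:00 loghost logger: explicit user.notice",
    "Jun 18 03:53:30 loghost app[77]: relayed without a PRI field",
    "<200>Jun 18 03:54:00 loghost bad: PRI above 191 is rejected",
]

if __name__ == "__main__":
    for line in SAMPLE_DATAGRAMS:
        rec = parse_syslog_line(line)
        print(render(rec) if rec else f"rejected: {line}")
```

Note that the datagram without a PRI is not dropped but tagged `pri_assumed`, so a collector can tell a genuine user.notice from one it had to invent; the out-of-range PRI is rejected rather than wrapped into a bogus facility.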
> -----Original Message-----
> From: loganalysis-bounces at loganalysis.org [mailto:loganalysis-
> bounces at loganalysis.org] On Behalf Of Tina Bird
> Sent: Thursday, June 14, 2007 8:18 PM
> To: loganalysis at loganalysis.org
> Subject: [logs] Capturing facility and level information
>
>
> Since I sent out my request for failed login data, I've had a couple of
> queries about how to capture facility and level data for syslog data. It's
> an annoying problem, because although it seems like it ought to be
> straightforward, it's anything but.
>
> For Linux and FreeBSD (the servers I am currently testing with), there's no
> obvious way to make the system record that information, although it's
> included in the syslog datagram. For these servers, the two choices I've
> come up with are to either replace the stock syslog with syslog-ng or some
> other replacement that lets you define the structure of stored messages; or
> to take advantage of the '=' operator within the stock /etc/syslog.conf.
>
> ----
>
> If you're using syslog-ng, you can use templates to explicitly record
> facility and level. My syslog-ng.conf includes the template in the
> "messages" destination:
>
> destination messages {
> file("/var/log/repository/$YEAR/$MONTH/$DAY/$HOST"
> template("<$FACILITY.$PRIORITY> $MSG\n")
> template_escape(no));
> };
>
> which creates messages like this:
>
> <syslog.info> syslog-ng[4402]: Log statistics;
> processed='center(queued)=5856',
> processed='center(received)=5856',
> processed='destination(messages)=5856',
> processed='source(s_sys)=5856'
>
> ----
>
> If you want a quick hack to stock syslog, verify that your syslog server
> supports the use of the '=' operator in the selector portion of syslog.conf.
> If it does, adding the following lines to syslog.conf will split messages
> into separate buckets based on their priority/level/severity:
>
> *.=emerg /var/log/emerg
> *.=alert /var/log/alert
> *.=crit /var/log/crit
> *.=err /var/log/err
> *.=warn /var/log/warn
> *.=notice /var/log/notice
> *.=info /var/log/info
> *.=debug /var/log/debug
>
> ----
>
> Hope this helps -- sorry for asking for such irritating data -- tbird
>
> _______________________________________________
> LogAnalysis mailing list
> LogAnalysis at loganalysis.org
> http://www.loganalysis.org/mailman/listinfo/loganalysis