[logs] Capturing facility and level information
Chris Brenton
cbrenton at chrisbrenton.org
Mon Jun 18 06:11:28 PDT 2007
Hi Tina! <wave>
On Thu, 2007-06-14 at 11:18 -0700, Tina Bird wrote:
>
> Since I sent out my request for failed login data, I've had a couple of
> queries about how to capture facility and level data for syslog data. It's
> an annoying problem, because although it seems like it ought to be
> straightforward, it's anything but.
Agreed. Best bet if you are using a central logging server is to run
ngrep in the path and have it watch UDP/514. The priority will be the
first value transmitted. Something like:
<38>sshd(pam_unix)[31140]:.session.opened.for.user.cbrenton.by.(uid=0).
From there it's just some simple math:
38/8 = 4 with a remainder of 6
So:
Facility = 4 = auth
Severity = 6 = info
or auth.info :)
HTH,
Chris
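The arithmetic in the message, carried through as a small PRI decoder. This is an added example for this thread, not code from Chris or Tina's posts: it splits the leading `<N>` of a raw syslog datagram into facility and severity with `divmod(N, 8)`, names them from the RFC 3164 / RFC 5424 tables (with the Linux names auth, authpriv, cron and ftp for 4, 10, 9 and 11), rejects values above 191 or with leading zeros, and also goes the other way (auth.info back to 38) so you can build an ngrep or grep pattern for one facility. The sample datagrams are constructed except for the `<38>` sshd line, which is the one quoted above (ngrep prints the spaces as dots, which does not affect the PRI).

```python
"""Decode the syslog PRI field (<N>) into facility and severity.

Added example for the LogAnalysis thread; not code from the original post.
Code tables follow RFC 3164 / RFC 5424 Table 1 plus the Linux syslog.h names
(auth=4, authpriv=10, cron=9, ftp=11). Sample lines are constructed, except
the <38> sshd line, which is the one quoted in the message.
"""
import re
from typing import NamedTuple, Optional

FACILITY_NAMES = {
    0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
    6: "lpr", 7: "news", 8: "uucp", 9: "cron", 10: "authpriv", 11: "ftp",
    12: "ntp", 13: "logaudit", 14: "logalert", 15: "clock",
}
FACILITY_NAMES.update({16 + i: f"local{i}" for i in range(8)})

SEVERITY_NAMES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# PRI is 1-3 digits with no leading zeros (RFC 5424 section 6.2.1); "<0>" alone is valid.
PRI_RE = re.compile(r"^<(0|[1-9][0-9]{0,2})>")


class Priority(NamedTuple):
    pri: int
    facility: int
    severity: int

    @property
    def facility_name(self) -> str:
        return FACILITY_NAMES[self.facility]

    @property
    def severity_name(self) -> str:
        return SEVERITY_NAMES[self.severity]

    def __str__(self) -> str:
        return f"{self.facility_name}.{self.severity_name}"


def decode_pri(pri: int) -> Priority:
    """Split a PRI value: facility is the quotient by 8, severity the remainder.

    38 -> facility 4 (auth), severity 6 (info), exactly the arithmetic in the post.
    Anything above 191 (local7.debug) cannot come from a valid facility/severity pair.
    """
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI {pri} out of range 0..191")
    facility, severity = divmod(pri, 8)
    return Priority(pri, facility, severity)


def encode_pri(facility: int, severity: int) -> int:
    """Inverse of decode_pri: auth.info -> 4*8 + 6 = 38."""
    if not 0 <= facility <= 23 or not 0 <= severity <= 7:
        raise ValueError("facility must be 0..23 and severity 0..7")
    return facility * 8 + severity


def parse_syslog_pri(line: str) -> Optional[Priority]:
    """Pull the PRI off the front of a raw syslog datagram and decode it.

    Returns None when the PRI is missing or malformed. RFC 3164 section 4.3.3
    tells a relay to treat such a message as <13> (user.notice); callers that
    want that behaviour can substitute decode_pri(13) for None.
    """
    m = PRI_RE.match(line)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:
        return None
    return decode_pri(pri)


def pri_values_for_facility(facility: int) -> range:
    """All PRI values one facility can produce, e.g. auth (4) -> 32..39.

    Useful for an ngrep/grep pattern that selects one facility at every severity.
    """
    lo = encode_pri(facility, 0)
    return range(lo, lo + 8)


# Constructed sample datagrams (the <38> line is the one from the post).
SAMPLE_LINES = [
    "<38>sshd(pam_unix)[31140]:.session.opened.for.user.cbrenton.by.(uid=0).",
    "<13>Jun 18 06:11:28 host logger: plain user message",
    "<86>Jun 18 06:11:29 host sshd[31141]: Failed password for invalid user admin",
    "<191>Jun 18 06:11:30 host app: local7 debug noise",
    "<192>Jun 18 06:11:31 host app: PRI too large, not valid",
    "Jun 18 06:11:32 host app: no PRI at all",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        p = parse_syslog_pri(line)
        print(f"{str(p) if p else 'no/invalid PRI':16} {line[:50]}")
```

Run against the ngrep output directly, the first token of each datagram is all this needs; everything after the `>` is left alone, so the dot-for-space rendering does not matter. The out-of-range and missing-PRI cases come back as None rather than being silently folded into some facility, which is what you want when the point of the exercise is to trust the facility/severity split you report.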