Getting Data In

syslog facility and severity (loglevel)

telecity
Engager

I've added the following to etc/system/local/limits.conf

[udp://514]
no_priority_stripping = true
no_appending_timestamp = true

My interest is to retrieve the facility and severity (loglevel) from the incoming syslog events. However now each event is prefixed with <137> which means nothing to me. Here's an example:

<137>Sep 22 15:52:30 host...

Facility is set at local1 and level is alert. Per rfc3164 that'd be facility=17 and severity=1.

My questions:
1. What is <137> (it wasn't there before, and does show up in _raw)?
2. How do I retrieve facility / severity? I'd like them to be indexed fields if possible, to make searching, sorting and alerting easier.

1 Solution

telecity
Engager

After loads of searching, I think I've finally found the answer. Apparently splunk is using a matrix (which I suspected, but couldn't identify or confirm) that seems to match the following:

Facility      Code   Severity:   0     1     2     3     4     5     6     7
kernel           0               0     1     2     3     4     5     6     7
user             1               8     9    10    11    12    13    14    15
mail             2              16    17    18    19    20    21    22    23
system           3              24    25    26    27    28    29    30    31
security         4              32    33    34    35    36    37    38    39
syslog           5              40    41    42    43    44    45    46    47
lpd              6              48    49    50    51    52    53    54    55
nntp             7              56    57    58    59    60    61    62    63
uucp             8              64    65    66    67    68    69    70    71
time             9              72    73    74    75    76    77    78    79
security        10              80    81    82    83    84    85    86    87
ftpd            11              88    89    90    91    92    93    94    95
ntpd            12              96    97    98    99   100   101   102   103
logaudit        13             104   105   106   107   108   109   110   111
logalert        14             112   113   114   115   116   117   118   119
clock           15             120   121   122   123   124   125   126   127
local0          16             128   129   130   131   132   133   134   135
local1          17             136   137   138   139   140   141   142   143
local2          18             144   145   146   147   148   149   150   151
local3          19             152   153   154   155   156   157   158   159
local4          20             160   161   162   163   164   165   166   167
local5          21             168   169   170   171   172   173   174   175
local6          22             176   177   178   179   180   181   182   183
local7          23             184   185   186   187   188   189   190   191

Source of Matrix:
http://chris-mccafferty.blogspot.com/2010/12/syslog-priority-matrix.html

Here's a perl script to sort it out for you:

#!/usr/bin/perl -w
use strict;
# http://splunk-base.splunk.com/answers/31036/syslog-facility-and-severity-loglevel

# Facilities in RFC 3164 code order (index 0 = kernel ... 23 = local7).
my @facilities = qw(Kernel User Mail System Security Syslog Lpd Nntp Uucp Time
                    Security Ftpd Ntpd Logaudit Logalert Clock Local0
                    Local1 Local2 Local3 Local4 Local5 Local6 Local7);
# Severities in code order (0 = Emergency ... 7 = Debug).
my @severities = qw(Emergency Alert Critical Error Warning Notice Info Debug);
my $count = 0;

# Iterating facilities in the outer loop and severities in the inner loop
# makes $count equal facility*8 + severity, i.e. the <PRI> value, so each
# output line is "PRI,Facility.Severity" (e.g. 137,Local1.Alert).
foreach my $facility (@facilities) {
    foreach my $severity (@severities) {
        print("$count,$facility.$severity\n");
        $count++;
    }
}


SyntecSeb
New Member

You've only answered Q1 here. What about Q2? 2. How do I retrieve facility / severity? I'd like them to be indexed fields if possible, to make searching, sorting and alerting easier.

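The matrix in the accepted answer and the follow-up about Q2 both come down to one arithmetic fact from RFC 3164: PRI = facility * 8 + severity, so the two fields are recovered with a shift and a mask instead of a lookup table. The following Python script is an added example, not code from the original thread or from Splunk; it decodes the `<PRI>` header of a raw line such as `<137>Sep 22 15:52:30 host...`, names the fields using the answer's own facility/severity labels, rejects lines whose PRI is missing or outside the 0-191 range, and reproduces the 192-row `code,Facility.Severity` listing the Perl script prints. The sample log lines are constructed.

```python
"""Decode the <PRI> header of a BSD-style (RFC 3164) syslog line.

PRI = facility * 8 + severity, so facility = PRI >> 3 and severity = PRI & 7.
Facility/severity names follow the accepted answer's matrix; sample lines
below are constructed, not real log data.
"""
import re

# Facility names as they appear in the answer's matrix (index = facility code).
# Codes 4 and 10 are both labelled "security" there; RFC 3164 lists them as
# "security/authorization" and "security/authorization (private)".
FACILITIES = [
    "kernel", "user", "mail", "system", "security", "syslog", "lpd", "nntp",
    "uucp", "time", "security", "ftpd", "ntpd", "logaudit", "logalert", "clock",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
]
SEVERITIES = ["emergency", "alert", "critical", "error",
              "warning", "notice", "info", "debug"]

# PRI is 1-3 digits immediately after "<", no sign, no spaces.
_PRI_RE = re.compile(r"^<(\d{1,3})>")


def encode_pri(facility, severity):
    """facility (0-23) and severity (0-7) -> PRI value; local1/alert -> 137."""
    if not (0 <= facility <= 23 and 0 <= severity <= 7):
        raise ValueError("facility must be 0-23 and severity 0-7")
    return facility * 8 + severity


def decode_pri(pri):
    """PRI value -> (facility, severity); 137 -> (17, 1)."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI {pri} out of range 0-191")
    return pri >> 3, pri & 7


def parse_syslog_line(line):
    """Split a raw line into PRI, facility, severity (codes and names) and message.

    Returns None when the line carries no valid <PRI> header, which is what a
    receiver sees when the sender omits it or the collector already stripped it.
    """
    m = _PRI_RE.match(line)
    if m is None:
        return None
    pri = int(m.group(1))
    try:
        facility, severity = decode_pri(pri)
    except ValueError:
        return None
    return {
        "pri": pri,
        "facility": facility,
        "facility_name": FACILITIES[facility],
        "severity": severity,
        "severity_name": SEVERITIES[severity],
        "message": line[m.end():],
    }


def build_matrix():
    """Return the 192 'code,Facility.Severity' rows the answer's Perl script prints."""
    return [
        f"{encode_pri(f, s)},{fn.capitalize()}.{sn.capitalize()}"
        for f, fn in enumerate(FACILITIES)
        for s, sn in enumerate(SEVERITIES)
    ]


if __name__ == "__main__":
    # Constructed sample lines, not real log data.
    samples = [
        "<137>Sep 22 15:52:30 host sshd[42]: test message",    # local1.alert
        "<13>Sep 22 15:52:31 host logger: user notice",         # user.notice
        "<999>Sep 22 15:52:32 host bad: PRI out of range",      # rejected
        "Sep 22 15:52:33 host nopri: header already stripped",  # rejected
    ]
    for s in samples:
        print(parse_syslog_line(s))
```

For Q2 inside Splunk itself the same shift-and-mask logic cannot run at index time, but the `<PRI>` digits can be captured with an index-time regex extraction (a `transforms.conf` stanza with `REGEX`, `FORMAT` and `WRITE_META = true`, referenced from `props.conf` via `TRANSFORMS-`, and declared in `fields.conf` with `INDEXED = true`); that is general Splunk configuration knowledge, not something this thread shows, and the facility/severity split then has to be done at search time from the captured PRI value or by a lookup built from `build_matrix()` above.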