After loads of searching, I think I've finally found the answer. Apparently Splunk is using a matrix (which I suspected, but couldn't identify or confirm) that seems to match the following:
                 Severity
Facility    #    0    1    2    3    4    5    6    7
kernel      0    0    1    2    3    4    5    6    7
user        1    8    9   10   11   12   13   14   15
mail        2   16   17   18   19   20   21   22   23
system      3   24   25   26   27   28   29   30   31
security    4   32   33   34   35   36   37   38   39
syslog      5   40   41   42   43   44   45   46   47
lpd         6   48   49   50   51   52   53   54   55
nntp        7   56   57   58   59   60   61   62   63
uucp        8   64   65   66   67   68   69   70   71
time        9   72   73   74   75   76   77   78   79
security   10   80   81   82   83   84   85   86   87
ftpd       11   88   89   90   91   92   93   94   95
ntpd       12   96   97   98   99  100  101  102  103
logaudit   13  104  105  106  107  108  109  110  111
logalert   14  112  113  114  115  116  117  118  119
clock      15  120  121  122  123  124  125  126  127
local0     16  128  129  130  131  132  133  134  135
local1     17  136  137  138  139  140  141  142  143
local2     18  144  145  146  147  148  149  150  151
local3     19  152  153  154  155  156  157  158  159
local4     20  160  161  162  163  164  165  166  167
local5     21  168  169  170  171  172  173  174  175
local6     22  176  177  178  179  180  181  182  183
local7     23  184  185  186  187  188  189  190  191
Source of Matrix:
http://chris-mccafferty.blogspot.com/2010/12/syslog-priority-matrix.html
Here's a perl script to sort it out for you:
#!/usr/bin/perl -w
use strict;
# http://splunk-base.splunk.com/answers/31036/syslog-facility-and-severity-loglevel
# Facility names in numeric order 0..23 and severity names in order 0..7.
# The syslog priority of a facility/severity pair is facility * 8 + severity,
# so walking the two lists in nested loops counts 0..191 in matrix order.
my @facilities = qw(Kernel User Mail System Security Syslog Lpd Nntp Uucp Time
                    Security Ftpd Ntpd Logaudit Logalert Clock Local0
                    Local1 Local2 Local3 Local4 Local5 Local6 Local7);
my @severities = qw(Emergency Alert Critical Error Warning Notice Info Debug);
my $count = 0;
foreach my $facility (@facilities) {
    foreach my $severity (@severities) {
        # One CSV line per priority value, e.g. "34,Security.Critical"
        print("$count,$facility.$severity\n");
        $count++;
    }
}
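As an added example (not part of the original answer and not Splunk's own code), here is a Python version of the same mapping that goes one step further than printing the table: it parses the <PRI> header of real syslog lines. The matrix above is just priority = facility * 8 + severity, so decoding a PRI value is divmod(pri, 8). The facility and severity names are taken from the post's matrix (facilities 4 and 10 are both "security", which agrees with the RFC 5424 facility table, where both are security/authorization messages). The sample lines are constructed for this example, and the helper names (encode_pri, decode_pri, parse_syslog_line, classify_samples) are my own.

```python
import re

# Facility names in the order the post's matrix uses (list index == facility number).
FACILITIES = [
    "kernel", "user", "mail", "system", "security", "syslog", "lpd", "nntp",
    "uucp", "time", "security", "ftpd", "ntpd", "logaudit", "logalert", "clock",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
]
# Severity names in numeric order 0..7, as in the post's perl script.
SEVERITIES = ["Emergency", "Alert", "Critical", "Error",
              "Warning", "Notice", "Info", "Debug"]

# The PRI header is "<" + one to three ASCII digits + ">" at the very start of the line.
PRI_RE = re.compile(r"^<([0-9]{1,3})>")


def encode_pri(facility: int, severity: int) -> int:
    """Combine a facility and severity into the numeric PRI (facility * 8 + severity)."""
    if not 0 <= facility <= 23:
        raise ValueError(f"facility {facility} out of range 0..23")
    if not 0 <= severity <= 7:
        raise ValueError(f"severity {severity} out of range 0..7")
    return facility * 8 + severity


def decode_pri(pri: int) -> tuple:
    """Split a numeric PRI into (facility, facility_name, severity, severity_name)."""
    if not 0 <= pri <= 191:  # 23 * 8 + 7 is the largest value the matrix covers
        raise ValueError(f"PRI {pri} out of range 0..191")
    facility, severity = divmod(pri, 8)
    return facility, FACILITIES[facility], severity, SEVERITIES[severity]


def parse_syslog_line(line: str) -> dict:
    """Extract and decode the PRI header of one syslog line.

    Rejects a missing header, an out-of-range value, or a leading zero
    (RFC 5424 allows "<0>" but not "<034>"), so a malformed header is a
    parse failure rather than something silently mapped onto the matrix.
    """
    m = PRI_RE.match(line)
    if m is None:
        raise ValueError("no <PRI> header at start of line")
    digits = m.group(1)
    if len(digits) > 1 and digits[0] == "0":
        raise ValueError(f"PRI {digits!r} has a leading zero")
    pri = int(digits)
    facility, fname, severity, sname = decode_pri(pri)
    return {
        "pri": pri,
        "facility": facility,
        "facility_name": fname,
        "severity": severity,
        "severity_name": sname,
        "message": line[m.end():],
    }


# Constructed sample lines (hypothetical hosts and users; the first two follow the
# RFC 3164 / RFC 5424 example shapes). The last two are deliberately malformed.
SAMPLE_LINES = [
    "<34>Oct 11 22:14:15 mymachine su: 'su root' failed for lonvick on /dev/pts/8",
    "<165>1 2003-10-11T22:14:15.003Z mymachine.example.com evntslog - ID47 - An event",
    "<13>Feb  5 17:32:18 host1 sshd[1234]: Accepted publickey for alice from 10.0.0.5",
    "<200>bogus priority above 191",
    "no header at all",
]


def classify_samples(lines=SAMPLE_LINES) -> list:
    """Decode each line to 'facility.Severity'; malformed lines yield an error string."""
    results = []
    for line in lines:
        try:
            r = parse_syslog_line(line)
            results.append(f"{r['facility_name']}.{r['severity_name']}")
        except ValueError as e:
            results.append(f"error: {e}")
    return results


if __name__ == "__main__":
    for line, verdict in zip(SAMPLE_LINES, classify_samples()):
        print(f"{verdict:45} {line[:48]}")
```

The strictness in parse_syslog_line is the point worth keeping when the input is network syslog from hosts you do not control: the PRI value decides which facility and severity the event is filed under downstream, so a value outside 0..191 or a non-conforming header should surface as a parse error instead of being folded into some row of the matrix.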