I've added the following to etc/system/local/limits.conf
no_priority_stripping = true
no_appending_timestamp = true
My interest is to retrieve the facility and severity (loglevel) from the incoming syslog events. However, now each event is prefixed with <137>, which means nothing to me. Here's an example:
<137>Sep 22 15:52:30 host...
Facility is set at local1 and level is alert. Per rfc3164 that'd be facility=17 and severity=1.
1. What is <137> (it wasn't there before, and does show up in _raw)?
2. How do I retrieve facility / severity? I'd like them to be indexed fields if possible, to make searching, sorting and alerting easier.
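Added example, not part of the original post and not Splunk configuration: how the syslog PRI header in front of a raw event encodes facility and severity (PRI = facility * 8 + severity), checked against the <137> value above. The function name, the short facility and severity names, and the sample lines are assumptions made for this illustration.

```python
import re

# Conventional short names, indexed by the numeric codes of RFC 3164 section 4.1.1.
FACILITIES = (
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
)
SEVERITIES = ("emerg", "alert", "crit", "err", "warning", "notice", "info", "debug")

# PRI is "<", one to three digits, ">" at the very start of the message.
PRI_RE = re.compile(r"^<(\d{1,3})>")


def parse_pri(raw):
    """Return facility/severity for a raw syslog line, or None if it has no valid PRI."""
    m = PRI_RE.match(raw)
    if m is None:
        return None  # PRI was stripped before the event was stored, or never sent
    pri = int(m.group(1))
    if pri > 191:  # 23 * 8 + 7 is the largest value the tables above define
        return None
    facility, severity = divmod(pri, 8)
    return {
        "pri": pri,
        "facility": facility,
        "facility_name": FACILITIES[facility],
        "severity": severity,
        "severity_name": SEVERITIES[severity],
        "message": raw[m.end():],
    }


# Constructed sample lines; the first is modelled on the event quoted in the post.
SAMPLES = [
    "<137>Sep 22 15:52:30 host app: constructed sample message",
    "Sep 22 15:52:31 host app: PRI already stripped",
    "<999>Sep 22 15:52:32 host app: out-of-range PRI",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(parse_pri(line))
```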