Linux ns8.secondary29.go.th 2.6.32-754.28.1.el6.x86_64 #1 SMP Wed Mar 11 18:38:45 UTC 2020 x86_64
Apache/2.2.15 (CentOS)
: 122.154.134.11 | : 122.154.134.9
Cant Read [ /etc/named.conf ]
5.6.40
apache
Code Editor : rsyslog_recording_pri.html
<html><head> <title>Recording the Priority of Syslog Messages</title> <meta name="KEYWORDS" content="syslog, mysql, syslog to mysql, howto"> </head> <body> <h1>Recording the Priority of Syslog Messages</h1> <P><small><i>Written by <a href="http://www.adiscon.com/en/people/rainer-gerhards.php">Rainer Gerhards</a> (2007-06-18)</i></small></P> <h2>Abstract</h2> <p><i><b>The so-called priority (PRI) is very important in syslog messages, because almost all filtering in syslog.conf is based on it.</b> However, many syslogds (including the Linux stock sysklogd) do not provide a way to record that value. In this article, I'll give a brief overview of how PRI can be written to a log file.</i></p> <h2>Background</h2> <p>The PRI value is a combination of so-called severity and facility. The facility indicates where the message originated from (e.g. kernel, mail subsystem) while the severity provides a glimpse of how important the message might be (e.g. error or informational). Numerically, PRI is the facility code multiplied by 8 plus the severity code, so facility local7 (23) with severity notice (5) is recorded as 189. Be careful with these values: they are in no way consistent across applications (especially severity). However, they still form the basis of most filtering in syslog.conf. For example, the directive (aka "selector line")</p> <p align="center"> <code>mail.* /var/log/mail.log</code> </p> <p>means that messages with the mail facility should be stored to /var/log/mail.log, no matter which severity indicator they have (that is what the asterisk tells us). If you set up complex conditions, it can be annoying to find out which PRI value a specific syslog message has. Most stock syslogds do not provide any way to record them.</p> <h2>How is it done?</h2> <p>With <a href="http://www.rsyslog.com/">rsyslog</a>, PRI recording is simple. All you need is the correct template. Even if you do not use rsyslog on a regular basis, it might be a handy tool for finding out the priority.</p> <p>Rsyslog provides a flexible system to specify the output formats. It is template-based. 
A template with the traditional syslog format looks as follows:</p> <p align="center"> <code>$template TraditionalFormat,"%timegenerated% %HOSTNAME% %syslogtag%%msg:::drop-last-lf%\n"</code> </p> <p>The part in quotes is the output format. Things between percent-signs are so-called <a href="property_replacer.html">message properties</a>. They are replaced with the respective content from the syslog message when output is written. Everything outside of the percent signs is literal text, which is simply written as specified.</p> <p>Thankfully, rsyslog provides message properties for the priority. These are called "PRI", "syslogfacility" and "syslogpriority" (case is important!). They are numerical values. Starting with rsyslog 1.13.4, there is also a property "pri-text", which contains the priority in friendly text format (e.g. "local0.err<133>"). For the rest of this article, I assume that you run version 1.13.4 or higher.</p> <p>Recording the priority is now a simple matter of adding the respective field to the template. It now looks like this:</p> <p align="center"> <code>$template TraditionalFormatWithPRI,"%pri-text%: %timegenerated% %HOSTNAME% %syslogtag%%msg:::drop-last-lf%\n"</code> </p> <p>Now we have the right template - but how to write it to a file? You probably have a line like this in your syslog.conf:</p> <p align="center"><code>*.* -/var/log/messages.log</code></p> <p>It does not specify a template. Consequently, rsyslog uses the traditional format. In order to use some other format, simply specify the template after the semicolon:</p> <p align="center"><code>*.* -/var/log/messages.log;TraditionalFormatWithPRI</code></p> <p>That's all you need to do. There is one common pitfall: you need to define the template before you use it in a selector line. Otherwise, you will receive an error.</p> <p>Once you have applied the changes, you need to restart rsyslogd. 
It will then pick up the new configuration.</p> <h2>What if I do not want rsyslogd to be the standard syslogd?</h2> <p>If you do not want to switch to rsyslog, you can still use it as a setup aid. A little bit of configuration is required.</p> <ol> <li>Download, make and install rsyslog</li> <li>copy your syslog.conf over to rsyslog.conf</li> <li>add the template described above to it; select the file that should use it</li> <li>stop your regular syslog daemon for the time being</li> <li>run rsyslogd (you may even do this interactively by calling it with the additional -n option from a shell)</li> <li>stop rsyslogd (press ctrl-c when running interactively)</li> <li>restart your regular syslogd</li> </ol> <p>That's it - you can now review the priorities.</p> <h2>Some Sample Data</h2> <p>Below is some sample data created with the template specified above. Note the priority recording at the start of each line.</p> <p> <code>kern.info<6>: Jun 15 18:10:38 host kernel: PCI: Sharing IRQ 11 with 00:04.0<br> kern.info<6>: Jun 15 18:10:38 host kernel: PCI: Sharing IRQ 11 with 01:00.0<br> kern.warn<4>: Jun 15 18:10:38 host kernel: Yenta IRQ list 06b8, PCI irq11<br> kern.warn<4>: Jun 15 18:10:38 host kernel: Socket status: 30000006<br> kern.warn<4>: Jun 15 18:10:38 host kernel: Yenta IRQ list 06b8, PCI irq11<br> kern.warn<4>: Jun 15 18:10:38 host kernel: Socket status: 30000010<br> kern.info<6>: Jun 15 18:10:38 host kernel: cs: IO port probe 0x0c00-0x0cff: clean.<br> kern.info<6>: Jun 15 18:10:38 host kernel: cs: IO port probe 0x0100-0x04ff: excluding 0x100-0x107 0x378-0x37f 0x4d0-0x4d7<br> kern.info<6>: Jun 15 18:10:38 host kernel: cs: IO port probe 0x0a00-0x0aff: clean.<br> local7.notice<189>: Jun 15 18:17:24 host dd: 1+0 records out<br> local7.notice<189>: Jun 15 18:17:24 host random: Saving random seed: succeeded<br> local7.notice<189>: Jun 15 18:17:25 host portmap: portmap shutdown succeeded<br> local7.notice<189>: Jun 15 18:17:25 host network: Shutting down interface eth1: 
succeeded<br> local7.notice<189>: Jun 15 18:17:25 host network: Shutting down loopback interface: succeeded<br> local7.notice<189>: Jun 15 18:17:25 host pcmcia: Shutting down PCMCIA services: cardmgr<br> user.notice<13>: Jun 15 18:17:25 host /etc/hotplug/net.agent: NET unregister event not supported<br> local7.notice<189>: Jun 15 18:17:27 host pcmcia: modules.<br> local7.notice<189>: Jun 15 18:17:29 host rc: Stopping pcmcia: succeeded<br> local7.notice<189>: Jun 15 18:17:30 host rc: Starting killall: succeeded<br> syslog.info<46>: Jun 15 18:17:33 host [origin software="rsyslogd" swVersion="1.13.3" x-pid="2464"] exiting on signal 15.<br> syslog.info<46>: Jun 18 10:55:47 host [origin software="rsyslogd" swVersion="1.13.3" x-pid="2367"][x-configInfo udpReception="Yes" udpPort="514" tcpReception="Yes" tcpPort="1470"] restart<br> user.notice<13>: Jun 18 10:55:50 host rger: test<br> syslog.info<46>: Jun 18 10:55:52 host [origin software="rsyslogd" swVersion="1.13.3" x-pid="2367"] exiting on signal 2.</code></p> <h2>Feedback Requested</h2> <P>I would appreciate feedback on this paper. If you have additional ideas, comments or find bugs, please <a href="mailto:rgerhards@adiscon.com">let me know</a>.</P> <h2>References and Additional Material</h2> <ul> <li><a href="http://www.rsyslog.com">www.rsyslog.com</a> - the rsyslog site</li> </ul> <h2>Revision History</h2> <ul> <li>2007-06-18 * <a href="http://www.adiscon.com/en/people/rainer-gerhards.php">Rainer Gerhards</a> * initial version created</li> </ul> <h2>Copyright</h2> <p>Copyright (c) 2007 <a href="http://www.adiscon.com/en/people/rainer-gerhards.php">Rainer Gerhards</a> and <a href="http://www.adiscon.com/en/">Adiscon</a>.</p> <p>Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, no Front-Cover Texts, and no Back-Cover Texts. 
A copy of the license can be viewed at <a href="http://www.gnu.org/copyleft/fdl.html"> http://www.gnu.org/copyleft/fdl.html</a>.</p> </body> </html>