S/N/K-Series Decode of Syslog Numeric Prepend

  • 0
  • 1
  • Article
  • Updated 5 years ago
  • (Edited)
Article ID: 14635 

Products
S-Series
Matrix N-Series DFE
K-Series 

Goals
Meaning of a syslog message's prepend <number>.
Decode the severity of a generated syslog message.
Determine the facility of a generated syslog message.
Determine the priority of a generated syslog message. 

Solution
The Severity of a syslog message, shown bracketed at the beginning of these syslog message samples... 
<135>Feb 2 18:52:43 10.9.9.1 OSPF[1]Extern spf elapsed time 2651 us
<138>Feb 9 01:25:54 10.10.20.100 Dispatch[2.tDispatch]0xfc6eb8 : -43 = ( 0x3470aa0, 46, *0x3470a38=20 )
<149>Apr 12 15:03:31 10.144.253.173 System[3]The board in slot 2 of the chassis is operational.
<166>Apr 23 16:56:02 10.254.254.7 Last message repeated 4 times
<180>Jan 28 22:06:23 10.128.19.12 Last message repeated 2 times
<187>Apr 27 20:50:15 10.20.150.200 NonVol[1.tusrAppInit]nvFilePtrMgr::fFlush(5) fflush(0xb4b8110) retval=-1, errno=9
      ...is the mathematical sum of the message Facility and the message Priority. 

The Facility is the result of syslog server(s) ("Local0", ..., "Local7") configured, and may be useful for categorizing message sources at the syslog server. 
Mnemonic      Facility      Math
------------------------------------------------------------------------------
LOG_KERN 0 (0 << 3)
LOG_USER 8 (1 << 3)
LOG_MAIL 16 (2 << 3)
LOG_DAEMON 24 (3 << 3)
LOG_AUTH 32 (4 << 3)
LOG_SYSLOG 40 (5 << 3)
LOG_LPR 48 (6 << 3)
LOG_NEWS 56 (7 << 3)
LOG_UUCP 64 (8 << 3)
LOG_CRON 72 (9 << 3)
LOG_AUTH2 80 (10<< 3)
LOG_FTP 88 (11<< 3)
LOG_NTP 96 (12<< 3)
LOG_AUDIT_LOG 104 (13<< 3)
LOG_ALERT_LOG 112 (14<< 3)
LOG_CLOCK 120 (15<< 3)
LOG_LOCAL0 128 (16<< 3)
LOG_LOCAL1 136 (17<< 3)
LOG_LOCAL2 144 (18<< 3)
LOG_LOCAL3 152 (19<< 3)
LOG_LOCAL4 160 (20<< 3) The default facility
LOG_LOCAL5 168 (21<< 3)
LOG_LOCAL6 176 (22<< 3)
LOG_LOCAL7 184 (23<< 3)
The Priority used in message generation may be computed by starting with the Severity, then subtracting the highest possible Facility value that would still yield a positive result. With the default facility ("Local4(160)"), the message Priority is conveniently identified in clear text in the right-most column of the Severity field, while the use of other facilities requires simple math to derive the Priority. 
Mnemonic      Priority      MIB/CLI Level   Notes
------------------------------------------------------------------------------
LOG_EMERG 0 1 Fatal error, will reset the module
LOG_ALERT 1 2 Fatal error, will reset the module
LOG_CRIT 2 3 Logged to diagnostic message log
LOG_ERR 3 4 Logged to diagnostic message log
LOG_WARNING 4 5 Logged to all servers by default
LOG_NOTICE 5 6 Logged to all servers by default
LOG_INFO 6 7 Messages suppressed by default
LOG_DEBUG 7 8 Messages suppressed by default
Finally, the 0-based Priority may be converted to the 1-based Priority used in the MIB/CLI, for example in the 'show logging application' output shown below. The CLI sometimes confuses Severity and Priority, and it does so here. Note that Application is not discussed in this document. 
S4 Chassis(su)->show logging application

Application Current Severity Level Server List
----------------------------------------------------------
88 RtrAcl 7 2,8
. . .
218 OAM 7 2,8

1(emergencies) 2(alerts) 3(critical)
4(errors) 5(warnings) 6(notifications)
7(information) 8(debugging)

S4 Chassis(su)->
Applying this conversion process to the original sample messages... 
<135>Feb 2 18:52:43 10.9.9.1 OSPF[1]Extern spf elapsed time 2651 us
- LOG_LOCAL0(128) = LOG_DEBUG(7) ~ 8(debugging)
<138>Feb 9 01:25:54 10.10.20.100 Dispatch[2.tDispatch]0xfc6eb8 : -43 = ( 0x3470aa0, 46, *0x3470a38=20 )
- LOG_LOCAL1(136) = LOG_CRIT(2) ~ 3(critical)
<149>Apr 12 15:03:31 10.144.253.173 System[3]The board in slot 2 of the chassis is operational.
- LOG_LOCAL2(144) = LOG_NOTICE(5) ~ 6(notifications)
<166>Apr 23 16:56:02 10.254.254.7 Last message repeated 4 times
- LOG_LOCAL4(160) = LOG_INFO(6) ~ 7(information)
<180>Jan 28 22:06:23 10.128.19.12 Last message repeated 2 times
- LOG_LOCAL6(176) = LOG_WARNING(4) ~ 5(warnings)
<187>Apr 27 20:50:15 10.20.150.200 NonVol[1.tusrAppInit]nvFilePtrMgr::fFlush(5) fflush(0xb4b8110) retval=-1, errno=9
- LOG_LOCAL7(184) = LOG_ERR(3) ~ 4(errors)
Photo of FAQ User

FAQ User, Official Rep

  • 13,620 Points 10k badge 2x thumb

Posted 5 years ago

  • 0
  • 1

There are no replies.

This conversation is no longer open for comments or replies.