1. Does anyone know which facility is used for what? That is, when I type "configure syslog add 10.0.0.1:514 vr vr-default" and hit tab, I get this list:
"local0" "local1" "local2" "local3" "local4" "local5" "local6" "local7"
I've configured my switch to use all 8 of them, and it works, but do I need to do all 8?
2. Is anyone familiar enough with Logstash to know how to modify the syslog filter so that it can parse these messages: "11/06/2014 10:46:15.95 [i]...". I'm brand new to Logstash, so I don't know how to plug in regular expressions to get the timestamp, priority, process name, and message (I can write the regexes just fine, just don't know how to plug them in).
Here's a regex real quick: (\d\d/\d\d/\d\d\d\d \d\d:\d\d:\d\d\.\d\d) <(\w+):(\w+)\.(\w+)>(.*)
Match 1 is timestamp.
Match 2 is priority.
Match 3 is process name.
Match 4 is part of the message I guess.
Match 5 is the message.
The timestamp needs to be in what Logstash calls Grok format, something like "MM/dd/yyyy hhss.??". Anyway, I'm reading about this now, I was just hoping maybe someone might've already done this and I could piggyback.
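As an added example (not part of the original post, and not Logstash's own code), here is the same five-capture regex from the post written with named groups and run over a few constructed sample lines in the "MM/dd/yyyy HH:mm:ss.SS <Priority:Process.Subsystem> message" shape the post describes. The sample lines, the field names, and the assumption that the text between the angle brackets is priority, process and subsystem are mine; the dots in the pattern are escaped so they match a literal "." rather than any character. It shows what a parser has to produce before the timestamp can be normalised, and what happens to a line that does not match.

```python
import re
from datetime import datetime

# Constructed sample lines (not captured from a real switch), shaped like the
# "11/06/2014 10:46:15.95 <Prio:Process.Sub> text" messages discussed above.
SAMPLE_LINES = [
    "11/06/2014 10:46:15.95 <Info:vlan.msgs> Port 1 link down",
    "11/06/2014 10:46:16.02 <Warn:EDP.timeout> Neighbor on port 3 timed out",
    "this line does not follow the format and must be reported, not dropped silently",
]

# Same five captures as the regex in the post, with names so each becomes a field.
# Escaped dots match a literal "."; the original unescaped "." would match any character.
LINE_RE = re.compile(
    r"^(?P<timestamp>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}\.\d{2}) "
    r"<(?P<priority>\w+):(?P<process>\w+)\.(?P<subsystem>\w+)>\s*(?P<message>.*)$"
)


def parse_line(line):
    """Return a dict of fields for one switch log line, or None if it does not match."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    event = m.groupdict()
    # The switch prints hundredths of a second ("15.95"); strptime's %f accepts
    # 1 to 6 fractional digits, so ".95" becomes 950000 microseconds.
    event["@timestamp"] = datetime.strptime(event["timestamp"], "%m/%d/%Y %H:%M:%S.%f")
    return event


def parse_lines(lines):
    """Split input into parsed events and the raw lines that failed to parse."""
    parsed, failed = [], []
    for line in lines:
        event = parse_line(line)
        if event is None:
            failed.append(line)   # keep unparsed lines visible for tuning the pattern
        else:
            parsed.append(event)
    return parsed, failed


if __name__ == "__main__":
    events, rejected = parse_lines(SAMPLE_LINES)
    for ev in events:
        print(ev["@timestamp"].isoformat(), ev["priority"], ev["process"],
              ev["subsystem"], "-", ev["message"])
    for line in rejected:
        print("UNPARSED:", line)
```

In a Logstash grok filter the same idea is expressed inline as named captures of the form (?<priority>\w+), and the captured timestamp string is then handed to the date filter with a matching pattern so the event gets a proper @timestamp; counting the lines that fail to match (Logstash tags them with _grokparsefailure) is the quickest way to tell whether the pattern covers every message shape the switch emits.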