fir3net
PPS-Firenetbanner-780.5x190-30-03-17

How to determine the Syslog Facility using Tcpdump

Each Syslog message contains a priority value. The priority value is enclosed within the characters < >. The priority value can be between 0 and 191 and consists of a Facility value and a Level value. Facility being the type of message, such as a kernel or mail message. And level being a severity level of the message.

To calculate the priority value the following formula is used : Priority = Facility * 8 + Level

So to determine the facility value of a syslog message we divide the priority value by 8. The remainder is the level value.
Below is an example of the tcpdump syntax :           

[root@logserver ~]# tcpdump -Xni eth0 port 514
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
20:08:05.306002 IP 10.1.1.10.55595 > 10.1.1.1.514: length: 288
        0x0000:  4500 013c 177d 0000 4011 4b06 0a01 0164  E..<.}..@.K....d
        0x0010:  0a01 01c9 d92b a2a2 0128 5f4b 3c31 3431  .....+...(_K<141
        0x0020:  3e6e 7335 6774 3a20 4e65 7453 6372 6565  >ns5gt:.NetScree
        0x0030:  6e20 6465 7669 6365 5f69 643d 6e73 3567  n.device_id=ns5g
        0x0040:  7420 205b 526f 6f74 5d73 7973 7465 6d2d  t..[Root]system-
        0x0050:  6e6f  

Using the above example this would give us a facility of 17 (local1) and a level of 5 (notice).               


Severity Levels

0 Emergency: system is unusable
1 Alert: action must be taken immediately
2 Critical: critical conditions
3 Error: error conditions
4 Warning: warning conditions
5 Notice: normal but significant condition
6 Informational: informational messages
7 Debug: debug-level messages

Facilities available

0 kernel messages
1 user-level messages
2 mail system
3 system daemons
4 security/authorization messages
5 messages generated internally by syslogd
6 line printer subsystem
7 network news subsystem
8 UUCP subsystem
9 clock daemon
10 security/authorization messages
11 FTP daemon
12 NTP subsystem
13 log audit
14 log alert
15 clock daemon
16 local use 0 (local0)
17 local use 1 (local1)
18 local use 2 (local2)
19 local use 3 (local3)
20 local use 4 (local4)
21 local use 5 (local5)
22 local use 6 (local6)
23 local use 7 (local7) 

Tags: TCP, Tcpdump

About the Author

RDonato

R Donato

Rick Donato is the Founder and Chief Editor of Fir3net.com. He currently works as a Principal Network Security Engineer and has a keen interest in automation and the cloud.

You can find Rick on Twitter @f3lix001