How to determine the Syslog Facility using Tcpdump

Published 2010-09-08 (last modified 2021-07-30). Original URL: https://www.fir3net.com/General-UNIX/how-to-determine-the-syslog-facility-using-tcpdump.html
Each syslog message contains a priority value, enclosed within the characters < >. The priority value can be between 0 and 191 and consists of a facility value and a level value: the facility is the type of message, such as a kernel or mail message, and the level is the severity of the message.
Below is an example of the tcpdump syntax:

[root@logserver ~]# tcpdump -Xni eth0 port 514
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
20:08:05.306002 IP 10.1.1.10.55595 > 10.1.1.1.514: length: 288
        0x0000:  4500 013c 177d 0000 4011 4b06 0a01 0164  E..<.}..@.K....d
        0x0010:  0a01 01c9 d92b a2a2 0128 5f4b 3c31 3431  .....+...(_K<141
        0x0020:  3e6e 7335 6774 3a20 4e65 7453 6372 6565  >ns5gt:.NetScree
        0x0030:  6e20 6465 7669 6365 5f69 643d 6e73 3567  n.device_id=ns5g
        0x0040:  7420 205b 526f 6f74 5d73 7973 7465 6d2d  t..[Root]system-
        0x0050:  6e6f

The priority value of this message, <141>, is visible in the ASCII decode at the end of the 0x0010 line and the start of the 0x0020 line, immediately after the UDP header.

To calculate the priority value the following formula is used: Priority = Facility * 8 + Level

So to determine the facility value of a syslog message we divide the priority value by 8; the remainder is the level value. Using the above example this gives a facility of 17 (local1) and a level of 5 (notice).

Severity Levels

0 Emergency: system is unusable
1 Alert: action must be taken immediately
2 Critical: critical conditions
3 Error: error conditions
4 Warning: warning conditions
5 Notice: normal but significant condition
6 Informational: informational messages
7 Debug: debug-level messages

Facilities available

0 kernel messages
1 user-level messages
2 mail system
3 system daemons
4 security/authorization messages
5 messages generated internally by syslogd
6 line printer subsystem
7 network news subsystem
8 UUCP subsystem
9 clock daemon
10 security/authorization messages
11 FTP daemon
12 NTP subsystem
13 log audit
14 log alert
15 clock daemon
16 local use 0 (local0)
17 local use 1 (local1)
18 local use 2 (local2)
19 local use 3 (local3)
20 local use 4 (local4)
21 local use 5 (local5)
22 local use 6 (local6)
23 local use 7 (local7)
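The steps above (read the hex dump, find the <PRI> field, divide by 8) carried out in code, as an added example that is not part of the original article: it rebuilds the UDP payload from the article's tcpdump -X lines and decodes the priority, rejecting datagrams with a missing or out-of-range PRI. The short facility and severity keywords (kern, auth, notice, ...) are the conventional syslog names and are an assumption added here.

```python
import re

# Conventional syslog keyword names for the numeric values listed in the article (an assumption added here).
SEVERITIES = ["emergency", "alert", "critical", "error",
              "warning", "notice", "informational", "debug"]
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock"
              ] + [f"local{i}" for i in range(8)]

# Constructed sample: the hex dump lines from the article's tcpdump -X capture.
TCPDUMP_X = """\
        0x0000:  4500 013c 177d 0000 4011 4b06 0a01 0164  E..<.}..@.K....d
        0x0010:  0a01 01c9 d92b a2a2 0128 5f4b 3c31 3431  .....+...(_K<141
        0x0020:  3e6e 7335 6774 3a20 4e65 7453 6372 6565  >ns5gt:.NetScree
        0x0030:  6e20 6465 7669 6365 5f69 643d 6e73 3567  n.device_id=ns5g
        0x0040:  7420 205b 526f 6f74 5d73 7973 7465 6d2d  t..[Root]system-
        0x0050:  6e6f
"""

# Offset column, then up to eight hex words; the ASCII gutter follows two spaces, so the match stops before it.
HEX_LINE = re.compile(r"^\s*0x[0-9a-fA-F]{4}:\s+((?:[0-9a-fA-F]{4} ?){1,8})")

def hexdump_to_bytes(dump: str) -> bytes:
    """Rebuild the raw IP packet from tcpdump -X output, ignoring the ASCII gutter."""
    raw = bytearray()
    for line in dump.splitlines():
        m = HEX_LINE.match(line)
        if m:
            raw += bytes.fromhex(m.group(1).replace(" ", ""))
    return bytes(raw)

def udp_payload(packet: bytes) -> bytes:
    """Skip the IPv4 header (length from the IHL nibble) and the 8-byte UDP header."""
    ihl = (packet[0] & 0x0F) * 4
    return packet[ihl + 8:]

def parse_pri(payload: bytes):
    """Decode a leading <PRI> into (pri, facility, name, level, name); None if missing or > 191."""
    m = re.match(rb"<(\d{1,3})>", payload)
    if not m or int(m.group(1)) > 191:
        return None
    pri = int(m.group(1))
    facility, level = divmod(pri, 8)  # Priority = Facility * 8 + Level
    return pri, facility, FACILITIES[facility], level, SEVERITIES[level]

def syslog_pri_from_dump(dump: str):
    """End to end: hex dump -> IP packet -> UDP payload -> decoded PRI."""
    return parse_pri(udp_payload(hexdump_to_bytes(dump)))
```

For the article's capture this returns (141, 17, 'local1', 5, 'notice'), matching the hand calculation above.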