Syslog facilities and severities

Syslog facilities and severities are transmitted in a single field that RFC 3164 refers to as the PRI (priority) and that is the first field of the message.

The priority is calculated using the following syntax:
(facilityCode x 8) + severityCodepriority

Related topic

Planning

The priority value is enclosed in angle brackets.

Example

Using the values from the following tables, the priority of a system daemon (syslog code = 3) with a warning (severity code = 4) is calculated as follows:

(3 x 8) + 4 = 28

The priority is enclosed in angle brackets:

<28>Oct 11 22:14:15 LPARB …

Syslog facilities

The following table lists the syslog facility names from RFC 3164 (in mixed case) and RFC 5427 (in lowercase) with their meanings. In BMC AMI Datastream, you can specify facilities using either of the RFC names (in upper, lower or mixed case) and use the following abbreviations:

  • Abbreviate RFC 3164 forms to the part shown in upper case.
  • Abbreviate RFC 5427 names that are longer than four characters to their first four characters, except for cron2 and localn names, which you must write out fully.

As specified for BMC AMI Datastream or CZASEND

Description from
RFC 3164 and RFC 5427

Syslog code

Usage by BMC AMI Datastream and CZASEND

KERNel
kern

kernel messages

0

SMF 7, SMF 90

USER
user

user-level messages

1

CZASEND

MAIL
mail

mail system

2


SYSTem
daemon

system daemons

3

SMF 30

SECURITY4
auth

security/authorization messages 1

4

SMF 80; SMF ACF2; SMF TSS80

SYSLOGd
syslog

messages generated internally by syslogd

5

BMC AMI Datastream internal messages; SMF DIAG

PRINTER
lpr

line printer subsystem

6


NEWS
news

network news subsystem

7


UUCP
uucp

UUCP subsystem

8

SMF 119

CLOCK9
cron

clock daemon 2

9


SECURITY10
authpriv

security/authorization messages 1

10


FTP
ftp

FTP daemon

11


NTP
ntp

NTP subsystem

12


LOGAUdit
audit

log audit 1

13

SMF DB2

LOGALert
console

log alert 1

14

SMF events except as otherwise indicated

CLOCK15
cron2

clock daemon 2

15


LOCAL0
local0

local use 0 (local0)

16

SMF 110

LOCAL1
local1

local use 1 (local1)

17

IND$FILE audit

LOCAL2
local2

local use 2 (local2)

18

MicroFocus ChangeMan

LOCAL3
local3

local use 3 (local3)

19

LSPACE

LOCAL4
local4

local use 4 (local4)

20

CONSOLE

LOCAL5
local5

local use 5 (local5)

21

MQ SMF 115 and 116

LOCAL6
local6

local use 6 (local6)

22


LOCAL7
local7

local use 7 (local7)

23


1 Various syslog message generating devices utilize facilities 4, 10, 13, and 14 for security/authorization, audit, and alert messages.

2 Various syslog message generating devices utilize both facilities 9 and 15 for clock (cron/at) messages.

Syslog severities

The syslog severities and their meanings (as defined by RFC 3164 and RFC 5427) are listed in the following table. When specified in BMC AMI Datastream, they might be abbreviated to the portion shown in upper case.

As specified for BMC AMI Datastream or CZASEND

Severity code

Description

EMERGency

0

Emergency: system is unusable.

ALERT

1

Alert: action must be taken immediately.

CRITical

2

Critical: critical conditions.

ERRor

3

Error: error conditions.

WARNing

4

Warning: warning conditions.

NOTICE

5

Notice: normal but significant condition.

INFOrmational

6

Informational: informational messages.

DEBUG

7

Debug: debug-level messages.


In addition, BMC AMI Datastream and related programs can support pseudo-severities of DEFAULT and SUPPRESS:

  • DEFAULT specifies a default severity determined by some means appropriate to the particular context.
  • SUPPRESS indicates that the specified event records are not to be forwarded to the syslog server at all. SUPPRESS has no effect on whether records are written to the SMF data sets by SMF.

 

Tip: For faster searching, add an asterisk to the end of your partial query. Example: cert*