Syslog facilities and severities
Syslog facilities and severities are transmitted in a single field that RFC 3164 refers to as the PRI (priority) and that is the first field of the message.
The priority is calculated using the following syntax:
(facilityCode x 8) + severityCode = priority
The priority value is enclosed in angle brackets.
Syslog facilities
The following table lists the syslog facility names from RFC 3164 (in mixed case) and RFC 5427 (in lowercase) with their meanings. In BMC AMI Defender, you can specify facilities using either of the RFC names (in upper, lower or mixed case) and use the following abbreviations:
- Abbreviate RFC 3164 forms to the part shown in upper case.
- Abbreviate RFC 5427 names that are longer than four characters to their first four characters, except for cron2 and localn names, which you must write out fully.
As specified for BMC AMI Defender or CZASEND | Description from | Syslog code | Usage by BMC AMI Defender and CZASEND |
|---|---|---|---|
KERNel | kernel messages | 0 | SMF 7, SMF 90 |
USER | user-level messages | 1 | CZASEND |
MAIL | mail system | 2 |
|
SYSTem | system daemons | 3 | SMF 30 |
SECURITY4 | security/authorization messages 1 | 4 | SMF 80; SMF ACF2; SMF TSS80 |
SYSLOGd | messages generated internally by syslogd | 5 | zDefender internal messages; SMF DIAG |
PRINTER | line printer subsystem | 6 |
|
NEWS | network news subsystem | 7 |
|
UUCP | UUCP subsystem | 8 | SMF 119 |
CLOCK9 | clock daemon 2 | 9 |
|
SECURITY10 | security/authorization messages 1 | 10 |
|
FTP | FTP daemon | 11 |
|
NTP | NTP subsystem | 12 |
|
LOGAUdit | log audit 1 | 13 | SMF DB2 |
LOGALert | log alert 1 | 14 | SMF events except as otherwise indicated |
CLOCK15 | clock daemon 2 | 15 |
|
LOCAL0 | local use 0 (local0) | 16 | SMF 110 |
LOCAL1 | local use 1 (local1) | 17 | IND$FILE audit |
LOCAL2 | local use 2 (local2) | 18 | MicroFocus ChangeMan |
LOCAL3 | local use 3 (local3) | 19 | LSPACE |
LOCAL4 | local use 4 (local4) | 20 | CONSOLE |
LOCAL5 | local use 5 (local5) | 21 | MQ SMF 115 and 116 |
LOCAL6 | local use 6 (local6) | 22 |
|
LOCAL7 | local use 7 (local7) | 23 |
|
1 Various syslog message generating devices utilize facilities 4, 10, 13, and 14 for security/authorization, audit, and alert messages.
2 Various syslog message generating devices utilize both facilities 9 and 15 for clock (cron/at) messages.
Syslog severities
The syslog severities and their meanings (as defined by RFC 3164 and RFC 5427) are listed in the following table. When specified in BMC AMI Defender, they might be abbreviated to the portion shown in upper case.
As specified for zDefender or CZASEND | Severity code | Description |
|---|---|---|
EMERGency | 0 | Emergency: system is unusable. |
ALERT | 1 | Alert: action must be taken immediately. |
CRITical | 2 | Critical: critical conditions. |
ERRor | 3 | Error: error conditions. |
WARNing | 4 | Warning: warning conditions. |
NOTICE | 5 | Notice: normal but significant condition. |
INFOrmational | 6 | Informational: informational messages. |
DEBUG | 7 | Debug: debug-level messages. |
In addition, BMC AMI Defender and related programs can support pseudo-severities of DEFAULT and SUPPRESS:
- DEFAULT specifies a default severity determined by some means appropriate to the particular context.
- SUPPRESS indicates that the specified event records are not to be forwarded to the syslog server at all. SUPPRESS has no effect on whether records are written to the SMF data sets by SMF.
DEFAULT and SUPPRESS are documented more specifically with the parameter statements where they can be used, such as Parameters common to DEFAULTs, JOBLOG, and MODIFY JOBLOG.