When dealing with Syslog, one should notice that each message starts with a number. This number identifies the priority of that message, and in this text, I will explain how to calculate and decompose it. Here are some examples of Syslog messages:
    <11>Aug 23 19:07:55 <process>: <payload>
    <13>Aug 23 19:08:55 <process>: <payload>
    <84>Aug 23 19:09:55 <process>: <payload>
    <96>Aug 23 19:10:55 <process>: <payload>
    <136>Aug 23 19:11:55 <process>: <payload>
That first number at the beginning of the line is the priority value (prival) and it ranges from 0 to 191. The prival is obtained from facility and severity values.
The facility identifies the kind of process that created the message and it varies between 0 and 23, where 0-15 are predefined and 16-23 are commonly used by networking equipment. All of the severity values are predefined and they vary from 0 to 7. The next block of Python code shows how to calculate the prival and how to get the facility and severity values from the priority.

    facility, severity = 1, 3  # sample input: user-level, error

    # Compose the priority from facility (0-23) and severity (0-7)
    prival = facility * 8 + severity

    # Decompose the priority back into its two parts
    facility = (prival - prival % 8) // 8
    severity = prival % 8
When working with Syslog, it is useful to know how to decompose the priority to troubleshoot the current configuration. By the way, here are the severity and facility values for the five priorities shown at the beginning of this text:
    priority=11, facility=1 (user-level), severity=3 (error)
    priority=13, facility=1 (user-level), severity=5 (notice)
    priority=84, facility=10 (security/auth), severity=4 (warning)
    priority=96, facility=12 (ntp), severity=0 (emergency)
    priority=136, facility=17 (local1), severity=0 (emergency)
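The following added example, which is not code from the original post, applies the decomposition to whole log lines: it validates the PRI header (one to three digits, no leading zeros, at most 191, as RFC 5424 requires) and separates high-severity messages from lines whose header is malformed. The function names, the facility keywords and the sample lines are assumptions constructed for illustration.

```python
import re

# Common syslog keywords (assumed naming); codes 16-23 are local0..local7.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock"]
FACILITIES += [f"local{i}" for i in range(8)]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# One to three digits, no leading zero unless the value is exactly "0".
PRI_RE = re.compile(r"^<(0|[1-9][0-9]{0,2})>")


def parse_pri(line):
    """Return (prival, facility, severity, rest) or None if the PRI is malformed."""
    m = PRI_RE.match(line)
    if m is None:
        return None
    prival = int(m.group(1))
    if prival > 191:  # 23 * 8 + 7 is the largest valid priority
        return None
    facility, severity = divmod(prival, 8)
    return prival, facility, severity, line[m.end():]


def triage(lines, max_severity=3):
    """Split lines into (urgent, malformed); urgent means severity <= max_severity."""
    urgent, malformed = [], []
    for line in lines:
        parsed = parse_pri(line)
        if parsed is None:
            malformed.append(line)  # keep for review instead of guessing a priority
            continue
        _, fac, sev, rest = parsed
        if sev <= max_severity:
            urgent.append((FACILITIES[fac], SEVERITIES[sev], rest))
    return urgent, malformed


# Constructed sample input: privals from the article plus three malformed headers.
SAMPLE = [
    "<11>Aug 23 19:07:55 app: constructed payload",
    "<13>Aug 23 19:08:55 app: constructed payload",
    "<84>Aug 23 19:09:55 app: constructed payload",
    "<192>Aug 23 19:10:55 app: out of range",
    "<011>Aug 23 19:11:55 app: leading zero",
    "Aug 23 19:12:55 app: no PRI at all",
]
```

Calling `triage(SAMPLE)` returns the single error-level message and the three lines whose header failed validation.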
That's it! :)