Just a note that in practice, CEE is pretty much dead. Pretty much all that
survived is the idea of using JSON to format the data and to use ! to be able to
specify multi-level field names. Everything else in CEE should be treated as an
idea that may or may not be useful rather than an RFC to be followed.

You have pri, which is facility and severity combined; it doesn't make a huge
amount of sense to send all three. In practice the syslog facility and severity
values are what you are going to see.

What I do is to use a standard syslog header, and then in the JSON body I don't
repeat the info that's in the header (although I do like to create a
trusted!relay!foo set of values that populates info to track what systems it's
gone through, doing set $!trusted!relay!lasthop = $!trusted!relay; before
setting the new values).

David Lang

On Sat, 10 Jul 2021, Daniel Pocock via rsyslog wrote:
Date: Sat, 10 Jul 2021 18:15:36 +0200
From: Daniel Pocock via rsyslog <[email protected]>
To: [email protected]
Cc: Daniel Pocock <[email protected]>
Subject: [rsyslog] CEE field values, ambiguities, sev, syslog!pri, etc

Looking at the CEE field names, the descriptions are very brief.

For example, what are the permitted values for "sev"? Are they the same as
the levels in Syslog level?

More confusing are the syslog!pri and syslog!fac fields.

From the Syslog API[1]:

    priority = facility | level

example:

    pri = LOG_DAEMON | LOG_INFO
        = 0x18 | 6
        = 0x1e

but I see that some people are simply putting the level value (e.g. 6)
into the syslog!pri field.

It would appear more useful to have a syslog!level field for cases where
we know the level (LOG_INFO) but we might not know the facility value.

1. https://www.man7.org/linux/man-pages/man3/syslog.3.html

_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE
THAT.
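
Added example, not part of either message or of rsyslog itself: a Python check that splits the header PRI using the same arithmetic as the syslog(3) example quoted above and flags a JSON body whose syslog!pri holds only the level. The function names, verdict strings and sample lines are constructed for illustration; it assumes the JSON body starts at the first "{" and that "!" paths appear as nested objects.

```python
import json
import re

SEVERITIES = ("emerg", "alert", "crit", "err", "warning", "notice", "info", "debug")
HEADER_PRI = re.compile(r"^<(\d{1,3})>")

def split_pri(pri):
    """Split a combined PRI value into (facility, severity) numbers."""
    if not 0 <= pri <= 191:  # 24 facilities * 8 severities
        raise ValueError(f"PRI out of range: {pri}")
    return pri >> 3, pri & 0x07

def check_body_pri(line):
    """Compare the header PRI with syslog!pri carried in the JSON body.

    Returns (facility, severity_name, verdict).
    """
    m = HEADER_PRI.match(line)
    if m is None:
        raise ValueError("line has no <PRI> header")
    header_pri = int(m.group(1))
    facility, severity = split_pri(header_pri)
    # Assumption: body starts at the first "{"; "!" paths are nested objects.
    body = json.loads(line[line.index("{"):])
    body_pri = body.get("syslog", {}).get("pri")
    if body_pri is None:
        verdict = "absent"          # header is the only source, nothing to compare
    elif int(body_pri) == header_pri:
        verdict = "consistent"
    elif int(body_pri) == severity:
        verdict = "severity-only"   # level alone was stored in syslog!pri
    else:
        verdict = "mismatch"
    return facility, SEVERITIES[severity], verdict

# Constructed sample lines (not taken from the thread).
SAMPLES = [
    '<30>Jul 10 18:15:36 host1 app: @cee: {"msg": "up", "syslog": {"pri": 30}}',
    '<30>Jul 10 18:15:36 host1 app: @cee: {"msg": "up", "syslog": {"pri": 6}}',
    '<30>Jul 10 18:15:36 host1 app: @cee: {"msg": "up"}',
    '<30>Jul 10 18:15:36 host1 app: @cee: {"msg": "up", "syslog": {"pri": 14}}',
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(check_body_pri(sample))
```

A header facility of 0 (kern) makes the full PRI equal to the bare level, so that case reports "consistent" and cannot be told apart from a level-only value.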