[Dshield] Syslog facility

Jeffrey Denton dentonj at gmail.com
Thu Mar 3 03:21:37 GMT 2005


On Wed, 02 Mar 2005 13:39:38 -0500, Esler, Joel CNTR/Sytex
<joel.esler at rcert-s.army.mil> wrote:
> Is there anyway to tell what facility syslog UDP traffic is coming in
> out through the use of tcpdump?
> 
> When I put *.* in my syslog.conf i get the messages I want, but I can't
> find the facility they are coming in on..

The BSD Syslog Protocol

http://www.faqs.org/rfcs/rfc3164.html


4.1.1 PRI Part:

"The Priority value is calculated by first multiplying the Facility
number by 8 and then adding the numerical value of the Severity. For
example, a kernel message (Facility=0) with a Severity of Emergency
(Severity=0) would have a Priority value of 0.  Also, a "local use 4"
message (Facility=20) with a Severity of Notice (Severity=5) would
have a Priority value of 165.  In the PRI part of a syslog message,
these values would be placed between the angle brackets as <0> and
<165> respectively.  The only time a value of "0" will follow the "<"
is for the Priority value of "0". Otherwise, leading "0"s MUST NOT be
used."

# tcpdump -nvvXi eth1 -s 1500 
tcpdump: listening on eth1, link-type EN10MB (Ethernet), capture size 1500 bytes
19:32:02.545235 IP (tos 0xc0, ttl  64, id 14315, offset 0, flags
[none], length: 104) 192.168.144.104 > 192.168.144.103: icmp 84:
192.168.144.104 udp port 514 unreachable for IP (tos 0x0, ttl  64, id
0, offset 0, flags [DF], length: 76) 192.168.144.103.514 >
192.168.144.104.514: [udp sum ok] UDP, length: 48
        0x0000:  45c0 0068 37eb 0000 4001 9fc9 c0a8 9068  E..h7...@......h
        0x0010:  c0a8 9067 0303 9f67 0000 0000 4500 004c  ...g...g....E..L
        0x0020:  0000 4000 4011 9880 c0a8 9067 c0a8 9068  ..@.@......g...h
        0x0030:  0202 0202 0038 cf85 3c36 3e6b 6572 6e65  .....8..<6>kerne
        0x0040:  6c3a 2064 6576 6963 6520 6574 6831 2065  l:.device.eth1.e
        0x0050:  6e74 6572 6564 2070 726f 6d69 7363 756f  ntered.promiscuo
        0x0060:  7573 206d 6f64 650a                      us.mode.
19:32:06.835539 IP (tos 0x0, ttl  64, id 0, offset 0, flags [DF],
length: 55) 192.168.144.103.514 > 192.168.144.104.514: [udp sum ok]
UDP, length: 27
        0x0000:  4500 0037 0000 4000 4011 9895 c0a8 9067  E..7..@.@......g
        0x0010:  c0a8 9068 0202 0202 0023 d24a 3c31 333e  ...h.....#.J<13>
        0x0020:  6c6f 6767 6572 3a20 5468 6973 2069 7320  logger:.This.is.
        0x0030:  6120 7465 7374 0a                        a.test.


From /var/log/messages:

Mar  2 19:32:02 lab kernel: device eth1 entered promiscuous mode
Mar  2 19:32:06 lab logger: This is a test


From the tcpdump, the codes <6> and <13> are what we want.

The first message is an informational kernel entry that has a facility
of 0 and a severity of 6.  (8 * 0) + 6 = 6

The second message is from the 'logger' command.  It defaults to
sending messages as user.notice which have a facility of 1 and a
severity of 5.  (8 * 1) + 5 = 13

To determine what the original facility and severity were, divide
the code by 8 to get the facility, and the remainder is the severity.
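As an added example (not part of the original post), the script below automates the decoding described above: it rebuilds the raw bytes from the hex column of a `tcpdump -X` dump, skips the IPv4 and UDP headers, and applies the RFC 3164 rule in reverse (PRI divided by 8 gives the facility, the remainder the severity). The embedded sample is the second datagram from the capture above, copied verbatim; the first datagram is an ICMP port-unreachable that wraps the syslog packet, and extracting the inner packet is not handled here. The facility and severity names follow Tables 1 and 2 of RFC 3164 section 4.1.1; the function names are my own.

```python
"""Decode the syslog PRI field from a tcpdump -X hex dump of a UDP datagram.

Added example, not code from the original post. Assumes a plain IPv4/UDP
datagram (no ICMP wrapper) whose payload starts with the RFC 3164 PRI part.
"""
import re

# Facility (0-23) and Severity (0-7) names from RFC 3164 section 4.1.1.
FACILITIES = (
    "kernel messages", "user-level messages", "mail system", "system daemons",
    "security/authorization messages", "messages generated internally by syslogd",
    "line printer subsystem", "network news subsystem", "UUCP subsystem",
    "clock daemon", "security/authorization messages", "FTP daemon",
    "NTP subsystem", "log audit", "log alert", "clock daemon",
    "local use 0", "local use 1", "local use 2", "local use 3",
    "local use 4", "local use 5", "local use 6", "local use 7",
)
SEVERITIES = ("Emergency", "Alert", "Critical", "Error",
              "Warning", "Notice", "Informational", "Debug")

# Constructed input: the second datagram from the tcpdump output above,
# copied as printed (offset, hex column, ASCII column).
SAMPLE_DUMP = """\
        0x0000:  4500 0037 0000 4000 4011 9895 c0a8 9067  E..7..@.@......g
        0x0010:  c0a8 9068 0202 0202 0023 d24a 3c31 333e  ...h.....#.J<13>
        0x0020:  6c6f 6767 6572 3a20 5468 6973 2069 7320  logger:.This.is.
        0x0030:  6120 7465 7374 0a                        a.test.
"""

# One tcpdump -X line: "0xNNNN:" then hex groups; the ASCII column follows
# after two spaces, so the greedy hex match stops before it.
_DUMP_LINE = re.compile(r"^\s*0x[0-9a-fA-F]+:\s+((?:[0-9a-fA-F]{2,4}\s?)+)")

# RFC 3164: PRI is "<" digits ">", and a leading "0" is only valid for "<0>".
_PRI = re.compile(rb"^<(0|[1-9][0-9]{0,2})>")


def parse_hexdump(text: str) -> bytes:
    """Rebuild the raw packet bytes from the hex column of a tcpdump -X dump."""
    out = bytearray()
    for line in text.splitlines():
        m = _DUMP_LINE.match(line)
        if m:
            out += bytes.fromhex(m.group(1).replace(" ", ""))
    return bytes(out)


def udp_payload(packet: bytes) -> bytes:
    """Strip the IPv4 header (honouring IHL) and the 8-byte UDP header."""
    if len(packet) < 28 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    if packet[9] != 17:
        raise ValueError("IP protocol is not UDP")
    ihl = (packet[0] & 0x0F) * 4
    udp_len = int.from_bytes(packet[ihl + 4:ihl + 6], "big")
    return packet[ihl + 8:ihl + udp_len]


def decode_pri(payload: bytes) -> dict:
    """Split the PRI value into facility and severity per RFC 3164."""
    m = _PRI.match(payload)
    if not m:
        raise ValueError("payload does not start with a valid PRI part")
    pri = int(m.group(1))
    if pri > 191:  # 23 * 8 + 7 is the largest legal value
        raise ValueError(f"PRI {pri} out of range")
    facility, severity = divmod(pri, 8)
    return {
        "pri": pri,
        "facility": facility,
        "facility_name": FACILITIES[facility],
        "severity": severity,
        "severity_name": SEVERITIES[severity],
        "message": payload[m.end():].rstrip(b"\n").decode("ascii", "replace"),
    }


def decode_dump(text: str) -> dict:
    """Full pipeline: hex dump -> packet bytes -> UDP payload -> PRI fields."""
    return decode_pri(udp_payload(parse_hexdump(text)))


if __name__ == "__main__":
    info = decode_dump(SAMPLE_DUMP)
    print(f"PRI {info['pri']}: facility {info['facility']} ({info['facility_name']}), "
          f"severity {info['severity']} ({info['severity_name']})")
    print("message:", info["message"])
```

Pasting the hex block of any other plain UDP datagram from the same capture into `SAMPLE_DUMP` decodes it the same way; a payload with a leading zero such as `<013>` is rejected, matching the MUST NOT in the RFC text quoted above.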


