[Dshield] Syslog facility
dentonj at gmail.com
Thu Mar 3 13:17:55 GMT 2005
On Wed, 02 Mar 2005 13:39:38 -0500, Esler, Joel CNTR/Sytex
<joel.esler at rcert-s.army.mil> wrote:
> Is there any way to tell what facility syslog UDP traffic is coming in
> on through the use of tcpdump?
> When I put *.* in my syslog.conf I get the messages I want, but I can't
> find the facility they are coming in on..
Sorry, I didn't think of this last night. Ethereal will parse the
message for you:
Syslog message: KERN.INFO: kernel: device eth1 entered ...
0000 0... = Facility: KERN - kernel messages (0)
.... .110 = Level: INFO - informational (6)
Message: kernel: device eth1 entered promiscuous mode\n
Syslog message: USER.NOTICE: logger: This is a test
0000 1... = Facility: USER - random user-level messages (1)
.... .101 = Level: NOTICE - normal but significant condition (5)
Message: logger: This is a test\n
Or from tethereal:
Capturing on eth1
0.000000 192.168.144.103 -> 192.168.144.104 Syslog KERN.INFO:
kernel: device eth1 entered ...
4.299278 192.168.144.103 -> 192.168.144.104 Syslog USER.NOTICE:
logger: This is a test
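What Ethereal is doing above is decoding the PRI field that every syslog UDP datagram starts with: the `<N>` prefix, where N = facility * 8 + severity, so the upper five bits of the byte are the facility and the lower three the level. The same decoding can be done by hand on a payload copied out of `tcpdump -A udp port 514`. The script below is an added example and not part of the original post; it assumes Python 3, uses the RFC 3164 facility and severity codes, and the two sample payloads are constructed to match the KERN.INFO and USER.NOTICE messages shown above.

```python
import re

# Facility and severity names by code, as listed in RFC 3164 (the same codes
# Ethereal prints: KERN = 0, USER = 1, NOTICE = 5, INFO = 6).
FACILITIES = [
    "KERN", "USER", "MAIL", "DAEMON", "AUTH", "SYSLOG", "LPR", "NEWS",
    "UUCP", "CRON", "AUTHPRIV", "FTP", "NTP", "AUDIT", "ALERT", "CLOCK",
    "LOCAL0", "LOCAL1", "LOCAL2", "LOCAL3", "LOCAL4", "LOCAL5", "LOCAL6", "LOCAL7",
]
SEVERITIES = ["EMERG", "ALERT", "CRIT", "ERR", "WARNING", "NOTICE", "INFO", "DEBUG"]

# The PRI part is "<" + one to three ASCII digits + ">" at the very start of the datagram.
_PRI_RE = re.compile(rb"^<(\d{1,3})>")


def decode_pri(payload: bytes):
    """Split a raw syslog UDP payload into its facility/severity and message text.

    Returns (facility_name, severity_name, facility, severity, message).
    """
    m = _PRI_RE.match(payload)
    if m is None:
        # RFC 3164 4.3.3: a datagram with no valid PRI is treated as priority 13
        # (USER.NOTICE) and the whole payload is the message.
        pri, message = 13, payload
    else:
        pri = int(m.group(1))
        message = payload[m.end():]
        if pri > 191:  # 23 * 8 + 7 is the largest legal value
            raise ValueError(f"PRI {pri} out of range 0..191")
    facility, severity = divmod(pri, 8)  # PRI = facility * 8 + severity
    text = message.decode("ascii", errors="replace").rstrip("\r\n")
    return FACILITIES[facility], SEVERITIES[severity], facility, severity, text


def pri_bit_lines(pri: int):
    """Render the PRI byte the way Ethereal shows it: facility bits, then level bits."""
    bits = f"{pri:08b}"                      # e.g. 6 -> "00000110"
    facility, severity = divmod(pri, 8)
    fac_line = f"{bits[:4]} {bits[4]}... = Facility: {FACILITIES[facility]} ({facility})"
    lvl_line = f".... .{bits[5:]} = Level: {SEVERITIES[severity]} ({severity})"
    return fac_line, lvl_line


# Constructed sample datagrams (payload only, as tcpdump -A would print them).
SAMPLES = [
    b"<6>kernel: device eth1 entered promiscuous mode\n",
    b"<13>logger: This is a test\n",
]

if __name__ == "__main__":
    for payload in SAMPLES:
        fac, sev, fac_n, sev_n, msg = decode_pri(payload)
        print(f"Syslog message: {fac}.{sev}: {msg}")
        for line in pri_bit_lines(fac_n * 8 + sev_n):
            print("   ", line)
```

Run against the two samples it prints the same `KERN.INFO` and `USER.NOTICE` lines Ethereal produced; a sender that omits the `<N>` prefix shows up as USER.NOTICE, which is what a relay is required to assume, and a PRI above 191 is rejected rather than silently mapped to a nonexistent facility.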