[Dshield] Syslog facility

Jeffrey Denton dentonj at gmail.com
Thu Mar 3 13:17:55 GMT 2005


On Wed, 02 Mar 2005 13:39:38 -0500, Esler, Joel CNTR/Sytex
<joel.esler at rcert-s.army.mil> wrote:
> Is there any way to tell what facility syslog UDP traffic is coming in
> out through the use of tcpdump?
> 
> When I put *.* in my syslog.conf I get the messages I want, but I can't
> find the facility they are coming in on.

Sorry, I didn't think of this last night.  Ethereal will parse the
message for you:

Syslog message: KERN.INFO: kernel: device eth1 entered ...
  0000 0... = Facility: KERN - kernel messages (0)
  .... .110 = Level: INFO - informational (6)
  Message: kernel: device eth1 entered promiscuous mode\n

Syslog message: USER.NOTICE: logger: This is a test
  0000 1... = Facility: USER - random user-level messages (1)
  .... .101 = Level: NOTICE - normal but significant condition (5)
  Message: logger: This is a test\n


Or from tethereal:

# tethereal
Capturing on eth1
  0.000000 192.168.144.103 -> 192.168.144.104 Syslog KERN.INFO:
kernel: device eth1 entered ...
  4.299278 192.168.144.103 -> 192.168.144.104 Syslog USER.NOTICE:
logger: This is a test
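
Decoding the facility and severity yourself from a raw UDP payload, as an added example that is not part of the original post and not Ethereal's code: the facility and severity names follow RFC 3164, and a datagram without a valid PRI is treated as <13> (USER.NOTICE), which is what RFC 3164 prescribes for relays.

```python
import re

# Facility names in RFC 3164 order (9 and 15 are both "clock daemon"; Linux uses 9 for cron).
FACILITIES = [
    "KERN", "USER", "MAIL", "DAEMON", "AUTH", "SYSLOG", "LPR", "NEWS",
    "UUCP", "CRON", "AUTHPRIV", "FTP", "NTP", "LOGAUDIT", "LOGALERT", "CLOCK",
    "LOCAL0", "LOCAL1", "LOCAL2", "LOCAL3", "LOCAL4", "LOCAL5", "LOCAL6", "LOCAL7",
]
SEVERITIES = ["EMERG", "ALERT", "CRIT", "ERR", "WARNING", "NOTICE", "INFO", "DEBUG"]

# PRI is "<" plus one to three decimal digits plus ">", no leading zeros except "0".
_PRI_RE = re.compile(rb"^<(0|[1-9][0-9]{0,2})>")


def decode_pri(payload: bytes) -> dict:
    """Split a syslog UDP payload into facility, severity and message text.

    PRI = facility * 8 + severity, so facility is pri >> 3 and severity is
    pri & 7: the same bit split Ethereal shows as '0000 0... = Facility'
    and '.... .110 = Level'.
    """
    m = _PRI_RE.match(payload)
    if m and int(m.group(1)) <= 191:          # 23 facilities * 8 + 7 = 191
        pri, body, present = int(m.group(1)), payload[m.end():], True
    else:                                     # no/invalid PRI: RFC 3164 section 4.3.3
        pri, body, present = 13, payload, False
    facility, severity = pri >> 3, pri & 7
    return {
        "pri": pri, "pri_present": present,
        "facility": facility, "facility_name": FACILITIES[facility],
        "severity": severity, "severity_name": SEVERITIES[severity],
        "message": body.decode("utf-8", "replace").rstrip("\n"),
    }


def summarize(payload: bytes) -> str:
    """One-line FACILITY.SEVERITY: message form, as tethereal prints it."""
    d = decode_pri(payload)
    return f"{d['facility_name']}.{d['severity_name']}: {d['message']}"


if __name__ == "__main__":
    # Constructed datagrams matching the two messages decoded above.
    for pkt in (b"<6>kernel: device eth1 entered promiscuous mode\n",
                b"<13>logger: This is a test\n",
                b"no PRI at all\n"):
        print(summarize(pkt))
```

Feed it the UDP payload (everything after the 8-byte UDP header) from a tcpdump capture and it reports the same FACILITY.SEVERITY pair Ethereal shows.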


