This option allows us to split the network feed by the severity of each syslog message, the 'level' (also called priority) part of a syslogd selector, shown in the dashboard as 'Severity'.
Select the 'Log File Splitting' value of 'Level(Severity)' to split on the severity of the message. The possible values, listed from most critical to least critical, are:
Severity | Numeric value | syslog() constant
---|---|---
emerg | 0 | LOG_EMERG
alert | 1 | LOG_ALERT
crit | 2 | LOG_CRIT
err | 3 | LOG_ERR
warning | 4 | LOG_WARNING
notice | 5 | LOG_NOTICE
info | 6 | LOG_INFO
debug | 7 | LOG_DEBUG

The numeric value is the low three bits of the PRI field at the start of each message (PRI = facility × 8 + severity), and the keywords correspond to the LOG_ severity constants passed to the syslog() routine.
Log Receiver requirement: to receive events over UDP:514 from various devices on the network and split them by 'Severity'.
Using the Log Receiver dashboard, we have created:
- a Rule called Syslog Server
- a Source called syslog_UDP
- a Destination called syslog_UDP_dest
- a Destination Filename called syslog_UDP.log
We have enabled the 'Level(Severity)' option from the Log File Splitting selector to create separate sub-directories, each containing the events with one Severity value, for example:
/opt/sbox/data/syslog_UDP/alert/syslog_UDP.log
/opt/sbox/data/syslog_UDP/crit/syslog_UDP.log
/opt/sbox/data/syslog_UDP/warning/syslog_UDP.log
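The split above depends entirely on the PRI field the sender puts at the front of each datagram. The following added example (written for this page, not the Log Receiver's own code) decodes the PRI of constructed sample datagrams, derives the severity keyword from its low three bits, and maps each message to the destination path the split would produce. The directory layout, source name and filename are the ones shown above; the fallback for a missing or out-of-range PRI (treat it as `<13>`, user.notice) is the behaviour RFC 3164 section 4.3.3 prescribes for relays and is assumed here, not confirmed for this product.

```python
import re
from pathlib import PurePosixPath

# Severity keywords in numeric order: 0 = emerg ... 7 = debug,
# matching the 'Level(Severity)' split options listed above.
SEVERITIES = ("emerg", "alert", "crit", "err", "warning", "notice", "info", "debug")

# Destination layout taken from the page's example paths.
DATA_ROOT = PurePosixPath("/opt/sbox/data")
SOURCE = "syslog_UDP"
DEST_FILENAME = "syslog_UDP.log"

# PRI is "<" + 1-3 decimal digits + ">" at the very start of the datagram.
_PRI_RE = re.compile(rb"^<(\d{1,3})>")
DEFAULT_PRI = 13  # user.notice, the RFC 3164 fallback (assumption for this product)


def parse_pri(datagram: bytes) -> tuple[int, int]:
    """Return (facility, severity) from the leading <PRI> of a datagram.

    PRI = facility * 8 + severity, so severity is the low three bits.
    A missing or out-of-range PRI is treated as <13>.
    """
    m = _PRI_RE.match(datagram)
    pri = int(m.group(1)) if m else DEFAULT_PRI
    if pri > 191:  # 23 * 8 + 7 is the largest legal value
        pri = DEFAULT_PRI
    return pri >> 3, pri & 0x07


def severity_keyword(datagram: bytes) -> str:
    """Keyword used for the severity sub-directory."""
    return SEVERITIES[parse_pri(datagram)[1]]


def split_path(datagram: bytes) -> PurePosixPath:
    """Destination file for one datagram under the Level(Severity) split."""
    return DATA_ROOT / SOURCE / severity_keyword(datagram) / DEST_FILENAME


def route(datagrams) -> dict:
    """Group raw datagrams by destination path (path -> list of datagrams)."""
    out: dict = {}
    for d in datagrams:
        out.setdefault(split_path(d), []).append(d)
    return out


# Constructed sample datagrams (not captured traffic).
SAMPLE = [
    b"<34>Oct 11 22:14:15 fw1 sshd[123]: Failed password for root",  # auth.crit
    b"<13>Oct 11 22:14:16 web1 app: user logged in",                  # user.notice
    b"<0>Oct 11 22:14:17 db1 kernel: panic",                          # kern.emerg
    b"<12>Oct 11 22:14:18 web1 app: disk 90% full",                   # user.warning
    b"Oct 11 22:14:19 legacy1 no PRI at all",                         # falls back to <13>
    b"<999>Oct 11 22:14:20 bad1 out-of-range PRI",                    # falls back to <13>
]

if __name__ == "__main__":
    for path, msgs in sorted(route(SAMPLE).items()):
        print(path, len(msgs))
```

Two points worth keeping in mind when reading the split directories: the severity is only three bits, so `auth.crit` and `kern.crit` land in the same `crit/` file and the facility is lost unless the receiver also records it; and UDP syslog carries no sender authentication, so the severity (like the source address) is whatever the sending host chose to put in the datagram.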