This option lets you split the network feed by the ‘action’ field of the syslogd daemon, commonly known as ‘Severity’.

Select the ‘Log File Splitting’ value ‘Level(Severity)’ to filter on the severity of the message. Events can then be split by one of the following values, listed from most critical to least critical:

Severity Options

  • emerg
  • alert
  • crit
  • err
  • warning
  • notice
  • info
  • debug

These keywords correspond to the matching “LOG_” severity values passed to the syslog() routine.

Log Receiver requirement: to receive events over UDP:514 from various devices on the network and split them by ‘Severity’.

Using the Log Receiver dashboard, we have created:

  • a Rule called Syslog Server
  • a Source called syslog_UDP
  • a Destination called syslog_UDP_dest
  • a Destination Filename called syslog_UDP.log

We have enabled the ‘Level(Severity)’ option from the Log File Splitting selector to create separate sub-directories, each containing events with a different Severity value, for example:

/opt/sbox/data/syslog_UDP/alert/syslog_UDP.log
/opt/sbox/data/syslog_UDP/crit/syslog_UDP.log
/opt/sbox/data/syslog_UDP/warning/syslog_UDP.log
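As an added illustration (example code written for this page, not the Log Receiver's own implementation), the snippet below shows how a syslog message's severity is derived from its PRI header and how that keyword selects the per-severity sub-directory shown above. The base directory, Source name and Destination Filename are taken from the example; the sample datagrams and the `unknown` fallback directory for messages without a valid PRI are assumptions.

```python
import re
from pathlib import PurePosixPath
from typing import Dict, List, Optional

# Severity keywords in syslog numeric order (0 = emerg ... 7 = debug),
# matching the LOG_* severity constants used with syslog(3).
SEVERITY_KEYWORDS = ("emerg", "alert", "crit", "err",
                     "warning", "notice", "info", "debug")

# Names taken from the Log Receiver example above.
BASE_DIR = "/opt/sbox/data"
SOURCE_NAME = "syslog_UDP"
DEST_FILENAME = "syslog_UDP.log"

# BSD-style syslog messages start with a PRI header "<N>".
_PRI_RE = re.compile(r"^<(\d{1,3})>")


def severity_of(message: str) -> Optional[str]:
    """Return the severity keyword of a syslog message, or None if no valid PRI.

    PRI encodes facility * 8 + severity, so the severity is the low 3 bits.
    Facilities run 0..23, which caps a valid PRI at 191.
    """
    m = _PRI_RE.match(message)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:
        return None
    return SEVERITY_KEYWORDS[pri & 0x07]


def split_path(message: str, fallback: str = "unknown") -> str:
    """Directory/file the severity splitter would write this message to.

    'unknown' is an assumed fallback for messages without a usable PRI.
    """
    sev = severity_of(message) or fallback
    return str(PurePosixPath(BASE_DIR) / SOURCE_NAME / sev / DEST_FILENAME)


# Constructed sample datagrams (not captured from real devices).
SAMPLE_MESSAGES = [
    "<34>Oct 11 22:14:15 fw01 sshd[123]: refused connect from 10.0.0.5",  # 4*8+2 -> crit
    "<13>Oct 11 22:14:16 host1 cron[456]: job started",                   # 1*8+5 -> notice
    "<28>Oct 11 22:14:17 host2 kernel: link down on eth0",                # 3*8+4 -> warning
    "garbage without a PRI header",                                       # -> unknown
]


def route(messages: List[str]) -> Dict[str, List[str]]:
    """Group messages by the split path they would be written to."""
    routed: Dict[str, List[str]] = {}
    for msg in messages:
        routed.setdefault(split_path(msg), []).append(msg)
    return routed


if __name__ == "__main__":
    for path, msgs in route(SAMPLE_MESSAGES).items():
        print(f"{path}: {len(msgs)} message(s)")
```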