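Problem:
When facility is set to local6 in logstash-output-syslog, messages actually go out as local4; when facility is set to local7, they actually go out as local5. When it is set to daemon, however, it really is daemon.
Cause:
- Refer to the source: https://github.com/phpor/logstash-output-syslog/blob/master/lib/logstash/outputs/syslog.rb It defines the facilities in an array: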
```ruby
FACILITY_LABELS = [
  "kernel",
  "user-level",
  "mail",
  "daemon",
  "security/authorization",
  "syslogd",
  "line printer",
  "network news",
  "uucp",
  "clock",
  "ftp",
  "ntp",
  "log audit",
  "log alert",
  "local0",
  "local1",
  "local2",
  "local3",
  "local4",
  "local5",
  "local6",
  "local7",
]
```
The definition in the RFC, however, is as follows: https://tools.ietf.org/html/rfc3164#section-4.1.1
```
   Numerical             Facility
      Code

       0             kernel messages
       1             user-level messages
       2             mail system
       3             system daemons
       4             security/authorization messages (note 1)
       5             messages generated internally by syslogd
       6             line printer subsystem
       7             network news subsystem
       8             UUCP subsystem
       9             clock daemon (note 2)
      10             security/authorization messages (note 1)
      11             FTP daemon
      12             NTP subsystem
      13             log audit (note 1)
      14             log alert (note 1)
      15             clock daemon (note 2)
      16             local use 0  (local0)
      17             local use 1  (local1)
      18             local use 2  (local2)
      19             local use 3  (local3)
      20             local use 4  (local4)
      21             local use 5  (local5)
      22             local use 6  (local6)
      23             local use 7  (local7)
```
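We can see that 4 and 10 are defined identically, as are 9 and 15. The plugin source simply dropped the two duplicate entries, so the facility codes no longer line up.
- Solution: put the two duplicate entries back.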
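
The offset described above, worked through as an added example (not the plugin's own code). It assumes the facility code is the label's position in the array and that PRI = facility * 8 + severity; the names `BUGGY_LABELS`, `RFC_LABELS`, `facility_code`, `pri`, `received_facility` and `shifted` are hypothetical.

```ruby
# Added example, not the plugin's code. Assumption: the facility code is the
# label's position in the array (Array#index), and PRI = facility * 8 + severity.

# Array as quoted on the page (RFC codes 10 and 15 are missing).
BUGGY_LABELS = %w[kernel user-level mail daemon security/authorization syslogd] +
  ["line printer", "network news"] + %w[uucp clock ftp ntp] +
  ["log audit", "log alert"] + (0..7).map { |n| "local#{n}" }

# RFC 3164 section 4.1.1 order: codes 10 and 15 repeat the labels of 4 and 9.
RFC_LABELS = BUGGY_LABELS.dup
RFC_LABELS.insert(10, "security/authorization")
RFC_LABELS.insert(15, "clock")

# Facility code a sender derives from a label table. The first match wins,
# so the restored duplicates do not disturb codes 4 and 9.
def facility_code(labels, name)
  labels.index(name) or raise ArgumentError, "unknown facility: #{name}"
end

# PRI value placed in the <...> header of the syslog message.
def pri(labels, name, severity)
  facility_code(labels, name) * 8 + severity
end

# Facility an RFC-conforming receiver reads back from a PRI value.
def received_facility(pri_value)
  RFC_LABELS[pri_value / 8]
end

# Labels whose code under the given table differs from the RFC code.
def shifted(labels)
  labels.uniq.select { |l| labels.index(l) != RFC_LABELS.index(l) }
end

if __FILE__ == $PROGRAM_NAME
  %w[daemon ftp local6 local7].each do |f|
    bug = pri(BUGGY_LABELS, f, 6) # severity 6 = informational
    fix = pri(RFC_LABELS, f, 6)
    puts format("%-7s buggy <%d> read as %-22s fixed <%d> read as %s",
                f, bug, received_facility(bug), fix, received_facility(fix))
  end
  puts "shifted labels: #{shifted(BUGGY_LABELS).join(', ')}"
end
```

Every label after `clock` is shifted, not only local6 and local7, so any receiver rule that routes or alerts by facility on those labels should be rechecked once the array is fixed.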