Reputation: 580
I'm attempting to hack together a Ruby-based (1.9.1) syslog server, and am running into a pretty basic issue right from the get-go.
Here's my (very basic) code:
#!/usr/bin/env ruby
require 'socket'
require 'io/wait'
require 'syslog'

class Server
  def initialize
    @listener = UDPSocket.new
    @listener.bind("192.168.253.5", "514")
    getdata
  end

  def getdata
    while true
      @text, @sender = @listener.recvfrom(9000)
      p @listener
      p @text
      p @sender
    end
  end
end

x = Server.new
It all works fine, except that this does not display either the facility or the severity of the message:
#<UDPSocket:fd 5>
"<189>49: *Mar 1 00:24:37.862: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/8, changed state to down"
["AF_INET", 56970, "192.168.253.10", "192.168.253.10"]
Tcpdump shows this info just fine ("local7" facility, "notice" severity):
15:18:01.987542 IP 192.168.253.10.56970 > 192.168.253.5.514: SYSLOG local7.notice, length: 115
How can I inspect the UDP packet that was sent to me so I can glean both facility and severity of the syslog message?
Upvotes: 0
Views: 490
Reputation: 19751
Whenever you are implementing a well-defined network protocol, always look at the RFC:
https://www.rfc-editor.org/rfc/rfc5424
The Priority value is calculated by first multiplying the Facility
number by 8 and then adding the numerical value of the Severity.
So "local7" is 23 according to the RFC: 23 * 8 = 184.
The severity of "notice" is 5: 184 + 5 = 189.
And there's 189 right at the beginning of your message - that's the "priority" number referenced by the RFC.
So you'll need to encode the mapping from the RFC between numeric values and the textual description into your program and compute it yourself.
To get the severity and facility:
Severity = Priority % 8
Facility = Priority / 8
Upvotes: 3
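The decoding described in the answer, as an added Ruby example (not code from the question or the answer): it pulls the PRI field off the front of a datagram, splits it into facility and severity with the RFC 5424 formula, and rejects datagrams whose PRI is missing or out of range. The short facility names are the conventional BSD-style labels; the sample datagram is the line from the question.

```ruby
# RFC 5424 section 6.2.1: PRI = facility * 8 + severity, written as "<PRI>".
# Severity codes 0..7 and facility codes 0..23, with conventional short names.
SEVERITIES = %w[emerg alert crit err warning notice info debug].freeze
FACILITIES = %w[kern user mail daemon auth syslog lpr news uucp cron
                authpriv ftp ntp audit alert clock2
                local0 local1 local2 local3 local4 local5 local6 local7].freeze

# Constructed sample: the datagram shown in the question.
SAMPLE_DATAGRAM = "<189>49: *Mar 1 00:24:37.862: %LINEPROTO-5-UPDOWN: " \
                  "Line protocol on Interface FastEthernet0/8, changed state to down"

# Parse the leading "<PRI>" of a raw syslog datagram.
# Returns a hash with numeric and named facility/severity plus the rest of the
# message, or nil when the PRI is absent, has leading zeros, or exceeds 191
# (facility 23, severity 7 is the largest value the RFC allows).
def parse_pri(datagram)
  m = /\A<(\d{1,3})>(.*)\z/m.match(datagram)
  return nil unless m
  digits = m[1]
  return nil if digits.length > 1 && digits.start_with?("0")
  pri = digits.to_i
  return nil if pri > 191

  facility = pri / 8   # integer division drops the severity bits
  severity = pri % 8   # low three bits
  {
    priority: pri,
    facility: facility,
    facility_name: FACILITIES[facility],
    severity: severity,
    severity_name: SEVERITIES[severity],
    message: m[2],
  }
end

# Format the result the way tcpdump prints it, e.g. "local7.notice".
def describe(datagram)
  parsed = parse_pri(datagram)
  return "invalid PRI" unless parsed
  "#{parsed[:facility_name]}.#{parsed[:severity_name]}"
end

if __FILE__ == $PROGRAM_NAME
  puts describe(SAMPLE_DATAGRAM)
  p parse_pri(SAMPLE_DATAGRAM)
end
```

Call parse_pri on the string returned by recvfrom inside the receive loop to get the facility and severity alongside the message text.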