Syslog Facility is one information field associated with a
syslog message. It is defined by the syslog protocol. It is meant to
provide a very rough clue as to which part of a system the message originated from. Traditionally, under UNIX, there are
facilities like KERN (the OS kernel itself), LPD (the line
printer daemon) and so on. There are also the LOCAL_0 to LOCAL_7 facilities, which were
traditionally reserved for administrator and application use.
However, with the wide adoption of the syslog protocol, the content of the facility
field has become a little less clear. Most syslog-enabled devices nowadays
allow configuring any value as the facility. So the facility is basically left as a way to
distinguish different classes of syslog messages.
The facility can be very helpful for defining rules that split messages, for
example into different log files, based on the facility value.
Facility values are defined in RFC 3164:
The Facilities and Severities of the messages are numerically coded
with decimal values. Some of the operating system daemons and
processes have been assigned Facility values. Processes and daemons
that have not been explicitly assigned a Facility may use any of the
"local use" facilities or they may use the "user-level" Facility.
Those Facilities that have been designated are shown in the following
table along with their numerical code values.
0 kernel messages
1 user-level messages
2 mail system
3 system daemons
4 security/authorization messages (note 1)
5 messages generated internally by syslogd
6 line printer subsystem
7 network news subsystem
8 UUCP subsystem
9 clock daemon (note 2)
10 security/authorization messages (note 1)
11 FTP daemon
12 NTP subsystem
13 log audit (note 1)
14 log alert (note 1)
15 clock daemon (note 2)
16 local use 0 (local0)
17 local use 1 (local1)
18 local use 2 (local2)
19 local use 3 (local3)
20 local use 4 (local4)
21 local use 5 (local5)
22 local use 6 (local6)
23 local use 7 (local7)
Table 1. syslog Message Facilities
Note 1 - Various operating systems have been found to utilize
Facilities 4, 10, 13 and 14 for security/authorization,
audit, and alert messages which seem to be similar.
Note 2 - Various operating systems have been found to utilize
both Facilities 9 and 15 for clock (cron/at) messages.
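
The facility-based splitting described above, as an added example that is not part of the original page: it decodes the facility from the leading <PRI> field of an RFC 3164 message (PRI = facility * 8 + severity) and picks a log file, grouping the overlapping codes from Note 1 and Note 2. The log file names and the sample messages are constructed for this illustration.

```python
import re

# Groupings taken from the notes under Table 1.
SECURITY = {4, 10, 13, 14}   # Note 1: security/authorization, audit, alert
CLOCK = {9, 15}              # Note 2: clock (cron/at)
PRI_RE = re.compile(r"^<(\d{1,3})>")


def parse_pri(line):
    """Return (facility, severity) decoded from the leading <PRI> field."""
    m = PRI_RE.match(line)
    # Highest valid PRI is 23 * 8 + 7 = 191. RFC 3164 (section 4.3.3) has a
    # relay treat a missing or unidentifiable PRI as 13: user-level, notice.
    if not m or int(m.group(1)) > 191:
        return 1, 5
    pri = int(m.group(1))
    return pri >> 3, pri & 7


def route(line):
    """Pick a destination file (hypothetical names) from the facility."""
    facility, _severity = parse_pri(line)
    # The sender chooses the facility, so this is a sorting aid only; it says
    # nothing about whether the message really came from that subsystem.
    if facility in SECURITY:
        return "security.log"
    if facility in CLOCK:
        return "cron.log"
    if facility >= 16:
        return f"local{facility - 16}.log"
    return "messages.log"


# Constructed sample messages, not taken from a real system.
SAMPLE = [
    "<86>Jan  5 10:00:01 host1 sshd[411]: session opened for user alice",
    "<78>Jan  5 10:00:02 host1 CRON[512]: job started",
    "<134>Jan  5 10:00:03 fw1 filter: permit tcp 10.0.0.5 -> 10.0.0.9",
    "Jan  5 10:00:04 host1 app: message sent without a PRI field",
    "<999>Jan  5 10:00:05 host1 app: PRI out of range",
]

if __name__ == "__main__":
    for msg in SAMPLE:
        print(parse_pri(msg), route(msg), msg, sep="\t")
```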