Syslog Facility

The syslog facility is one of the information fields associated with a syslog message. It is defined by the syslog protocol. It is meant to give a very rough indication of which part of a system a message originated from. Traditionally, under UNIX, there are facilities such as KERN (the OS kernel itself), LPD (the line printer daemon), and so on. There are also the LOCAL_0 to LOCAL_7 facilities, which were traditionally reserved for administrator and application use.

However, with the wide adoption of the syslog protocol, the meaning of the facility field has become less clear. Most syslog-enabled devices nowadays allow any value to be configured as the facility. So in practice it is mainly left as a way to distinguish different classes of syslog messages.

The facility is very helpful for defining rules that split messages, for example into different log files, based on the facility value.

Facility values are defined in RFC 3164:

 The Facilities and Severities of the messages are numerically coded
 with decimal values. Some of the operating system daemons and
 processes have been assigned Facility values. Processes and daemons
 that have not been explicitly assigned a Facility may use any of the
 "local use" facilities or they may use the "user-level" Facility.
 Those Facilities that have been designated are shown in the following
 table along with their numerical code values.

 Numerical Code  Facility

 0 kernel messages
 1 user-level messages
 2 mail system
 3 system daemons
 4 security/authorization messages (note 1)
 5 messages generated internally by syslogd
 6 line printer subsystem
 7 network news subsystem
 8 UUCP subsystem
 9 clock daemon (note 2)
 10 security/authorization messages (note 1)
 11 FTP daemon
 12 NTP subsystem
 13 log audit (note 1)
 14 log alert (note 1)
 15 clock daemon (note 2)
 16 local use 0 (local0)
 17 local use 1 (local1)
 18 local use 2 (local2)
 19 local use 3 (local3)
 20 local use 4 (local4)
 21 local use 5 (local5)
 22 local use 6 (local6)
 23 local use 7 (local7)

 Table 1. syslog Message Facilities

 Note 1 - Various operating systems have been found to utilize
 Facilities 4, 10, 13 and 14 for security/authorization,
 audit, and alert messages which seem to be similar.
 Note 2 - Various operating systems have been found to utilize
 both Facilities 9 and 15 for clock (cron/at) messages.
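
The split-by-facility rule described above, as an added example that is not part of the original page: it decodes the facility from a message's leading PRI value (RFC 3164 computes it as facility * 8 + severity) and routes the overlapping codes from notes 1 and 2 together. The destination file names and the sample messages are assumptions constructed for illustration.

```python
import re

# RFC 3164 Table 1 assigns facility codes 0-23; 16-23 are local0-local7.
# Notes 1 and 2: codes 4, 10, 13, 14 (security/authorization, audit, alert)
# and codes 9, 15 (clock daemon) overlap, so each group is routed together.
SECURITY = {4, 10, 13, 14}
CLOCK = {9, 15}
PRI_RE = re.compile(r"^<(\d{1,3})>")

def decode_pri(line):
    """Return (facility, severity) from the leading <PRI>, or None if invalid."""
    m = PRI_RE.match(line)
    if not m:
        return None
    # RFC 3164: PRI = facility * 8 + severity
    facility, severity = divmod(int(m.group(1)), 8)
    return (facility, severity) if facility <= 23 else None

def route(line):
    """Choose a destination file (hypothetical names) for one raw message."""
    decoded = decode_pri(line)
    if decoded is None:
        return "unparsed.log"  # keep malformed input for review, never drop it
    facility, _ = decoded
    if facility in SECURITY:
        return "security.log"
    if facility in CLOCK:
        return "cron.log"
    if facility >= 16:
        return f"local{facility - 16}.log"
    return "system.log"

# Constructed sample messages, not captured from a real system.
SAMPLES = [
    "<34>Oct 11 22:14:15 host1 su: 'su root' failed for user1",
    "<86>Oct 11 22:14:16 host1 sshd[411]: session opened for user1",
    "<78>Oct 11 22:15:00 host1 cron[512]: job started",
    "<190>Oct 11 22:15:02 fw1 filter: connection allowed",
    "<999>Oct 11 22:15:03 host1 priority out of range",
    "no priority field at all",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{route(sample):14} {decode_pri(sample)}  {sample[:40]}")
```

Because most devices let the sender configure any facility, treat the routing result as a classification label rather than as proof of where a message came from.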
