LOG_LOCAL

L4 Transporter

What is the idea/reason behind the facility setting for syslog? Is LOG_USER, and LOG_LOCAL0-7 just a method of ID, or is there something more to it? When setting up to send to a syslog server should you avoid using LOG_USER and use LOG_LOCAL(0-7)?

The inherent vice of capitalism is the unequal sharing of blessings; the inherent virtue of socialism is the equal sharing of miseries.
Accepted Solutions

L5 Sessionator

The syslog facility can be configured within the system when setting the syslog destination. Multiple syslog settings can be configured and referenced by the various log forwarding functions if desired. The available facilities are: user, local0, local1, local2, local3, local4, local5, local6, and local7.

A facility level is used to specify what type of program is logging the message. This lets the configuration file specify that messages from different facilities will be handled differently.[4] The list of facilities available:[5] (defined by RFC 3164)

| Facility Number | Keyword | Facility Description |
|---|---|---|
| 0 | kern | kernel messages |
| 1 | user | user-level messages |
| 2 | mail | mail system |
| 3 | daemon | system daemons |
| 4 | auth | security/authorization messages |
| 5 | syslog | messages generated internally by syslogd |
| 6 | lpr | line printer subsystem |
| 7 | news | network news subsystem |
| 8 | uucp | UUCP subsystem |
| 9 | | clock daemon |
| 10 | authpriv | security/authorization messages |
| 11 | ftp | FTP daemon |
| 12 | - | NTP subsystem |
| 13 | - | log audit |
| 14 | - | log alert |
| 15 | cron | clock daemon |
| 16 | local0 | local use 0 (local0) |
| 17 | local1 | local use 1 (local1) |
| 18 | local2 | local use 2 (local2) |
| 19 | local3 | local use 3 (local3) |
| 20 | local4 | local use 4 (local4) |
| 21 | local5 | local use 5 (local5) |
| 22 | local6 | local use 6 (local6) |
| 23 | local7 | local use 7 (local7) |

For more reference on syslog facilities, refer to the below link:

http://en.wikipedia.org/wiki/Syslog#Facility_Levels

BR,

Karthik RP

L5 Sessionator

You can also refer to the below doc:

https://live.paloaltonetworks.com/docs/DOC-2021

BR,

Karthik RP

L4 Transporter

By the Docs, and explanations, it is just a method of ID. You could set up different settings and use different facilities to reference them, or for different servers or however you want.

The inherent vice of capitalism is the unequal sharing of blessings; the inherent virtue of socialism is the equal sharing of miseries.

L3 Networker

Just in case, I hope this helps someone

The Facilities and Severities of the messages are numerically coded with decimal values. Some of the operating system daemons and processes have been assigned Facility values. Processes and daemons that have not been explicitly assigned a Facility may use any of the "local use" facilities or they may use the "user-level" Facility. Therefore, for the facility levels:

16 local use 0 (local0)

17 local use 1 (local1)

18 local use 2 (local2)

19 local use 3 (local3)

20 local use 4 (local4)

21 local use 5 (local5)

22 local use 6 (local6)

23 local use 7 (local7)

Similarly, the numerical values for the severity levels are:

0 Emergency: system is unusable

1 Alert: action must be taken immediately

2 Critical: critical conditions

3 Error: error conditions

4 Warning: warning conditions

5 Notice: normal but significant condition

6 Informational: informational messages

7 Debug: debug-level messages

The Priority value (the first component of a syslog message) is calculated by first multiplying the Facility number by 8 and then adding the numerical value of the Severity. For example, a kernel message (Facility=0) with a Severity of Emergency (Severity=0) would have a Priority value of 0. Also, a "local use 4" message (Facility=20) with a Severity of Notice (Severity=5) would have a Priority value of 165. In the PRI part of a Syslog message, these values would be placed between the angle brackets as <0> and <165> respectively.
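The Priority calculation described in the post above, worked in both directions as a receiver would apply it to incoming lines. This is an added example, not part of the original thread or any vendor code. The labels for facilities 9 and 12-14, the fallback to PRI 13 (the user.notice value RFC 3164 tells relays to use when the PRI is unusable), and the sample lines are assumptions or constructed for illustration.

```python
import re
from collections import Counter

# Names indexed by numeric code, following the tables in the thread. The labels for
# codes 9 and 12-14 are assumptions (the thread gives no keyword for them).
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "clock", "authpriv", "ftp", "ntp", "audit", "alert", "cron",
              ] + [f"local{i}" for i in range(8)]
SEVERITIES = ["emergency", "alert", "critical", "error",
              "warning", "notice", "informational", "debug"]

PRI_RE = re.compile(r"<(0|[1-9][0-9]{0,2})>")  # 1-3 digits, no leading zeros
FALLBACK_PRI = 13  # user.notice, assigned when the PRI is missing or unusable


def encode_pri(facility: int, severity: int) -> int:
    """Priority = Facility * 8 + Severity."""
    if not (0 <= facility <= 23 and 0 <= severity <= 7):
        raise ValueError("facility must be 0-23 and severity 0-7")
    return facility * 8 + severity


def decode_pri(line: str):
    """Return (facility, severity, rest_of_message, pri_was_valid)."""
    m = PRI_RE.match(line)
    if m and int(m.group(1)) <= 191:      # 23 * 8 + 7 is the largest legal value
        pri, rest, valid = int(m.group(1)), line[m.end():], True
    else:                                  # missing, malformed or out of range
        pri, rest, valid = FALLBACK_PRI, line, False
    facility, severity = divmod(pri, 8)
    return FACILITIES[facility], SEVERITIES[severity], rest, valid


def summarize(lines):
    """Count messages per facility.severity and collect lines with a bad PRI."""
    counts, rejected = Counter(), []
    for line in lines:
        fac, sev, _, valid = decode_pri(line)
        counts[f"{fac}.{sev}"] += 1
        if not valid:
            rejected.append(line)
    return counts, rejected


# Constructed sample input, not taken from a real device.
SAMPLE = [
    "<165>Aug 24 05:34:00 fw01 constructed local4 notice message",
    "<0>Aug 24 05:34:01 host1 constructed kernel emergency message",
    "<134>Aug 24 05:34:02 fw01 constructed local0 informational message",
    "<999>Aug 24 05:34:03 host2 constructed out-of-range PRI",
    "Aug 24 05:34:04 host3 constructed message with no PRI",
]

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

The facility is chosen by the sender, so the decoded value identifies a log stream for routing and filtering; it does not authenticate where the message came from.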
