[logs] Syslog and facilities

Rainer Gerhards rgerhards at hq.adiscon.com
Wed Jun 6 12:45:04 PDT 2007


To answer that a bit more precisely than in my post to Marcus:

Facility is indeed mostly useless if you do not do anything about it. You
can configure different devices/senders to use specific facilities and
then use them while relaying, storing messages or some other way to
process them. It's mostly a filter property. With current syslog
implementations (e.g. syslog-ng, rsyslog [www.rsyslog.com], WinSyslog
[www.winsyslog.com]) you can filter on many more things than on
facility. For example, filters can be the originator, message content
etc. However, facility is often a very handy tool for filtering. It also
works with stock sysklogd on Linux.

HTH,
Rainer

PS: I am the maintainer of the rsyslog project and I am with Adiscon,
the WinSyslog vendor.
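To make the "filter property" point concrete: the facility travels in the PRI field at the start of each syslog message (PRI = facility * 8 + severity, per RFC 3164/5424), and a receiver or relay can decode it and route on it. The following is an added example, not code from the original post or from any of the implementations named above. The sample log lines are constructed, the facility-to-destination mapping (local7 for routers, local4 for Unix hosts) is an assumption for illustration, and the facility names are the conventional ones rather than any particular implementation's table.

```python
import re

# Facility numbers from RFC 3164 / RFC 5424; facility = PRI // 8.
# Names for 12-15 vary between implementations; conventional names are used here.
FACILITIES = {
    0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
    6: "lpr", 7: "news", 8: "uucp", 9: "cron", 10: "authpriv", 11: "ftp",
    12: "ntp", 13: "logaudit", 14: "logalert", 15: "cron2",
    16: "local0", 17: "local1", 18: "local2", 19: "local3",
    20: "local4", 21: "local5", 22: "local6", 23: "local7",
}
# Severity = PRI % 8, 0 (emerg) through 7 (debug).
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)


def decode_pri(line):
    """Return (facility_name, severity_name, remainder) for a raw syslog line.

    Raises ValueError when the PRI field is missing or out of range, so that
    malformed input is never silently mapped onto a real facility.
    """
    m = PRI_RE.match(line)
    if not m:
        raise ValueError("no PRI field")
    pri = int(m.group(1))
    if pri > 191:  # 23 * 8 + 7 is the largest valid PRI value
        raise ValueError("PRI out of range: %d" % pri)
    return FACILITIES[pri // 8], SEVERITIES[pri % 8], m.group(2)


def route_by_facility(lines, routes, default="catchall"):
    """Group lines by the destination their facility is mapped to.

    `routes` maps a facility name to a destination label (a file, a relay,
    a queue).  Anything without a mapping goes to `default`; lines that fail
    to decode are kept separately so they are not lost.
    """
    buckets = {}
    for line in lines:
        try:
            fac, sev, msg = decode_pri(line)
        except ValueError:
            buckets.setdefault("malformed", []).append(line)
            continue
        dest = routes.get(fac, default)
        buckets.setdefault(dest, []).append((fac, sev, msg.strip()))
    return buckets


# Constructed sample lines (not captured traffic); PRI values chosen so that
# 189 = local7.notice, 166 = local4.info, 38 = auth.info.
SAMPLE = [
    "<189>Jun  6 12:40:01 rtr1 %SYS-5-CONFIG_I: Configured from console",
    "<166>Jun  6 12:40:05 unix1 sshd[123]: Accepted publickey for alice",
    "<38>Jun  6 12:40:09 unix2 sshd[456]: Failed password for root",
    "Jun  6 12:40:11 unix3 line without a PRI field",
]

# Assumed routing policy: routers were configured to log with local7,
# Unix hosts with local4; everything else lands in the catch-all.
ROUTES = {"local7": "routers.log", "local4": "unix.log"}

if __name__ == "__main__":
    for dest, entries in route_by_facility(SAMPLE, ROUTES).items():
        print(dest)
        for entry in entries:
            print("   ", entry)
```

The facility value is whatever the sender chose to put in the PRI, so routing on it is only as reliable as the senders' configuration; the `malformed` and `catchall` buckets exist precisely so that a misconfigured or unexpected source shows up rather than disappearing into another host's log file.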

> -----Original Message-----
> From: loganalysis-bounces at loganalysis.org 
> [mailto:loganalysis-bounces at loganalysis.org] On Behalf Of saudi sans
> Sent: Wednesday, June 06, 2007 12:56 PM
> To: loganalysis at loganalysis.org
> Subject: [logs] Syslog and facilities
> 
> Syslog has facilities and levels.
> 
> What is the "facility" in syslog? The level concept is
> pretty intuitive.
> 
> As I understand "facility" field contains the source-program which
> generated the log entry.
> 
> I have a central syslog server where I am aggregating logs from
> several cisco routers and Unix machines.
> 
> I have given Level7 as my facility in all cisco routers and 
> Level4 for all Unix
> 
> If I am collecting logs remotely does the "facility" field contain
> anything meaningful? Does it make any difference to the log generation?
> Does it matter if I set Level4 or LevelX?
