[logs] Facility 101 (was: Syslog and facilities)
Chris Brenton
cbrenton at chrisbrenton.org
Mon Jun 18 06:04:41 PDT 2007
On Wed, 2007-06-06 at 16:25 +0530, saudi sans wrote:
>
> Syslog has facilities and levels.
>
> What is the "facility" in syslog ? The level concept is pretty intuitive.
Sorry for the slow reply, been totally swamped. Others have replied but I
thought I would toss in some additional info.
The concept behind facility was to create a general bit bucket for log
entries to go into. The problem is there is very little framework
defined for each entry. For example, should a logon event be recorded as
facility 4 described as "security/authorization messages", or facility
10 which is also described as "security/authorization messages" (there
is no further clarification between the two facilities in the RFC).
You'll find apps like OpenSSH actually use both. Or maybe it actually
belongs in facility 3 (system daemons) because technically you are
authenticating to a running process. You get the idea, with so much open
to interpretation it's easy for messages to end up pretty much anywhere.
The other problem is some of the facilities are a bit dated. For example
there is a facility for FTP (11) but not HTTP. UUCP even has its own
facility (8) but of course no one uses it anymore (I use it for my
Windows stuff. Keeps it from getting mixed in with other log entries ;-)
Finally, we come to the local use facilities (16-23). The concept here
is that these are "private" (kind of like IP addresses) so you can use
them as you please. Of course the problem here is you start running into
conflicts. For example Linux uses local use 7 for its boot up messages.
Apache also uses this facility for its error log reporting. So send all
local use 7 entries to a single log file and you will end up with the
two mixed together. Hard to fix without a pretty severe hack (a conf
file change would be nice but most programmers don't pay that much
attention to logging control).
Now, with all that said, when you are sorting logs it's actually the
"priority" that's used by Syslog. Priority is simply:
(facility * 8) + severity = priority
So for example a critical Sendmail error would be: 2x8+2=18
So how you tell your logging server to deal with priority 18
(mail.critical) will decide which log file it ends up in.
> I have a central syslog server where I am aggregating logs from
> several cisco routers and Unix machines.
>
> I have given Level7 as my facility in all cisco routers and Level4 for all Unix
>
> If I am collecting logs remotely does the "facility" field contain
> anything meaningful? Does it make any difference to the log generation?
> Does it matter if I set Level4 or LevelX?
Yup, see above. Combine your assigned facility with the severity level
and you can sort things as required. Or, you could just simply choose to
do something like the following in syslog.conf:
news.* /var/log/router_stuff
auth.* /var/log/all_unix_stuff
HTH,
Chris
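Added example, not part of Chris's message or the list archive: a small Python decoder for the PRI arithmetic described above, plus a toy selector matcher mirroring the two syslog.conf lines shown. The sample log lines are constructed, and the keyword names used for facility codes 12 to 15 are assumptions (classic syslog.conf has no keywords for them).

```python
import re

# RFC 3164 facility codes. Note 4 (auth) and 10 (authpriv) share the
# "security/authorization messages" description, as the post points out.
# Names for 12..15 are assumed labels; syslog.conf has no keyword for them.
FACILITIES = {
    0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
    6: "lpr", 7: "news", 8: "uucp", 9: "cron", 10: "authpriv", 11: "ftp",
    12: "ntp", 13: "audit", 14: "alert", 15: "clock",
    **{16 + i: f"local{i}" for i in range(8)},   # local use 0..7
}
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
FAC_BY_NAME = {v: k for k, v in FACILITIES.items()}

def encode_pri(facility: str, severity: str) -> int:
    """(facility * 8) + severity, e.g. mail.crit -> 2*8 + 2 = 18."""
    return FAC_BY_NAME[facility] * 8 + SEVERITIES.index(severity)

def decode_pri(pri: int) -> tuple:
    """Split a PRI value back into (facility, severity); valid range is 0..191."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI out of range: {pri}")
    return FACILITIES[pri // 8], SEVERITIES[pri % 8]

_PRI_RE = re.compile(r"^<(\d{1,3})>")

def pri_of(message: str) -> int:
    """Extract the leading <PRI> field from a raw syslog line."""
    m = _PRI_RE.match(message)
    if not m:
        raise ValueError("no <PRI> prefix on message")
    return int(m.group(1))

def selector_matches(selector: str, pri: int) -> bool:
    """Classic syslog.conf selector 'fac.level': level means that severity
    or anything more severe (lower number); '*' is a wildcard on either side."""
    facility, severity = decode_pri(pri)
    fac_part, lvl_part = selector.split(".", 1)
    if fac_part != "*" and facility not in fac_part.split(","):
        return False
    if lvl_part == "*":
        return True
    if lvl_part == "none":
        return False
    return SEVERITIES.index(severity) <= SEVERITIES.index(lvl_part)

def route(message: str, rules: list) -> list:
    """Return every destination whose selector matches the message's PRI."""
    pri = pri_of(message)
    return [dest for sel, dest in rules if selector_matches(sel, pri)]
```

Running `route` over a constructed authpriv line shows the sorting gap the post describes: with only `auth.*` and `news.*` rules, an OpenSSH message logged to facility 10 matches nothing.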