55

##What I understand

On *nix servers, we configure sending logs using facility.severity, where facility is the name of the (let's call it) "component" of the system, such as kernel, authentication, and so on; and severity is the "level" of each of the logs logged by a facility, such as info (informational), crit (critical) logs.

So, if I want to send kernel critical logs, I'll use kern.crit.

The combination of facility and severity is known as the priority, for example...

  • priority = kern.crit
  • facility = kern
  • severity = crit

##Question

There are "facilities" called local0 to local7.

What in the world are these local# facilities? I'm asking specifically about local6, since it's usually the most common one I find in searches.

My question is actually because I'm configuring Snort (SourceFire Intrusion Sensor) to send logs, so I wanted to know which facility to use. My question is not Snort specific though, because local# facilities are everywhere; on Cisco and IBM's WebSphere Application Server for instance.

##Research

  • RFC3164, which is where the syslog protocol is defined, only says:

      local6 - local use 6

Which doesn't really describe it, as opposed to:

    auth   - security/authorization messages
  • In Ubuntu, man syslog shows:
       LOG_LOCAL0 through LOG_LOCAL7
                      reserved for local use

Also, vague.

Community
  • 1
Alaa Ali
  • 1,875
  • 2
  • 15
  • 21

2 Answers2

46

General info

The facilities local0 to local7 are "custom" unused facilities that syslog provides for the user. If a developer create an application and wants to make it log to syslog, or if you want to redirect the output of anything to syslog (for example, Apache logs), you can choose to send it to any of the local# facilities. Then, you can use /etc/syslog.conf (or /etc/rsyslog.conf) to save the logs being sent to that local# to a file, or to send it to a remote server.

Answer to my question

I asked this question because I wanted to send logs to an external server, so I wanted to know which one to choose, not "write logs to a local# facility". I had to go back to the Snort documentation to find out what they are writing to the local# facilities.

Community
  • 1
Alaa Ali
  • 1,875
  • 2
  • 15
  • 21
12

Local# facilities are dedicated for local use and there is not any standard defined (like RFC) which one is used by which application. So you can choose whatever you want. Of course, some applications and their developers agreed on a particular facility to use but this is not an official standard (like sudo - LOCAL2, Snort - LOCAL5, ...).

dsmsk80
  • 3,038
  • 1
  • 15
  • 20
  • What do you mean "I can choose whatever I want"? Are they all the same? I don't understand the last bit about `sudo local2` and `snort local5`; you mean on some devices, `sudo` is using `local2` and on others `snort` is `local5`? – Alaa Ali Sep 17 '13 at 07:09
  • I mean you can choose whatever you want from LOCAL0 to LOCAL6. Yes, on some distros I remember that sudo used local2 facility by default. – dsmsk80 Sep 17 '13 at 07:36