[colug-432] syslog facilities
Jon Miller
jonebird at gmail.com
Wed Apr 9 11:07:31 EDT 2014
Rick Hornsby <richardjhornsby at gmail.com> writes:
> Curious about opinions on syslog facilities, specifically when your
> [r]syslog server is set up to accept logs from remote sources. Says the
> RFC, the enumerated facilities are:
>
> 0 kernel messages
> 1 user-level messages
> 2 mail system
> 3 system daemons
> 4 security/authorization messages
> 5 messages generated internally by syslogd
> 6 line printer subsystem
> 7 network news subsystem
> 8 UUCP subsystem
> 9 clock daemon
> 10 security/authorization messages
> 11 FTP daemon
> 12 NTP subsystem
> 13 log audit
> 14 log alert
> 15 clock daemon (note 2)
> 16 local use 0 (local0)
> 17 local use 1 (local1)
> 18 local use 2 (local2)
> 19 local use 3 (local3)
> 20 local use 4 (local4)
> 21 local use 5 (local5)
> 22 local use 6 (local6)
> 23 local use 7 (local7)
>
>
> I realize the names are just labels, but I like to do things correctly and not just make it up as I go along. I want, as much as possible, the next guy who comes after me not to scratch his head wondering what kind of nonsense I came up with.
>
>
> If you're using a syslog server (for example) to accept HTTP access logs from load balancers, which facility is the "correct" one? We're using local0 right now, but that feels kind of hack-ish because local is supposed to be for local stuff, not remote stuff?
>
>
> What is the convention for choosing a facility to handle remote logs?

I've always used one of the localN facilities myself. I like to think of
"local" as in "local institution" in that it's our playground for managing
the syslog traffic that we deliberately care about. And if I were the next
guy after you, I certainly wouldn't be scratching my head about using
local0.
--
Jon Miller
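
An added example, not part of the original post or of any project's code: it decodes the PRI value that carries the facility on the wire (PRI = facility * 8 + severity) and routes on the sender address together with the facility, since the facility is whatever the sender put in the message. The facility labels come from the quoted list; the policy table, addresses, file names and sample messages are constructed assumptions.

```python
import re

# Labels for facility codes 0-23, taken from the list quoted in the post.
FACILITY = ["kernel", "user", "mail", "daemon", "security/auth", "syslogd",
            "printer", "news", "uucp", "clock", "security/auth", "ftp", "ntp",
            "log audit", "log alert", "clock"] + [f"local{n}" for n in range(8)]
SEVERITY = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
PRI_RE = re.compile(r"^<([0-9]{1,3})>")

def decode_pri(line):
    """Return (facility, severity, rest), or None if the PRI part is missing or invalid."""
    m = PRI_RE.match(line)
    if not m:
        return None
    facility, severity = divmod(int(m.group(1)), 8)  # PRI = facility * 8 + severity
    if facility >= len(FACILITY):                    # PRI above 191 maps to no facility
        return None
    return FACILITY[facility], SEVERITY[severity], line[m.end():]

# Hypothetical site policy: (sender address, facility) -> destination log.
# Addresses are constructed, taken from a documentation range.
POLICY = {
    ("192.0.2.10", "local0"): "lb-access.log",
    ("192.0.2.11", "local0"): "lb-access.log",
}

def route(sender, line):
    """Pick a destination from both the sender and the facility it claimed."""
    decoded = decode_pri(line)
    if decoded is None:
        return "malformed.log"
    facility, _severity, _rest = decoded
    return POLICY.get((sender, facility), f"other/{facility.replace('/', '-')}.log")

# Constructed sample datagrams as (sender, raw message) pairs.
SAMPLES = [
    ("192.0.2.10", "<134>Apr  9 11:07:31 lb1 access: GET / 200"),   # local0.info from a load balancer
    ("192.0.2.99", "<134>Apr  9 11:07:32 web7 app: started"),       # local0.info from another host
    ("192.0.2.10", "<38>Apr  9 11:07:33 lb1 sshd: session opened"), # security/auth.info
    ("192.0.2.10", "<999>garbage"),                                 # PRI out of range
    ("192.0.2.10", "no pri here"),                                  # PRI missing
]

if __name__ == "__main__":
    for sender, raw in SAMPLES:
        print(sender, "->", route(sender, raw))
```

The second sample shows why the sender is part of the key: another host using local0 does not land in the load balancer log.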