19

As well as the common system facilities (mail, news, daemon, cron, etc), syslog provides a series of "local" facilities, numbers 0 to 7: LOCAL0, LOCAL1, ..., LOCAL7.

Which ones are program defaults for common applications?

I'm looking to find out which facilities are "traditionally" used for well known services. I will be deploying an application over many servers, with various software installed, and would like to see if there's a "free" facility I could easily use for my own logs.

As a note, I realize there are other ways of doing this than a syslog facility. Just curious!

Here are some (a start to answering my own question), and some thanks to voretaq7:

  • LOCAL0 is used by postgresql
  • LOCAL2 is used by sudo
  • LOCAL3 is used by some versions of SpamAssassin
  • LOCAL4 is used by default by slapd (OpenLDAP server)
  • LOCAL5 is sometimes used by the Snort IDS
  • LOCAL7 is used for boot messages on Fedora 12
Jonathan Clarke
  • Aren't all the logs prepended with the name of the process or a user-defined name that sent it? I used to work with syslogs and I don't remember running into problems filtering log entries by app. – Clutch Feb 23 '10 at 20:05
  • clutch, you're referring to the Syslog 'tag'. By default, on Linux, the tag consists of the process name and ID, like 'httpd[1234]', that generated the log message. But you can set the tag to whatever you want via the Syslog API. See my answer, below, for more detail. – Ryan B. Lynch Feb 23 '10 at 21:30

4 Answers

7

The LOCALn facilities are available for any local use and can vary pretty widely from site to site.

I guarantee every one of the 8 available are used by something, so if you want to avoid conflicts my best advice is to log all 7 to separate logs and pick the one that nothing else seems to be using.

Some you missed (program defaults - may be changed locally so double-check):

  • LOCAL0 is used by postgresql (if configured to log to syslog)
  • LOCAL2 is used by sudo (if configured to log to syslog)
  • LOCAL3 is used by some versions of SpamAssassin
    • This is often changed by the local admin to log to mail instead
  • LOCAL5 is sometimes used by the Snort IDS
    • I don't know if this is a default or just coincidence, but I've seen it on several Snort installations
voretaq7
  • Great! This is exactly what I'm looking for - program defaults. More are welcome! Clearly, various facilities will be in use, I'm just looking to see which applications I'm going to be getting in the way of. – Jonathan Clarke Feb 24 '10 at 17:28
2

There is no standard for the LOCAL0-LOCAL7 Syslog facilities. By design, you cannot count on whether they'll be used by anything. Particular distros or organizations might have their own conventions, but that's up to distro or organization policy, not any broader standard.

As an alternative, have you considered using Syslog "tags"? Tags are free-form strings that are prepended to log messages to identify specific applications or log channels. By default, the tag is usually formed from the process name and ID (e.g., 'httpd[2839]') that generated the log data. The 'logger' command-line utility and most Syslog APIs support specifying whatever tags you want to use for your applications.

For instance, I personally like using 'http-access' for my Apache web server access logs, which I send to Syslog by piping Apache's log output to the command "logger -p local7.info -t 'http-access'".

Ryan B. Lynch
  • Interesting, thanks. However, I'm building a solution on top of some existing software that can be configured to log to one of LOCAL0 through LOCAL7. My question really regards the defaults that various software uses. – Jonathan Clarke Feb 24 '10 at 17:30
  • Makes sense, I missed that. But I will point out that there's a danger in relying on non-standardized behavior, here. The developers or packagers of OpenLDAP, Fedora, etc. can (and sometimes do) change these behaviors from version to version. There's no guarantee that an update won't diverge from any Syslog facility choices made in the past. This isn't a deal-breaker, just a potential problem you might want to watch out for. – Ryan B. Lynch Feb 24 '10 at 18:23
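
One way to check which LOCALn facilities are already taken on a host, following the advice in the answers above to look at what is actually logging rather than trust defaults (an added example, not part of the original posts). It decodes the `<PRI>` prefix of raw syslog frames, where PRI = facility × 8 + severity and facility codes 16 to 23 are local0 to local7, and groups the tags seen per facility. It assumes raw RFC 3164 style frames with the PRI still attached (as captured on the wire or written by a template that keeps it); the function names and the sample frames are constructed for illustration.

```python
import re
from collections import defaultdict

LOCAL_BASE = 16  # facility codes 16..23 are local0..local7

# <PRI>, optional BSD timestamp and hostname, then the tag with optional [pid].
FRAME = re.compile(
    r"^<(\d{1,3})>"
    r"(?:[A-Z][a-z]{2}\s+\d{1,2}\s\d{2}:\d{2}:\d{2}\s\S+\s)?"
    r"([^\s:\[]+)(?:\[(\d+)\])?:"
)

def decode_pri(pri):
    """Split a PRI value into (facility, severity)."""
    return divmod(pri, 8)

def local_usage(frames):
    """Return {'localN': {tags seen on that facility}} for the given frames."""
    usage = defaultdict(set)
    for frame in frames:
        m = FRAME.match(frame)
        if not m or int(m.group(1)) > 191:  # 191 is the highest valid PRI
            continue
        facility, _severity = decode_pri(int(m.group(1)))
        if LOCAL_BASE <= facility <= LOCAL_BASE + 7:
            usage[f"local{facility - LOCAL_BASE}"].add(m.group(2))
    return dict(usage)

def free_locals(frames):
    """List the LOCALn facilities that no observed frame used."""
    used = local_usage(frames)
    return [f"local{n}" for n in range(8) if f"local{n}" not in used]

# Constructed sample frames (not taken from a real host).
SAMPLE = [
    "<134>Feb 23 20:05:01 db1 postgres[4121]: LOG:  checkpoint complete",
    "<149>Feb 23 20:05:07 db1 sudo: alice : TTY=pts/0 ; COMMAND=/bin/ls",
    "<167>Feb 23 20:05:09 ldap1 slapd[998]: conn=1001 fd=12 ACCEPT",
    "<190>Feb 23 20:05:11 web1 http-access: GET /index.html 200",
    "<86>Feb 23 20:05:12 web1 sshd[2210]: Accepted publickey for bob",
    "not a syslog frame",
]

if __name__ == "__main__":
    for fac, tags in sorted(local_usage(SAMPLE).items()):
        print(fac, sorted(tags))
    print("unused:", free_locals(SAMPLE))
```

A facility that shows up as unused only means nothing logged to it during the sample window, so collect frames over a period long enough to include boot and scheduled jobs.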
2

Most syslog.conf files are set up with wildcard facilities for the messages file (*.info). If this is just a run-of-the-mill app and not some full-blown log-hogging cow you should probably just log to messages and not a standalone file.

Choosing to log to your own file means adding a postinstall step to your software's install packages that adds an appropriate entry in syslog.conf. This also means that if you're nice you would add a postinstall step that creates an appropriate logrotate file as well.

CarpeNoctem
-3

I was also looking for a config file like syslog.conf to cross-reference the local0-7 facilities to the program that is writing to them. It appears that such a config file does not exist. To find out what program is writing to the log, you'll have to open the log file and find the program name in the column next to the colon, for example... sendmail[22950]: is for the sendmail program. The number within the square brackets is for the port number used during the execution of the program.

Victor