
My SnapGear (now McAfee) SG560 (firmware Version 4.0.10) has a "remote system log" feature, which can send syslog-type data to a host in my network. It's working, but writing to /var/log/messages. I'd like it to store this information in a different file. I think that knowing the facility, I can change syslog.conf, however Googling hasn't turned anything up.

What is the "facility" for system log?

Felipe Alvarez
    possible duplicate of [Determine which programs are logging to a specific syslog facility](http://serverfault.com/questions/283541/determine-which-programs-are-logging-to-a-specific-syslog-facility) – Wesley Apr 17 '12 at 05:01

2 Answers

1

In addition to the clues given in the question/answers that I believe is at least a very close relative to this question, you can also inspect the traffic that is going to your syslog collector using tcpdump or whatever your favorite packet inspector is. Within the packets for syslog, there is a number encased in angle brackets < and >. That number is the syslog priority level. Priority level is determined with the following equation: (facility # * 8) + (syslog level).

Knowing that equation, you can deconstruct the priority number and arrive at the facility number by simply dividing the priority number by 8. The remainder will be the severity level. For example, <56> will divide into 7 with a 0 remainder. That equates to a facility of network news subsystem with a syslog level of Emergency.

For reference, here are the syslog facilities:

0             kernel messages
1             user-level messages
2             mail system
3             system daemons
4             security/authorization messages
5             messages generated internally by syslogd
6             line printer subsystem
7             network news subsystem
8             UUCP subsystem
9             clock daemon
10            security/authorization messages
11            FTP daemon
12            NTP subsystem
13            log audit
14            log alert
15            clock daemon
16            local use 0  (local0)
17            local use 1  (local1)
18            local use 2  (local2)
19            local use 3  (local3)
20            local use 4  (local4)
21            local use 5  (local5)
22            local use 6  (local6)
23            local use 7  (local7)

For reference, here are the severity levels:

0 Emergency: system is unusable
1 Alert: action must be taken immediately
2 Critical: critical conditions
3 Error: error conditions
4 Warning: warning conditions
5 Notice: normal but significant condition
6 Informational: informational messages
7 Debug: debug-level messages
Wesley
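As an added example (not code from the answer above or from the SG560 firmware), here is a Python decoder for the <PRI> value Wesley describes, run over constructed sample lines so you can see which facility each message arrived on; the short facility keywords (kern, local0, ...) are the usual syslog.conf names and are an assumption beyond the numbered tables above.

```python
import re
from collections import Counter

# Facility and severity names indexed by number (the two tables in the answer above).
FACILITIES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Every syslog message on the wire starts with "<PRI>", where PRI has 1 to 3 digits.
PRI_RE = re.compile(r"^<(\d{1,3})>")


def decode_pri(pri):
    """Invert PRI = facility * 8 + severity; return (facility, severity) numbers."""
    if not 0 <= pri <= 191:  # 23 * 8 + 7 is the largest value the tables allow
        raise ValueError(f"PRI out of range: {pri}")
    return divmod(pri, 8)


def parse_line(line):
    """Return (facility_name, severity_name, message) or None if no valid PRI."""
    m = PRI_RE.match(line)
    if m is None:
        return None
    try:
        facility, severity = decode_pri(int(m.group(1)))
    except ValueError:
        return None
    return FACILITIES[facility], SEVERITIES[severity], line[m.end():]


def facilities_seen(lines):
    """Count how many messages arrived on each facility; unparsable lines are skipped."""
    counts = Counter()
    for line in lines:
        parsed = parse_line(line)
        if parsed is not None:
            counts[parsed[0]] += 1
    return counts


# Constructed sample messages, not captured from a real SG560.
SAMPLE = [
    "<56>Apr 17 05:01:00 gateway news: example",     # 7*8 + 0 -> news, emerg
    "<134>Apr 17 05:01:01 gateway kernel: link up",  # 16*8 + 6 -> local0, info
    "<13>Apr 17 05:01:02 gateway user: hello",       # 1*8 + 5 -> user, notice
    "<999>not a legal priority",                      # out of range, skipped
    "no priority field at all",                       # no PRI, skipped
]
```

Feed it the payloads you captured with tcpdump and the facility with the highest count is the one to match in syslog.conf.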
0

For a detailed explanation of syslog facilities, ways to manage syslog and even some of the tools to use for analysis, here's a great whitepaper on Cisco's website.

Clayton Dukes