As well as the common system facilities (mail, news, daemon, cron, etc.), syslog provides a series of "local" facilities, numbers 0 to 7: LOCAL0, LOCAL1, ..., LOCAL7.
Which ones are program defaults for common applications?
I'm looking to find out which facilities are "traditionally" used for well known services. I will be deploying an application over many servers, with various software installed, and would like to see if there's a "free" facility I could easily use for my own logs.
As a note, I realize there are other ways of doing this than a syslog facility. Just curious!
Here are some (a start to answering my own question), and some thanks to voretaq7:
- LOCAL0 is used by postgresql
- LOCAL2 is used by sudo
- LOCAL3 is used by some versions of SpamAssassin
- LOCAL4 is used by default by slapd (OpenLDAP server)
- LOCAL5 is sometimes used by the Snort IDS
- LOCAL7 is used for boot messages on Fedora 12
The LOCALn facilities are available for any local use and can vary pretty widely from site to site. I guarantee every one of the 8 available is used by something, so if you want to avoid conflicts my best advice is to log all 7 to separate logs and pick the one that nothing else seems to be using.
Some you missed (program defaults - may be changed locally so double-check):
- LOCAL0 is used by postgresql (if configured to log to syslog)
- LOCAL2 is used by sudo (if configured to log to syslog)
- LOCAL3 is used by some versions of SpamAssassin mail instead
- LOCAL5 is sometimes used by the Snort IDS
There is no standard for the LOCAL0-LOCAL7 Syslog facilities. By design, you cannot count on whether they'll be used by anything. Particular distros or organizations might have their own conventions, but that's up to distro or organization policy, not any broader standard.
As an alternative, have you considered using Syslog "tags"? Tags are free-form strings that are prepended to log messages to identify specific applications or log channels. By default, the tag is usually formed from the process name and ID (e.g., 'httpd[2839]') that generated the log data. The 'logger' command-line utility and most Syslog APIs support specifying whatever tags you want to use for your applications.
For instance, I personally like using 'http-access' for my Apache web server access logs, which I send to Syslog by piping Apache's log output to the command logger -p local7.info -t 'http-access'.
Most syslog.conf files are set up with wildcard facilities for the messages file (*.info). If this is just a run-of-the-mill app and not some full-blown log-hogging cow, you should probably just log to messages and not a standalone file.
Choosing to log to your own file means adding a postinstall step to your software's install packages that adds an appropriate entry in syslog.conf. This also means that if you're nice you would add a postinstall step that creates an appropriate logrotate file as well.
I was also looking for a config file like syslog.conf to cross-reference the local0-7 facilities to the program that is writing to them. It appears that such a config file does not exist. To find out what program is writing to the log, you'll have to open the log file and find the program name in the column next to the colon, for example... sendmail[22950]: is for the sendmail program. The number within the square brackets is for the port number used during the execution of the program.
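The cross-referencing discussed in the answers above (which program writes to which LOCALn facility, and which facilities look unused) can be done from the raw syslog frames, since each one carries its facility in the leading <PRI> value. This is an added example, not part of any answer: the frame layout, the sample frames and the function names are assumptions made for illustration.

```python
import re

# PRI = facility * 8 + severity; facility codes 16-23 are local0-local7.
LOCAL_FIRST, LOCAL_LAST = 16, 23

# Assumed BSD-style frame: "<PRI>Mmm dd hh:mm:ss host tag[number]: message"
FRAME = re.compile(
    r"^<(\d{1,3})>\w{3} [ \d]\d \d\d:\d\d:\d\d \S+ ([^\s:\[]+)(?:\[\d+\])?:"
)

# Constructed sample frames, not captured from a real system.
SAMPLE = [
    "<134>Oct 11 22:14:15 db01 postgres[4123]: LOG:  checkpoint complete",
    "<149>Oct 11 22:14:16 web01 sudo: alice : TTY=pts/0 ; COMMAND=/bin/ls",
    "<167>Oct 11 22:14:17 ldap01 slapd[991]: conn=1001 op=0 BIND",
    "<190>Oct 11 22:14:18 web01 http-access: 203.0.113.9 GET / 200",
    "<22>Oct 11 22:14:19 mx01 sendmail[22950]: stat=Sent",   # mail.info
    "<999>Oct 11 22:14:20 web01 bogus: PRI out of range",    # rejected
    "line with no PRI header at all",                        # rejected
]

def decode_pri(pri):
    """Split a PRI value into (facility, severity); valid range is 0-191."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI out of range: {pri}")
    return pri >> 3, pri & 7

def local_usage(frames):
    """Return {'localN': set of tags seen logging to that facility}."""
    usage = {f"local{n}": set() for n in range(8)}
    for frame in frames:
        m = FRAME.match(frame)
        if not m:
            continue  # not a frame in the assumed layout
        try:
            facility, _severity = decode_pri(int(m.group(1)))
        except ValueError:
            continue  # malformed PRI, ignore the frame
        if LOCAL_FIRST <= facility <= LOCAL_LAST:
            usage[f"local{facility - LOCAL_FIRST}"].add(m.group(2))
    return usage

def free_locals(usage):
    """Local facilities on which no tag was observed."""
    return sorted(name for name, tags in usage.items() if not tags)

if __name__ == "__main__":
    usage = local_usage(SAMPLE)
    for name in sorted(usage):
        print(name, ", ".join(sorted(usage[name])) or "(nothing seen)")
    print("candidates:", ", ".join(free_locals(usage)))
```

A facility that is quiet during the capture window is only a candidate: a program that logs rarely, or only on error, will not show up in a short sample.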