Syslog – What Are the Local6 and Other Local# Facilities?

syslog

What I understand

On *nix servers, we configure sending logs using facility.severity, where facility is the name of the (let's call it) "component" of the system, such as kernel, authentication, and so on; and severity is the "level" of each of the logs logged by a facility, such as info (informational), crit (critical) logs.

So, if I want to send kernel critical logs, I'll use kern.crit.

The combination of facility and severity is known as the priority, for example…

  • priority = kern.crit
  • facility = kern
  • severity = crit

Question

There are "facilities" called local0 to local7.

What in the world are these local# facilities? I'm asking specifically about local6, since it's usually the most common one I find in searches.

My question is actually because I'm configuring Snort (SourceFire Intrusion Sensor) to send logs, so I wanted to know which facility to use. My question is not Snort specific though, because local# facilities are everywhere; on Cisco and IBM's WebSphere Application Server for instance.

Research

  • RFC3164, which is where the syslog protocol is defined, only says:

    local6 - local use 6
    

    Which doesn't really describe it, as opposed to:

    auth   - security/authorization messages
    
  • In Ubuntu, man syslog shows:

       LOG_LOCAL0 through LOG_LOCAL7
                      reserved for local use
    

    Also, vague.

Best Answer

General info

The facilities local0 to local7 are "custom" unused facilities that syslog provides for the user. If a developer creates an application and wants to make it log to syslog, or if you want to redirect the output of anything to syslog (for example, Apache logs), you can choose to send it to any of the local# facilities. Then, you can use /etc/syslog.conf (or /etc/rsyslog.conf) to save the logs being sent to that local# to a file, or to send them to a remote server.

Answer to my question

I asked this question because I wanted to send logs to an external server, so I wanted to know which one to choose, not "write logs to a local# facility". I had to go back to the Snort documentation to find out what they are writing to the local# facilities.
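The following is an added example, not part of the question or the answer above. It shows in code what the question describes (facility + severity = priority, with the RFC 3164 numeric codes, where local6 is facility 22) and what the answer describes (routing a local# facility to a file or a remote collector with a syslog.conf-style selector). The PRI value in a raw syslog line is facility * 8 + severity, so a Snort sensor logging at local6.info produces lines that start with `<182>`. The sample log lines, the file paths, and the host name siem.example.com are constructed for the example; the selector semantics emulate classic syslog.conf/rsyslog rules (a named severity matches that level and everything more urgent).

```python
from __future__ import annotations
import re

# Facility and severity numbers as listed in RFC 3164, section 4.1.1.
FACILITIES = {
    "kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
    "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
    "local0": 16, "local1": 17, "local2": 18, "local3": 19,
    "local4": 20, "local5": 21, "local6": 22, "local7": 23,
}
SEVERITIES = {
    "emerg": 0, "alert": 1, "crit": 2, "err": 3,
    "warning": 4, "notice": 5, "info": 6, "debug": 7,
}
FACILITY_NAMES = {v: k for k, v in FACILITIES.items()}
SEVERITY_NAMES = {v: k for k, v in SEVERITIES.items()}


def encode_pri(facility: str, severity: str) -> int:
    """Numeric PRI for a facility.severity pair: PRI = facility * 8 + severity."""
    return FACILITIES[facility] * 8 + SEVERITIES[severity]


def decode_pri(pri: int) -> tuple[str, str]:
    """Split a numeric PRI back into (facility, severity) names."""
    facility, severity = divmod(pri, 8)
    return FACILITY_NAMES[facility], SEVERITY_NAMES[severity]


_PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)


def parse_message(line: str) -> dict:
    """Extract PRI, facility and severity from an RFC 3164 line like '<182>Jan 12 ...'."""
    m = _PRI_RE.match(line)
    if not m:
        raise ValueError("line has no <PRI> prefix: " + line)
    pri = int(m.group(1))
    if pri > 191:  # 23 * 8 + 7 is the largest valid PRI
        raise ValueError("PRI out of range: %d" % pri)
    facility, severity = decode_pri(pri)
    return {"pri": pri, "facility": facility, "severity": severity, "body": m.group(2)}


def selector_matches(selector: str, facility: str, severity: str) -> bool:
    """Emulate a syslog.conf selector such as 'local6.*', 'kern.crit' or 'local6,local7.info'.

    A named severity matches that level and every more urgent one (numerically
    lower); '*' matches everything; 'none' matches nothing for that facility.
    """
    fac_part, sev_part = selector.split(".")
    facilities = fac_part.split(",")
    if "*" not in facilities and facility not in facilities:
        return False
    if sev_part == "*":
        return True
    if sev_part == "none":
        return False
    return SEVERITIES[severity] <= SEVERITIES[sev_part]


# Constructed routing table; each rule mirrors one rsyslog.conf line, e.g.
#   local6.*    /var/log/snort.log
#   local6.*    @@siem.example.com:514      (@@ = forward over TCP)
#   kern.crit   /var/log/kern-critical.log
RULES = [
    ("local6.*", "/var/log/snort.log"),
    ("local6.*", "@@siem.example.com:514"),
    ("kern.crit", "/var/log/kern-critical.log"),
]


def route(line: str, rules=RULES) -> list[str]:
    """Return every destination whose selector matches the line's facility/severity."""
    msg = parse_message(line)
    return [dest for sel, dest in rules if selector_matches(sel, msg["facility"], msg["severity"])]


# Constructed sample lines: local6.info (182), kern.crit (2) and auth.info (38).
SAMPLE_LINES = [
    "<182>Jan 12 10:00:00 sensor01 snort[1234]: constructed sample alert",
    "<2>Jan 12 10:00:01 host kernel: constructed kernel critical message",
    "<38>Jan 12 10:00:02 host sshd[99]: constructed auth info message",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        msg = parse_message(line)
        print("%s.%s (PRI %d) -> %s" % (msg["facility"], msg["severity"], msg["pri"], route(line)))
```

Running the block prints one line per sample message, showing that only the local6 line reaches the Snort file and the remote collector, while the kernel line goes to the critical-kernel file and the auth.info line matches no rule. The same logic is why picking an otherwise unused local# for a sensor matters: if Apache and Snort both write to local6, a `local6.*` rule cannot tell them apart.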
