Syslog Facility

Syslog Facility is one information field associated with a syslog message. It is defined by the syslog protocol. It is meant to provide a very rough clue from what part of a system the message originated from. Tradidionally, under UNIX, there are facilities like KERN (the OS kernel itself), LPD (the line printer daemon) and so on. There are also the LOCAL_0 to LOCAL_7 facilities, which were traditionally reserved for administrator and application use.

However, with the wide adaption of the syslog protocol, the facility field contents has become a little less clear. Most syslog enabled devices nowadays allow configuring any value as the facility. So it is basically left to distinguise different classes of syslog messages.

The facility can be very helpful to define rules that split messages for example to different log files based on the facility level.

Facility values are defined in RFC 3164:

The Facilities and Severities of the messages are numerically coded
with decimal values. Some of the operating system daemons and
processes have been assigned Facility values. Processes and daemons
that have not been explicitly assigned a Facility may use any of the
“local use” facilities or they may use the “user-level” Facility.
Those Facilities that have been designated are shown in the following
table along with their numerical code values.

 Numerical Facility

 0 kernel messages
 1 user-level messages
 2 mail system
 3 system daemons
 4 security/authorization messages (note 1)

 5 messages generated internally by syslogd
 6 line printer subsystem
 7 network news subsystem
 8 UUCP subsystem
 9 clock daemon (note 2)
 10 security/authorization messages (note 1)
 11 FTP daemon
 12 NTP subsystem
 13 log audit (note 1)
 14 log alert (note 1)
 15 clock daemon (note 2)
 16 local use 0 (local0)
 17 local use 1 (local1)
 18 local use 2 (local2)
 19 local use 3 (local3)
 20 local use 4 (local4)
 21 local use 5 (local5)
 22 local use 6 (local6)
 23 local use 7 (local7)

 Table 1. syslog Message Facilities

Note 1 – Various operating systems have been found to utilize
Facilities 4, 10, 13 and 14 for security/authorization,
audit, and alert messages which seem to be similar.
Note 2 – Various operating systems have been found to utilize
both Facilities 9 and 15 for clock (cron/at) messages.